The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 88

Weds 31 October 2007

Contents

Rox-Shocks Tix-Nix Fix
PGN
Normal hardware upgrades may deactivate Microsoft Vista(tm)
Mike Radow
German Telephone-Network Partial Outage
Peter B. Ladkin
A computer-related fatality
Martyn Thomas
Anti-DWI interlocks considered for ALL drivers
D.F. Manno
Risk of laptop computer on a commercial aircraft
jared
LoJack undoes scheme to fake SUV theft
Paul Saffo
Trojan Horse Redirects Local DNS Settings to Malicious DNS Servers
Monty Solomon
Think before you legislate
Robert S. Heuman
Court filing in TJX breach: 94 million accounts affected
Monty Solomon
Restaurant chain customers' credit card data stolen
Monty Solomon
Fighting traffic citations
Steve Greenwald and Jeremy Epstein via PGN
Gatwick Airport screens display wrong local time
Philippe Jumelle
TV PVRs getting BST change not quite right
Nick Rothwell
DST traffic signal snafu
D. Joseph Creighton
Who set up that meeting anyway?
Jeremy Epstein
US Congress pulls the classic e-mail oopsie
Danny Burstein
Who needs bots?
Matt Simpson
Re: Fake blogs
Dan Jacobson
Same ol' same ol'
Andrew Koenig
Info on RISKS (comp.risks)

Rox-Shocks Tix-Nix Fix (Re: RISKS-24.87)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 31 Oct 2007 15:12:09 PDT

After last Monday's (22 Oct 2007) presumed denial-of-service attack that
hindered Denver's World Series ticket sales, reportedly with over 8 million
bogus hits on the website, Tuesday's efforts were much more successful.  The
Rockies sold out every ticket for games 3, 4, and 5 [which, as it turns out,
was not needed] in about 2.5 hours.  That's a total number of tickets three
times the seating capacity of 50,445, which works out to an average of just
about 1000 tickets per minute.  It would take a large cadre of human ticket
sellers to keep up that rate.  Thus, automation of this kind clearly has its
merits -- when it works securely and reliably (modulo some presumed amount
of credit-card fraud).  However, blocking multiple requests from the same IP
address seems to be overly aggressive -- for example, for groups of would-be
buyers behind firewalls, although it might have slowed down the scalpers.
[Actually, the Rockies suffered a much more costly denial-of-service attack
at the hands (and feet) of the Red Sox.]


Normal hardware upgrades may deactivate Microsoft Vista(tm)

<Mike Radow <mikeradow@yahoo.com>>
Tue, 23 Oct 2007 17:14:35 -0700 (PDT)

Microsoft attempts to determine when your *registered* copy of their
Operating System has been moved to another computer.

The concept is simple...: Different hardware components are identified
during the registration process and a *weighted* hash is computed from model
numbers, MAC addresses, etc. This can -- supposedly -- differentiate
innocent user-upgrades from proscribed outright copying.  At least, that is
their claim and the heuristic's intent.

When it comes to monitoring Microsoft Vista(tm), this process may not be
perfect. Perhaps it is a bit too touchy in the ''False Positive''
department. At least this is what Slashdot reports, at...:
  http://slashdot.org/article.pl?sid=07/10/23/1255235.

As reported in the 23.X.2007 issue of the Australian Consolidated Press
(ACP) magazine, ''... something as small as swapping the video card or
updating a device driver can trigger a total Vista deactivation.''

The full ACP story is at http://apcmag.com/vista_activation

This article seems to identify a major hazard (read ''show-stopper'') to
everyday regular maintenance!
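To make the "weighted hash" idea concrete, here is an added illustration (not Microsoft's activation algorithm, and not code from the Slashdot or ACP stories): each hardware identifier is hashed separately, every component carries an assumed weight, and the sum of the weights of changed components is compared with a threshold. The component list, the weights, the two thresholds and the sample machine are all assumptions chosen to show why a touchy threshold turns a routine upgrade into a false positive.

```python
"""Weighted hardware-fingerprint check (added illustration).

This is not Microsoft's activation algorithm. The component list, the
weights, the per-component hashing and both thresholds are assumptions,
chosen to show how a weighted scheme is meant to separate an ordinary
upgrade from a copy moved to a different machine, and how a "touchy"
threshold turns a routine upgrade into a false positive."""
import hashlib

# Assumed weights: parts that rarely change between upgrades count more.
WEIGHTS = {
    "cpu": 3, "motherboard": 3, "mac_address": 2, "disk_serial": 2,
    "ram": 1, "video_card": 1, "optical_drive": 1,
}
TOUCHY_THRESHOLD = 2     # assumed: flags most two-part upgrades
TOLERANT_THRESHOLD = 7   # assumed: more than half the total weight (13)


def fingerprint(hardware: dict) -> dict:
    """Hash each identifier separately. One hash over the whole machine
    would change completely on any swap and could not be weighted."""
    return {name: hashlib.sha256(value.encode()).hexdigest()[:16]
            for name, value in hardware.items()}


def changed_weight(registered: dict, current: dict) -> int:
    """Total weight of the components whose hash differs from registration."""
    return sum(weight for name, weight in WEIGHTS.items()
               if registered.get(name) != current.get(name))


def activation_verdict(registered: dict, current: dict, threshold: int) -> str:
    return "reactivate" if changed_weight(registered, current) >= threshold else "ok"


# Constructed sample machine (all identifiers are made up).
ORIGINAL = {
    "cpu": "GenuineIntel-Family6-Model15", "motherboard": "MB-SN-0001",
    "mac_address": "00:16:3e:00:00:01", "disk_serial": "WD-0001",
    "ram": "2x1024MB", "video_card": "VID-SN-0001", "optical_drive": "DVD-0001",
}
VIDEO_SWAP = dict(ORIGINAL, video_card="VID-SN-0002")            # one upgrade
VIDEO_AND_RAM = dict(VIDEO_SWAP, ram="2x2048MB")                 # two upgrades
NEW_MACHINE = {name: value + "-other" for name, value in ORIGINAL.items()}

REGISTERED = fingerprint(ORIGINAL)


def demo() -> dict:
    """Verdicts for the three scenarios under both thresholds."""
    return {
        (name, label): activation_verdict(REGISTERED, fingerprint(hw), thr)
        for name, hw in [("video_swap", VIDEO_SWAP),
                         ("video_and_ram", VIDEO_AND_RAM),
                         ("new_machine", NEW_MACHINE)]
        for label, thr in [("touchy", TOUCHY_THRESHOLD),
                           ("tolerant", TOLERANT_THRESHOLD)]
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```

With the assumed weights, swapping the video card alone scores 1, a video card plus a RAM upgrade scores 2, and a copy moved to a different machine scores 13. The touchy threshold (2) already demands reactivation for the two-part upgrade, which is the false positive the ACP story describes; the tolerant threshold (7) only trips for the moved copy.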


German Telephone-Network Partial Outage

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Wed, 31 Oct 2007 09:10:32 +0100

On 29 Oct 2007 a software update to a billing server in the network of the
former Deutsche Telekom (German Telecom) in Düsseldorf resulted in many
telephone numbers nationwide becoming unreachable. The outage lasted between
about 4pm and 9pm. Apparently it also affected some portions of the mobile
telephone network. (It affected me also, but one of my numbers carried on
working. I contract with another service provider.)

Deutsche Telekom is the privatised former state telephone network and still
the majority infrastructure owner in Germany, which is why the outage
affected those such as myself who do not contract for service with DT. It
affected people all over Germany, but DT doesn't say how many.

SW updates are a "daily occurrence" according to a spokesman. They went back
to a previous version and they are inspecting the problem SW now to see what
caused the outage.

(Personal experience, aided by reports in the Neue Westfalische Zeitung,
30 and 31 Oct 2007)

Peter B. Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com      www.rvs.uni-bielefeld.de


A computer-related fatality

<Martyn Thomas <martyn@thomas-associates.co.uk>>
Sat, 27 Oct 2007 10:54:11 +0100

A Texas judge, Sharon Keller, refused to keep her court open for 20 minutes
to receive an appeal from the lawyers representing Michael Richard. He was
executed later the same night.

His lawyers had suffered a computer breakdown and said they were unable to
file the appeal within regular working hours. They had begged Judge Keller
for more time and she refused.

Her decision might have gone unnoticed had the supreme court not announced,
on September 25, that it was reviewing a challenge to the legality of lethal
injection.

The announcement set off a flurry of appeals from death-row inmates and it
is believed Richard's execution most likely would have been halted, to await
the supreme court decision, had he been granted a hearing. Two days after
Richard was executed, the supreme court blocked a lethal injection in
Texas. Judges in Alabama and Kentucky have also stayed executions, bringing
in an unofficial moratorium on the death penalty.

http://www.guardian.co.uk/usa/story/0,,2199596,00.html


Anti-DWI interlocks considered for ALL drivers

<"D.F. Manno" <dommanno@yahoo.com>>
Wed, 24 Oct 2007 14:25:08 -0700 (PDT)

*The New York Times* (21 Oct 2007), in an article that may not have been
widely noticed because it was buried in the Automotive section, reports that
automakers and researchers, with U.S. government funding, are working on
anti-drunk-driving interlocks that ALL drivers will have to pass in order to
drive their cars, whether or not they have a record for DWI.

<http://www.nytimes.com/2007/10/21/automobiles/21ALKY.html>

Among other things, the article notes that to start a car with the
interlocks currently used, ``the driver must puff a breath into the unit. To
avoid cheating, the breath puff is measured and must be given in a uniquely
identifiable way that would be hard for a person who is not the driver to
duplicate.'' The breath puff isn't just for starting cars. While driving,
the driver must periodically blow into the system to keep the car running.

The researchers acknowledge that the current technology is not reliable or
durable enough to install in all cars. But the capabilities to determine who
is taking the test and to require periodic retesting while driving would
presumably be carried over into the newer systems.

Aside from the Big Brother and Prohibition aspects, to me the RISK with both
current and future systems seems to be that your car can automatically stop
-- regardless of road, weather or traffic conditions -- if you don't have
time or can't split your attention to take the test (while doing 65 mph on
the freeway, or while you're dealing with your children in the back seat),
or if there's a false positive, or if the equipment is faulty.


Risk of laptop computer on a commercial aircraft

<jared <jared@netspace.net.au>>
Sun, 28 Oct 2007 08:43:23 +0000

"Jet forced to land by a runaway laptop" is a headline in the 26 Oct 2007
Jewish Chronicle (www.thejc.com).  In summary, a London-Tel Aviv flight made
an unscheduled stop at Athens. A laptop had been found on-board which no one
nearby claimed.  Per security procedures the plane made an impromptu
landing.  At which point the computer's owner, having woken up, asked if
anyone had seen a missing laptop.


LoJack undoes scheme to fake SUV theft

<Paul Saffo <psaffo@mac.com>>
Wed, 31 Oct 2007 10:19:10 -0700

Talk about dumb and dumber...

[Source: San Diego *Union-Tribune*, 31 Oct 2007; PGN-ed]
http://www.signonsandiego.com/news/northcounty/20071031-0755-bn31car.html

Sheriff's officials say an Oceanside [CA] woman who was behind on car
payments faked that her 1999 GMC Yukon was stolen and hid it in a friend's
backyard in Escondido, not realizing it was equipped with a LoJack system.
After she filed a stolen vehicle report and an insurance claim, police
activated LoJack and found the SUV in a friend's yard with the woman's
boyfriend's old plates.

  ["'Lo, Jack?  How's Jill?"  "She's 'Jilling."  PGN]


Trojan Horse Redirects Local DNS Settings to Malicious DNS Servers

<Monty Solomon <monty@roscom.com>>
Wed, 31 Oct 2007 16:18:37 -0400

INTEGO SECURITY ALERT - October 31, 2007

OSX.RSPlug.A Trojan Horse Changes Local DNS Settings to
Redirect to Malicious DNS Servers

Exploit: OSX.RSPlug.A Trojan Horse
Discovered: October 30, 2007
Risk: Critical

Description: A malicious Trojan Horse has been found on several pornography
web sites, claiming to install a video codec necessary to view free
pornographic videos on Macs. A great deal of spam has been posted to many
Mac forums, in an attempt to lead users to these sites. When the users
arrive on one of the web sites, they see still photos from reputed porn
videos, and if they click on the stills, thinking they can view the videos,
they arrive on a web page that says the following:

  Quicktime Player is unable to play movie file.
  Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to
the user's Mac. If the user has checked Open "Safe" Files After Downloading
in Safari's General preferences (or similar settings in other browsers), the
disk image will mount, and the installer package it contains will launch
Installer. If not, and the user wishes to install this codec, they
double-click the disk image to mount it, then double-click the package file,
named install.pkg.

If the user then proceeds with installation, the Trojan horse installs;
installation requires an administrator's password, which grants the Trojan
horse full root privileges. No video codec is installed, and if the user
returns to the web site, they will simply come to the same page and receive
a new download.
  http://www.intego.com/news/ism0705.asp
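A DNS-changer leaves one durable trace: resolver settings pointing at servers the user never chose. The following added example (not Intego's detection logic and not from the alert above) shows a host-side check that parses resolv.conf-style "nameserver" lines, compares them with the resolvers you expect, and separately flags any resolver outside local address ranges. The expected resolver set, the local-network list and both sample configurations are constructed assumptions.

```python
"""Resolver-configuration audit (added example; not Intego's detection logic).

Reads resolv.conf-style text ("nameserver <ip>" lines), reports every
resolver that is not in the expected set, and calls out resolvers outside
local address ranges, which is what a DNS-changer leaves behind."""
import ipaddress

# Assumption: the only legitimate resolver is the home router.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Address ranges a home/office resolver normally lives in (assumed list).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128", "fe80::/10")]

SAMPLE_CLEAN = """# constructed sample
nameserver 192.168.1.1
search home.lan
"""

SAMPLE_HIJACKED = """# constructed sample: two unfamiliar resolvers listed first
nameserver 203.0.113.5
nameserver 203.0.113.6
nameserver 192.168.1.1
"""


def parse_nameservers(text: str) -> list:
    """Return the IP addresses from 'nameserver' lines, ignoring comments
    and anything that does not parse as an address."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def is_local(ip) -> bool:
    return any(ip in net for net in LOCAL_NETWORKS)


def audit_resolvers(text: str, expected: set) -> list:
    """List (address, reason) for every resolver that is not expected.
    Resolvers outside local ranges are called out separately, since a
    DNS-changer points the host at servers on the public Internet."""
    expected_ips = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for ip in parse_nameservers(text):
        if ip in expected_ips:
            continue
        reason = "not in expected resolver set"
        if not is_local(ip):
            reason += "; outside local networks (possible DNS hijack)"
        findings.append((str(ip), reason))
    return findings


if __name__ == "__main__":
    for name, sample in [("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)]:
        print(name, audit_resolvers(sample, EXPECTED_RESOLVERS) or "no findings")
```

Order matters in the hijacked sample: the unfamiliar servers are listed first, so the resolver library uses them before ever reaching the router, which is why the check must look at the whole list rather than asking whether the expected server is present somewhere.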


Think before you legislate

<RsH <robert.heuman@alumni.monmouth.edu>>
Tue, 23 Oct 2007 22:20:28 -0400

Elections Act changes deny vote for 1 million Canadians, CBC News 23 Oct 2007

The federal government said Tuesday it will fix a problem with the newly
revamped Elections Act that prevents up to a million rural voters from
casting a ballot.

Four months ago, Parliament passed amendments to the Canada Elections Act
that requires each voter produce proof of identity and a residential address
before being allowed to cast a ballot.

However, more than one million Canadians living in rural areas don't have an
address that includes a street name and number.

Rural addresses are often just post office boxes. On native reserves, a
resident's address is sometimes simply the name of the reserve.

In Nunavut, more than 80 per cent of registered voters don't have a
residential address.

Government House Leader Peter Van Loan told Parliament Tuesday that the
problem was an oversight and called on all parties to "enthusiastically
support efforts to correct this deficiency."

Van Loan also said if a snap election were to be called before the issue is
resolved, the chief electoral officer has assured him that he's prepared to
use "his adaptation power to ensure that no Canadian loses their right to
vote" in the ensuing election.

With files from the Canadian Press

R. S. (Bob) Heuman  <robert.heuman@alumni.monmouth.edu>


Court filing in TJX breach: 94 million accounts affected

<Monty Solomon <monty@roscom.com>>
Thu, 25 Oct 2007 02:04:37 -0400

More than 94 million accounts were affected in the theft of personal data
from TJX Cos., a banking group alleged in court filings, more than twice as
many accounts as the Framingham retailer has said were affected in what was
already the largest data breach in history.  The data breach affected about
65 million Visa account numbers and about 29 million MasterCard numbers,
according to the court filing, which was made late yesterday by a group of
banks suing TJX over the costs associated with the breach.  The banks cited
sealed testimony taken from officials at the two largest credit card
networks.  A Visa official also put fraud losses to banks and other
institutions that issued the cards at between $68 million and $83 million on
Visa accounts alone, the filing states, the most specific estimate of losses
to date.

TJX, which operates more than 2,500 stores worldwide under such brand names
as TJ Maxx and Marshalls, previously has said the unidentified hackers who
breached its systems had compromised at least 45.7 million credit and debit
card numbers as far back as 2003.  TJX has said about 75 percent of the
compromised cards were expired or had data in the magnetic strip masked,
meaning the information was stored as asterisks rather than numbers. ...
[Source: Ross Kerber, Court filing in TJX breach doubles toll: 94 million
accounts were affected, banks say, *The Boston Globe*, 24 Oct 2007]
http://www.boston.com/business/globe/articles/2007/10/24/court_filing_in_tjx_breach_doubles_toll/


Restaurant chain customers' credit card data stolen

<Monty Solomon <monty@roscom.com>>
Thu, 25 Oct 2007 01:59:51 -0400

Not Your Average Joe's, a Massachusetts restaurant chain, said yesterday
that thieves have stolen credit card data belonging to its customers.  The
Dartmouth-based chain estimated fewer than 3,500 of the 350,000 customers it
served in August and September had their credit card information stolen.
The 14-restaurant chain said it is working with the US Secret Service and
major credit card companies to determine how the data theft occurred and
precisely how many customers were affected.  [Source: Bruce Mohl, *The
Boston Globe*, 24 Oct 2007]
http://www.boston.com/business/globe/articles/2007/10/24/restaurant_chain_customers_credit_card_data_stolen/

  [Small potatoes, you say?  But the customers were fried, and now they're
  playing catchup.  PGN]


Fighting traffic citations

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 26 Oct 2007 11:51:38 PDT

In an out-of-band communication, Steven J. Greenwald (sjg6@gate.net) pointed
out an AP item by Lisa Leff, Teen's ticket hinges on GPS vs. radar, 25 Oct
2007, in which a retired sheriff's deputy had used a GPS tracking device to
keep an eye on his stepson Shaun's driving habits.  This annoyed Shaun -- at
least until he was pulled over for allegedly doing 62 in a 45-mile-per-hour
zone.  The GPS unit showed that he was indeed doing the speed limit.
Whether this is sufficient evidence is still pending.
http://news.yahoo.com/s/ap/20071025/ap_on_hi_te/gps_ticket_challenge_2&printer=1;_ylt=AnZr6gtZNk0ZUsM9p9w..vVk24cA

This item reminded Jeremy Epstein <Jeremy.Epstein@SOFTWAREAG.COM> of a case
over 30 years ago where a physicist at Los Alamos Labs protested a speeding
ticket by trying to convince the judge (who was a retired physicist from the
labs) that the thunderstorm caused the radar system to give a false reading.
Jeremy found a reference to it at
http://www.bautforum.com/archive/index.php/t-9596.html

  It [trying physics to get out of a speeding ticket] was tried in Los
  Alamos. One of the weaponeers was booked for driving his vehicle at speeds
  well in excess of the limit.  At his trial he produced an involved theory
  of high-energy physics that suggested the radar speed gun readings were
  distorted by a nearby thunderstorm. The judge's summation went:

  "Only in Los Alamos would a defendant argue high-energy physics as a
  defense against a charge of driving with excessive speed. Only in Los
  Alamos would the Judge have the PhD necessary to know that he was talking
  utter nonsense."

[Note: Steven J. Greenwald runs a low-volume mailing list intended to foster
interaction between his former/current students from James Madison
University's graduate INFOSEC program (http://www.infosec.jmu.edu) and other
"security seniors" he knows either personally or by reputation. If you think
you qualify and wish to request a subscription, please send e-mail to Steve
with the e-mail address and name you wish to use.  PGN]


Gatwick Airport screens display wrong local time

<"Philippe Jumelle" <pjumelle@gmail.com>>
Mon, 29 Oct 2007 14:52:22 +0100

Quite surprisingly (except for RISKS readers), a daylight-saving glitch hit
Gatwick Airport on Oct 28th resulting in the ire of passengers and relatives.
http://www.theregister.co.uk/2007/10/29/gatwick_computer_glitch/ and others

  [Back at the beginning of April, I noted in RISKS-24.63 that Caltrain
  managed to botch the daylight saving cutover.  This week they did it even
  more curiously: the Menlo Park Station had the correct daylight time
  displayed on one side of the tracks, and the week-too-early standard time
  on the other side.  On the other hand, it makes some sense that the two
  sets of displays at any given station are intentionally controlled
  separately, particularly when bearing the bad news of late trains
  and accidents in one direction or the other.  PGN]


TV PVRs getting BST change not quite right

<Nick Rothwell <nick@cassiel.com>>
Sun, 28 Oct 2007 16:23:09 +0000

Since it's the time of year for summer time/daylight savings bugs, here's
mine, from the Humax PVR-9200T. It's a UK hard disk TV recorder which takes
Freeview digital-over-aerial channels and supports a seven-day EPG
(programme guide).

Yesterday (last day of BST), the programming timeline display showed
continuous time across the BST-to-GMT boundary; programmes before the change
showed the correct broadcast time, programmes after the change were lined up
against time markers one hour ahead of the wallclock time at which they
would actually be broadcast: in other words, everything was displayed in
BST, so a 7pm weekly episode yesterday would be followed by an 8pm episode
this coming Saturday. Today, all times are in GMT, including those of
programmes before the time change.

So, I thought: a consistent, if slightly unexpected, view of time changes,
and one which would allow the device to switch times unambiguously...
except, of course, it doesn't work: programmed recording entries are
apparently stored with clock times, so all the recordings I programmed last
week will now start (and stop) one hour late. I'm currently going through
and editing them all...


DST traffic signal snafu

<"D. Joseph Creighton" <djc@cc.umanitoba.ca>>
Mon, 29 Oct 2007 10:47:35 -0500

Monday 29 Oct 2007.

Hundreds of traffic lights in Winnipeg, Canada did not change from their
overnight 'flashing amber' states to the normal 'morning rush' state until
an hour later than usual due to old DST settings in them.  The lights will
need to be manually overridden for the week until time catches up.

Ref. http://www.cbc.ca/canada/manitoba/story/2007/10/29/daylight-time.html

The RISK of believing all your DST issues are fine when there's no problem
in the spring is illustrated nicely here.

D. Joseph Creighton [ESTP] | Info. Technologist, Database Technologies, IST
Joe_Creighton@UManitoba.CA | University of Manitoba  Winnipeg, MB, Canada, eh?


Who set up that meeting anyway?

<"Jeremy Epstein" <Jeremy.Epstein@softwareag.com>>
Mon, 29 Oct 2007 13:37:38 -0400

As many readers are aware, there's frequently a discrepancy between when
countries switch between "summer time" (or Daylight Savings Time as it's
called in the US) and "winter time" (or Standard Time).  Europe switched
to winter time this year on Oct 28; the US switches to Standard Time on
Nov 4.  What I'm finding today is that my schedule is a shambles,
because meetings that are normally sequential are overlapping, depending
on who scheduled the meeting.  As an example, I have a meeting I
normally attend every Tuesday at 8:30 Eastern; because that was set up
in Outlook by a colleague in Europe, this week it's at 9:30 Eastern
(i.e., the time stayed constant for him but shifted for me).  I have
another meeting every Tuesday at 9:30 Eastern which contains an
overlapping set of attendees, but because I set that one up, Outlook has
left my time constant and shifted my European colleagues - thus, the two
meetings "overlap".

Of course, they don't really overlap - it's an artifact of how we've
become dependent on computerized scheduling systems without thinking
about the implications.  Yet another reason, I suppose, why airlines and
military systems run on "Zulu time", so as to avoid these glitches!
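Both the Winnipeg traffic-signal item and the meeting shambles above come down to three different rule sets for when summer time ends in 2007. The following added example (not Outlook's code, not the signal controller's, and not from either post) encodes the European rule, the US/Canadian rule in force from 2007, and the pre-2007 North American rule, and reproduces both effects: a controller still on the old rule falls back on Oct 28 instead of Nov 4, and a meeting anchored in Central European time lands an hour later in Eastern time during that week. The 14:30 Central European anchor is an assumption chosen so the meeting reads 8:30 Eastern when both zones are on summer time; the calculation works at the date level and ignores the exact transition hour.

```python
"""Daylight-saving rule calculator (added example; not Outlook's or the
traffic-controller's code). Encodes three 2007 rule sets and reproduces the
week-early fall-back of a controller on the pre-2007 rule and the one-hour
shift of a meeting anchored in Central European time."""
from datetime import date, timedelta


def nth_sunday(year: int, month: int, n: int) -> date:
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def last_sunday(year: int, month: int) -> date:
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last_day = next_month - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() - 6) % 7)


# (start, end) of summer time for a given year under each rule set.
RULES = {
    "eu": lambda y: (last_sunday(y, 3), last_sunday(y, 10)),
    "na_2007": lambda y: (nth_sunday(y, 3, 2), nth_sunday(y, 11, 1)),   # US/Canada from 2007
    "na_pre2007": lambda y: (nth_sunday(y, 4, 1), last_sunday(y, 10)),  # US/Canada up to 2006
}


def in_dst(day: date, rule: str) -> bool:
    """Date-level check: the transition happens in the early morning, so the
    transition day itself already counts as switched."""
    start, end = RULES[rule](day.year)
    return start <= day < end


def utc_offset_hours(day: date, standard_offset: int, rule: str) -> int:
    return standard_offset + (1 if in_dst(day, rule) else 0)


def eastern_time_of_european_meeting(day: date, hour: int = 14, minute: int = 30) -> str:
    """Wall-clock time in US Eastern of a meeting fixed at hour:minute Central
    European time on the given day (14:30 CET/CEST is the assumed anchor)."""
    utc_minutes = hour * 60 + minute - utc_offset_hours(day, 1, "eu") * 60
    eastern_minutes = utc_minutes + utc_offset_hours(day, -5, "na_2007") * 60
    return f"{eastern_minutes // 60:02d}:{eastern_minutes % 60:02d}"


def winnipeg_controller_lag_hours(day: date) -> int:
    """How far behind real local time a Central-zone (UTC-6 standard) controller
    is if it still applies the pre-2007 rule. Non-zero only between the old
    and new fall-back dates, and between the new and old spring-forward dates."""
    real = utc_offset_hours(day, -6, "na_2007")
    believed = utc_offset_hours(day, -6, "na_pre2007")
    return real - believed


if __name__ == "__main__":
    for d in (date(2007, 10, 23), date(2007, 10, 30), date(2007, 11, 6)):
        print(d, "meeting at", eastern_time_of_european_meeting(d), "Eastern")
    for d in (date(2007, 10, 22), date(2007, 10, 29), date(2007, 11, 5)):
        print(d, "controller lag:", winnipeg_controller_lag_hours(d), "h")
```

Run for the three Tuesdays around the change, the meeting reads 08:30, 09:30 and 08:30 Eastern; for the Winnipeg controller the lag is 0, 1 and 0 hours on the Mondays of Oct 22, Oct 29 and Nov 5. Note that the old rule also misfires in the spring, between the new March start and the old April start, which is the reverse of the "no problem in the spring" reassurance in the Winnipeg post only if the controller happened to be checked outside that window.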


US Congress pulls the classic e-mail oopsie

<Danny Burstein <dannyb@panix.com>>
Sun, 28 Oct 2007 14:47:42 -0400 (EDT)

The House Judiciary Committee wrote back, via e-mail, to the contributors to
its confidential whistleblower Internet submission hotline.

Aside from the standard issues of doing any of this stuff via insecure and
unverified e-mail, they listed all the e-mail addresses in the "to" line, so
everyone saw everyone else's name [a].

One of the addresses they sent this whole list to was...
  vice_president@whitehouse.gov [b]
ratcheting up the usual paranoia concerns.

lots more detail at:
  http://www.tpmmuckraker.com/archives/004576.php

[a] since many e-mail spam filters will kill off material addressed to large
numbers of recipients, many of the intended folk probably never got the
note.

[b] it's unclear whether this was really the address they were using to send
a copy to the VP or whether it was one of the "fake" ones used by initial
submitters.  I suspect it was the latter.

Either way this procedure was pretty clueless.


Who needs bots? (Re: Williams, RISKS-24.87)

<Matt Simpson <net-news69@jmatt.net>>
Tue, 23 Oct 2007 11:19:05 -0400

In "Risks of cute e-mail" in RISKS-24.87, Chris Williams says

> 1) Who needs a bot army to send spam/viruses when you can get people to
>    willingly forward things along for you?
>
> 3) Since this appears to have started as a local phenomenon and has slipped
>    by every anti-spam and anti-virus engine, the potential for malice is
>    high.

There's a joke about the use of gullible humans instead of bots to spread
viruses.  It's an e-mail that says something like:

  "This is the <insert favorite stupid ethnicity here> virus.  We don't have
  any smart programmers, so please erase all the files on your hard drive
  and forward this to all your friends."

Haha.  Very funny.  What's really funny is that, if worded just a little bit
differently, this can work, as has already been demonstrated.

Another popular legend that circulated for a while a few years ago was the
"virus" that was on every Windows system.  The e-mail warned of some virus
that the sender had found on his own system.  It gave instructions for
browsing some directory deep within the bowels of Windows, and if you found
a specific file name, that meant you were infected, and you needed to delete
the file.

Of course, the file was one that exists on any normal Windows system.
(Un)fortunately, it was something non-critical, so deleting it didn't do
much damage, and restore instructions were widely available.  I actually
wished that those who followed the warning and deleted the file had suffered
more damage as a result of their gullibility.

So, although the "redneck" virus was a joke, it really is possible to send
people e-mail that will cause them to voluntarily delete parts of their
operating system and then forward the mail to all their friends.  Just don't
include the word "joke" and they'll do it.


Re: Fake blogs (Yurman, RISKS-24.86)

<Dan Jacobson <jidanni@jidanni.org>>
Wed, 24 Oct 2007 04:24:10 +0800

DY> The problem of fake blogs is significant for me...
DY> I have no way as an individual to stop the current problem...

Hold the domain owner responsible perhaps?:

Dear Yahoo Corporation, YOUR website, http:..., is
impersonating MY website. Please cease and desist.

It would be wrong to go further and give YOU, the impersonators,
copies of MY personal identification documents you request as proof of
my identity. I'm sure you will agree.

YOU, Yahoo Corporation, are impersonating MY website. YOU are
responsible!

Is that not MY telephone number on YOUR website? Call it!

Does YOUR page not say "This page should be at http:...? And where is
that? MY website!

I demand YOU remove http:... It is an unauthorized copy of MY website!

Update: my above bold e-mail merely got me the same form e-mail from
Yahoo asking for identification. The Federal Trade Commission website,
where I turned to next, says they don't solve individuals' problems,
which is just as well, as their webform produced an error.

Second update: No need to hide the URLs:
  http://www.geo  :phony: cities.com/fireboy1983/index.htm
  impersonates my :real: http://jidanni.org/


Same ol' same ol'

<"Andrew Koenig" <ark@acm.org>>
Thu, 18 Oct 2007 10:54:20 -0400

Today I got e-mail from the bank that services one of my credit cards,
saying:

  Need to simplify your finances?
  A Balance Transfer can help!

followed by various comments and a clickable link marked

  TRANSFER BALANCES NOW

I was about to dismiss this as yet another phishing scheme, but I was
surprised by how authentic it looked. Then I looked more closely, and
noticed that it included my name (correctly spelled) and the last four
digits of my account number.

So I checked the destination for the link, and it actually did refer to my
bank's website.  Not only that, but the two other hyperlinks in the message
also referred to my bank's website.

... From which I can only conclude that this bank is trying to train its
customers to be vulnerable to phishing scams.  What on earth could they be
thinking?
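The check described in this post, looking at where each link actually goes rather than at how the message looks, is easy to automate. The following added example (not the bank's code and not from the post) extracts every link from a message body, tests whether each destination host is the bank's domain or a subdomain of it, and separately flags link text that displays one URL while the href points elsewhere. The bank domain "example-bank.com" and both sample messages are constructed placeholders.

```python
"""Link-destination audit for a bank e-mail (added example, not the bank's code).

Extracts every link in an HTML message body, checks that each destination
host belongs to the bank's real domain, and flags link text that shows a
URL whose host differs from the actual target."""
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAIN = "example-bank.com"   # placeholder for the real bank domain

# Constructed: every link really goes to the bank's domain.
LEGIT_MESSAGE = """<p>Need to simplify your finances? A Balance Transfer can help!</p>
<a href="https://www.example-bank.com/offers/balance-transfer">TRANSFER BALANCES NOW</a>
<a href="https://www.example-bank.com/privacy">Privacy Notice</a>
<a href="https://www.example-bank.com/unsubscribe">Unsubscribe</a>"""

# Constructed: the visible text shows the bank's URL, the href does not.
LOOKALIKE_MESSAGE = """<p>Need to simplify your finances? A Balance Transfer can help!</p>
<a href="https://www.example-bank.com.verify-login.example.net/x">https://www.example-bank.com/offers</a>
<a href="https://www.example-bank.com/privacy">Privacy Notice</a>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def on_domain(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain. A host that merely
    *starts* with the domain (example-bank.com.evil.example) does not qualify."""
    return host == domain or host.endswith("." + domain)


def audit_links(html: str, bank_domain: str) -> list:
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        shown_host = host_of(text) if "://" in text else None
        findings.append({
            "href": href,
            "on_bank_domain": on_domain(host, bank_domain),
            # link text displays a URL whose host differs from the real target
            "text_mismatch": bool(shown_host) and not on_domain(shown_host, host),
        })
    return findings


def message_is_consistent(html: str, bank_domain: str) -> bool:
    """All links go to the bank's domain and no link text lies about its target."""
    return all(f["on_bank_domain"] and not f["text_mismatch"]
               for f in audit_links(html, bank_domain))


if __name__ == "__main__":
    for name, msg in [("legit", LEGIT_MESSAGE), ("lookalike", LOOKALIKE_MESSAGE)]:
        print(name, "consistent:", message_is_consistent(msg, BANK_DOMAIN))
```

The suffix test in on_domain is the part people get wrong: "www.example-bank.com.verify-login.example.net" begins with the bank's name, and a naive substring check would pass it. The check only establishes that a message is consistent with the bank's domain; as the post observes, a bank sending genuine click-here mail still trains its customers to click, and consistency of one message says nothing about the next one.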
