The RISKS Digest
Volume 25 Issue 26

Wednesday, 6th August 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

'Fakeproof' microchipped British e-passport is cloned in minutes
Martyn Thomas
On Metro Fraud and NXP
David Lesher
11 charged in largest ID theft in U.S. history
Paul Saffo
Theft perils 150,000 on Busch laptop
PGN
Verified Identity Pass: CLEAR Suspended Following Laptop Theft
PGN
Unsuspected travelers' laptops may be detained at border
Ellen Nakashima via Monty Solomon
Neglecting to logout from Skype means sharing your Instant Messages
Michael Weiner
Another small interface risk
Peter Zilahy Ingerman
E-Z Pass Maryland training customers to visit random sites?
Mike Porter
Prescription Data Used To Assess Consumers
Ellen Nakashima via Monty Solomon
Re: What's in a name?
Dag-Erling Smørgrav
Re: UPS ... indistinguishable from phishing
G.M.Sigut
Re: Fascinating phishing attack: valid links, dangerous ... number
Al Macintyre
Re: Apple Fails to Patch Critical Exploited DNS Flaw
Robin Stevens
Re: Another GPS error story
J R Stockton
Survey: Perception of security in online environments
Gene Spafford
REVIEW: "The Innocent Man", John Grisham
Rob Slade
Info on RISKS (comp.risks)

'Fakeproof' microchipped British e-passport is cloned in minutes

<Martyn Thomas <martyn@thomas-associates.co.uk>>
Wed, 06 Aug 2008 09:21:06 +0100

http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece

Martyn Thomas CBE FREng  http://www.thomas-associates.co.uk


On Metro Fraud and NXP

<wb8foz@panix.com (David Lesher)>
Thu, 24 Jul 2008 12:17:57 -0400 (EDT)

I wondered whether the recent mag-stripe card fraud arrests (RISKS-25.24)
would prompt WMATA [DC Metro] to intensify their campaigns to encourage/
coerce riders into their new stored value smartcards, over the existing
anonymous magstripe/paper ones.

That same day, multiple sources report a Dutch judge ruled that research by
Prof Bart Jacobs (see RISKS-25.17) and colleagues from Radboud University,
Nijmegen in March 2008 can be published. This work exposed significant flaws
in NXP's smartcards, used in London's "Oyster" transport system (RISKS-25.22
and 24), transit systems in many other cities, and for access to many Dutch
government buildings.

The vendor, NXP sought a permanent injunction against releasing the work.

The court ruled: "Damage to NXP is not the result of the publication of the
article but of the production and sale of a chip that appears to have
shortcomings."

<http://technology.timesonline.co.uk/tol/news/tech_and_web/article4373717.ece>
<http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/7516869.stm>


11 charged in largest ID theft in U.S. history

<Paul Saffo <paul@saffo.com>>
Tue, 5 Aug 2008 22:21:08 -0700

  [Another compelling reminder to go to the ATM and — USE CASH!  -p]

More than 40 million debit and credit card account numbers were stolen from
major retailers. Fraud is estimated in the tens of millions of dollars.
[Source: Joseph Menn and Andrea Chang, 11 charged in largest ID theft in
U.S. history, *Los Angeles Times*, 5 Aug 2008; PGN-ed]
  http://www.latimes.com/business/la-fi-hack6-2008aug06,0,6262500.story

Federal authorities said Tuesday that they had cracked the largest case of
identity theft in U.S. history, charging 11 people in the theft of more than
40 million credit and debit card account numbers from computer systems at
such major retailers as TJ Maxx and Barnes & Noble.  The three-year
investigation by federal agencies and overseas allies brought home the
global nature of the Internet's underground economy as agents tracked leads
from China to Ukraine and picked up suspects in Turkey and Germany as well
as the U.S.

To the chagrin of the U.S. Secret Service, which handles many electronic
fraud investigations, the trail led back to one of its own informants,
Albert Gonzalez. Justice Department officials said Gonzalez served as the
ringleader and double-crossed the agency by tipping off his
cohorts. Prosecutors said Gonzalez could face a life term in prison.


Theft perils 150,000 on Busch laptop

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 5 Aug 2008 14:16:13 PDT

About 150,000 people in six states have been affected by the theft in June
2008 of laptops that contained personal information on current and former
Anheuser-Busch employees.  [Source: a short item in the *San Francisco
Chronicle*, 5 Aug 2008, p. D2; PGN-ed]


Verified Identity Pass: CLEAR Suspended Following Laptop Theft

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 5 Aug 2008 10:36:43 PDT

  [Thanks to Richard M. Smith]

Verified Identity Pass, which operates under the brand name CLEAR, was
suspended by the Transportation Security Administration Monday after a
laptop containing personal information for 33,000 people signing up for
their registered traveler program was stolen from San Francisco
International Airport.

The company is in the process of notifying the people, who were signing up
for an expedited airport check-in service, that their personal information
may have been stolen.

Officials said a laptop containing the data was stolen from a locked office
at the airport. The information on the laptop was not encrypted.  There was
no credit card data or any social security numbers stored on the laptop, but
there were names, addresses and other personal data.

Verified Identity Pass will not be able to enroll new customers into the
registered traveler program until the TSA verifies that the company is
compliant with security procedures.
  http://abclocal.go.com/kgo/story?section=news/local&id=6306342

  [CLEAR-ed out for now, but don't forget TSA Loses Hard Drive With Personal
  Info on about 100,000 employees, RISKS-24.66, 8 May 2007.
    http://catless.ncl.ac.uk/Risks/24.66.html#subj8
  PGN]


Unsuspected travelers' laptops may be detained at border

<Monty Solomon <monty@roscom.com>>
Mon, 4 Aug 2008 20:05:30 -0400

Ellen Nakashima, Travelers' Laptops May Be Detained At Border; No Suspicion
Required Under DHS Policies, *The Washington Post*, 1 Aug 2008, A01

Federal agents may take a traveler's laptop computer or other electronic
device to an off-site location for an unspecified period of time without any
suspicion of wrongdoing, as part of border search policies the Department of
Homeland Security recently disclosed.

Also, officials may share copies of the laptop's contents with other
agencies and private entities for language translation, data decryption or
other reasons, according to the policies, dated July 16 and issued by two
DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and
Customs Enforcement.  ...

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080103030.html


Neglecting to logout from Skype means sharing your Instant Messages

<"Michael Weiner" <michael_weiner@gmx.net>>
Tue, 05 Aug 2008 20:32:32 +0200

Six months ago, I briefly used Skype on a friend's laptop. Yesterday, that
very friend — who is not very computer-savvy — told another friend of mine
that she had found a way to read other people's Skype messages. The other
friend looked into the matter — turns out that I had remained logged in on
her laptop for the past six months and that she had read every single one of my
instant messages during that time. Obviously, I had not noticed that the
"Automatically log this user on" box was ticked when I logged on and had
forgotten to log out.

The RISKS are obvious. So are possible fixes: The "Automatically log this
user on every time Skype starts" box should never be active by default and a
confirmation should be requested. Also, Skype should make users aware if
they are simultaneously logged into the same account from different
machines. The only way out at the moment is to change the Skype password
frequently as this will terminate all sessions you may have forgotten to log
out from yourself.

According to several messages on the Skype Community forum, Skype considers
the ability to remain logged in to the same account on several machines a
"feature" and sees no need to fix anything.


Another small interface risk

<"Peter Zilahy Ingerman, PhD" <pzi@ingerman.org>>
Thu, 24 Jul 2008 17:07:00 -0400

Granite Commerce (www.granitewebdesign.com) sells a packaged e-commerce
product.  I discovered, when setting up an account with a store that uses
this software, one of the "security questions" offered is "What city were
you born in?". Not, on its face, unreasonable.

However ... they only want a one-word answer (and don't say that!), so that
any city requiring an embedded space (e.g. "New York City") is rejected as
being invalid.

  [PGN asked PZI:
    Are there any length constraints?
    Are there checks for your designated birth city being legitimate?
    Otherwise, I suppose you could write Newyorkcity.]

Actually, I verified with the company that purchased the use of the software
... and it is, exactly, that the software "requires" a single word, with no
other checks!

  [Wow!  Spaced-out software.  PGN]
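
The validation the post describes, beside what a practitioner would do instead, as an added example (not the vendor's code: the strict validator is a reconstruction of the behaviour reported, and the normalisation rules, salt size and hashing parameters are the example's own choices). The answer is normalised on both enrolment and verification, so "New York City", "new  york city" and "NEW YORK CITY" all match, and only a salted hash of the normalised form is stored.

```python
"""Security-answer handling (added example, not the vendor's software)."""
import hashlib
import hmac
import os
import re
import unicodedata


def strict_one_word(answer):
    """The behaviour the post reports, reconstructed: anything containing
    whitespace is rejected outright, so "New York City" is 'invalid'."""
    return re.fullmatch(r"\S+", answer) is not None


def normalize(answer):
    """Canonical form for comparison: compatibility-fold Unicode, casefold,
    drop punctuation, collapse runs of whitespace to one space."""
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^\w\s]", "", s)
    return " ".join(s.split())


def enroll(answer, salt=None):
    """Store (salt, digest) rather than the answer.  Birthplaces are
    low-entropy, so a slow hash is the minimum; the real fix is not to
    rely on this as a sole factor."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return salt, digest


def verify(answer, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)
```

Accepting the space and normalising costs nothing and removes the incentive for users to invent a one-word spelling they will not remember; PGN's "Newyorkcity" is exactly the kind of answer that fails at recovery time.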


E-Z Pass Maryland training customers to visit random sites?

<Mike Porter <mike@udel.edu>>
Thu, 24 Jul 2008 10:41:19 -0400 (EDT)

... and type in a PIN?

My EZ-Pass Maryland statements come to me as follows.  The From: field does
not even make an attempt to represent EZ-Pass Maryland, and the headers do
not either.  I spoke with the EZ-Pass Maryland help desk and they suggested
the message was likely a phishing message.

However, phone calls to the sender led to an IT person who claimed they did
in fact handle statements for EZ-Pass Maryland.  Eventually, I did type in
my PIN and a valid statement was produced.

Email to EZ-Pass Maryland asking for further clarification has been ignored.
I still do not know for sure if this message is valid, but the PIN I use for
this site is unique.  I also receive these each month and do not receive
anything else from EZ-Pass Maryland.

  ---------- Forwarded message ----------
  Return-Path: <ezbounce@isecurus.com>
  Received: from md1.nss.udel.edu (md1.nss.udel.edu [128.175.1.11]) ...
  Received: from isecurus.com ([198.190.195.76])
  Date: Wed, 16 Jul 2008 12:44:25 -0400
  From: E-ZPass Customer Service<ezpass@isecurus.com>
  To: <me>
  Subject: E-ZPass Statement
  Reply-To: ezpass@isecurus.com
  ...

  Your statement will be available for 30 days from the date of this
  e-mail. If you will need to access your statement beyond the 30 day period
  or wish to save your statement, please access the link below. ...
  https://ezpassstatements.gdocs.com/EZPassMtg/EZPass.cfm?p_no=#############
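
The check the help desk should have been able to run, as an added example (not EZ-Pass Maryland's or the University of Delaware's code): every domain the message asks the recipient to trust, in the envelope sender, the From and Reply-To headers, the relaying host and the statement link, is compared against the domain the operator is expected to use. The message below is reconstructed from the headers quoted in the post, with the recipient and statement number replaced; `ezpassmd.com` as the operator's expected domain is an assumption the post does not state.

```python
"""Sender/link domain audit for a statement e-mail (added example)."""
import email
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the headers quoted in the post; the
# recipient, relay host and statement number are placeholders.
SAMPLE = b"""Return-Path: <ezbounce@isecurus.com>
Received: from isecurus.com ([198.190.195.76]) by mail.example.org
Date: Wed, 16 Jul 2008 12:44:25 -0400
From: E-ZPass Customer Service <ezpass@isecurus.com>
To: customer@example.org
Subject: E-ZPass Statement
Reply-To: ezpass@isecurus.com

Your statement will be available for 30 days from the date of this
e-mail. If you will need to access your statement beyond the 30 day period
or wish to save your statement, please access the link below.
https://ezpassstatements.gdocs.com/EZPassMtg/EZPass.cfm?p_no=000000
"""

# Assumption: the domain a customer would expect the operator to use.
EXPECTED = {"ezpassmd.com"}


def registrable(host):
    """Crude registrable-domain guess (last two labels).  Adequate for
    .com; a production check should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit(raw, expected=EXPECTED):
    """Return [(where, domain)] for every domain the message asks the
    reader to trust that is outside the expected set."""
    msg = email.message_from_bytes(raw)
    findings = []
    for header in ("From", "Reply-To", "Return-Path"):
        for value in msg.get_all(header, []):
            m = re.search(r"@([A-Za-z0-9.-]+)", value)
            if m and registrable(m.group(1)) not in expected:
                findings.append((header, registrable(m.group(1))))
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", value)
        if m and registrable(m.group(1)) not in expected:
            findings.append(("Received", registrable(m.group(1))))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in re.findall(r"""https?://[^\s<>"']+""", body):
        host = urlparse(url).hostname or ""
        if registrable(host) not in expected:
            findings.append(("link", registrable(host)))
    return findings
```

Run against the sample, every trust point lands on a third party (isecurus.com for the mail, gdocs.com for the statement) and none on the operator, which is precisely the pattern a phishing filter is built to flag. A subcontractor who does send on the operator's behalf can still pass this check: mail from a subdomain of the operator's domain and a statement link on the operator's own host, which is what the post's contract with its customers should require.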


Prescription Data Used To Assess Consumers (Ellen Nakashima)

<Monty Solomon <monty@roscom.com>>
Mon, 4 Aug 2008 18:56:39 -0400

Records Aid Insurers but Prompt Privacy Concerns
[Source: Ellen Nakashima, *The Washington Post*, 4 Aug 2008; A01; PGN-ed]

Health and life insurance companies have access to a powerful new tool for
evaluating whether to cover individual consumers: a health "credit report"
drawn from databases containing prescription drug records on more than 200
million Americans.  Collecting and analyzing personal health information in
commercial databases is a fledgling industry, but one poised to take off as
the nation enters the age of electronic medical records. While lawmakers
debate how best to oversee the shift to computerized records, some insurers
have already begun testing systems that tap into not only prescription drug
information, but also data about patients held by clinical and pathological
laboratories.

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/03/AR2008080302077.html


Re: What's in a name? (Houppermans, RISKS-25.24)

<"Dag-Erling Smørgrav" <des@des.no>>
Fri, 25 Jul 2008 14:33:25 +0200

Peter Houppermans <peter@houppermans.com> writes:
> [...] Over the years I even had an official suggesting I should change
> my name or at least the sequence.  So the idea is that I change my
> name to suit what is a clear lack of flexibility in official systems.

There was a news report a few years ago of a Norwegian company that decided
to drag its blue-collar employees kicking and screaming into the 21st
century by giving them all free Internet access and email accounts.  The IT
department arrived at a strict email account naming policy, following the
usual firstname.surname@example.com pattern.

You can see it coming a mile away: the company happened to have two
employees with the exact same name.  The IT department refused to make an
exception, citing technical limitations.  Their proposed solution was that
one of the pair should have his name legally changed to accommodate their
policy.

You can't make this up, folks.

Dag-Erling Smørgrav - des@des.no


Re: UPS ... indistinguishable from phishing (Kamens, RISKS-25.23)

<"G.M.Sigut" <sigut@id.ethz.ch>>
Tue, 29 Jul 2008 10:30:59 +0200

> In this day and age, it is amazing to see a corporation as large as UPS
> failing to use the two easiest and most well-known methods of
> differentiating legitimate e-mail from scams — put the customer's name in
> the e-mail, and make sure that all the links point directly at your site.

In this day and age you can see the most amazing array of entities, which
you would expect to behave professionally, using subcontractors, so that
various links or mail addresses have names different from what you would
expect. It is part of the same mindset that forces you to leave JavaScript
enabled if you want to be able to use your browser for more than the very
few responsible web sites.

George M. Sigut, ETH Zurich, Informatikdienste (Swiss Federal Institute of
Technology Zurich, IT Services, System Services), CH-8092 Zurich
+41 44 632 5763


Re: Fascinating phishing attack: valid links, dangerous ... number

<Al Macintyre <macwheel99@wowway.com>>
Mon, 04 Aug 2008 11:22:06 -0500

If you were a member of KNUJON (no junk backwards) and had passed this on to
them, they would likely have passed the info on to the US Secret Service, or
the equivalent organization if some other nation were involved, because they
protect the nation's currency.

Knujon wants your spam, to use in the fight against those that generate it
and provide the criminal infrastructure, such as crooked web sites and
phone numbers for crooks.  They have put approx. 60,000 cyber criminals out
of business since March 2005.  I suggest you familiarize yourself with KNUJON
services in fighting cyber crime.  http://www.knujon.com/


Re: Apple Fails to Patch Critical Exploited DNS Flaw (RISKS-25.25)

<Robin Stevens <rejs@cynic.org.uk>>
Tue, 5 Aug 2008 18:49:27 +0100

I too was unimpressed by Apple's slow response to Kaminsky's DNS flaw (which
appears to be inadequate - see <http://db.tidbits.com/article/9721>).
Unfortunately it's far from the only flaw they've been slow to correct.

Their latest version of the operating system (OS X 10.5) still ships with a
root hints file dating from 2002.  This hints file is the one used to
"bootstrap" the whole process of DNS resolution, by listing the IP addresses
of the thirteen top-level servers.  Unfortunately, since 2002, two of the IP
addresses have changed.  This isn't generally a problem; if the first
address tried fails to respond, then a nameserver will simply try another.

But what if, instead of getting no response from an obsolete root server
address, a malicious response is received from a third party?  This isn't
purely scare-mongering.  Hijacking of an old address has already been seen,
e.g.:
<http://www.renesys.com/blog/2008/05/identity_theft_hits_the_root_n_1.shtml>
following the most recent address change.  There's no reason to suspect any
malicious intent in this case, but it could have happened.

I reported to Apple in early 2006 that their root hints file was out of
date.  They responded, telling me they were already aware of this.  OS X
10.5 shipped last year, with the same outdated hints file.  It's *still*
unfixed - why?

Robin Stevens  <rejs@cynic.org.uk> http://www.cynic.org.uk/
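
The check the post implies, as an added example (not Apple's or ISC's code): parse a shipped named.root-style hints file and a current one, report which servers' glue addresses changed, and list the stale addresses that a resolver would still try and that a third party could answer for. The two excerpts are constructed for the example; the B and L addresses are recalled as the ones that changed between the 2002 and 2008 files and should be checked against the current named.root from InterNIC before being relied on.

```python
"""Root hints comparison (added example; not Apple's or ISC's code)."""

# Constructed excerpts.  A is unchanged; B and L are the recalled old and
# new addresses for the two servers that changed between 2002 and 2008.
# Verify against the current named.root before relying on these values.
HINTS_2002 = """\
; excerpt, constructed for the example
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
"""

HINTS_2008 = """\
; excerpt, constructed for the example
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
"""


def parse_hints(text):
    """Return (server names from NS records, {name: set of A/AAAA addresses}).
    Handles the zone-file layout of named.root, with or without an IN class
    column, and ignores ';' comments."""
    servers, addrs = set(), {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue
        name, rtype, rdata = fields[0].upper(), fields[-2].upper(), fields[-1]
        if rtype == "NS":
            servers.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(name, set()).add(rdata)
    return servers, addrs


def diff_hints(old, new):
    """Per-server address changes, plus servers in the new file with no glue."""
    s_old, a_old = parse_hints(old)
    s_new, a_new = parse_hints(new)
    report = {"changed": {}, "missing_glue": sorted(s_new - set(a_new))}
    for name in sorted(s_old | s_new):
        before, after = a_old.get(name, set()), a_new.get(name, set())
        if before != after:
            report["changed"][name] = (sorted(before), sorted(after))
    return report


def stale_addresses(old, new):
    """Addresses the old file still points at that no root server uses now:
    the ones a resolver shipping the old file will query, and that whoever
    announces that prefix can answer."""
    _, a_old = parse_hints(old)
    _, a_new = parse_hints(new)
    current = {a for addrs in a_new.values() for a in addrs}
    return {a for addrs in a_old.values() for a in addrs} - current
```

The live cross-check is `dig . NS @a.root-servers.net`, whose additional section carries the current glue; feed its addresses to `diff_hints` as the "new" side and any shipped file as the "old" side. A resolver that also primes itself at startup (querying the root for `. NS` and using the answer in preference to the file) limits the damage from a stale file to the first query, which is the mitigation the post's "try another" observation relies on, but only if that first query is not answered by whoever holds the stale address.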


Re: Another GPS error story (Spafford, RISKS-25.25)

<Dr J R Stockton <jrs@merlyn.demon.co.uk>>
Mon, 4 Aug 2008 17:33:53 +0100

>Sat-nav driver's 1600-mile error: A DOZY trucker driving from Turkey to
>Coral Road in Gibraltar ended up at Skegness.  Gibraltar is considered part
>of the UK by the Sat-Nav systems.

That omits an important point — the driver was in fact directed to
*Gibraltar Point*, which is on the outskirts of Skegness in Lincolnshire
(see Wikipedia, etc.).

Iberian Gibraltar is British, but is not part of the UK.

  [Also noted by Tony Ford.  PGN]


Survey: Perception of security in online environments

<Gene Spafford <spaf@cerias.purdue.edu>>
Sun, 3 Aug 2008 20:12:52 -0400

Please participate, and please pass the invitation along to others...

From: Johannes Strobel [mailto:johannes.strobel@gmail.com]
Survey: Security Incidents and perception of security in online environments

Invitation to Participate in Survey

As a team consisting of members of the Center for Education and Research in
Information and Security (CERIAS) and Educational Technology at Purdue
University, we are conducting a study investigating information security
incidents and perception of security in online environments (games and
virtual worlds), especially when it comes to educational institutions.

We developed a survey and invite you to participate.

Your identity will be kept confidential and not published or disclosed.
Your participation will be strictly voluntary and you will be free to
withdraw from participation at any time. It is entirely up to you, if you
want to be contacted for some follow up questions. In all likelihood, unless
you write extensive responses to the open-ended questions (which we would
encourage), the survey should take about 15 minutes. It will be online until
late August.

The url for the survey is:
http://www.surveymonkey.com/s.aspx?sm=3D_2fKEhOBQUA5MxHCc7g7F_2fPA_3d_3d

If you have any questions please email us.

Thank you in advance.

Johannes Strobel & Fariborz Farahmand


REVIEW: "The Innocent Man", John Grisham

<Rob Slade <rmslade@shaw.ca>>
Mon, 28 Jul 2008 14:33:17 -0800

BKINCTMN.RVW   20080715

"The Innocent Man", John Grisham, 2006, 0-385-51723-8, U$28.95/C$35.95
%A   John Grisham www.jgrisham.com
%C   666 Fifth Ave., New York, NY   10103
%D   2006
%G   0-385-51723-8
%I   Bantam Books/Doubleday/Dell
%O   U$28.95/C$35.95 800-323-9872 www.bdd.com www.doubleday.com
%O  http://www.amazon.com/exec/obidos/ASIN/0385517238/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0385517238/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0385517238/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   360 p.
%T   "The Innocent Man: murder and injustice in a small town"

In seminars dealing with forensics and investigation, I stress to my
students that it is important to be scrupulous, unprejudiced, and honest in
your investigation.  This is not only to give the suspect a "fair chance,"
but also because when you become fixated on proving the guilt of an
individual, you may fail to determine the identity of the person who
actually committed the crime.

"The Innocent Man" is the story of the improper conviction of Ron Williamson
for murder, as well as the interrelated stories of other improper
convictions around the same time and place.

John Grisham's popular novels have demonstrated his ability to write.  They
have also established his knowledge of the law and competence in research.
This, the author's first non-fiction text, puts that expertise to good work.
The ground is covered thoroughly, noting limitations on the part of all
involved.  Grisham is, in fact, very careful to be fair, and avoids
imputations of motive (which is rather at odds with the descriptions of
motivation he must make in his fictional works).  United States case law in
regard to investigations, confessions, and aspects of forensic evidence and
presentation is introduced carefully at every point.

There are, of course, a great many books written about specific crimes and
their outcomes.  A number have been written about wrongful convictions.
However, "The Innocent Man" is particularly relevant to those interested in
the management of investigations, especially where forensic, rather than
direct, evidence plays a major part in the case.  In one sense, it is an
excellent primer on how not to conduct an investigation.

The justice system is created and staffed by people, and people make
mistakes.  This is why structures have been created to catch possible
errors.  The adversarial system itself, and the various appeals processes, are
intended to act as audits, checks, and balances for the system.  It is,
therefore, critical to note one other disturbing point that arises from the
events in the book.  There are numerous layers of appeals, but a consistency
of personnel and direction between the various offices.  As any student of
internal controls knows, weak separation of duties creates the possibility
of all kinds of problems.

This book is entertaining, readable, distressing, and important.

copyright Robert M. Slade, 2008   BKINCTMN.RVW   20080715
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
