The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 29

Tuesday 19 August 2008

Contents

Olympics Windows crash
PGN
Translate of device mech auto-reproduce
Rob Slade
Electronic voting and antivirus software
jared
Officials Say Flaws at Polls Will Remain in November
Ian Urbina via PGN
Glitch let hundreds get free transit rail tickets
William Neuman via PGN
Big trouble with Germany's New Unified Tax Identification Codes
Ralf Fritzsch
Online Consumers at Risk and the Role of State Attorneys General
CAP/CDT item via Monty Solomon
11 charged with massive ID theft
Monty Solomon
Re: Firefox 3's Step Backwards For Self-Signed Certificates
Michael Barrett
Re: 'Fakeproof' microchipped British e-passport
Hamish Marson
Billion dollar IT failure at Census Bureau
Michael Lewchuk
Attempt to muzzle MIT subway research backfires
B.K. DeLong
My date and place of birth are public
jidanni
Re: How reliable is DNA ...?
Geoff Kuenning
Rob Searle
Brian Hayes
Bob Buxton
Info on RISKS (comp.risks)

Olympics Windows crash

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 12 Aug 2008 16:26:50 PDT

This is rather amusing, but not particularly surprising: A Windows
XP/Vista-style Blue Screen of Death projected onto an overhead display at
the opening ceremonies to the 2008 Olympics in Beijing, courtesy of River
Cool Forums.
  http://macenstein.com/default/archives/1562


Translate of device mech auto-reproduce

<Rob Slade <rMslade@shaw.ca>>
Sun, 17 Aug 2008 14:35:23 -0800

Given the number of times RISKS has noted problems with automatic
correction and translation systems, I thought you'd find this cute:

  http://adweek.blogs.com/adfreak/2008/07/then-well-grab.html

  [The sign says something in Chinese that would correctly translate to
  "... Restaurant".  The supposed translation that appears on the sign says
  "Translate server error."  The humorous caption on the photo is "Then
  we'll grab a bite at 404 Not Found."  PGN-ed]

rslade@vcn.bc.ca     slade@victoria.tc.ca     victoria.tc.ca/techrev/rms.htm
rslade@computercrime.org  blogs.securiteam.com/index.php/archives/author/p1/


Electronic voting and antivirus software

<jared <jared@netspace.net.au>>
Sat, 16 Aug 2008 14:21:25 -0600

From an Ohio (USA) Secretary of State press release 
www.sos.state.oh.us/PressReleases/2008%20Press%20Releases/2008-0806.aspx

"These malfunctions resulted in dropped votes when memory cards were
uploaded to the server."

"The office is also continuing to test Premier's undocumented contention
that the sharing violation is because of virus protection software that had
been certified by the Board of Voting Machine Examiners as part of the
Premier system at the time it was introduced in Ohio."

The xkcd web comic has a summary: http://xkcd.com/463/

  [I find the contention that failures of a voting machine could be
  attributed to interactions with anti-virus software to be really
  outrageous.  Premier (formerly Diebold) has developed an inherently
  untrustworthy application on top of an inadequately trustworthy and
  relatively huge operating system, such that anyone with access could
  compromise the application software or merely accidentally disrupt
  elections.  Blaming the anti-virus software (which exists primarily
  because of the weaknesses of the operating system) seems totally fatuous.
  There should be no need for anti-virus software in a well-designed voting
  system.  PGN]


Officials Say Flaws at Polls Will Remain in November

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 18 Aug 2008 17:30:42 PDT

Election Assistance Commission officials say they will not be able to
certify that flawed machines are actually repaired in time for the November
election -- because of the backlog at testing labs.  [Source: Ian Urbina,
*The New York Times*, 16 Aug 2008; PGNed]


Glitch let hundreds get free transit rail tickets

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 18 Aug 2008 17:27:51 PDT

Apparently due to a programming error, ticket vending machines on the Long
Island Railroad and Metro-North Railroad have been giving out free tickets
whenever debit cards with inadequate balances were used, since 2001.  The
problem was discovered only recently, when an audit by the LIRR showed 990
such transactions.  Although many people have gotten free travel without
even realizing it, three people have been charged with acquiring about
$800,000 worth of tickets -- which they then sold.  [Source: William Neuman,
*The New York Times* 13 Aug 2008; PGN-ed]

  [I read the article over breakfast.  George Mannes noted it online.
  http://www.nytimes.com/2008/08/13/nyregion/13scam.html?ref=nyregion
  PGN]


Big trouble with Germany's New Unified Tax Identification Codes

<"Fritzsch, Ralf" <Ralf.Fritzsch@baw.de>>
Thu, 14 Aug 2008 11:28:41 +0200

As a reader of the comp.risks digest for at least 13 years, I can now for the
first time contribute a nice story that happened in my home town, Stade,
Lower Saxony, 35 miles west of Hamburg.

Since the beginning of August 2008, the "Bundeszentralamt für Steuern"
(Federal Central Tax Office) has been sending out letters to all 82 million
inhabitants of Germany, from newborns to old men, with information regarding
their new Tax Identification Code: mathematically speaking, an eleven-digit
hash value dereferencing information like title, surname, given names, birth
name, sex, address, birthday, place of birth, and country of birth.

Whereas in other places there were no or only minor problems, in Stade nearly
100% of the information for the roughly 46,000 inhabitants contained errors
in birth name and country of birth. E.g., in my own family (14-year-old boy,
11-year-old girl, my wife, and me, all native German-born Germans) three of
us have "Kazakhstan" as country of birth, my daughter has "Italy", and all
but my wife have false, entirely fictitious birth names. The registration
office of Stade is overwhelmed with complaints, and no one has yet found out
where the errors come from. As a Stade official said, the raw data of the
registration office are correct, and the transport of the data to the
Federal Central Tax Office was not done via the Internet; instead a CD
containing the data was sent (see (1)). Until now, nobody from the Federal
Central Tax Office has phoned back to clarify the situation. They said that
1000 errors in 80 million records is not bad, either, and blamed Stade for
the error. Against this speaks the fact that Bremerhaven and two other towns
in Lower Saxony suffered from the same problem. Furthermore, a quick
consistency check of the new Tax ID numbers with tax consultants' standard
transmission protocol software showed that 70% of the IDs failed the
consistency check (see also (1)).

Until now it is unknown who or what was responsible for the mess-up. The
story made it to the tabloids (see (2)). The town of Stade recommends that
inhabitants do nothing and wait until the situation has cleared up (see
(3)).

Appendix: Cited website information, unfortunately in German :-(

(1)
http://www.heise.de/newsticker/Kommunen-melden-grobe-Fehler-bei-Ausgabe-der-neuen-Steuernummer--/meldung/114161

(2)
http://www.bild.de/BILD/hamburg/aktuell/2008/08/12/steuerdaten-chaos/behoerde-verschickt-bescheide-mit-falschen-namen.html

(3)
http://www.kreis-stade.de/default.cfm?DID=1207942

Dr. Ralf Fritzsch, Bundesanstalt fuer Wasserbau   Federal Waterways
Engineering and Research  Dienststelle Kueste  Tel. +49-40-81908-324

[Added by RF 19 Aug 2008:]
The latest news, to be found (auf deutsch) under
  http://www.stadt-stade.info/default.cfm?did=1207884

"... Fest steht bisher nur, dass offenbar bei der Datenübermittlung
vorhandene Leerfelder im Datensatz durch die EDV falsch interpretiert worden
sind.  Die technischen Gründe hierfür sind derzeit noch nicht geklärt."

That is, "It seems definite that obviously white spaces in the original
data were misinterpreted during data transfer. The technical reasons remain
until now unknown."


Online Consumers at Risk and the Role of State Attorneys General

<Monty Solomon <monty@roscom.com>>
Thu, 14 Aug 2008 23:03:10 -0400

Study: State AGs Fail to Adequately Protect Online Consumers

State attorneys general received thousands of complaints about online fraud
and abuse in 2006 and 2007.  Yet, with the exception of several notable
standouts, few states brought significant cases in response to those
complaints, according to a report released today from the Center for
American Progress and the Center for Democracy and Technology.  The study
finds online fraud and abuse aren't given a high priority by most attorneys
general. The report recommends several steps state attorneys general can
take to protect online consumers, such as: assess the applicability and
adequacy of state laws; develop computer forensic capabilities; train
investigators and prosecutors to identify Internet fraud; and devote greater
resources to enforcement efforts.

Online Consumers at Risk and the Role of State Attorneys General
By Reece Rushing, Ari Schwartz, Alissa Cooper | August 12, 2008
Center for American Progress, Center for Democracy and Technology

http://www.americanprogress.org/issues/2008/08/online_consumers_report.html
http://www.americanprogress.org/issues/2008/07/pdf/consumer_protection.pdf
http://cdt.org/press/20080812press.php
http://www.cdt.org/privacy/20080812_ag_consumer_risk.pdf


11 charged with massive ID theft (Re: RISKS-25.26)

<Monty Solomon <monty@roscom.com>>
Thu, 14 Aug 2008 20:27:27 -0400

A ring of people spread across the globe hacked into nine major US companies
and stole and sold more than 41 million credit and debit card numbers from
2003 to 2008, costing the companies and individuals hundreds of millions of
dollars, federal law enforcement officials said yesterday.  "So far as we
know, this is the single largest and most complex identity theft case ever
charged in this country," US Attorney General Michael Mukasey said at a news
conference at the John Joseph Moakley US Courthouse in Boston.

A grand jury indictment released yesterday charged that Albert "Segvec"
Gonzalez of Miami and his 10 conspirators (one from Estonia, three from
Ukraine, two from China, one from Belarus, and one of unknown origin)
cruised around with a laptop computer, tapped into accessible wireless
networks, and allegedly concealed the data in encrypted computer servers they
controlled.  They then hacked into the networks of TJX, BJ's Wholesale Club,
OfficeMax, Boston Market, Barnes & Noble, Dave & Buster's, Sports Authority,
Forever 21, and DSW. After gaining access to the systems, they installed
programs that captured card numbers, passwords, and account information,
officials said.  [Source: David Abel and Jenn Abelson, *The Boston Globe*, 6
Aug 2008; PGN-ed]

http://www.boston.com/business/articles/2008/08/06/11_charged_with_massive_id_theft/


Re: Firefox 3's Step Backwards For Self-Signed Certificates (R 25 23)

<"Barrett, Michael" <mbarrett@paypal.com>>
Wed, 13 Aug 2008 06:14:44 -0700

I read a rather worrying criticism of Firefox 3.0 on RISKS the other day,
which made me realize that perhaps there isn't a common agreement amongst
the infosec industry about the threatscape and how we should prioritize our
response to them. Specifically, the complaint against Firefox 3.0 is that
the user experience has been deliberately crafted to make it hard to accept
self-signed certificates. The argument is that there are times when simply
establishing an encrypted tunnel (i.e. an SSL session) is all that's needed.

I certainly wouldn't argue that encryption is unnecessary, just that the
threat has changed.  While our old "friend" Mallory isn't particularly busy
these days, it's pretty clear that he'd be having a field day if he could
easily penetrate communications across the Internet. The attacker however is
no longer limited to passive eavesdropping. Modern attacks use active DNS
spoofing, active MITM attacks and the like, on public networks.  The main
threats these days are against the weakest link in the chain - the end
user. That's why phishing is such a popular method of e-crime - it's simple
and it works. It relies completely on the gullibility of users in clicking
on links in e-mails apparently from organizations with whom they have a
relationship.

However, it's equally clear that almost everyone who wants to communicate
securely using a browser can afford an SSL certificate from CAs such as
GoDaddy, Thawte, etc. The cost of single certificates from these sources can
only be described as nominal.

My company is a major target of phishing, and as such we've spent quite a
bit of time researching what anti-phishing approaches work. We published a
whitepaper on this topic (which can be found on the company blog at
www.thepaypalblog.com), which explains this in detail. However, a couple of
relevant conclusions are that: 1) the vast majority of users simply want to
be protected, 2) there's no single "silver bullet", and 3) that what we
describe as "safer browsers" such as IE 7, and Firefox 3.0 are a significant
part of the solution based on their improvements in user visible security
indicators and secure-by-default behaviors.

I conflated two or three separate ideas in that last sentence, and I should
explain them. The general logic is that most users should never be presented
with a security dialog that gives them a choice - if they are, there's
typically at least a 50:50 chance that the wrong decision will be
made. Instead, the browser should make the decision for them.  However, in
the case of self-signed certificates it's almost impossible to see how any
technology can disambiguate between legitimate uses and criminal ones.

When viewed through this lens, the changes to the Firefox user experience
for self-signed certificates makes perfect sense. It's not that self-signed
certificates are impossible to use - but for most users, the experience will
be such that they won't accept them. In the unsafe world in which we live,
that will be the right choice. For organizations which wish to use
self-signed certs internally, it is still technically possible - but it will
require either explicit user training, or deployment of pre-installed
certificates on PCs.

I should also add that the major security features which have been added
into the most recent browser versions (and which we believe are necessary in
order to be considered 'safer') are exactly those which impact this
area. That is: support for Extended Validation certificates, which make it
clear to end users whose web site they're on; and support for spoof-site
black lists, so that users can't easily reach spoof-sites.

While I'm personally a great supporter of RISKS, I think it's important that
the Infosec industry speaks with good consensus about risks. In this case, I
believe that the criticism of Firefox 3.0 was simply misguided and
ill-informed. This is not helpful.

This post is also at: http://www.thesecuritypractice.com/


Re: 'Fakeproof' microchipped British e-passport (Poulsen, R-25.28)

<Hamish Marson <hamish@travellingkiwi.com>>
Wed, 13 Aug 2008 12:07:10 +0100

> I know that I am not so smart that I have figured out something that all the
> experts have overlooked, so I must be missing something critical. What have
> I overlooked?

Let's see... After a quick think you've missed...

1. Authentication... How does the issuing agency authenticate the border
agent requesting the information? Passwords? Secure Certs? One time tokens?
Each have their own down sides...

2. Assuming someone solves the problem of how to get all the border agencies
to agree on a method of authentication, how do you keep it secure? Passwords
get written down... The issuing agency has no control over the remote access
devices so can't guarantee the security of any client certs...

3. Comms... Long time readers will be well aware of the risks of depending
on long comms links to be up at inopportune times.

4. How much info would be required? I think this would bring in various
privacy laws... Witness the debacle between the EU and the U.S. over
passenger data...

5. What's to stop a border agency from just browsing someone else's database
by just brute forcing all those passport IDs? Again, what faith can we have
that the IDs used won't be easily guessable...

And a myriad of others... Basically they boil down to Connectivity,
Authentication of border agents and privacy... Count me out.


Billion dollar IT failure at Census Bureau (Re: RISKS-25.12,13)

<"Michael Lewchuk" <michael.lewchuk@matrikon.com>>
Wed, 13 Aug 2008 10:03:50 -0600

I do have a few comments about this one:

* The handhelds should be simple and cheap.  They should be able to
download their information to a computer via a common interface (e.g.
wireless).  How long they survive is dependent upon use and care.  If using
10 year old computers seems strange to you, I know of many production plants
that are still using 30 year old hardware.  The key factor is whether it
does what needs doing.  If a device is damaged, it may be replaced with a
new device (that is, in 12 years the Census Bureau may have another one
designed, presumably for a lot less, and enough replacements built to last
another 3 censuses).

* I fail to see how anyone could spend $11B on such things.  I mean, that's,
what, $300 per capita?  Engineering a small device should be in the single
digit millions of dollars, shouldn't it (anyone know how much the Blackberry
cost to design)?  The device should use standard tech and interface easily
with PCs.  It should be cheap.  Let's say $100 each for 1 million census
workers = $100M.  Where do they get $11B from?!

* If there is significant waste and mismanagement, perhaps someone should
consider decapitating the Census Bureau: a simple revocation of all posts
pending review.

* One thing I would note is that there should be a law requiring executives
of public companies and their subsidiaries to be bondable.  That is, in
order to work as an executive for a company that is publicly held, or one in
which the majority of the ownership is public, you must be trustable.

* Ever notice how managers spend so much time trying to find ways to measure
and improve output while there really is no solid criteria by which
management itself can be measured?  That is, why is executive X paid $8M/yr
rather than $5M/yr or $2M/yr?  Is said executive really more effective than
having the business managed by a potted plant?  If so, by how much?  Note:
end profit and/or share price, by which a lot of managers are measured, is
too dependent upon market fluctuations and simple year-to-year sales.  I'm
sure that if we replaced the executive of any conglomerate by potted plants
that the company would still continue to run for decades due to sheer
inertia.

Michael J. Lewchuk, Software Engineer (M.Sc., M.Eng. P.Eng.(Alberta Canada))
MatrikonOPC Technical Lead, Software Development 1-780-448-1010 x.4512


Attempt to muzzle MIT subway research backfires (Re: RISKS-25.28)

<"B.K. DeLong" <bkdelong@pobox.com>>
August 12, 2008 5:41:50 PM EDT

  [From Dave Farber's IP distribution.]

Year after year, I am incredibly surprised at the amount and types of
companies and organizations that have a knee-jerk reaction to a
vulnerability or security hole being presented at either the Black Hat or
DEFCON security events. Do PR professionals, crisis response managers, or
corporate image specialists do their homework? Why isn't there an industry
case study that says the fastest way to HELP a vulnerability in your
software or product get absolute full and fast disclosure before you have
time to fix it, is to try and stop it being discussed at one of these two
events?

In the MBTA's case, they hit the absolute pinnacle by filing a lawsuit in
Federal court setting off a trigger to both the cadre of journalists,
security researchers, civil libertarian activists, and hackers to begin
doing everything in their power to make sure the story gets heard and (in
some of their minds), the vulnerability gets exposed.

The Public Relations Society of America should send out a brief every year
in mid-July to remind them of the forthcoming security conferences and how
extremely public attempts to quash research that may appear to be harmful to
an organization's image will backfire horribly. In some cases, even quiet
attempts to stop it could be detrimental as well.

It should serve to all companies and organizations across the country (and
world) that maybe in the long run cooperation with these researchers very
early on (or at least as soon as the talks are announced every year) is the
best way to ensure proper lead time to put together patches while allowing
for full disclosure of the vulnerabilities that may affect a product's
userbase.

Why does no one seem to be getting the hint until after it happens to them?


My date and place of birth are public

<jidanni@jidanni.org>
Thu, 14 Aug 2008 04:01:44 +0800

Like everybody else, I was determined to keep my date and place of
birth a secret to prevent identity theft -- until one day I discovered
someone had written a Wikipedia entry on me,
http://zh.wikipedia.org/wiki/%E7%A9%8D%E4%B8%B9%E5%B0%BC
Mom will be proud! -- but only if I untwisted one fact first.

Everything on Wikipedia is a battle, for me at least. To establish
that I was BORN in Philadelphia, but GREW UP in Chicago, just saying
"I was there, I ought to know", is not enough. They need reliable
references. Something they can quote. I.e., it all spelled out on my
personal website, which I then did.

And of course all proper famous people have a date of birth listed
(which I dare not cheat on as you never know what database they'll be
using at Heaven's Gate on Judgment Day :-)

By the way, one's Taiwan temporary Tax ID is date of birth + first two
letters of surname: 19601216JA. Good thing I don't have a twin.

So I'm now "living in a glass house". Well, plastic:
http://jidanni.org/me/home/images/


Re: How reliable is DNA ...? (Schaefer, RISKS-25.27)

<Geoff Kuenning <geoff@cs.hmc.edu>>
Wed, 13 Aug 2008 01:50:09 -0700

Actually, there's a third question that can be asked: if you randomly choose
a particular person at your party, what is the probability that that person
shares your birthday?  Obviously, it's one in 365.25, or about 0.3%, and the
probability is independent of the number of people at the party.

The problem is that during criminal investigations, investigators can ask
either question 2 or question 3, but evidence presented to the jury quite
consistently gives the probabilities from question 3, and in a number of
cases judges have prevented defense attorneys from pointing out that the
wrong calculation has been used.

(Question 3 gets asked when the police have identified a suspect through
other means, and the DNA match is used to confirm or reject the hypothesis.
Question 2 gets asked when there is no suspect, and a statewide DNA database
is searched.  If you have a big enough database--and some states do--you're
almost guaranteed to get a hit.)

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


Re: How reliable is DNA ...? Schafer RISKS 25.28

<rob searle <robert.searle@tait.co.nz>>
Thu, 14 Aug 2008 11:09:31 +1200

I mostly agree with this interpretation but the asterisk note at the end is
more a hope than a truth.  In a number of investigations an entire community is
asked to provide DNA "to exclude them" and there is also a lot of "nothing
to hide, nothing to fear" innuendo. The DNA evidence in such cases is
tainted with the birthday paradox, family relationships (and in many
communities secret relationships).

An alternative view, from Medical research, is that a multi-variate study
needs to adjust its correlation significance threshold downward to take
account of the number of variables.  For example, the significance of
finding a correlation between behaviour A and disease D in a study of the
available evidence is much stronger than that of finding a correlation
between one of A, B, C, and one of the diseases D, E, F.


Re: How reliable is DNA ...? (Michael Black, Steve Schafer)

<Brian Hayes <brian@bit-player.org>>
Wed, 13 Aug 2008 23:20:28 -0400

Michael Black's analysis of DNA forensics likens a genetic fingerprint to a
binary numeral of nine to thirteen digits. In effect, Black assumes that
each genetic locus has just two possible forms, or alleles, which occur with
equal probability. In fact, the markers commonly used in DNA forensics have
dozens of alleles. Thus the number of possible 13-locus matches is not 2^13
but N^13 where N has a value somewhere in the neighborhood of 10 or 15 or
even 25. The number is reduced somewhat (and the calculation is made more
complicated) by the fact that not all the alleles are equally likely, but
the number of variants is well above 8,192.

There's a good explanation of all this in a 1992 report from the National
Research Council, The Evaluation of Forensic DNA Evidence (see especially
pp. 14-15). The report is available on Google Books at

  http://books.google.com/books?id=SnHYMZXAkQEC

There's plenty of reason to be skeptical of overwrought claims that DNA
never lies, but the numerical counter-evidence isn't quite as stark as Black
suggests.


Re: How reliable is DNA ...? (Schaefer, RISKS-25.28)

<Bob Buxton <bob_buxton@uk.ibm.com>>
Thu, 14 Aug 2008 12:19:41 +0100

Steve's analogy to the Birthday Problem/Paradox can be extended further in
considering the DNA question.

The birthday problem probabilities contain a number of assumptions:
-  We know the number of days in the year
-  Births are evenly distributed across the year
-  Party invites are random

If we find at my party there are lots of people with a common birthday or more
than two with my birthday we have to ask whether:
- This is perfectly normal and likely event based on the probabilities
- It is a rare, but still normal 'fluke'
- The interpretation of the probabilities was incorrect.
- The calculation of the probabilities was incorrect
- There is a flaw in the underlying assumptions.

I am neither a genetics nor a statistical expert but it seems that Troyer found
a result that didn't match the expected results for the first part of the
birthday problem.  You can't tell much from a single sample but if you get
similar results from multiple samples you have a better basis for
questioning the underlying assumptions and by modifying them provide a far
better estimate of the true probability of an actual genetic match from a
profile.  With DNA I am not even sure we are confident with knowing the
number of days in a year.

It seems to me that the FBI in their attempts to prevent lawyers
using/misusing statistical data to induce confusion in mathematically naive
juries by casting doubt on Troyer's work and blocking attempts to conduct
further analysis are actually preventing legitimate research which could
ultimately provide a proper basis for the uniqueness statistics.
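A worked example, added here and not part of any of the posts above, that carries the birthday-problem analogy through in code: the three birthday questions Kuenning distinguishes, the product-rule random match probability behind Hayes' N^13 count (with constructed allele frequencies, not real population data), and the chance of an innocent hit when one profile is run against a database of n people, which is the case Buxton's "fluke or flawed assumption" question is about.

```python
"""Birthday-problem and DNA-database probabilities.

Added worked example; none of this code comes from the RISKS posts.
Allele frequencies below are constructed for illustration only.
"""

DAYS_IN_YEAR = 365.25  # value Kuenning uses for the per-person case


def p_particular_person_matches(days=DAYS_IN_YEAR):
    """Kuenning's question 3: a *named* person shares your birthday.
    Independent of party size. Forensic analogue: a suspect found by
    other means is then compared against the crime-scene profile."""
    return 1.0 / days


def p_someone_matches_you(n_people, days=DAYS_IN_YEAR):
    """Kuenning's question 2: at least one of n *other* people shares your
    birthday. Forensic analogue: one crime-scene profile is run against a
    database of n_people with no prior suspect."""
    return 1.0 - (1.0 - 1.0 / days) ** n_people


def p_any_pair_matches(n_people, days=365):
    """Classic birthday paradox: some pair among n people shares a birthday.
    Forensic analogue: an all-pairs comparison inside a database."""
    if n_people > days:
        return 1.0
    all_distinct = 1.0
    for k in range(n_people):
        all_distinct *= (days - k) / days
    return 1.0 - all_distinct


def genotype_probability(allele_freqs, genotype):
    """One locus under Hardy-Weinberg equilibrium: p^2 for a homozygote,
    2pq for a heterozygote (standard forensic product-rule input)."""
    a, b = genotype
    pa, pb = allele_freqs[a], allele_freqs[b]
    return pa * pa if a == b else 2.0 * pa * pb


def random_match_probability(loci, profile):
    """Product rule across independent loci: chance that a random unrelated
    person carries exactly this profile. With N equally common alleles each
    locus contributes roughly 1/N^2, which is why Hayes counts N^13
    possibilities rather than 2^13."""
    rmp = 1.0
    for freqs, genotype in zip(loci, profile):
        rmp *= genotype_probability(freqs, genotype)
    return rmp


def p_at_least_one_database_hit(rmp, db_size):
    """Same shape as question 2: a fixed profile against db_size strangers."""
    return 1.0 - (1.0 - rmp) ** db_size


def expected_innocent_hits(rmp, db_size):
    return rmp * db_size


# Constructed example: 13 loci, 10 alleles each, allele "A0" common (0.28)
# and the rest at 0.08; the profile is heterozygous A0/A1 at every locus.
EXAMPLE_LOCI = [
    {f"A{i}": (0.28 if i == 0 else 0.08) for i in range(10)} for _ in range(13)
]
EXAMPLE_PROFILE = [("A0", "A1")] * 13


if __name__ == "__main__":
    print("P(named person shares birthday) =", p_particular_person_matches())
    print("P(one of 253 shares yours)      =", p_someone_matches_you(253))
    print("P(any pair of 23 share)         =", p_any_pair_matches(23))
    rmp = random_match_probability(EXAMPLE_LOCI, EXAMPLE_PROFILE)
    print("random match probability        =", rmp)
    for db in (10_000, 1_000_000, 10_000_000):
        print(f"database of {db:>10}: expected innocent hits = "
              f"{expected_innocent_hits(rmp, db):.3g}, "
              f"P(>=1 hit) = {p_at_least_one_database_hit(rmp, db):.3g}")
```

Changing `days` or the allele frequencies shows how much the reported "one in N" figure depends on the assumptions Buxton lists, while the database loop shows the question-2 effect Kuenning describes.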
