The RISKS Digest
Volume 25 Issue 30

Thursday, 28th August 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Bruce Schneier on Airport Photo ID Checks
PGN
Flight-plan FAAilure
PGN
Aug 26 FAA flight plan fiasco
Ken Knowlton
Commuter Flights Grounded Thanks To Bumbling TSA Inspector
PGN
Computer viruses make it to orbit
Gabe Goldberg
Ohio Voting Machines Contained Programming Error That Dropped Votes
PGN
States throw out costly electronic voting machines
vim
Risks of going on Internet record
Spamcop
And here we go off the rails: "spam hunter"
Identity withheld by request
Educational "testing firm" flunks Internet Security 101
Danny Burstein
A cellphone bill roams to the stratosphere
Gabe Goldberg
Weird Clock Issue
Steven J. Greenwald
Risks of omitting off-site backups?
C.Y./J.E. Cripps
Telephone banking password /in/security
Tim Bradshaw
Boston judge tosses MIT students' gag order
Richard Forno
Re: DNA Database Searches
Hal Murray
Ken Knowlton
Re: Couple of On-Line Travel Booking Risks
Chris Drewe
Re: Germany's New Unified Tax Identification Codes
Ralf Fritzsch
Re: P2P Data Breach affects SCOTUS
Hal Murray
Info on RISKS (comp.risks)

Bruce Schneier on Airport Photo ID Checks

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 28 Aug 2008 10:00:09 PDT

Opinion

The TSA's useless photo ID rules
No-fly lists and photo IDs are supposed to help protect the flying
public from terrorists. Except that they don't work.

By Bruce Schneier

August 28, 2008
http://www.latimes.com/news/opinion/la-oe-schneier28-2008aug28,0,3099808.story

The TSA is tightening its photo ID rules at airport security.  Previously,
people with expired IDs or who claimed to have lost their IDs were subjected
to secondary screening. Then the Transportation Security Administration
realized that meant someone on the government's no-fly list — the list that
is supposed to keep our planes safe from terrorists — could just fly with
no ID.

Now, people without ID must also answer personal questions from their credit
history to ascertain their identity. The TSA will keep records of who those
ID-less people are, too, in case they're trying to probe the system.

This may seem like an improvement, except that the photo ID requirement is a
joke. Anyone on the no-fly list can easily fly whenever he wants. Even
worse, the whole concept of matching passenger names against a list of bad
guys has negligible security value.

How to fly, even if you are on the no-fly list: Buy a ticket in some
innocent person's name. At home, before your flight, check in online and
print out your boarding pass. Then, save that web page as a PDF and use
Adobe Acrobat to change the name on the boarding pass to your own. Print it
again. At the airport, use the fake boarding pass and your valid ID to get
through security. At the gate, use the real boarding pass in the fake name
to board your flight.

The problem is that it is unverified passenger names that get checked
against the no-fly list. At security checkpoints, the TSA just matches IDs
to whatever is printed on the boarding passes. The airline checks boarding
passes against tickets when people board the plane. But because no one
checks ticketed names against IDs, the security breaks down.

This vulnerability isn't new. It isn't even subtle. I first wrote about it
in 2006. I asked Kip Hawley, who runs the TSA, about it in 2007. Today, any
terrorist smart enough to Google "print your own boarding pass" can bypass
the no-fly list.

This gaping security hole would bother me more if the very idea of a no-fly
list weren't so ineffective. The system is based on the faulty notion that
the feds have this master list of terrorists, and all we have to do is keep
the people on the list off the planes.

That's just not true. The no-fly list — a list of people so dangerous they
are not allowed to fly yet so innocent we can't arrest them — and the less
dangerous "watch list" contain a combined 1 million names representing the
identities and aliases of an estimated 400,000 people. There aren't that
many terrorists out there; if there were, we would be feeling their effects.

Almost all of the people stopped by the no-fly list are false positives. It
catches innocents such as Ted Kennedy, whose name is similar to someone's on
the list, and Islam Yusuf (formerly Cat Stevens), who was on the list but no
one knew why.

The no-fly list is a Kafkaesque nightmare for the thousands of innocent
Americans who are harassed and detained every time they fly.  Put on the
list by unidentified government officials, they can't get off. They can't
challenge the TSA about their status or prove their innocence. (The U.S. 9th
Circuit Court of Appeals decided this month that no-fly passengers can sue
the FBI, but that strategy hasn't been tried yet.)

But even if these lists were complete and accurate, they wouldn't
work. Timothy McVeigh, the Unabomber, the D.C. snipers, the London subway
bombers and most of the 9/11 terrorists weren't on any list before they
committed their terrorist acts. And if a terrorist wants to know if he's on
a list, the TSA has approved a convenient, $100 service that allows him to
figure it out: the Clear program, which issues IDs to "trusted travelers" to
speed them through security lines. Just apply for a Clear card; if you get
one, you're not on the list.

In the end, the photo ID requirement is based on the myth that we can
somehow correlate identity with intent. We can't. And instead of wasting
money trying, we would be far safer as a nation if we invested in
intelligence, investigation and emergency response — security measures that
aren't based on a guess about a terrorist target or tactic.

That's the TSA: Not doing the right things. Not even doing right the things
it does.


Flight-plan FAAilure

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 26 Aug 2008 19:11:09 PDT

On 26 Aug 2008, the Atlanta Federal Aviation Administration facility had
difficulties processing data, which meant that all of its flight-plan
information had to be processed by the Salt Lake City facility — which
became overloaded.  As a result, airports experienced hours of flight delays
on Tuesday afternoon and into the evening.  A similar event occurred on 8
Jun 2007.  [Source: CNN.com item, 26 Aug 2008; PGN-ed]
http://www.cnn.com/2008/TRAVEL/08/26/faa.computer.failure/index.html


Aug 26 flight plan fiasco

<KCKnowlton@aol.com>
Wed, 27 Aug 2008 12:14:36 EDT

Apropos of the Aug 26 flight plan disaster, FAA spokeswoman Diane Spitaliere
said that the investigation into what caused the problem is still ongoing,
and she did not know when it would be completed. "It usually takes a while
to be quite honest," she said. (AP, 8/26/08)

Is this improper to imagine: "Traffic control to all planes in flight: We're
having problems with traffic logistics and don't know when they will be
unsnarled, to be quite honest. Please proceed to and augment the nearest
holding pattern, remain aloft, and observe VFR until further notice."

  [Unfortunate recording of what she said?  "It usually takes a while to be
  quite honest."  It should NEVER take any time to be honest.  We presume
  that what she said orally should have been transcribed as "It usually
  takes a while, to be quite honest."  But commas are seldom COMMAndeered
  orally.  PGN]


Commuter Flights Grounded Thanks To Bumbling TSA Inspector

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 20 Aug 2008 17:17:11 PDT

Total Air Temperature (TAT) probes on nine American Eagle regional jets were
damaged because "an overzealous TSA employee attempted to gain access to the
parked aircraft" by using the TAT probes as would-be handholds.  [Source:
Aero-News.Net, 20 Aug 2008; PGN-ed; see the follow-up analysis by Jim
Campbell, ANN E-I-C, who says "This was an extraordinarily dangerous
incident, folks."]

http://www.aero-news.net/index.cfm?ContentBlockID=340a79d6-839a-470d-b662-944325cea23d


Computer viruses make it to orbit

<Gabe Goldberg <gabe@gabegold.com>>
Thu, 28 Aug 2008 09:09:43 -0400

A computer virus is alive and well on the International Space Station (ISS).
NASA has confirmed that laptops carried to the ISS in July were infected
with a virus known as Gammima.AG.  The worm was first detected on Earth in
August 2007 and lurks on infected machines waiting to steal login names for
popular online games.  NASA said it was not the first time computer viruses
had traveled into space, and it was investigating how the machines were
infected.

Source: BBC NEWS, Technology
http://news.bbc.co.uk/2/hi/technology/7583805.stm


Ohio Voting Machines Contained Programming Error That Dropped Votes

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu 21 Aug 2008 14:47:12 PDT

Premier (formerly Diebold) has admitted to a software flaw in its GEMS
system used in 34 states that can cause votes to be dropped while being
transferred from memory cards to a central tallying point.  This flaw has
existed for at least 10 years, and because it is in the back-end counting
software, it affects both touch-screen and optical-scan systems.  [Source:
Mary Pat Flaherty, *The Washington Post*, 21 Aug 2008; PGN-ed]

  [Premier had previously asserted that this anomaly was the result of
  interference from the anti-virus software, which as I noted in my comment
  at the end of jared's post in RISKS-25.29, seemed totally bogus to me.]


States throw out costly electronic voting machines

<vim@duncan.cx>
Tue, 19 Aug 2008 18:03:50 -0700

The demise of touch-screen voting has produced a graveyard of expensive
corpses: Warehouses stacked with thousands of carefully wrapped voting
machines that have been shelved because of doubts about vanishing votes and
vulnerability to hackers.

What to do with this high-tech junkyard is a multimillion-dollar
question. One manufacturer offered $1 apiece to take back its ATM-like
machines. Some states are offering the devices for sale on eBay and
craigslist. Others hope to sell their inventories to Third-World countries
or salvage them for scrap.

Much money could have been saved had those bureaucrats just been subscribers
to The Risks Digest.

Full AP Story here:
http://ap.google.com/article/ALeqM5jej6XIWrQn6-gw5O5bJa1ELx78DgD92LLDO00


Risks of going on Internet record

<Spamcop <...>>
Thu, 21 Aug 2008 10:09:03 +0100

Even China can't remove the old or cached links fast enough:

 > Chinese Gold Medalist Too Young To Compete, Finds Security Consultant
 > InformationWeek Wed, 20 Aug 2008 1:42 PM PDT
 > Mike Walker's Web search turned up an official Chinese Excel
 > spreadsheet that indicates that gymnast He Kexin is only 14 years old.
http://www.informationweek.com/news/internet/policy/showArticle.jhtml?articleID=210102137&cid=RSSfeed_IWK_All

Blogging under the name Stryde Hax, Mike Walker, a principal consultant for
the security group, has posted screenshots of an Excel spreadsheet that was
removed from an official Chinese government Web site but was still available
through Baidu, China's most popular search engine. The file appears to show
that He Kexin is not old enough for Olympic competition.
http://strydehax.blogspot.com/2008/08/hack-olympics.html

Google returns about 36,700 for "He Kexin" AND "1994". (0.31 seconds)

The risk is also claiming the success of youth when it suits the PR in one
case but not the other.
http://en.wikipedia.org/wiki/He_Kexin


And here we go off the rails: "spam hunter"

<[Identity withheld by request]>
Tue, 05 Aug 2008

A large number of spam messages were sent out in the name of a well known
"spam hunter" in Switzerland, alleging he was about to commit suicide
(Article in German at <http://www.20min.ch/digital/webpage/story/19754588>).

The attack (according to the media and an interview with the person involved)
appears to bear signs of the "Russian Internet mafia", and appears to herald
a change into personal territory by the criminals involved.  This attack has
already had an effect in that the subject is reconsidering what he does for a
living.  It's not a new idea to go personal; Spamhaus in particular has
suffered its share over the years.

The ensuing discussion on a security mailing list was interesting.  It
started with a simple observation that it maybe was a drive-by attack with
infected websites, but there are some deeper implications.  I've compiled
the observations below.

  - - - first response - - -

>  AFAIK no DriveBy download, as the domains are not responding at all.

That may have more to do with actions of ISPs in the chain or there may be
irony at work - the serving DNS may have been poisoned, thus having one
evil canceling out another.

> but according to 20min.ch (article in German)
> http://www.20min.ch/digital/webpage/story/19754588
> it was, as assumed, some unhappy spammer who thought that it's funny to
> send suicide letters.

Calling it that way ignores the real issue IMHO..

> Apparently several people contacted the police to report a possible
> suicide, and they promptly went and ringed the guy out of his bed at
> his apartment.

What happened here was that the spammers got personal, and with a large
degree of success as the guy is now reconsidering what he's going to do
professionally.

Let me translate this for you:

1 - he was obviously successful in what he did or whoever did this would not
have bothered;

2 - a couple of published successes like that will ensure this becomes a
frequent event.  The good news is that the effect will diminish over time;
the bad news is that this will take time.  Are you prepared to have family
and friends threatened in this way?  YOU may know it's mostly air, but most
non-professionals don't, and it won't stop here.

  - - - next response - - -

yep. try to explain THAT to your friends, customers, business contacts,
etc. IF they are on the recipient list for that kind of spam. It could
take you out of business, if people read that kind of crap and probably
believe it. Even worse: Who are you going to inform about the faked story?
If you inform all of your contacts, you will alert also those who did
not even know about the SPAM problem.


Educational "testing firm" flunks Internet Security 101

<danny burstein <dannyb@panix.com>>
Tue, 19 Aug 2008 14:55:39 -0400 (EDT)

The Princeton Review, the test-preparatory firm, accidentally published the
personal data and standardized test scores of tens of thousands of Florida
students on its Web site, where they were available for seven weeks. ...
One folder on the Web site gave unusual insight into how test preparation
companies use older exams to prepare their practice tests. The folder
contained digital scans of eight official SATs and six PSAT exams from 2005
through 2007. The tests are created by the Educational Testing Service, a
nonprofit organization in Princeton, N.J.

http://www.nytimes.com/2008/08/19/technology/19review.html?em


A cellphone bill roams to the stratosphere

<Gabe Goldberg <gabe@gabegold.com>>
Thu, 28 Aug 2008 10:17:18 -0400

Santa Monica resident Aurelie Foucaut traveled last month to Paris with her
two kids. During a brief stopover in Montreal, she made six calls on her
BlackBerry to friends and family members, each lasting less than three
minutes.

Foucaut's wireless bill from T-Mobile arrived a few weeks ago. It included
$59.77 in ordinary usage charges. It also included a $2,367.40 "data service
roaming charge" for nearly 158 megabytes' worth of Internet access while in
Montreal — the equivalent of downloading about 80 novels.

"How is this possible?" Foucaut, 41, wanted to know. "I never go on the
Internet with my phone. I don't download into my BlackBerry. I don't even
know how to do it."

*Los Angeles Times*, 27 Aug 2008
http://www.latimes.com/business/la-fi-lazarus27-2008aug27,0,7630867.column


Weird Clock Issue

<"Steven J. Greenwald" <sjg6@gate.net>>
Mon, 18 Aug 2008 21:06:36 -0400

At the moment, we experience tropical storm Fay here in the Miami area.  It
does not seem too bad compared to past tropical storms, and we have only
experienced some few power outages that got fixed fairly quickly
(typical). We've had some pretty impressive wind gusts (I'd guess about
40-50MPH). However, I noticed something really weird.

I have a battery operated clock that syncs via radio signal reception with
the atomic clock in Boulder (very common - made by Oregon Scientific). It
currently shows the correct time (as of writing: 9:05 PM EDT) but shows the
date as Saturday September 27th 2008 instead of the correct date of Monday
August 18, 2008!

I have no idea why this has happened. Perhaps some weird electromagnetic
effect due to the storm (I have noticed things like compasses giving 180
degree wrong readings and spinning during storms)? Perhaps just some other
glitch that just coincidentally happened during the storm?


Risks of omitting off-site backups?

<"C.Y./J.E. Cripps" <cycmn@nyct.net>>
Thu, 21 Aug 2008 23:26:15 -0400 (EDT)

Victor M. Deeb is wondering why 20 years of his work was thrown away.  At
71, he had been experimenting in his basement laboratory.  When firemen came
in to put out a fire in a window air conditioner, they found 1500 vials,
jars, cans, bottles, and boxes of chemicals in his basement when they went to
turn off the power.  The Massachusetts state hazardous materials team
reacted by having everything that was deemed hazardous removed and disposed
of.  So, 45 years of his research in polymer chemistry went down the drain
(so to speak).  However, all of his materials were approved by the U.S. FDA
and seemingly nonhazardous.  City officials maintain he was violating zoning
laws.  They also maintain he was given opportunities to recover his 20-years
worth of notes, which were apparently seized.  [Source: Priyanka Dayal,
Chemist considers legal action over materials seized, *Worcester Telegram &
Gazette News*, 16 Aug 2008]
http://www.telegram.com/article/20080816/NEWS/808160346/1116

The need for backups is not emphasized enough in this much-discussed story.
(In this instance, photocopies of the mss notes would suffice.)


Telephone banking password /in/security

<Tim Bradshaw <tfb@tfeb.org>>
Thu, 28 Aug 2008 00:24:33 +0100

See this story in the BBC news: http://news.bbc.co.uk/1/hi/england/hereford/worcs/7585098.stm

The story raises at least two questions.

Firstly, if we are to believe the story, the person found out what his
password had been altered to.  So the whole text of the password was
available to him (and probably to members of bank staff also). This should
not be the case for obvious reasons.

Secondly, the story itself is extraordinary, as the BBC seem to have no
notion that there might be a serious problem here, rather than just an
amusing story.

It's tempting to add that this must mean that telephone banking passwords
are held in plain-text equivalent, and that this is obviously a huge
security problem.  It does mean that they must be in plain-text equivalent,
but things are not quite so simple: given the common "tell me characters a,
b, and c of your password" approach, a conventional one-way hash of the
password does not work.  I suppose you could create hashes for every
possible subset of (say) 3 characters (so for "password", hash "pas-----",
"pa-s----" & so on), but that may be quite a lot of hashes (I think it is
the number of combinations, so for 3-from-10 it would be 120 hashes, for
3-from-20 it would be 1140), and might also give an attacker a way into
guessing the whole password.  Still, that would probably be a lot better
than keeping it in clear, which seems to be what is happening here.
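A worked illustration of the subset-hash scheme sketched in the post above, as an added example that is not part of Tim Bradshaw's message: it stores one salted, position-bound PBKDF2 hash per 3-character subset, answers a "characters a, b and c" challenge without ever holding the clear password, and reports the subset counts (120 for 3-from-10, 1140 for 3-from-20) and the per-subset guessing cost behind the post's caveat. Function names, the hash construction and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import math
import os
import random
from itertools import combinations

SUBSET_SIZE = 3          # the bank asks for three characters per call
PBKDF2_ROUNDS = 10_000   # kept low for the demo; raise for real deployments


def subset_count(password_length: int) -> int:
    """Number of hashes stored: C(n, 3), e.g. 120 for n=10, 1140 for n=20."""
    return math.comb(password_length, SUBSET_SIZE)


def _digest(salt: bytes, positions: tuple, chars: str) -> bytes:
    # Bind the answer to the salt AND the requested positions, so the hash
    # for positions (0, 1, 2) cannot be replayed as an answer for (3, 4, 5).
    msg = ",".join(str(p) for p in positions).encode() + b"|" + chars.encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, PBKDF2_ROUNDS)


def enrol(password: str) -> dict:
    """Build the record a server would store instead of the clear password."""
    salt = os.urandom(16)
    table = {}
    for positions in combinations(range(len(password)), SUBSET_SIZE):
        chars = "".join(password[i] for i in positions)
        table[positions] = _digest(salt, positions, chars)
    return {"salt": salt, "length": len(password), "table": table}


def challenge(record: dict) -> tuple:
    """Pick three distinct, ascending, 1-based positions to ask for."""
    positions = sorted(random.sample(range(record["length"]), SUBSET_SIZE))
    return tuple(p + 1 for p in positions)


def verify(record: dict, asked: tuple, answer: str) -> bool:
    """Check the customer's characters for the 1-based positions asked."""
    positions = tuple(p - 1 for p in asked)
    expected = record["table"].get(positions)
    if expected is None or len(answer) != SUBSET_SIZE:
        return False
    actual = _digest(record["salt"], positions, answer)
    return hmac.compare_digest(expected, actual)   # constant-time compare


def guesses_per_subset(alphabet_size: int) -> int:
    """Worst-case offline guesses to recover one stored 3-character subset:
    the caveat in the post, since each hash covers only alphabet^3 values."""
    return alphabet_size ** SUBSET_SIZE


if __name__ == "__main__":
    rec = enrol("password")          # constructed sample, as in the post
    asked = challenge(rec)
    print("bank asks for positions", asked)
    print("record holds", subset_count(rec["length"]), "hashes, no clear text")
```

Note that the stored record still leaks far more than a single full-password hash would, so the scheme trades one risk (clear-text storage) for a smaller but real one, exactly as the post observes.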


Boston judge tosses MIT students' gag order (Re: RISKS-25.28)

<Richard Forno <rforno@infowarrior.org>>
August 19, 2008 1:54:46 PM EDT

  [From Dave Farber's IP distribution]

[Source: Kim Zetter's WiReD blog, Federal Judge Throws Out Gag Order Against
Boston Students in Subway Case, 19 Aug 2008; PGN-ed]
http://blog.wired.com/27bstroke6/2008/08/federal-judge-t.html

U.S. District Judge George A. O'Toole, Jr., vacated the temporary 10-day gag
order that another judge had instituted against the three MIT students who
were prevented from presenting a talk on security vulnerabilities in the
Boston subway's fare tickets and cards.  The judge also threw out a request
by the MBTA to expand the restraining order.  [RISKS-25.28 and 25.29]

Dave's IP Archives: https://www.listbox.com/member/archive/247/=now


Re: DNA Database Searches (RISKS-25.25)

<Hal Murray <hmurray@megapathdsl.net>>
Tue, 19 Aug 2008 13:53:09 -0700

 From:
   http://articles.latimes.com/2008/jul/20/local/me-dna20

> The FBI laboratory, which administers the national DNA database
> system, tried to stop distribution of Troyer's results and began an
> aggressive behind-the-scenes campaign to block similar searches
> elsewhere, even those ordered by courts, a Times investigation found.

> No one knows precisely how rare DNA profiles are. The odds presented
> in court are the FBI's best estimates.

There is another risk in here.  The FBI is tarnishing their reputation and
with it the reputation of our whole justice system.

The FBI has (had?) a reputation for doing good science.  Why are they
dragging their feet because somebody wants to double check their work?  What
are they trying to hide?

I'm not a wizard on DNA matching or statistics, but I think I'm smart enough
to understand a good white paper discussing this topic.  I'm surprised the
FBI hasn't written one and squashed this discussion.

Maybe The National Academy of Sciences should be asked to review this tangle.


Re: How reliable is DNA (RISKS-25.27-29)

<KCKnowlton@aol.com>
Tue, 19 Aug 2008 10:21:22 EDT

RISKS readers should be quite aware of the troublesome February 29th.
Rather special statistics apply to about one of 1461 people who are born on
Feb 29.

Recall: Leap-Year software bug gives "Million-dollar glitch" (RISKS-18.74)

On the last day of a leap year in 1996, an aluminum plant in New Zealand
triggered a software flaw that failed to account for the year having 366
days.  It caused an enormously expensive event on the 366th day of the
year. And there must be many similar incidents I don't remember.  [PGN-ed]


Re: Couple of On-Line Travel Booking Risks (RISKS-25.28)

<"Chris Drewe" <e767pmk@yahoo.co.uk>>
Sat, 23 Aug 2008 21:53:49 +0100

There's a sort-of follow-up to this item in the travel section of today's
newspaper (23 Aug 2008):

> A reader comments that the US Electronic System for Travel Authorisation
> application site at https://esta.cbp.dhs.gov didn't accept his passport
> because it was valid for more than 10 years.

Several readers have reported being charged $49.95 for a permit application,
which is a pain as the previous paper I-94W forms were free.  As far as I
can tell, applying via the official ESTA web site is free, but it appears
that doing a Google (or similar) search for the site will match on some
commercial agency sites which do charge for handling applications.  These
agencies may be offering some sort of value-added service, but the RISK is
that people may be persuaded to pay a third party unnecessarily for
something that they could do themselves, because of web search results.


Re: Germany's New Unified Tax Identification Codes (RISKS-25.29)

<"Ralf Fritzsch" <Ralf.Fritzsch@baw.de>>
Wed, 27 Aug 2008 10:14:40 +0200

It seems definite that white spaces in the original data were obviously
misinterpreted during data transfer. The technical reasons remain unknown so
far.

In the meantime, all 46000 inhabitants of Stade (Lower Saxony) have received
new letters from the Federal Central Tax Office regarding their Tax
Identification Codes.  As far as I can speak for myself and my family, for
now the information is correct :-)

Nevertheless, the question of who or what was responsible for the mess-up
remains unanswered.


Re: P2P Data Breach affects SCOTUS (Ashworth, RISKS 25.24)

<Hal Murray <hmurray@megapathdsl.net>>
Tue, 19 Aug 2008 12:18:06 -0700

> People would be inclined to say "but it's not reasonable to believe that
> large corporate sites would be involved in this sort of collusion!".

Maybe things outside the USA are better, but around here anybody who is at
all concerned about their privacy knows that our advertising companies
collect all the information that they can get their hands on.  Consider
credit bureaus.  Many years ago they may have been in the credit business.
Today, they are in the information business.

Besides, it's not just corporate America that wants to collect your info.
How many times has TSA been mentioned on RISKS?
