RISKS-LIST: Risks-Forum Digest Wednesday 23 July 2008 Volume 25 : Issue 24 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/25.24.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Washington Metro farecard fraud (David Lesher) The $100,000 Keying Error (Patrick O'Beirne) What happened to handcuffing the briefcase to James Bond's wrist? (Randall Webmail) Taking a grab at what's the real system error (Jared) What's in a name? (Peter Houppermans) Yet more GPS risks: Angry Mob Stones Lost Tourist (Steven J Klein) Shocking idea for air passenger security (Robin Stevens) Re: Oyster card hack to be published (Amos Shapir) Re: San Francisco admin hijacks city net: Paul Venezia (David Lesher) Re: ComCast in Concrete? MAC addresses (R A Lichtensteiger) Re: P2P Data Breach affects SCOTUS (Pete Klammer, Jay R. Ashworth) Re: Approval voting and sincerity (Geoffrey Brent, Richard Gadsden) NC State Voter site exposes voter addresses (John O Long) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 20 Jul 2008 01:25:01 -0400 (EDT) From: "David Lesher" <wb8foz_at_private> Subject: Washington Metro farecard fraud *The Washington Post* reports six arrests in a Metro Farecard fraud scheme. <http://www.washingtonpost.com/wp-dyn/content/article/2008/07/18/AR2008071801912.html> Allegedly the accused would buy a paper farecard; split the 0.25" wide magstrip into 4 ribbons and glue each atop a blank card. Then they'd trade in the card by adding some small cash value, getting a new card in return. Metro's first response was to lower the allowable trade-in value from $30 to $4. It's not clear if a Metro employee noticed the altered cards in the discard bin inside of a ticket vending machine; or they were tipped off by other system safeguards, such as. A duplicate-card serial-number detector. Comment: I recall a similar BART fraud of about 2 decades ago, which used a steam iron and knowledge of Curie points. I wonder if Metro will try to use this to mandate moving to their traceable stored value "Smartrip" cards... ------------------------------ Date: Sun, 20 Jul 2008 7:40 PM From: Randall Webmail [rvh40_at_private] Subject: What happened to handcuffing the briefcase to James Bond's wrist? [From Dave Farber's IP distribution.] On 20 Jul 2008, the Ministry of Defence confirmed another laptop with "sensitive information" has been stolen while one of their officials checked out of a hotel. An MoD spokesman said the theft from the Britannia Adelphi hotel in Liverpool city centre on 17 Jul 2008 brought the total of laptops stolen to 659. On 18 Jul 2008 the MoD admitted that 658 of its laptops had been stolen over the past four years - nearly double the figure previously claimed. The department also said 26 portable memory sticks containing classified information had been either stolen or misplaced since January 2008. [Another MoD laptop stolen, *The Guardian*, 20 Jul 2008; PGN-ed] <http://www.guardian.co.uk/uk/2008/jul/20/military.ukcrime> IP Archives: https://www.listbox.com/member/archive/247/=now ------------------------------ Date: Wed, 23 Jul 2008 11:45:55 +0100 From: "Patrick O'Beirne" <pob_at_private> Subject: The $100,000 Keying Error When testing your systems, you do check for length as well as checksum errors, don't you? http://www.computer.org/portal/site/computer/menuitem.5d61c1d591162e4b0ef1bd108bcd45f3/index.jsp?&pName=computer_level1_article&TheCat=1015&path=computer/homepage/0408&file=profession.xml&xsl=article.xsl& An ordinary bank customer, Grete Fossbakk, used Internet banking to transfer a large amount to her daughter. She keyed one digit too many into the account number field, however, inadvertently sending the money to an unknown person. This individual managed to gamble away much of the sum before police confiscated the remainder. http://kursinfo.himolde.no/in-kurs/inf111/pensum/bank.pdf Patrick O'Beirne, Systems Modelling Ltd. http://www.sysmod.com/ (+353)(0) 5394 22294 ------------------------------ Date: Sat, 19 Jul 2008 09:33:28 -0600 From: jared <jared_at_private> Subject: Taking a grab at what's the real system error The Capital Letters feature of the Saturday Guardian discusses a risk of on-line banking - what you see is not what you have. http://www.guardian.co.uk/money/2008/jul/19/consumeraffairs Q: I have a number of savings accounts with Bradford & Bingley which I access online. The total value is around 100,000 pounds. But often the on- screen version does not tally with the balance over the phone. Even worse, sometimes one of my accounts shows a negative figure, even though savings accounts cannot go below zero. The call centre says there must be a system error -- this appears every month. A: At first B&B said it was impossible to be in the red on a savings account -- yours showed minus 1,100 pounds. But once you sent in your screen grab, clarity emerged. You have, among others, an eSavings account where daily "updates" take place between the "core" system and the "Internet platform". To ensure the systems are fully aligned, B&B runs numerous "exchanges" of information. So there can be times when the "processed balance" does not coincide with your available balance. Had you looked even a few minutes later, the minus figure would have gone. You have not lost by this. B&B says it has not encountered this elsewhere and will have its systems people work on your account. It will apologise and send 50 pounds as a goodwill gesture. [Sounds like you need some *original* B&B: Benedictine and Brandy. PGN] ------------------------------ Date: Sat, 19 Jul 2008 10:26:25 +0200 From: Peter Houppermans <peter_at_private> Subject: What's in a name? Well, I found sequencing to be a problem too. It is traditional to have more than one first name where I come from, so I have 3. One of them is the name by which I'm called, "Peter". The twist is that it is not the FIRST name of the three. In my country of origin this is not a problem, it's accepted practice and calling names are stored separately from forenames (also because the formal names are often written in a more archaic form). But cross the borders and problems start, sometimes to the point of causing danger. In the UK, for instance, it's a bit pot luck. When I moved to another place I had quite some trouble convincing a GP administrator to then enter my calling name first, but that "wasn't as in my passport" - the fact that business cards, credit cards and even the data from the former GP were labeled "Peter" had no impact. Only when I presented her with a letter to sign for acceptance of liability was it suddenly possible - the RISK was that an accident could put me in hospital in a state unable to explain they should look for my data under another name. I moved again (this time to another country), and the circus has restarted. On entry, some official omitted the flag that marks the name by which I am called (in the new county they appear to have at least a way of marking the name - if it wasn't for the fact that my passport does NOT have such a mark - I think it's an omission in the EU passport standards). The knock-on effect is that I have to undo insurances, car registration and personal ID all in the wrong name. It's a long process.. Over the years I even had an official suggesting I should change my name or at least the sequence. So the idea is that I change my name to suit what is a clear lack of flexibility in official systems. Alas, I'm just on the wrong side of stubborn to rename myself to 12889-999-111, the logical end of that route. Besides, I do derive some professional amusement from breaking systems :-). ------------------------------ Date: Tue, 08 Jul 2008 11:18:56 -0400 From: Steven J Klein <steveklein_at_private> Subject: Yet more GPS risks: Angry Mob Stones Lost Tourist RISKS has run numerous reports of the trouble people get into by blindly following the instructions of their GPS navigation devices. The Jewy News website just published the stories of two people who, following instructions from their GPS units, drove into dangerous neighborhoods and were attacked by mobs. Excerpt: An American tourist was lightly injured by rocks hurled at him when he accidentally drove into the Qalandiyah refugee camp, west of Ramallah, Wednesday afternoon. Army sources said Wednesday that since the beginning of this year there have been several dozen cases of Israeli civilians mistakenly entering Area A, because of GPS navigational errors, and despite clear signs at the entrance to Palestinian towns warning Israelis not to enter. http://jewynews.com/2008/07/08/angry-arab-mob-stones-lost-american-tourist/ Steven J Klein Your Mac Expert Phone: (248) YOUR-MAC or (248) 968-7622 ------------------------------ Date: Wed, 23 Jul 2008 18:45:38 +0100 From: Robin Stevens <rejs_at_private> Subject: Shocking idea for air passenger security In order to enhance the security of air travel and to help manage illegal immigration, the Department of Homeland Security has solicited a proposal from a Canadian security company to develop a passenger stun bracelet. "By further equipping the bracelet with EMD technology, the bracelets will allow crew members, using radio frequency transmitters, to quickly and effective subdue hijackers" <http://www.informationweek.com/news/security/intrusion_prevention/showArticle.jhtml?articleID=208803214> Now, what could *possibly* go wrong with this idea? Robin Stevens <rejs@private> http://www.cynic.org.uk/ ------------------------------ Date: Tue, 22 Jul 2008 17:40:58 +0300 From: Amos Shapir <amos083_at_private> Subject: Re: Oyster card hack to be published (RISKS-25.22) "Details of how to copy the Oyster cards used on London's transport network can be published, a Dutch judge has ruled." Full story at: http://news.bbc.co.uk/2/hi/technology/7516869.stm IMHO the most important sentence in the judge's ruling is : ""Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings." IOW (unlike what seems to be the law in the USA), if the King is naked it's his fault, not the little boy's. ------------------------------ Date: Sat, 19 Jul 2008 23:49:23 -0400 From: David Lesher <wb8foz_at_private> Subject: Re: San Francisco admin hijacks city net: Paul Venezia (RISKS-25.23) [Source: Paul Venezia, *InfoWorld*, 19 Jul 2008] <http://www.pcworld.com/businesscenter/article/148669-1/the_story_behind_san_franciscos_rogue_network_admin.html> On 13 Jul 2008, Terry Childs, a network administrator employed by the City of San Francisco, was arrested and taken into custody, charged with four counts of computer tampering. He remains in jail, held on US$5 million bail. News reports have depicted a rogue admin taking a network hostage for reasons unknown, but new information from a source close to the situation presents a different picture. In posts to my blog <http://weblog.infoworld.com/venezia/>, I postulated about what might have occurred. Based on the small amount of public information, I guessed that the situation revolved around the network itself, not the data or the servers. A quote from a city official that Cisco was getting involved seemed to back that up, so I assumed that Childs must have locked down the routers and switches that form the FiberWAN network, and nobody but Childs knew the logins. If this were true, then regaining control over those network components would cause some service disruption, but would hardly constitute the "millions of dollars in damages" that city representatives feared, according to news reports. Apparently, I wasn't far off the mark. In response to one of by blog posts, a source with direct knowledge of the City of San Francisco's IT infrastructure and of Childs himself offered to tell me everything he knew about the situation, under condition that he remain anonymous. I agreed, and within an hour, a long e-mail arrived in my in box, painting a very detailed picture of the events. Based on this information, the case of Terry Childs appears to be much more -- and much less -- than previously reported. It seems that Terry Childs is a very intelligent man. According to my source, Childs holds a Cisco Certified Internetwork Expert certification, the highest level of certification offered by Cisco. He has worked in the city's IT department for five years, and during that time has become simply indispensible. Although Childs was not the head architect for the city's FiberWAN network, he is the one, and only one, that built the network, and was tasked with handling most of the implementation, including the acquisition, configuration, and installation of all the routers and switches that comprise the network. According to my source's e-mail, his purview extended only to the network and had nothing to do with servers, databases, or applications: "Terry's area of responsibility was purely network. As far as I know (which admittedly is not very far), he did not work on servers, except maybe VoIP servers, AAA servers, and similar things directly related to the administration of the network. My suspicion is that you are right about how he was "monitoring e-mail"; it was probably via a sniffer, IPS, or possibly a spam-filtering/antivirus appliance. But that's just conjecture on my part." ------------------------------ Date: Sat, 19 Jul 2008 11:18:38 -0400 From: R A Lichtensteiger <rali_at_private> Subject: Re: ComCast in Concrete? MAC addresses (Fife, RISKS-25.23) > The ethernet adapter in a PC and the ethernet "WAN Port" on a router both > have a unique six-byte identification known as a MAC (Medium Access Control) > address. The first three bytes identify the manufacturer (i.e., Linksys), > and the other three bytes identify the specific device. Default values are > assigned by the manufacturer and programmed into the hardware. Forgive the pedantry ... The last three octets of a MAC aren't a "default" -- they are uniquely assigned to one device within all the ethernet interfaces that manufacturer builds [1] and the entire six octet address is globally unique because the value in the upper three octets are assigned to a single vendor by the IEEE. This is one of the fundamental points in the ethernet spec. > If this doesn't work, I would turn off remote management, "Universal Plug > and Play," and anything else that might allow the cable company to interact > with your router over the network and recognize its specific behavior. This is useful advice in that one should never expose to network access any functionality that isn't required. UPnP is used particularly by games that need to open inbound connections on a device that filters traffic (usually a residential router device like a Linksys router performing network address translation [NAT]); the application needs to be able to receive incoming packets from a remote host for purposes of network gameplay. In the case of the Linksys routers, the last time I looked at the source code (which Linksys makes available because the "firmware" in the device is linux) the routers didn't accept UPnP packets from the outside [WAN] interface. [1] Or, more likely, purchases from a silicon vendor who builds ethernet chipsets! ------------------------------ Date: Sat, 19 Jul 2008 14:02:49 -0600 From: Pete Klammer <netronics-pe_at_private> Subject: Re: P2P Data Breach affects SCOTUS (Ashworth, RISKS-25.23) Many financial websites now allow you to choose your own security question(s), either from a multiple-choice list, or even an original one of your own choosing. While considering the dossier that could be constructed from accumulating them (each one knows only my eye color, or only my birthplace, but together, my whole identity may be assembled); it dawned on me recently that I do not have to answer these questions truthfully -- only consistently. That is, if I set up with my eye color purple, and later remember and answer that question with purple, I can have my password resent, etc. So now I answer all those security questions (even mother's maiden name) dishonestly, but with answers that I will not be able to forget. In fact, it might behoove the webpage security designers to change the security questions to promote such behavior: "If Abcorp needs to confirm your identity, how would you answer the question, 'What color are your eyes?'" Peter F. Klammer, P.E. / NETRONICS Professional Engineering, Inc. 3200 Routt Street / Wheat Ridge, Colorado 80033-5452 1-303-915-2673 ------------------------------ Date: Mon, 21 Jul 2008 15:03:02 -0400 From: "Jay R. Ashworth" <jra_at_private> Subject: Re: P2P Data Breach affects SCOTUS (Klammer, RISKS 25.24) In light of the recent MySpace case, where prosecutors with nothing else to hang a case on are trying to convict that mother of *lying on her profile*, perhaps you *shouldn't* lie in the answers to those questions... but of course that just makes it worse. 1/2 :-) You make a good point though, which was inherent in the observations I made, but subtle enough that I missed it: since you can't trust the site operators with passwords, there's no reason you believe that you can trust them with any other data either. People would be inclined to say "but it's not reasonable to believe that large corporate sites would be involved in this sort of collusion!". But we wouldn't have expected either of these things either: http://rawstory.com/news/2008/Wiretap_immunity_bill_gets_closer_to_0709.html http://rawstory.com/news/2008/Cybersecurity_expert_raises_allegations_of_2004_0717.html and yet they appear to have happened. Some sites do, in fact, ask the applicant to supply both the question and the answer, which seems perfectly reasonable: at least, it permits security-thoughtful applicants to protect themselves from this sort of thing. All of this is also akin to the Middle Initial Gambit: tracking junkmail (usually of the paper variety) by putting a different middle initial in your name for each primary source, something which will usually pass in-band through the filters of the mailers in the middle. This sort of service is handled by disposable email addresses in this day and age, of course. Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA +1 727 647 1274 http://baylink.pitas.com <jra@private> ------------------------------ Date: Sat, 19 Jul 2008 11:50:00 +1000 From: Geoffrey Brent <gpbrent_at_private> Subject: Re: Approval voting and sincerity (Re: Youngman, RISKS-24.23) "Unless you get a very weird result (i.e., it's statistically very unlikely), one candidate will win all his individual contests. That person should be elected. Failing that, someone will almost certainly lose all his contests and should be eliminated. When they're removed from consideration the win-lose cycle can be repeated until you're left with a winner." It won't do that. If you don't *immediately* have a candidate who has won all his individual contests (call that a 'universal winner'), then iteratively eliminating 'universal losers' will never produce a universal winner. If nobody wins all their individual contests, then each candidate loses to somebody else. Suppose you can indeed find a 'universal loser' candidate Z. By definition, Z is *not* the guy that anybody else loses to, so if you remove him from the pool each of the remaining candidates still lose to one of the other remaining candidates. Removing Z might produce a new universal loser amongst the remaining candidates, but it will never produce a universal winner (and since you only have a finite number of candidates, eventually you'll hit the point where you run out of universal losers too). To see how something like this might come about, consider a three-cornered election in which approximately one-third of voters are primarily concerned about foreign policy, one-third about healthcare, and one-third about taxation. If you randomly order the candidates' credibility on each of these three issues, you have a 1/18 chance of getting a deadlock where people are voting e.g. A-B-C, B-C-A, and C-A-B. Obviously real-life politics isn't that clear-cut, and the chances of a deadlock may be somewhat lower... but they could also be higher, especially when people modify their campaigning strategies to take advantage of the new system, and even a small rate of unresolved elections has the potential to cause a lot of trouble. You can of course set up some sort of tie-breaker for such situations - e.g. use some other form of preferential counting among the remaining candidates - but this will inevitably run into one of the other clauses of Arrow's Theorem. ------------------------------ Date: Tue, 22 Jul 2008 12:31:01 +0100 From: "Richard Gadsden" <richard_at_private> Subject: Re: Approval voting and sincerity (Re: Youngman, RISKS-24.23) Not wishing to get into this debate in too much detail - this isn't infosec, and really shouldn't be on RISKS - but this is a Condorcet system, which has well-known vulnerabilities; voters who are confident that their first-choice will win the tiebreaker can deliberately induce a top cycle to block a sincere Condorcet winner where that winner is a centre-compromise candidate. [Several of the words in the above paragraph are terms of art, notably "Condorcet", "sincere", "centre-compromise", "top cycle", "vulnerability"] Rather than doing a worked example, my suggestion of the RISK here is that voting theory is a very specialised area of knowledge, and that non-experts should no more expect to be able to invent a voting algorithm than an encryption algorithm. RISKS doesn't normally discuss design details of encryption algorithms, and I would suggest that we should cease trying to discuss voting algorithms. Suffice it to say that there are many different properties of voting algorithms, and different systems are optimised for different properties. One property that many would like to optimise for is that voters should not need information about other voters' likely ballots to determine how to cast their vote most effectively. What is meant (in the field of voting theory) by a 'sincere vote' is the vote that voter would cast given no information about other voters, just information about the candidates. Gibbard-Satterthwaite and Duggan-Schwartz and the extensions of their theorems to many non-preferential systems (approval, disapproval and scoring systems included) prove that this property is unachievable in theory. For those wishing to try their own thought experiments, usual insincere votes are 1) Voting more strongly against a candidate you regard as middling in order to help your first choice. 2) Voting more strongly for a candidate you regard as middling to damage a candidate you are opposed to, often abandoning your first choice to do so. 3) Voting for a candidate you really hate in order to put them above someone you merely dislike, where the one you dislike has a chance of winning and the one you hate does not. ------------------------------ Date: Tue, 22 Jul 2008 09:57:49 -0400 (GMT-04:00) From: John O Long <j1long_at_private> Subject: NC State Voter site exposes voter addresses The North Carolina Board of Elections has made it possible to learn quite a bit about any registered voter in the state. Go to their site at http://www.sboe.state.nc.us/Default.aspx?s=0 and click on My Election Information. Select Show Me My Voter Information and enter your name and county. You are then presented with all of the people who match your first and last name in your county. You can select any of them and find out: - their address - what party they are registered with - which elections and primaries they voted in - voter registration number I think a lot of people wouldn't want their address exposed in this way. I know I wasn't too happy to see this. However, it also makes it easier for voter fraud to take place. If I find someone in my county who doesn't vote very often, I can show up at their polling place and vote for them. If necessary, I can provide their voter registration number. However, I don't need to provide a photo ID. [Most of this information is publicly available. However, systematically data mining it to identify folks who were not voting could indeed lead to organized fraud. For example, I recall a former North Carolina resident telling me that when he returned to NC after many years of voting as a resident of California, he went to register again in NC. He was informed that not only was he *still* registered -- he was recorded as having voted in every election (while he was voting in California)! PGN] ------------------------------ Date: Thu, 29 May 2008 07:53:46 -0900 From: RISKS-request_at_private Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in RISKS issues. *** Contributors are assumed to have read the full info file for guidelines. => .UK users should contact <Lindsay.Marshall_at_private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 25.24 ************************Received on Wed Jul 23 2008 - 15:35:11 PDT
This archive was generated by hypermail 2.2.0 : Wed Jul 23 2008 - 15:58:14 PDT