RISKS-LIST: Risks-Forum Digest  Wednesday 6 August 2008  Volume 25 : Issue 26

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.26.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
'Fakeproof' microchipped British e-passport is cloned in minutes
  (Martyn Thomas)
On Metro Fraud and NXP (David Lesher)
11 charged in largest ID theft in U.S. history (Paul Saffo)
Theft perils 150,000 on Busch laptop (PGN)
Verified Identity Pass: CLEAR Suspended Following Laptop Theft (PGN)
Unsuspected travelers' laptops may be detained at border
  (Ellen Nakashima via Monty Solomon)
Neglecting to logout from Skype means sharing your Instant Messages
  (Michael Weiner)
Another small interface risk (Peter Zilahy Ingerman)
E-Z Pass Maryland training customers to visit random sites? (Mike Porter)
Prescription Data Used To Assess Consumers (Ellen Nakashima via Monty Solomon)
Re: What's in a name? (Dag-Erling Smørgrav)
Re: UPS ... indistinguishable from phishing (G.M.Sigut)
Re: Fascinating phishing attack: valid links, dangerous ...
  number (Al Macintyre)
Re: Apple Fails to Patch Critical Exploited DNS Flaw (Robin Stevens)
Re: Another GPS error story (J R Stockton)
Survey: Perception of security in online environments (Gene Spafford)
REVIEW: "The Innocent Man", John Grisham (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 06 Aug 2008 09:21:06 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: 'Fakeproof' microchipped British e-passport is cloned in minutes

http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece

Martyn Thomas CBE FREng  http://www.thomas-associates.co.uk

------------------------------

Date: Thu, 24 Jul 2008 12:17:57 -0400 (EDT)
From: wb8foz_at_private (David Lesher)
Subject: On Metro Fraud and NXP

I wondered whether the recent mag-stripe card fraud arrests (RISKS-25.24)
would prompt WMATA [DC Metro] to intensify their campaigns to encourage/coerce
riders into their new stored value smartcards, over the existing anonymous
magstripe/paper ones.

That same day, multiple sources report a Dutch judge ruled that research by
Prof Bart Jacobs (see RISKS-25.17) and colleagues from Radboud University,
Nijmegen in March 2008 can be published. This work exposed significant flaws
in NXP's smartcards, used in London's "Oyster" transport system (RISKS-25.22
and 24), transit systems in many other cities, and for access to many Dutch
government buildings. The vendor, NXP, sought a permanent injunction against
releasing the work. The court ruled: "Damage to NXP is not the result of the
publication of the article but of the production and sale of a chip that
appears to have shortcomings."
<http://technology.timesonline.co.uk/tol/news/tech_and_web/article4373717.ece>
<http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/7516869.stm>

------------------------------

Date: Tue, 5 Aug 2008 22:21:08 -0700
From: Paul Saffo <paul_at_private>
Subject: 11 charged in largest ID theft in U.S. history

  [Another compelling reminder to go to the ATM and -- USE CASH!  -p]

More than 40 million debit and credit card account numbers were stolen from
major retailers. Fraud is estimated in the tens of millions of dollars.
  [Source: Joseph Menn and Andrea Chang, 11 charged in largest ID theft in
  U.S. history, *Los Angeles Times*, 5 Aug 2008; PGN-ed]
http://www.latimes.com/business/la-fi-hack6-2008aug06,0,6262500.story

Federal authorities said Tuesday that they had cracked the largest case of
identity theft in U.S. history, charging 11 people in the theft of more than
40 million credit and debit card account numbers from computer systems at
such major retailers as TJ Maxx and Barnes & Noble.

The three-year investigation by federal agencies and overseas allies brought
home the global nature of the Internet's underground economy as agents
tracked leads from China to Ukraine and picked up suspects in Turkey and
Germany as well as the U.S.

To the chagrin of the U.S. Secret Service, which handles many electronic
fraud investigations, the trail led back to one of its own informants,
Albert Gonzalez. Justice Department officials said Gonzalez served as the
ringleader and double-crossed the agency by tipping off his cohorts.
Prosecutors said Gonzalez could face a life term in prison.

------------------------------

Date: Tue, 5 Aug 2008 14:16:13 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Theft perils 150,000 on Busch laptop

About 150,000 people in six states have been affected by the theft in June
2008 of laptops that contained personal information on current and former
Anheuser-Busch employees.
  [Source: a short item in the *San Francisco Chronicle*, 5 Aug 2008, p. D2;
  PGN-ed]

------------------------------

Date: Tue, 5 Aug 2008 10:36:43 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Verified Identity Pass: CLEAR Suspended Following Laptop Theft

  [Thanks to Richard M. Smith]

Verified Identity Pass, which operates under the brand name CLEAR, was
suspended by the Transportation Security Administration Monday after a
laptop containing personal information for 33,000 people signing up for
their registered traveler program was stolen from San Francisco
International Airport.

The company is in the process of notifying the people, who were signing up
for an expedited airport check-in service, that their personal information
may have been stolen. Officials said a laptop containing the data was stolen
from a locked office at the airport. The information on the laptop was not
encrypted. There was no credit card data or any social security numbers
stored on the laptop, but there were names, addresses and other personal
data.

Verified Identity Pass will not be able to enroll new customers into the
registered traveler program until the TSA verifies that the company is
compliant with security procedures.
http://abclocal.go.com/kgo/story?section=news/local&id=6306342

  [CLEAR-ed out for now, but don't forget TSA Loses Hard Drive With Personal
  Info on about 100,000 employees, RISKS-24.66, 8 May 2007.
  http://catless.ncl.ac.uk/Risks/24.66.html#subj8  PGN]

------------------------------

Date: Mon, 4 Aug 2008 20:05:30 -0400
From: Monty Solomon <monty_at_private>
Subject: Unsuspected travelers' laptops may be detained at border

Ellen Nakashima, Travelers' Laptops May Be Detained At Border;
No Suspicion Required Under DHS Policies, *The Washington Post*, 1 Aug 2008, A01

Federal agents may take a traveler's laptop computer or other electronic
device to an off-site location for an unspecified period of time without any
suspicion of wrongdoing, as part of border search policies the Department of
Homeland Security recently disclosed.

Also, officials may share copies of the laptop's contents with other
agencies and private entities for language translation, data decryption or
other reasons, according to the policies, dated July 16 and issued by two
DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and
Customs Enforcement. ...

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080103030.html

------------------------------

Date: Tue, 05 Aug 2008 20:32:32 +0200
From: "Michael Weiner" <michael_weiner_at_private>
Subject: Neglecting to logout from Skype means sharing your Instant Messages

Six months ago, I briefly used Skype on a friend's laptop. Yesterday, that
very friend -- who is not very computer-savvy -- told another friend of mine
that she had found a way to read other people's Skype messages. The other
friend looked into the matter -- turns out that I had remained logged in on
her laptop for the past six months and that she had read every single one of
my instant messages during that time. Obviously, I had not noticed that the
"Automatically log this user on" box was ticked when I logged on and had
forgotten to log out.

The RISKS are obvious. So are possible fixes: The "Automatically log this
user on every time Skype starts" box should never be active by default and a
confirmation should be requested.
Also, Skype should make users aware if they are simultaneously logged into
the same account from different machines. The only way out at the moment is
to change the Skype password frequently as this will terminate all sessions
you may have forgotten to log out from yourself.

According to several messages on the Skype Community forum, Skype considers
the ability to remain logged in to the same account on several machines a
"feature" and sees no need to fix anything.

------------------------------

Date: Thu, 24 Jul 2008 17:07:00 -0400
From: "Peter Zilahy Ingerman, PhD" <pzi_at_private>
Subject: Another small interface risk

Granite Commerce (www.granitewebdesign.com) sells a packaged e-commerce
product. I discovered, when setting up an account with a store that uses
this software, one of the "security questions" offered is "What city were
you born in?". Not, on its face, unreasonable. However ... they only want a
one-word answer (and don't say that!), so that any city requiring an
embedded space (e.g. "New York City") is rejected as being invalid.

  [PGN asked PZI: Are there any length constraints? Are there checks for
  your designated birth city being legitimate? Otherwise, I suppose you
  could write Newyorkcity.]

Actually, I verified with the company that purchased the use of the
software ... and it is, exactly, that the software "requires" a single
word, with no other checks!

  [Wow! Spaced-out software. PGN]

------------------------------

Date: Thu, 24 Jul 2008 10:41:19 -0400 (EDT)
From: Mike Porter <mike_at_private>
Subject: E-Z Pass Maryland training customers to visit random sites?

... and type in a PIN?

My EZ-Pass Maryland statements come to me as follows. The From: field does
not even make an attempt to represent EZ-Pass Maryland, and the headers do
not either. I spoke with the EZ-Pass Maryland help desk and they suggested
the message was likely a phishing message.
However, phone calls to the sender led to an IT person who claimed they did
in fact handle statements for EZ-Pass Maryland. Eventually, I did type in my
PIN and a valid statement was produced. Email to EZ-Pass Maryland asking for
further clarification has been ignored. I still do not know for sure if this
message is valid, but the PIN I use for this site is unique. I also receive
these each month and do not receive anything else from EZ-Pass Maryland.

---------- Forwarded message ----------
Return-Path: <ezbounce_at_private>
Received: from md1.nss.udel.edu (md1.nss.udel.edu [128.175.1.11]) ...
Received: from isecurus.com ([198.190.195.76])
Date: Wed, 16 Jul 2008 12:44:25 -0400
From: E-ZPass Customer Service<ezpass_at_private>
To: <me>
Subject: E-ZPass Statement
Reply-To: ezpass_at_private
...
Your statement will be available for 30 days from the date of this e-mail.
If you will need to access your statement beyond the 30 day period or wish
to save your statement, please access the link below.
...
https://ezpassstatements.gdocs.com/EZPassMtg/EZPass.cfm?p_no=#############

------------------------------

Date: Mon, 4 Aug 2008 18:56:39 -0400
From: Monty Solomon <monty_at_private>
Subject: Prescription Data Used To Assess Consumers (Ellen Nakashima)

Records Aid Insurers but Prompt Privacy Concerns
  [Source: Ellen Nakashima, *The Washington Post*, 4 Aug 2008; A01; PGN-ed]

Health and life insurance companies have access to a powerful new tool for
evaluating whether to cover individual consumers: a health "credit report"
drawn from databases containing prescription drug records on more than 200
million Americans.

Collecting and analyzing personal health information in commercial
databases is a fledgling industry, but one poised to take off as the nation
enters the age of electronic medical records.
While lawmakers debate how best to oversee the shift to computerized
records, some insurers have already begun testing systems that tap into not
only prescription drug information, but also data about patients held by
clinical and pathological laboratories.

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/03/AR2008080302077.html

------------------------------

Date: Fri, 25 Jul 2008 14:33:25 +0200
From: "Dag-Erling Smørgrav" <des_at_private>
Subject: Re: What's in a name? (Houppermans, RISKS-25.24)

Peter Houppermans <peter_at_private> writes:
> [...] Over the years I even had an official suggesting I should change
> my name or at least the sequence. So the idea is that I change my
> name to suit what is a clear lack of flexibility in official systems.

There was a news report a few years ago of a Norwegian company that decided
to drag its blue-collar employees kicking and screaming into the 21st
century by giving them all free Internet access and email accounts. The IT
department arrived at a strict email account naming policy, following the
usual firstname.surname_at_private pattern.

You can see it coming a mile away: the company happened to have two
employees with the exact same name. The IT department refused to make an
exception, citing technical limitations. Their proposed solution was that
one of the pair should have his name legally changed to accommodate their
policy.

You can't make this up, folks.

Dag-Erling Smørgrav - des_at_private

------------------------------

Date: Tue, 29 Jul 2008 10:30:59 +0200
From: "G.M.Sigut" <sigut_at_private>
Subject: Re: UPS ... indistinguishable from phishing (Kamens, RISKS-25.23)

> In this day and age, it is amazing to see a corporation as large as UPS
> failing to use the two easiest and most well-known methods of
> differentiating legitimate e-mail from scams -- put the customer's name in
> the e-mail, and make sure that all the links point directly at your site.
In this day and age you can see the most amazing array of entities, which
you would expect to behave professionally, using subcontractors, so that
various links or mail addresses have names different from what you would
expect. It is part of the same mindset, which forces you to leave JavaScript
enabled, if you want to be able to use your browser for more than the very
few responsible web sites.

George M. Sigut, ETH Zurich, Informatikdienste, CH-8092 Zurich
Swiss Federal Inst. of Technology Zurich, IT Services, System Services
+41 44 632 5763

------------------------------

Date: Mon, 04 Aug 2008 11:22:06 -0500
From: Al Macintyre <macwheel99_at_private>
Subject: Re: Fascinating phishing attack: valid links, dangerous ... number

If you were a member of KNUJON (no junk backwards) and had passed this on to
them, they would likely have passed the info on to US Secret Service, or
equivalent organization if some other nation involved, because they protect
the nation's currency.

Knujon wants your spam, to use in the fight against those that generate it,
and provide the criminal infrastructure, such as crooked web sites, and
phone#s for crooks. They have put approx 60,000 cyber criminals out of
business since March 2005.

I suggest you familiarize yourself with KNUJON services in fighting cyber
crime.

http://www.knujon.com/

------------------------------

Date: Tue, 5 Aug 2008 18:49:27 +0100
From: Robin Stevens <rejs_at_private>
Subject: Re: Apple Fails to Patch Critical Exploited DNS Flaw (RISKS-25.25)

I too was unimpressed by Apple's slow response to Kaminsky's DNS flaw (which
appears to be inadequate - see <http://db.tidbits.com/article/9721>).
Unfortunately it's far from the only flaw they've been slow to correct.

Their latest version of the operating system (OS X 10.5) still ships with a
root hints file dating from 2002. This hints file is the one used to
"bootstrap" the whole process of DNS resolution, by listing the IP addresses
of the thirteen top-level servers.
Unfortunately, since 2002, two of the IP addresses have changed. This isn't
generally a problem; if the first address tried fails to respond, then a
nameserver will simply try another. But what if, instead of getting no
response from an obsolete root server address, a malicious response is
received from a third party?

This isn't purely scare-mongering. Hijacking of an old address has already
been seen, e.g.:
<http://www.renesys.com/blog/2008/05/identity_theft_hits_the_root_n_1.shtml>
following the most recent address change. There's no reason to suspect any
malicious intent in this case, but it could have happened.

I reported to Apple in early 2006 that their root hints file was out of
date. They responded, telling me they were already aware of this. OS X 10.5
shipped last year, with the same outdated hints file. It's *still* unfixed
- why?

Robin Stevens <rejs@private>  http://www.cynic.org.uk/

------------------------------

Date: Mon, 4 Aug 2008 17:33:53 +0100
From: Dr J R Stockton <jrs_at_private>
Subject: Re: Another GPS error story (Spafford, RISKS-25.25)

>Sat-nav driver's 1600-mile error: A DOZY trucker driving from Turkey to
>Coral Road in Gibraltar ended up at Skegness. Gibraltar is considered part
>of the UK by the Sat-Nav systems.

That omits an important point -- the driver was in fact directed to
*Gibraltar Point*, which is on the outskirts of Skegness in Lincolnshire
(see Wikipedia, etc.). Iberian Gibraltar is British, but is not part of the
UK.

  [Also noted by Tony Ford. PGN]

------------------------------

Date: Sun, 3 Aug 2008 20:12:52 -0400
From: Gene Spafford <spaf_at_private>
Subject: Survey: Perception of security in online environments

Please participate, and please pass the invitation along to others...
From: Johannes Strobel [mailto:johannes.strobel_at_private]
Survey: Security Incidents and perception of security in online environments

Invitation to Participate in Survey

As a team consisting of members of the Center for Education and Research in
Information and Security (CERIAS) and Educational Technology at Purdue
University, we are conducting a study investigating information security
incidents and perception of security in online environments (games and
virtual worlds), especially when it comes to educational institutions.

We developed a survey and invite you to participate. Your identity will be
kept confidential and not published or disclosed. Your participation will
be strictly voluntary and you will be free to withdraw from participation
at any time. It is entirely up to you, if you want to be contacted for some
follow up questions.

In all likelihood, unless you write extensive responses to the open-ended
questions (which we would encourage), the survey should take about 15
minutes. It will be online until late August.

The url for the survey is:
http://www.surveymonkey.com/s.aspx?sm=_2fKEhOBQUA5MxHCc7g7F_2fPA_3d_3d

If you have any questions please email us. Thank you in advance.

Johannes Strobel & Fariborz Farahmand

------------------------------

Date: Mon, 28 Jul 2008 14:33:17 -0800
From: Rob Slade <rmslade_at_private>
Subject: REVIEW: "The Innocent Man", John Grisham

BKINCTMN.RVW   20080715

"The Innocent Man", John Grisham, 2006, 0-385-51723-8, U$28.95/C$35.95
%A   John Grisham www.jgrisham.com
%C   666 Fifth Ave., New York, NY 10103
%D   2006
%G   0-385-51723-8
%I   Bantam Books/Doubleday/Dell
%O   U$28.95/C$35.95 800-323-9872 www.bdd.com www.doubleday.com
%O   http://www.amazon.com/exec/obidos/ASIN/0385517238/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0385517238/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0385517238/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   360 p.
%T   "The Innocent Man: murder and injustice in a small town"

In seminars dealing with forensics and investigation, I stress to my
students that it is important to be scrupulous, unprejudiced, and honest in
your investigation. This is not only to give the suspect a "fair chance,"
but also because when you become fixated on proving the guilt of an
individual, you may fail to determine the identity of the person who
actually committed the crime.

"The Innocent Man" is the story of the improper conviction of Ron
Williamson for murder, as well as the interrelated stories of other improper
convictions around the same time and place.

John Grisham's popular novels have demonstrated his ability to write. They
have also established his knowledge of the law and competence in research.
This, the author's first non-fiction text, puts that expertise to good work.
The ground is covered thoroughly, noting limitations on the part of all
involved. Grisham is, in fact, very careful to be fair, and avoids
imputations of motive (which is rather at odds with the descriptions of
motivation he must make in his fictional works). United States case law in
regard to investigations, confessions, and aspects of forensic evidence and
presentation is introduced carefully at every point.

There are, of course, a great many books written about specific crimes and
their outcomes. A number have been written about wrongful convictions.
However, "The Innocent Man" is particularly relevant to those interested in
the management of investigations, especially where forensic, rather than
direct, evidence plays a major part in the case. In one sense, it is an
excellent primer on how not to conduct an investigation.

The justice system is created and staffed by people, and people make
mistakes. This is why structures have been created to catch possible
errors. The adversarial system itself, and various appeals processes, are
intended to act as audits, checks, and balances for the system.
It is, therefore, critical to note one other disturbing point that arises
from the events in the book. There are numerous layers of appeals, but a
consistency of personnel and direction between the various offices. As any
student of internal controls knows, weak separation of duties creates the
possibility of all kinds of problems.

This book is entertaining, readable, distressing, and important.

copyright Robert M. Slade, 2008   BKINCTMN.RVW   20080715
rslade_at_private  slade_at_private  rslade_at_private
victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 <http://www.csl.sri.com/illustrative.html> for browsing,
 <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
 <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.26
************************
Received on Wed Aug 06 2008 - 16:04:24 PDT
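Added example (not part of the digest, and not anyone's production code): the heuristic Jonathan Kamens is quoted with in the UPS thread, that every link in a legitimate notice should point at the sender's own site, run over a constructed copy of the E-ZPass statement that Mike Porter forwarded. The sender domain "ezpass.example" is a placeholder for the obfuscated address on the page; the link host (ezpassstatements.gdocs.com) and relay host (isecurus.com) are the ones in his message. A non-empty result means "verify out of band before typing a PIN", which is exactly the situation Porter found himself in.

```python
"""Flag mail whose links or relays fall outside the sender's claimed domain."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample, modelled on the forwarded message in the digest.
# "ezpass.example" stands in for the obfuscated real sender domain.
SAMPLE_MESSAGE = """\
Return-Path: <ezbounce@ezpass.example>
Received: from isecurus.com ([198.190.195.76]) by mail.example.org
Date: Wed, 16 Jul 2008 12:44:25 -0400
From: E-ZPass Customer Service <ezpass@ezpass.example>
To: <me@example.org>
Subject: E-ZPass Statement
Reply-To: ezpass@ezpass.example

Your statement will be available for 30 days from the date of this e-mail.
If you wish to save your statement, please access the link below.
https://ezpassstatements.gdocs.com/EZPassMtg/EZPass.cfm?p_no=1234567
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RECEIVED_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(host):
    """Crude organisation domain: the last two labels. Adequate for this
    comparison; a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domains(msg):
    """Domains claimed by the From and Reply-To headers."""
    found = set()
    for hdr in ("From", "Reply-To"):
        for addr in (msg.get(hdr) or "").split(","):
            if "@" in addr:
                host = addr.rsplit("@", 1)[1].strip(" <>")
                found.add(registrable_domain(host))
    return found


def link_hosts(msg):
    """Hostnames of every http(s) URL in the plain-text body."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return sorted({urlparse(u).hostname for u in URL_RE.findall(body)})


def relay_hosts(msg):
    """Hostnames named in 'Received: from ...' headers, newest first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.match(hdr.strip())
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def check_message(raw, trusted_domains=()):
    """Return findings (strings). An empty list means every link and relay
    sits inside the sender's claimed domain or an explicitly trusted one,
    e.g. a statement contractor the organisation has told you it uses."""
    msg = email.message_from_string(raw, policy=policy.default)
    allowed = sender_domains(msg) | {d.lower() for d in trusted_domains}
    findings = []
    for host in link_hosts(msg):
        if registrable_domain(host) not in allowed:
            findings.append(f"link host {host} is outside sender domains {sorted(allowed)}")
    for host in relay_hosts(msg):
        if registrable_domain(host) not in allowed:
            findings.append(f"relay {host} is outside sender domains {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE):
        print("VERIFY:", finding)
```

Run as written, the two findings are the third-party statement host and the third-party relay; passing both as trusted_domains (after confirming them with the organisation, as Porter did by telephone) clears the message. The check deliberately treats the Reply-To domain as "claimed", not trusted: it tells you whether the message is internally consistent, not whether the sender is who it says.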
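Added example for Robin Stevens' root hints item (not code from the digest, from Apple or from ISC): an audit that parses a BIND-style root hints file and reports every server whose listed address disagrees with a reference list the operator trusts, which is the check that would have caught a 2002-vintage file shipping in 2008. Both the hints text and the reference dictionary are constructed samples with documentation-range addresses; they are not the real root server addresses.

```python
"""Audit a named.root-style hints file against a reference address list."""
import ipaddress

# Constructed hints file in the named.root layout (owner, TTL, type, rdata);
# the addresses are invented, not real root server addresses.
STALE_HINTS = """\
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.107
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     198.51.100.12
"""

# Constructed reference: the addresses the operator currently believes are
# correct (in practice, fetched from the authoritative source and checked).
REFERENCE = {
    "a.root-servers.net": {"192.0.2.4"},
    "b.root-servers.net": {"192.0.2.201"},   # renumbered after the hints file was written
    "c.root-servers.net": {"198.51.100.12"},
    "d.root-servers.net": {"203.0.113.90"},  # not present in the hints file at all
}


def parse_hints(text):
    """Return (set of server names announced as NS for '.',
               dict name -> set of A/AAAA addresses).
    ';' starts a comment; a class field ("IN") may or may not be present."""
    names, addrs = set(), {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1]
        if owner == "." and rtype == "NS":
            names.add(rdata.lower().rstrip("."))
        elif rtype in ("A", "AAAA"):
            ipaddress.ip_address(rdata)  # reject malformed addresses loudly
            addrs.setdefault(owner.rstrip("."), set()).add(rdata)
    return names, addrs


def audit_hints(text, reference):
    """Findings as a list of strings; empty means hints and reference agree.
    A stale address is the case Stevens describes: the resolver will still
    send queries to an address the root operator no longer controls."""
    names, addrs = parse_hints(text)
    findings = []
    for name in sorted(names):
        have = addrs.get(name, set())
        want = reference.get(name)
        if want is None:
            findings.append(f"{name}: not in reference list")
            continue
        for ip in sorted(have - want):
            findings.append(f"{name}: stale address {ip}")
        for ip in sorted(want - have):
            findings.append(f"{name}: missing current address {ip}")
    for name in sorted(set(reference) - names):
        findings.append(f"{name}: in reference list but absent from hints")
    return findings


if __name__ == "__main__":
    for finding in audit_hints(STALE_HINTS, REFERENCE):
        print(finding)
```

The stale-address finding is the one to act on: the resolver has no way to tell an old address that now answers from a stranger apart from the real server, so the fix is to replace the file, not to rely on fallback to the next server.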
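Added example for Peter Zilahy Ingerman's "security question" item (not Granite Commerce's code, nor anything from the digest): the single-word acceptance rule he reports, beside a validator that normalises whitespace, case and accents before salting and hashing the answer, so "New York City" is accepted and still matches when the user later types it with different spacing or capitalisation. The answers and the fixed test salt are constructed.

```python
"""Accept multi-word security-question answers without weakening the check."""
import hashlib
import hmac
import os
import re
import unicodedata

WORD_ONLY = re.compile(r"^[A-Za-z]+$")
ITERATIONS = 100_000


def single_word_validator(answer):
    """The behaviour reported on the page: one bare word or rejection.
    It rejects "New York City" and accepts "Newyorkcity", and applies no
    other check at all."""
    return bool(WORD_ONLY.match(answer))


def normalise(answer):
    """Case-fold, strip diacritics, and collapse runs of whitespace or
    punctuation so the stored value does not depend on how the user typed it."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(re.findall(r"[a-z0-9]+", stripped.casefold()))


def validate_answer(answer, min_len=2, max_len=100):
    """Hardened acceptance rule: something is left after normalisation and
    the length is bounded (so the field cannot be used to store arbitrary data)."""
    return min_len <= len(normalise(answer)) <= max_len


def enrol(answer, salt=None):
    """Store a salted PBKDF2 hash of the normalised answer, never the answer."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify(answer, salt, stored):
    """Constant-time comparison of the candidate against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    for city in ("New York City", "Newyorkcity", "Saint-Étienne"):
        print(f"{city!r}: one-word rule={single_word_validator(city)} "
              f"hardened={validate_answer(city)} stored as {normalise(city)!r}")
```

Normalising before hashing is what lets the site accept the natural spelling without turning every later typo into a lockout; hashing with a per-user salt is what keeps a leaked database from revealing everyone's birthplace, which is the other weakness of storing a bare single word.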
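Added example for Michael Weiner's Skype item (a model, not Skype's design or code): a session registry that implements the two fixes he asks for. A login returns the other devices that currently hold a live session on the account, so the user can see the forgotten laptop, and a password change bumps a per-account generation counter so every existing session fails validation, which is the effect Weiner relies on when he changes his password. User and device names are constructed.

```python
"""Session registry: surface concurrent logins, revoke all on password change."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    device: str
    password_generation: int   # generation the session was issued under


@dataclass
class Account:
    name: str
    password_generation: int = 0
    sessions: dict = field(default_factory=dict)   # token -> Session


class SessionRegistry:
    def __init__(self):
        self.accounts = {}

    def login(self, user, device):
        """Issue a session token and report the OTHER devices that still
        hold a live session, so the client can warn the user."""
        acct = self.accounts.setdefault(user, Account(user))
        others = sorted({s.device for s in acct.sessions.values() if s.device != device})
        token = secrets.token_urlsafe(16)
        acct.sessions[token] = Session(token, device, acct.password_generation)
        return token, others

    def is_valid(self, user, token):
        """A token is live only if it was issued under the current password."""
        acct = self.accounts.get(user)
        s = acct.sessions.get(token) if acct else None
        return s is not None and s.password_generation == acct.password_generation

    def change_password(self, user):
        """Bumping the generation invalidates every outstanding session, including
        ones on machines the user no longer has access to; the table is cleared
        as well so the stale entries do not linger."""
        acct = self.accounts[user]
        acct.password_generation += 1
        acct.sessions.clear()

    def logout(self, user, token):
        self.accounts[user].sessions.pop(token, None)

    def active_devices(self, user):
        acct = self.accounts.get(user)
        return sorted(s.device for s in acct.sessions.values()) if acct else []


if __name__ == "__main__":
    reg = SessionRegistry()
    reg.login("alice", "friend-laptop")          # the forgotten login
    token, others = reg.login("alice", "phone")
    print("other devices with a live session:", others)
    reg.change_password("alice")
    print("phone session still valid after password change:", reg.is_valid("alice", token))
```

The generation counter is the important part: it revokes sessions without the server having to locate each device, and it costs one integer per account rather than a round trip per client.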