[RISKS] Risks Digest 25.26

From: RISKS List Owner <risko_at_private>
Date: Wed, 6 Aug 2008 16:04:24 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 6 August 2008  Volume 25 : Issue 26

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.26.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
'Fakeproof' microchipped British e-passport is cloned in minutes
  (Martyn Thomas)
On Metro Fraud and NXP (David Lesher)
11 charged in largest ID theft in U.S. history (Paul Saffo)
Theft perils 150,000 on Busch laptop (PGN)
Verified Identity Pass: CLEAR Suspended Following Laptop Theft (PGN)
Unsuspected travelers' laptops may be detained at border (Ellen Nakashima
  via Monty Solomon)
Neglecting to logout from Skype means sharing your Instant Messages
  (Michael Weiner)
Another small interface risk (Peter Zilahy Ingerman)
E-Z Pass Maryland training customers to visit random sites? (Mike Porter)
Prescription Data Used To Assess Consumers (Ellen Nakashima via
  Monty Solomon)
Re: What's in a name? (Dag-Erling Smørgrav)
Re: UPS ... indistinguishable from phishing (G.M.Sigut)
Re: Fascinating phishing attack: valid links, dangerous ... number
  (Al Macintyre)
Re: Apple Fails to Patch Critical Exploited DNS Flaw (Robin Stevens)
Re: Another GPS error story (J R Stockton)
Survey: Perception of security in online environments
  (Gene Spafford)
REVIEW: "The Innocent Man", John Grisham (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 06 Aug 2008 09:21:06 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: 'Fakeproof' microchipped British e-passport is cloned in minutes

http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece

Martyn Thomas CBE FREng  http://www.thomas-associates.co.uk

------------------------------

Date: Thu, 24 Jul 2008 12:17:57 -0400 (EDT)
From: wb8foz_at_private (David Lesher)
Subject: On Metro Fraud and NXP

I wondered whether the recent mag-stripe card fraud arrests (RISKS-25.24)
would prompt WMATA [DC Metro] to intensify their campaigns to encourage/
coerce riders into their new stored value smartcards, over the existing
anonymous magstripe/paper ones.

That same day, multiple sources report a Dutch judge ruled that research by
Prof Bart Jacobs (see RISKS-25.17) and colleagues from Radboud University,
Nijmegen in March 2008 can be published. This work exposed significant flaws
in NXP's smartcards, used in London's "Oyster" transport system (RISKS-25.22
and 24), transit systems in many other cities, and for access to many Dutch
government buildings.

The vendor, NXP, sought a permanent injunction against releasing the work.

The court ruled: "Damage to NXP is not the result of the publication of the
article but of the production and sale of a chip that appears to have
shortcomings."

<http://technology.timesonline.co.uk/tol/news/tech_and_web/article4373717.ece>
<http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/7516869.stm>

------------------------------

Date: Tue, 5 Aug 2008 22:21:08 -0700
From: Paul Saffo <paul_at_private>
Subject: 11 charged in largest ID theft in U.S. history

  [Another compelling reminder to go to the ATM and -- USE CASH!  -p]

More than 40 million debit and credit card account numbers were stolen from
major retailers. Fraud is estimated in the tens of millions of dollars.
[Source: Joseph Menn and Andrea Chang, 11 charged in largest ID theft in
U.S. history, *Los Angeles Times*, 5 Aug 2008; PGN-ed]
  http://www.latimes.com/business/la-fi-hack6-2008aug06,0,6262500.story

Federal authorities said Tuesday that they had cracked the largest case of
identity theft in U.S. history, charging 11 people in the theft of more than
40 million credit and debit card account numbers from computer systems at
such major retailers as TJ Maxx and Barnes & Noble.  The three-year
investigation by federal agencies and overseas allies brought home the
global nature of the Internet's underground economy as agents tracked leads
from China to Ukraine and picked up suspects in Turkey and Germany as well
as the U.S.

To the chagrin of the U.S. Secret Service, which handles many electronic
fraud investigations, the trail led back to one of its own informants,
Albert Gonzalez. Justice Department officials said Gonzalez served as the
ringleader and double-crossed the agency by tipping off his
cohorts. Prosecutors said Gonzalez could face a life term in prison.

------------------------------

Date: Tue, 5 Aug 2008 14:16:13 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Theft perils 150,000 on Busch laptop

About 150,000 people in six states have been affected by the theft in June
2008 of laptops that contained personal information on current and former
Anheuser-Busch employees.  [Source: a short item in the *San Francisco
Chronicle*, 5 Aug 2008, p. D2; PGN-ed]

------------------------------

Date: Tue, 5 Aug 2008 10:36:43 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Verified Identity Pass: CLEAR Suspended Following Laptop Theft

  [Thanks to Richard M. Smith]

Verified Identity Pass, which operates under the brand name CLEAR, was
suspended by the Transportation Security Administration Monday after a
laptop containing personal information for 33,000 people signing up for
their registered traveler program was stolen from San Francisco
International Airport.

The company is in the process of notifying the people, who were signing up
for an expedited airport check-in service, that their personal information
may have been stolen.

Officials said a laptop containing the data was stolen from a locked office
at the airport. The information on the laptop was not encrypted.  There was
no credit card data or any social security numbers stored on the laptop, but
there were names, addresses and other personal data.

Verified Identity Pass will not be able to enroll new customers into the
registered traveler program until the TSA verifies that the company is
compliant with security procedures.
  http://abclocal.go.com/kgo/story?section=news/local&id=6306342

  [CLEAR-ed out for now, but don't forget TSA Loses Hard Drive With Personal
  Info on about 100,000 employees, RISKS-24.66, 8 May 2007.
    http://catless.ncl.ac.uk/Risks/24.66.html#subj8
  PGN]

------------------------------

Date: Mon, 4 Aug 2008 20:05:30 -0400
From: Monty Solomon <monty_at_private>
Subject: Unsuspected travelers' laptops may be detained at border

Ellen Nakashima, Travelers' Laptops May Be Detained At Border; No Suspicion
Required Under DHS Policies, *The Washington Post*, 1 Aug 2008, A01

Federal agents may take a traveler's laptop computer or other electronic
device to an off-site location for an unspecified period of time without any
suspicion of wrongdoing, as part of border search policies the Department of
Homeland Security recently disclosed.

Also, officials may share copies of the laptop's contents with other
agencies and private entities for language translation, data decryption or
other reasons, according to the policies, dated July 16 and issued by two
DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and
Customs Enforcement.  ...

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080103030.html

------------------------------

Date: Tue, 05 Aug 2008 20:32:32 +0200
From: "Michael Weiner" <michael_weiner_at_private>
Subject: Neglecting to logout from Skype means sharing your Instant Messages

Six months ago, I briefly used Skype on a friend's laptop. Yesterday, that
very friend -- who is not very computer-savvy -- told another friend of mine
that she had found a way to read other people's Skype messages. The other
friend looked into the matter -- turns out that I had remained logged in on
her laptop for the past six months and that she had read every single one of my
instant messages during that time. Obviously, I had not noticed that the
"Automatically log this user on" box was ticked when I logged on and had
forgotten to log out.

The RISKS are obvious. So are possible fixes: The "Automatically log this
user on every time Skype starts" box should never be active by default and a
confirmation should be requested. Also, Skype should make users aware if
they are simultaneously logged into the same account from different
machines. The only way out at the moment is to change the Skype password
frequently as this will terminate all sessions you may have forgotten to log
out from yourself.

According to several messages on the Skype Community forum, Skype considers
the ability to remain logged in to the same account on several machines a
"feature" and sees no need to fix anything.
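The two fixes the post asks for (tell the user where else the account is live, and let a password change kill every session, including a "remembered" one on someone else's machine) come down to keeping a server-side registry of sessions per account. The following is an added example that models that design, not Skype's code; the account names, device labels and PBKDF2 parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time


class SessionRegistry:
    """Server-side registry of live sessions, indexed by token and by account."""

    def __init__(self):
        self._sessions = {}    # token -> {"account", "device", "persistent", "created"}
        self._by_account = {}  # account -> set of tokens

    def login(self, account, device, remember=False):
        """Open a session.  Returns (token, devices_already_logged_in) so the client
        can show the user where else the account is still active.  'remember' is
        the persistent-login box and defaults to off."""
        already_active = [s["device"] for s in self.sessions_for(account)]
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"account": account, "device": device,
                                 "persistent": remember, "created": time.time()}
        self._by_account.setdefault(account, set()).add(token)
        return token, already_active

    def sessions_for(self, account):
        return [self._sessions[t] for t in self._by_account.get(account, ())]

    def is_valid(self, token):
        return token in self._sessions

    def logout(self, token):
        s = self._sessions.pop(token, None)
        if s:
            self._by_account[s["account"]].discard(token)

    def revoke_all(self, account):
        """Terminate every session for the account on every device."""
        for token in list(self._by_account.get(account, ())):
            self.logout(token)


class Accounts:
    """Password store whose credential changes are tied to session revocation."""

    def __init__(self):
        self._creds = {}  # account -> (salt, PBKDF2 digest)
        self.sessions = SessionRegistry()

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, account, password):
        salt = os.urandom(16)
        self._creds[account] = (salt, self._digest(password, salt))

    def check_password(self, account, password):
        salt, digest = self._creds[account]
        return hmac.compare_digest(self._digest(password, salt), digest)

    def login(self, account, password, device, remember=False):
        if not self.check_password(account, password):
            raise PermissionError("bad credentials")
        return self.sessions.login(account, device, remember)

    def change_password(self, account, old, new):
        """The one lever the user always has: a password change must invalidate
        every session, including the remembered one on a machine they no
        longer control."""
        if not self.check_password(account, old):
            raise PermissionError("bad credentials")
        self.register(account, new)
        self.sessions.revoke_all(account)


def scenario():
    """Replays the situation in the post with constructed names."""
    acct = Accounts()
    acct.register("michael", "correct horse")
    borrowed, _ = acct.login("michael", "correct horse", "friends-laptop", remember=True)
    own, others = acct.login("michael", "correct horse", "own-desktop")
    live_before = acct.sessions.is_valid(borrowed)
    acct.change_password("michael", "correct horse", "battery staple")
    return {"warned_about": others,                       # client should surface this
            "borrowed_live_before_change": live_before,
            "borrowed_live_after_change": acct.sessions.is_valid(borrowed),
            "own_live_after_change": acct.sessions.is_valid(own)}


if __name__ == "__main__":
    print(scenario())
```

The second login on "own-desktop" is told that "friends-laptop" still holds a session, and the password change closes both sessions, so the forgotten one on the borrowed machine stops receiving messages without the user having to find that machine again.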

------------------------------

Date: Thu, 24 Jul 2008 17:07:00 -0400
From: "Peter Zilahy Ingerman, PhD" <pzi_at_private>
Subject: Another small interface risk

Granite Commerce (www.granitewebdesign.com) sells a packaged e-commerce
product.  I discovered, when setting up an account with a store that uses
this software, one of the "security questions" offered is "What city were
you born in?". Not, on face, unreasonable.

However ... they only want a one-word answer (and don't say that!), so that
any city requiring an embedded space (e.g. "New York City") is rejected as
being invalid.

  [PGN asked PZI:
    Are there any length constraints?
    Are there checks for your designated birth city being legitimate?
    Otherwise, I suppose you could write Newyorkcity.]

Actually, I verified with the company that purchased the use of the software
... and it is, exactly, that the software "requires" a single word, with no
other checks!

  [Wow!  Spaced-out software.  PGN]
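The defect is a validator that enforces a syntactic rule ("one word") the user was never told about, instead of comparing a normalised form of the answer. As an added example, not Granite Commerce's code, the block below puts a model of the strict one-word check next to a normalise-then-hash comparison that treats "New York City", "new york city" and PGN's "Newyorkcity" as the same answer; the regex, normalisation rules and PBKDF2 parameters are choices made here, not taken from the product.

```python
import hashlib
import hmac
import os
import re
import unicodedata

ONE_WORD = re.compile(r"[A-Za-z]+")


def strict_one_word(answer):
    """Model of the validator described in the post: only a single bare
    alphabetic word passes, so an embedded space is rejected outright."""
    return ONE_WORD.fullmatch(answer) is not None


def normalize(answer):
    """Canonical form for comparison: Unicode NFKC, case-folded, and every
    character that is not a letter or digit dropped, so spacing, case and
    punctuation ('St. Louis' vs 'st louis') do not matter."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def enroll(answer, salt=None):
    """Store only a salted, stretched digest of the normalised answer; an
    answer that normalises to nothing is refused rather than accepted as ''."""
    canonical = normalize(answer)
    if not canonical:
        raise ValueError("answer must contain at least one letter or digit")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, 100_000)
    return salt, digest


def verify(answer, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("strict check accepts 'New York City':", strict_one_word("New York City"))
    salt, digest = enroll("New York City")
    for attempt in ("new york city", "Newyorkcity", "Boston"):
        print(attempt, "->", verify(attempt, salt, digest))
```

Normalising before hashing is what makes the stored digest usable at all; without it the site would have to store the raw answer to tolerate formatting differences. The caveat a practitioner would add is that birthplace is public data for many people, so whatever the validator does, a security question of this kind is a weak authenticator and should not be the only gate on account recovery.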

------------------------------

Date: Thu, 24 Jul 2008 10:41:19 -0400 (EDT)
From: Mike Porter <mike_at_private>
Subject: E-Z Pass Maryland training customers to visit random sites?

... and type in a PIN?

My EZ-Pass Maryland statements come to me as follows.  The From: field does
not even make an attempt to represent EZ-Pass Maryland, and the headers do
not either.  I spoke with the EZ-Pass Maryland help desk and they suggested
the message was likely a phishing message.

However, phone calls to the sender led to an IT person who claimed they did
in fact handle statements for EZ-Pass Maryland.  Eventually, I did type in
my PIN and a valid statement was produced.

Email to EZ-Pass Maryland asking for further clarification has been ignored.
I still do not know for sure if this message is valid, but the PIN I use for
this site is unique.  I also receive these each month and do not receive
anything else from EZ-Pass Maryland.

  ---------- Forwarded message ----------
  Return-Path: <ezbounce_at_private>
  Received: from md1.nss.udel.edu (md1.nss.udel.edu [128.175.1.11]) ...
  Received: from isecurus.com ([198.190.195.76])
  Date: Wed, 16 Jul 2008 12:44:25 -0400
  From: E-ZPass Customer Service<ezpass_at_private>
  To: <me>
  Subject: E-ZPass Statement
  Reply-To: ezpass_at_private
  ...

  Your statement will be available for 30 days from the date of this
  e-mail. If you will need to access your statement beyond the 30 day period
  or wish to save your statement, please access the link below. ...
  https://ezpassstatements.gdocs.com/EZPassMtg/EZPass.cfm?p_no=#############
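What the poster did by hand (compare the From domain, the relay in the earliest Received header, the Reply-To and the link host against the brand the mail claims to come from) is mechanical enough to script. The following is an added example, not anything E-ZPass or its contractor runs; the message is constructed with the same shape as the forwarded headers but with RFC 2606 reserved names and RFC 5737 addresses, and "ezpass.example.com" and "example.edu" are hypothetical stand-ins for the toll authority's domain and the recipient's own mail domain.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message modelled on the forwarded statement notice; hosts and
# addresses are reserved documentation values, not the originals.
SAMPLE = """\
Return-Path: <ezbounce@mailer.example.net>
Received: from mx.example.edu (mx.example.edu [192.0.2.11])
    by inbox.example.edu with ESMTP; Wed, 16 Jul 2008 12:44:30 -0400
Received: from relay.example.net ([198.51.100.76])
    by mx.example.edu with SMTP; Wed, 16 Jul 2008 12:44:25 -0400
Date: Wed, 16 Jul 2008 12:44:25 -0400
From: E-ZPass Customer Service <ezpass@example.net>
To: <me@example.edu>
Subject: E-ZPass Statement
Reply-To: service@ezpass.example.com

Your statement will be available for 30 days from the date of this e-mail.
To save it, please access the link below.
https://statements.example.org/EZPass/EZPass.cfm?p_no=1234
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s<>]+")


def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def check_sender_consistency(raw, expected_domain, own_domain):
    """Return the (kind, host) pairs that are not under expected_domain.
    Received headers are read bottom-up (earliest hop first); the first hop
    that is not one of our own MTAs is the outside relay.  Headers above it
    were added by own_domain and can be trusted to name that relay; anything
    below it was written by the sender and can say whatever it likes."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, sender = parseaddr(str(msg["From"]))
    findings.append(("from", sender.rsplit("@", 1)[-1]))
    if msg["Reply-To"]:
        _, reply = parseaddr(str(msg["Reply-To"]))
        findings.append(("reply-to", reply.rsplit("@", 1)[-1]))

    hops = [RECEIVED_FROM.match(str(r)) for r in reversed(msg.get_all("Received", []))]
    external = [m.group(1) for m in hops if m and not in_domain(m.group(1), own_domain)]
    if external:
        findings.append(("relay", external[0]))

    body = msg.get_content() if not msg.is_multipart() else ""
    for url in URL.findall(body):
        findings.append(("link", urlparse(url).hostname or ""))

    return [(kind, host) for kind, host in findings if not in_domain(host, expected_domain)]


if __name__ == "__main__":
    for kind, host in check_sender_consistency(SAMPLE, "ezpass.example.com", "example.edu"):
        print(f"{kind:9s} {host}  (not under ezpass.example.com)")
```

Three of the four indicators point outside the claimed domain; only the Reply-To matches. That is exactly the pattern that makes a legitimate outsourced mailing indistinguishable from phishing, and the script cannot tell the two apart either: the fix is on the sender's side (send from, and link to, hosts under the brand's own domain), which is what the help desk's "probably phishing" answer implicitly concedes.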

------------------------------

Date: Mon, 4 Aug 2008 18:56:39 -0400
From: Monty Solomon <monty_at_private>
Subject: Prescription Data Used To Assess Consumers (Ellen Nakashima)

Records Aid Insurers but Prompt Privacy Concerns
[Source: Ellen Nakashima, *The Washington Post*, 4 Aug 2008; A01; PGN-ed]

Health and life insurance companies have access to a powerful new tool for
evaluating whether to cover individual consumers: a health "credit report"
drawn from databases containing prescription drug records on more than 200
million Americans.  Collecting and analyzing personal health information in
commercial databases is a fledgling industry, but one poised to take off as
the nation enters the age of electronic medical records. While lawmakers
debate how best to oversee the shift to computerized records, some insurers
have already begun testing systems that tap into not only prescription drug
information, but also data about patients held by clinical and pathological
laboratories.

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/03/AR2008080302077.html

------------------------------

Date: Fri, 25 Jul 2008 14:33:25 +0200
From: "Dag-Erling Smørgrav" <des_at_private>
Subject: Re: What's in a name? (Houppermans, RISKS-25.24)

Peter Houppermans <peter_at_private> writes:
> [...] Over the years I even had an official suggesting I should change
> my name or at least the sequence.  So the idea is that I change my
> name to suit what is a clear lack of flexibility in official systems.

There was a news report a few years ago of a Norwegian company that decided
to drag its blue-collar employees kicking and screaming into the 21st
century by giving them all free Internet access and email accounts.  The IT
department arrived at a strict email account naming policy, following the
usual firstname.surname_at_private pattern.

You can see it coming a mile away: the company happened to have two
employees with the exact same name.  The IT department refused to make an
exception, citing technical limitations.  Their proposed solution was that
one of the pair should have his name legally changed to accommodate their
policy.

You can't make this up, folks.

Dag-Erling Smørgrav - des_at_private

------------------------------

Date: Tue, 29 Jul 2008 10:30:59 +0200
From: "G.M.Sigut" <sigut_at_private>
Subject: Re: UPS ... indistinguishable from phishing (Kamens, RISKS-25.23)

> In this day and age, it is amazing to see a corporation as large as UPS
> failing to use the two easiest and most well-known methods of
> differentiating legitimate e-mail from scams -- put the customer's name in
> the e-mail, and make sure that all the links point directly at your site.

In this day and age you can see the most amazing array of entities, which
you would expect to behave professionally, using subcontractors so that
various links or mail addresses have names different from what you would
expect. It is part of the same mindset which forces you to leave JavaScript
enabled if you want to be able to use your browser for more than the very
few responsible web sites.

George M. Sigut, ETH Zurich, Informatikdienste, CH-8092 Zurich Swiss Federal
Inst. of Technology Zurich, IT Services, System Services +41 44 632 5763

------------------------------

Date: Mon, 04 Aug 2008 11:22:06 -0500
From: Al Macintyre <macwheel99_at_private>
Subject: Re: Fascinating phishing attack: valid links, dangerous ... number

If you were a member of KNUJON (no junk backwards) and had passed this on to
them, they would likely have passed the info on to the US Secret Service, or
an equivalent organization if some other nation were involved, because they
protect the nation's currency.

Knujon wants your spam, to use in the fight against those that generate it,
and provide the criminal infrastructure, such as crooked web sites, and
phone#s for crooks.  They have put approx 60,000 cyber criminals out of
business since March 2005.  I suggest you familiarize yourself with KNUJON
services in fighting cyber crime.  http://www.knujon.com/

------------------------------

Date: Tue, 5 Aug 2008 18:49:27 +0100
From: Robin Stevens <rejs_at_private>
Subject: Re: Apple Fails to Patch Critical Exploited DNS Flaw (RISKS-25.25)

I too was unimpressed by Apple's slow response to Kaminsky's DNS flaw (a
response which also appears to be inadequate - see
<http://db.tidbits.com/article/9721>).  Unfortunately it's far from the only
flaw they've been slow to correct.

Their latest version of the operating system (OS X 10.5) still ships with a
root hints file dating from 2002.  This hints file is the one used to
"bootstrap" the whole process of DNS resolution, by listing the IP addresses
of the thirteen top-level servers.  Unfortunately, since 2002, two of the IP
addresses have changed.  This isn't generally a problem; if the first
address tried fails to respond, then a nameserver will simply try another.

But what if, instead of getting no response from an obsolete root server
address, a malicious response is received from a third party?  This isn't
purely scare-mongering.  Hijacking of an old address has already been seen,
e.g.:
<http://www.renesys.com/blog/2008/05/identity_theft_hits_the_root_n_1.shtml>
following the most recent address change.  There's no reason to suspect any
malicious intent in this case, but it could have happened.

I reported to Apple in early 2006 that their root hints file was out of
date.  They responded, telling me they were already aware of this.  OS X
10.5 shipped last year, with the same outdated hints file.  It's *still*
unfixed - why?

Robin Stevens  <rejs@private> http://www.cynic.org.uk/
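A stale hints file is easy to audit: parse the file the resolver ships with, parse the currently published list with the same routine, and report every address that the file still has but the published set no longer does, since that address may now be announced by someone else. The block below is an added example, not Apple's or BIND's code; the hints text and the "published" set are constructed, using RFC 5737/3849 documentation addresses rather than the real root server addresses, so that the file deliberately contains two moved addresses, one missing server and one NS name without glue.

```python
import ipaddress

# Constructed sample in BIND named.root (master file) format.  Addresses are
# documentation ranges, NOT the real root servers; the shape is what matters.
SAMPLE_HINTS = """\
;       constructed root hints, modelled on the file a resolver ships with
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.107
.                        3600000      NS    C.ROOT-SERVERS.NET.
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.51.100.12
"""

# Constructed stand-in for the currently published set.  In practice, fetch
# the authoritative named.root and run it through parse_hints() as well.
PUBLISHED = {
    "A.ROOT-SERVERS.NET.": {"192.0.2.4", "2001:db8::4"},
    "B.ROOT-SERVERS.NET.": {"203.0.113.201"},   # B has moved since the file was written
    "L.ROOT-SERVERS.NET.": {"198.51.100.42"},   # L has moved too
    "M.ROOT-SERVERS.NET.": {"203.0.113.33"},    # M is not in the file at all
}


def parse_hints(text):
    """Return (root NS names, {server: set of A/AAAA addresses}).  Comments
    start with ';'.  TTL and class ('IN') are optional in master format, so
    type and rdata are taken from the right-hand end of each record."""
    ns, addrs = set(), {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 3:
            continue
        owner, rtype, rdata = fields[0].upper(), fields[-2].upper(), fields[-1]
        if owner == "." and rtype == "NS":
            ns.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            ipaddress.ip_address(rdata)          # reject anything that is not an address
            addrs.setdefault(owner, set()).add(rdata)
    return ns, addrs


def audit_hints(hints_text, published):
    """Compare a shipped hints file against the published root server set."""
    ns, addrs = parse_hints(hints_text)
    stale = {}
    for server, have in addrs.items():
        gone = have - published.get(server, set())
        if gone:                                 # a third party may now answer here
            stale[server] = gone
    return {
        "stale": stale,
        "missing": set(published) - set(addrs),  # servers the file does not know
        "no_glue": ns - set(addrs),              # NS names with no address to contact
    }


if __name__ == "__main__":
    for key, value in audit_hints(SAMPLE_HINTS, PUBLISHED).items():
        print(f"{key:8s} {value}")
```

On a real system, point `parse_hints` at the resolver's own hints file (BIND installs it as named.root or db.cache; the path varies by platform) and at a freshly downloaded copy of the published list. For each address that is still in your file, `dig +norecurse NS . @<address>` should come back with the root NS set and the AA flag; an address that answers with something else is precisely the case the post warns about, because the resolver only needs one reachable hint to prime itself and will happily take that answer.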

------------------------------

Date: Mon, 4 Aug 2008 17:33:53 +0100
From: Dr J R Stockton <jrs_at_private>
Subject: Re: Another GPS error story (Spafford, RISKS-25.25)

>Sat-nav driver's 1600-mile error: A DOZY trucker driving from Turkey to
>Coral Road in Gibraltar ended up at Skegness.  Gibraltar is considered part
>of the UK by the Sat-Nav systems.

That omits an important point -- the driver was in fact directed to
*Gibraltar Point*, which is on the outskirts of Skegness in Lincolnshire
(see Wikipedia, etc.).

Iberian Gibraltar is British, but is not part of the UK.

  [Also noted by Tony Ford.  PGN]

------------------------------

Date: Sun, 3 Aug 2008 20:12:52 -0400
From: Gene Spafford <spaf_at_private>
Subject: Survey: Perception of security in online environments

Please participate, and please pass the invitation along to others...

From: Johannes Strobel [mailto:johannes.strobel_at_private]
Survey: Security Incidents and perception of security in online environments

Invitation to Participate in Survey

As a team consisting of members of the Center for Education and Research in
Information and Security (CERIAS) and Educational Technology at Purdue
University, we are conducting a study investigating information security
incidents and perception of security in online environments (games and
virtual worlds), especially when it comes to educational institutions.

We developed a survey and invite you to participate.

Your identity will be kept confidential and not published or disclosed.
Your participation will be strictly voluntary and you will be free to
withdraw from participation at any time. It is entirely up to you, if you
want to be contacted for some follow up questions. In all likelihood, unless
you write extensive responses to the open-ended questions (which we would
encourage), the survey should take about 15 minutes. It will be online until
late August.

The url for the survey is:
http://www.surveymonkey.com/s.aspx?sm=_2fKEhOBQUA5MxHCc7g7F_2fPA_3d_3d

If you have any questions please email us.

Thank you in advance.

Johannes Strobel & Fariborz Farahmand

------------------------------

Date: Mon, 28 Jul 2008 14:33:17 -0800
From: Rob Slade <rmslade_at_private>
Subject: REVIEW: "The Innocent Man", John Grisham

BKINCTMN.RVW   20080715

"The Innocent Man", John Grisham, 2006, 0-385-51723-8, U$28.95/C$35.95
%A   John Grisham www.jgrisham.com
%C   666 Fifth Ave., New York, NY   10103
%D   2006
%G   0-385-51723-8
%I   Bantam Books/Doubleday/Dell
%O   U$28.95/C$35.95 800-323-9872 www.bdd.com www.doubleday.com
%O  http://www.amazon.com/exec/obidos/ASIN/0385517238/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0385517238/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0385517238/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   360 p.
%T   "The Innocent Man: murder and injustice in a small town"

In seminars dealing with forensics and investigation, I stress to my
students that it is important to be scrupulous, unprejudiced, and honest in
your investigation.  This is not only to give the suspect a "fair chance,"
but also because when you become fixated on proving the guilt of an
individual, you may fail to determine the identity of the person who
actually committed the crime.

"The Innocent Man" is the story of the improper conviction of Ron Williamson
for murder, as well as the interrelated stories of other improper
convictions around the same time and place.

John Grisham's popular novels have demonstrated his ability to write.  They
have also established his knowledge of the law and competence in research.
This, the author's first non-fiction text, puts that expertise to good work.
The ground is covered thoroughly, noting limitations on the part of all
involved.  Grisham is, in fact, very careful to be fair, and avoids
imputations of motive (which is rather at odds with the descriptions of
motivation he must make in his fictional works).  United States case law in
regard to investigations, confessions, and aspects of forensic evidence and
presentation is introduced carefully at every point.

There are, of course, a great many books written about specific crimes and
their outcomes.  A number have been written about wrongful convictions.
However, "The Innocent Man" is particularly relevant to those interested in
the management of investigations, especially where forensic, rather than
direct, evidence plays a major part in the case.  In one sense, it is an
excellent primer on how not to conduct an investigation.

The justice system is created and staffed by people, and people make
mistakes.  This is why structures have been created to catch possible
errors.  The adversarial system itself, and the various appeals processes, are
intended to act as audits, checks, and balances for the system.  It is,
therefore, critical to note one other disturbing point that arises from the
events in the book.  There are numerous layers of appeals, but a consistency
of personnel and direction between the various offices.  As any student of
internal controls knows, weak separation of duties creates the possibility
of all kinds of problems.

This book is entertaining, readable, distressing, and important.

copyright Robert M. Slade, 2008   BKINCTMN.RVW   20080715
rslade_at_private     slade_at_private     rslade_at_private
victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.26
************************
Received on Wed Aug 06 2008 - 16:04:24 PDT