precedence: bulk
Subject: Risks Digest 21.29

RISKS-LIST: Risks-Forum Digest  Friday 23 March 2001  Volume 21 : Issue 29

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Identity theft: Forbes-ing a head?
Indiana University penetration raises fears of identity theft (Keith A Rhodes)
Serious new CA Drivers License ID RISK (Peter V. Cornell)
Faulty radar prompts FAA inspections and remediations (Keith A Rhodes)
Bogus Microsoft Corporation digital certificates from Verisign (Jeff Savit)
Your PGP E-Hancock can be forged (Monty Solomon)
Czech PGP flaw tech details (David Kennedy)
Politically correct: DoE is slow to warn of computer virus (David Farber)
Nokia cell phone trivially easy to unlock (Eric Hanchrow)
Hacker sentenced to hacking (Jeremy Epstein)
Government, school sites link to porn (Dave Stringer-Calvert)
Yahoo! Mail translates attachments (Matt Curtin)
Re: Air gaps (Fred Cohen)
Re: MIT/Caltech voting study (Paul Terwilliger)
German armed forces ban MS software, citing NSA snooping (Pete McVay)
MS Word: Ohm, SaveAs Watt (Kevin Rolph)
Workshop CfP: Security and Privacy in Digital Rights Management 2001 (Tomas Sander)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 20 Mar 2001 11:26:58 PST
From: "Peter G. Neumann"
Subject: Identity theft: Forbes-ing a head?

In RISKS, we have for many years been warning about the burgeoning increase in identity theft. The following case could foster a broader awareness of the depth of the problem, but then again most folks still seem to have their heads in the sand -- unless they have already been burned.
Abraham Abdallah, a 32-year-old Brooklyn NY high-school dropout working as a busboy and already a convicted swindler, was arrested on 7 Mar 2001. Although he was arrested as he was picking up equipment for making bogus credit cards, he is suspected of already having stolen millions of dollars. In his possession were SSNs, addresses, and birthdates of 217 people whose names appeared in a Forbes Magazine itemization of the 400 richest people in the U.S. He reportedly also had over 400 stolen credit-card numbers, and had used computers in his local library to access the Web for information gathering. He is being held on bail of $1M.

His activities were detected after an e-mail request to transfer $10M from a Merrill Lynch account, whereupon authorities found mailboxes he had rented in various names and other evidence. His defense attorney said Abdallah is innocent, and that prosecutors had ``made an unfair leap from possession of this information to an inference that there was an attempt to take money.''

[PGN-ed from a variety of sources, including an AP item by Tom Hays
http://www0.mercurycenter.com/premium/business/docs/forbes21.htm;
Thanks to Dave Stringer-Calvert and to Michael Perkins at Red Herring]

------------------------------

Date: Wed, 28 Feb 2001 10:19:34 -0500
From: "Keith A Rhodes"
Subject: Indiana University penetration raises fears of identity theft

A user browsing from Sweden stored music and video files on a server at Indiana University that had apparently been left unprotected after a crash. IU realized it had a problem when huge increases were noted in network traffic. In the process, they also noted that a file of over 3,100 student names and SSNs had been copied from the server. Associate Vice President Perry Metz contacted the Social Security Administration about what might be an appropriate reaction, and said that they told him ``it's unlikely and unusual for someone who has your Social Security number to be able to do anything with it.
Normally, financial institutions require additional information.''

[Is that reassuring to RISKS readers? Sources: Swedish hacker breaches IU server; Culprit stored music, video files on system and also downloaded private student data, AP item 28 Feb 2001, and article by John Meunier, *Herald-Times*, 28 Feb 2001; PGN-ed]

------------------------------

Date: Wed, 21 Mar 2001 16:03:12 -0800
From: "Peter V. Cornell"
Subject: Serious new CA Drivers License ID RISK

This is really happening!

Almost exactly one decade ago Chris Hibbert posted a RISKS article describing the (then) new California Drivers License (CDL). He gave a warning to us all. That little piece is still on the server:
http://catless.ncl.ac.uk/Risks/11.03.html#subj10
[and has been updated by Chris since. PGN]

That warning, given in 1991, has blossomed into a nightmare. Recently, the California driver license and ID card have been declared as PRIMARY IDENTIFICATION DOCUMENTS in this state by the California legislature.
http://www.dmv.ca.gov/faq/dlfaq.htm#2504
http://www.lbl.gov/Workplace/HumanResources/irss/dmv.html

Guess why? A great convenience for bankers, but enabling serious new ID fraud RISKS based on easily obtained fake driver licenses and data.
http://www.fakeidsite.com/
http://www.photoidcards.com/
http://www.wdia.com/home-entrypage.htm
http://www.spyheadquarters.com/

Courtesy of the California legislature, *anyone* who has a fake California drivers license with YOUR correct data, but with *his* picture and *his* version of your signature, can steal your money in many different ways. For example, if he knows your Social Security Number, bank, and account number (easily obtained online or by mail theft), he can walk into any branch office and receive cash.

Tens of thousands have been stolen from my (no longer existent) Wells Fargo accounts. I must be one of the very first victims of this new kind of identity theft. I have been scouring the internet for months and have found no mention of it.
Of course there are gigabytes of stuff about the old credit card scams, alive and still growing, but no mention of use of drivers licenses to impersonate bank customers and withdraw cash directly.

With that fake drivers license, that fraudster becomes YOU. All he need do is write a bad check drawn on another bank's bogus name account set up for that purpose, with the victim (you) as payee. He then walks into (in my case) a Wells Fargo branch and, impersonating the victim, cashes the check. When the check bounces, Wells Fargo (probably others, too) simply debits the victim's account.

The banking industry has arranged the law (California Commercial Code Sections 4401-4407 and 3101-3119) to ensure that the customer takes the hit. So, among other conveniences, THE LAW allows banks to rely *solely* on the CDL data to confirm the identity of a customer with no risk exposure whatsoever. "IF THE CUSTOMER PROVES" means you must sue the bank. They have it written so you'd lose anyway, but the amounts, however painful, are not nearly enough to pay a lawyer. (See excerpts from the California Commercial Code below.)

So, with my CDL data in circulation, if I want to keep a checking account, I must change banks regularly. There are at least two fraud artists still using my ID. The banks DO check your CDL number as well as date of birth at the teller window. But there is no possible way to change any of my drivers license data.

The California Department of Motor Vehicles (DMV) web site says to go to a local office to change your drivers license number. That just plain doesn't work. Many of the items on their ID Theft page simply do not work in actual practice. It *looks* pretty.
http://caag.state.ca.us/identity.htm

The local DMV says they'll replace your picture ID with one that has no picture while your request is being processed, which may take months. Impossible! They also require a letter from the bank.
But none of Wells Fargo's "headsets" (customer service phone reps) or "robots" (branch employees) are able or willing to do that. They'll give you forms to fill out which are totally inadequate for this new kind of ID fraud. Bank customers are thus denied any access to the bank officers responsible and accountable for bank policy.

Bankers have their political money well spent. With their credit cards, computers, headsets and robots, their ethics, "good faith" and accountability were abandoned long ago.

Peter V Cornell

- - - -

CALIFORNIA CODES
COMMERCIAL CODE
SECTION 4406 [excerpted]

(d) (2) The customer's unauthorized signature or alteration by the same wrongdoer on ANY OTHER ITEM paid in good faith by the bank if the payment was made before the bank received notice from the customer of the unauthorized signature or alteration and after the customer had been afforded a reasonable period of time, NOT EXCEEDING 30 DAYS, in which to examine the item or statement of account and notify the bank.

(e) If subdivision (d) applies and the CUSTOMER PROVES that the bank failed to exercise ORDINARY CARE in paying the item and that the failure contributed to loss, the loss is allocated between the customer precluded and the bank asserting the preclusion according to the extent to which the failure of the customer to comply with subdivision (c) and the failure of the bank to exercise ORDINARY CARE contributed to the loss. IF THE CUSTOMER PROVES that the bank did not pay the item in good faith, the preclusion under subdivision (d) does not apply.

CALIFORNIA CODES
COMMERCIAL CODE
SECTION 3103.

(a) (7) ORDINARY CARE "... in the case of a bank that takes an instrument for processing for collection or payment by automated means, reasonable commercial standards DO NOT REQUIRE THE BANK TO EXAMINE THE INSTRUMENT..."
(To see the complete text of the above California Commercial Code Sections, go to http://www.leginfo.ca.gov/calaw.html , check the "Commercial Code" box, enter keyword "4401", then click search.)

------------------------------

Date: Mon, 19 Mar 2001 07:32:49 -0500
From: "Keith A Rhodes"
Subject: Faulty radar prompts FAA inspections and remediations

The ASR-9 radar system in use at 134 major U.S. commercial and military airports has recently had some serious mechanical failures -- notably in Boston on 22 Apr 2000 and NY's JFK on 17 Dec 2000. The Federal Aviation Administration ordered an inspection, which detected 23 further cases of similar problems. 17 had the same problem that Boston had -- stripped rivets in the support assembly. The other 6 had the JFK problem -- a stripped jackscrew assembly for positioning the antenna. Various remedial actions are underway to hopefully prevent future collapses, with an estimated total cost of $22 million.

[Source: Problems at 23 Installations Are Linked to Support Stands or Tilt Mechanisms, Don Phillips, *The Washington Post*, 19 Mar 2001, A02; PGN-ed]
http://www.washingtonpost.com/wp-dyn/articles/A23566-2001Mar18.html

------------------------------

Date: Thu, 22 Mar 2001 17:12:06 -0500
From: Jeff Savit
Subject: Bogus Microsoft Corporation digital certificates from Verisign

Spoofing hazard: Verisign gave digital certificates under the Microsoft name to an individual not from Microsoft. Microsoft issued a bulletin at
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
that describes the risk of running code that erroneously appears to be signed by Microsoft (e.g., ActiveX controls), and discusses the risks due to not having a proper revocation mechanism. Note that the certs were made available January 30th, so who knows what code has been accepted and executed since then. Microsoft is a victim in this particular instance.
Jeff Savit, Sun Microsystems  1-201/498-8306  Jeff.Savit@sun.com

[Noted by quite a few RISKS contributors. Many thanks! PGN]

------------------------------

Date: Wed, 21 Mar 2001 17:09:00 -0500
From: Monty Solomon
Subject: Your PGP E-Hancock can be forged

A Czech information security firm has found a flaw in Pretty Good Privacy that permits digital signatures to be forged in some situations. Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said that he and a Network Associates (NETA) engineer verified that the vulnerability exists.
http://www.wired.com/news/politics/0,1283,42553,00.html

------------------------------

Date: Thu, 22 Mar 2001 18:23:24 -0500
From: David Kennedy CISSP
Subject: Czech PGP flaw tech details

The promised technical paper is at:
  http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf (PDF, 100 KB)
"The attack to private signature keys in OpenPGP format, PGP(TM) program and other OpenPGP based applications"
  http://www.i.cz/pdf/pgp/OpenPGP_Attack_ENGfinal.ppt (PPT, 81 kB)
ICZ's scientists' reactions to criticism and FAQ
  http://www.i.cz/en/onas/ohlasy.html

[...]

Hal Finney has a succinct analysis posted to the Open-PGP list archived at:
http://www.imc.org/ietf-openpgp/mail-archive/msg04767.html

My summary of Hal's analysis:
1. Attackers have to diddle the secret key.
2. Does *not* work with commercial PGP 7.0.3 w/RSA keys (unknown about earlier).
3. Does work with all DSA keys and RSA keys in GPG.

Dave Kennedy CISSP  Director of Research Services  TruSecure Corp.
http://www.trusecure.com

[Debate rages over whether this is a realistic attack. Once again, the vulnerability of underlying operating systems and the presence of subvertible networked resources makes such attacks easier.
PGN]

------------------------------

Date: Sun, 18 Mar 2001 9:36:24 PST
From: David Farber
Subject: Politically correct: DoE is slow to warn of computer virus

The "Naked Wife" virus was already wreaking havoc, but when DoE headquarters set out to warn the troops, the politically correct DoE software balked at the word "naked." WN has been told that it took several hours before the warning could be passed on.

[From Dave's IP. For archives, see: http://www.interesting-people.org/]

------------------------------

Date: 20 Mar 2001 10:04:50 -0800
From: Eric Hanchrow
Subject: Nokia cell phone trivially easy to unlock

My cell phone -- a Nokia 8260 -- has lots of information in it that I wouldn't want divulged. Examples: phone numbers of friends, my calling-card number, a detailed record of all the calls, text messages, and e-mail messages that I've made or received. And, of course, I certainly wouldn't want anyone who got hold of my phone to be able to place calls with it, thus forcing me to pay for them.

Until recently, I assumed that the phone's "lock" feature would indeed protect the information and prevent unauthorized use. However, I now believe that that feature is close to worthless.

Here's how it's supposed to work: The phone stores two secret numbers, which act essentially as keys. One number, called the "security code", is like a master key, in that if you know this number, you don't need the other; the other, called the "lock code", is like a regular key. You can set the phone up to "lock" itself as soon as you turn it off. This means that, the next time you turn it on, the phone will be unable to place calls until you enter the lock code. Thus the lock code appears to protect the information -- you can't poke around in the phone's menu system to read the information while the phone is locked -- and to protect against unauthorized use, since you can't place calls while the phone is locked.
Now, there's a handy feature built into the phone that will save you if you've forgotten the lock code, but still remember the security code: merely enter the wrong lock code five times in a row, and the phone will then ask for the security code. Once you enter the security code, the phone unlocks, and you can then change the lock code to something you will remember. So if you know the security code, you don't need the lock code.

Surely, you can see where I'm headed: I've discovered that it's trivially easy to find out the phone's security code, even if you don't know the lock code, even if the phone is locked. All you need to do is turn the phone on, enter a magic string of digits and symbols (which I won't divulge here, but which is *very easy* to find on the web), and then scroll through an undocumented menu hierarchy until you find a menu called "security". Once you select that menu, the phone displays its security code. You then turn the phone off and on, enter the wrong lock code five times in a row, enter the security code when prompted, and the phone is now yours.

------------------------------

Date: Fri, 16 Mar 2001 15:48:46 -0500
From: "Jeremy Epstein"
Subject: Hacker sentenced to hacking

A teenager who was convicted of defacing Web sites must serve a sentence that includes programming the jail's computers (see http://www.usatoday.com/life/cyber/tech/2001-03-09-coolio.htm). Talk about putting the fox in charge of the henhouse! What's going to happen when he puts in some backdoors to change the behavior of the system to better suit his needs? Who will be able to correct the problems introduced this way?

--Jeremy

[We noted a case 15 years ago of a prisoner gaining access to the prison information system to change his release date, plus three cases of bogus release messages.
PGN]

------------------------------

Date: Fri, 23 Mar 2001 08:42:19 -0800
From: Dave Stringer-Calvert
Subject: Government, school sites link to porn

Farmers and gardeners around the country looking for growing tips from university research centers are currently being pointed to pornography instead. Hundreds of university and government Web sites including the U.S. Department of Agriculture are linking to the porn site, which has taken over the domain of an important agricultural resource center. The university that runs the site blames bad record keeping at Network Solutions, which maintains part of the Internet's domain names system.
http://www.msnbc.com/news/547652.asp

------------------------------

Date: 16 Mar 2001 09:59:23 -0500
From: Matt Curtin
Subject: Yahoo! Mail translates attachments (Re: Frankston: RISKS-21.27)

> http://www.zdnet.com/zdhelp/stories/main/0,5594,2631218,00.html

Unfortunately, ZDNet has chosen not to put its story on a single page; the two paragraphs at the cited URL are just the introduction; one must click through the rest of the story. Therein, we learn what's happening. One example of translation is instances of "expression" being changed to "statement".

It appears that the translation -- RISKy as it could be -- is itself a "feature" to minimize risk. Namely, the risk of malicious JavaScript or ActiveX code.

There are a lot of issues raised by this; unfortunately none of the raised issues is new. It's not hard to argue that using the web (built atop the stateless protocol HTTP, rife with lots of potential for leaky channels of communication and therefore privacy problems) for email is the Wrong Thing to do. It seems to me that translation of words that could potentially be read by an eager JavaScript interpreter fails to follow mom's maxim: two wrongs don't make a right.
Matt Curtin, Founder  Interhack Corporation  http://www.interhack.net/

------------------------------

Date: Fri, 16 Mar 2001 06:50:48 -0800 (PST)
From: Fred Cohen
Subject: Re: Air gaps (Jaffe, RISKS-21.27)

It's hard to believe that people in the 'security business' who have claims that are so unworthy of trust can continue to exist. Of course all systems have covert channels - after all, it is the wave nature of matter and energy - and yet an air gap is supposed to mean that there is literally no connection between the components other than the one afforded by subatomic forces acting over a distance across the 'air gap'. The distance across the air gap then leads to the signal strength across the distance, and we can calculate how far away things need to be to have very nearly zero chance of passing a digital-level signal.

But the term "air gap" is fraudulent as used in these product claims. They are nothing like air gaps. They are in fact directly connected systems with wires between them and no air gap at all. Being able to remotely send an e-mail that causes the introduction of software that gets into the 'inside' and sends results back to the 'outside', even if not instantaneously, is very, very different from being able to induce current in a proximate system by getting close enough to it to create the proper fields and having a sensitive enough specialized piece of electronics gear there to detect the changes in signal strength returning from the other side. Mr. Jaffe may wish to minimize this difference through rhetoric, but I do not think it is accurate to do so.
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
Fred Cohen - Practitioner in Residence - The University of New Haven

------------------------------

Date: Wed, 21 Mar 2001 20:06:21 -0500
From: Paul Terwilliger
Subject: Re: MIT/Caltech voting study (PGN, RISKS-21.28)

In RISKS-21.28, PGN commented after a writeup about the NSF study of internet voting:

> [These results are rather similar to the findings of the California
> commission. Interested readers should also dig up the recent Caltech/MIT
> report, which states that lever machines, hand-counted paper ballots, and
> optically scanned ballots are all significantly more accurate than
> direct-recording voting machines (DREs) and Internet voting schemes. PGN]

The MIT/Caltech voting technology project's *preliminary* report, available at http://www.vote.caltech.edu/Reports/report1.pdf, studies the "residual vote", which is defined in this context as the difference between the number of voters who sign in (the turnout), and the total votes cast for president. This report did indeed conclude that lever machines and hand-counted ballot jurisdictions had the lowest average residual vote (1.8% and 2.0%, respectively), and DRE (3.0%) one of the highest. Internet voting was not studied.

Are the differences statistically significant? I do not know. Are there external factors at work? It would seem likely. Ballot design can be logical or confusing - doesn't matter what type of technology is being used! Introduction of new systems may cause confusion. Heavy turnout and long lines may cause voters to walk out after signing in. Or there could be problems with a particular system or technology. However, it is a long stretch to take the conclusions of this study and make claims that one system is "significantly more accurate" than another.
Paul Terwilliger, Sequoia Voting Systems

------------------------------

Date: Mon, 19 Mar 2001 05:58:36 -0500
From: "Pete McVay"
Subject: German armed forces ban MS software, citing NSA snooping

The German foreign office and Bundeswehr are pulling the plugs on Microsoft software, citing security concerns, according to the German news magazine *Der Spiegel*, which claims that German security authorities suspect that the US National Security Agency (NSA) has 'back door' access to Microsoft source code, and can therefore easily read the Federal Republic's deepest secrets. The Bundeswehr will no longer use American software (we surmise this includes Larry and Scott as well) on computers used in sensitive areas.

The German foreign office has meanwhile put plans for videoconferencing with its overseas embassies on hold, for similar reasons. Undersecretary of State Gunter Pleuger is said by *Der Spiegel* to have discovered that "for technical reasons" the satellite service that was to be used was routed via Denver, Colorado. According to a colleague of Pleuger, this meant that the German foreign services "might as well hold our conferences directly in Langley."

We're not entirely sure whose interesting video conferencing via satellite service has a vital groundstation in Denver, but we note that Pleuger seems to have gleaned this information from a presentation held earlier this month in Berlin by, er, Deutsche Telekom. Which just happens, along with Siemens, to have picked up the gig. The two companies have supplanted Microsoft (and anything else American) and will be producing a secure, home-grown system that the German military can be confident in.
[From an article by John Lettice in *The Register*, 17 Mar 2001,
German armed forces ban MS software, citing NSA snooping
http://www.theregister.co.uk/content/4/17679.html]

------------------------------

Date: Wed, 21 Mar 2001 21:38:03 +0000
From: Kevin Rolph
Subject: MS Word: Ohm, SaveAs Watt

Reviewing an intranet document the other day, I was puzzled to see electrical resistances given in kilowatts! I'd created the document from a Word document using save-as HTML and it had automagically converted the Omega symbols into 'W's (not to mention ticks into 'v's). I recall seeing a passing generic warning about symbols but as I had used a club / clover-leaf symbol as a marker elsewhere I'd assumed it meant that. It didn't actually say *which* symbols it was bothered about.

Kevin Rolph, Cambridge, UK

[Thanks for that one. It is a real joule. How about omegawatts? PGN]

------------------------------

Date: Thu, 15 Mar 2001 15:39:33 -0800
From: Tomas Sander
Subject: Workshop CfP: Security and Privacy in Digital Rights Management 2001

[Excerpted for RISKS. Looks like a really interesting workshop. For full CfP see the workshop Web site: http://www.star-lab.com/sander/spdrm/ PGN]

CALL FOR PAPERS
WORKSHOP ON SECURITY AND PRIVACY IN DIGITAL RIGHTS MANAGEMENT 2001
Philadelphia, Pennsylvania, USA, 5 November 2001
held as part of the Eighth ACM Conference on Computer and Communications Security (CCS-8)

This workshop will consider technical problems faced by rights holders (who seek to protect their intellectual property rights) and end consumers (who seek to protect their privacy and to preserve access they now enjoy in traditional media under existing copyright law).

Submissions are due 3 Aug 2001.

Program Chair: Tomas Sander, InterTrust STAR Lab, sander@intertrust.com, +1-408-855 0242

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.
Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information]
   .MIL users should contact (Dennis Rears).
   .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.
*** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available:
   ftp://ftp.sri.com/risks
   or ftp ftp.sri.com, login anonymous, [YourNetAddress], cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
   http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
   http://www.planetmirror.com/pub/risks/
   ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.29
************************