RISKS-LIST: Risks-Forum Digest  Wednesday 9 October 2002  Volume 22 : Issue 29

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Police close fake online bank (Dave Stringer-Calvert)
Risks of automatic Windows updates, and HIPAA legality (Allan Engelhardt)
Weak encryption kills wolves (Urban Fredriksson)
Microsoft says 1% of bugs cause half of all software errors (Henry Baker)
BugBear steals lead from klez in virus prevalence (Security Wire Digest)
No-fly blacklist snares political activists (Tim Meehan)
Phone system could have your number (Mark White via Dave Farber)
Prediction: e-mail will become double-trouble in 3 years (NewsScan)
Gender: Unknown -- the risks of perception (Chris Leeson)
Re: Too fast fingers, or bad shortcut design? (Greg Searle)
Re: Address change blocked by online entry validation (Chris Smith)
Re: Butterfly ballots and other election stuff (David Olsen, Leonard Erickson)
REVIEW: "Information Security Management", Gurpreet Dhillon (Rob Slade)
2003 IEEE Symposium on Security and Privacy, Call for Papers (Steve Bellovin)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 08 Oct 2002 19:32:13 -0700
From: Dave Stringer-Calvert
Subject: Police close fake online bank

British police on Tuesday said they uncovered a fake Internet bank used to con at least two people out of nearly $100,000. The National Criminal Intelligence Service (NCIS) said the Web site had been set up using a domain name very similar to that of "a major British bank" and appeared almost identical.

"It looks very professional," said a spokesman, declining to name the bank involved because the investigation is still ongoing. "There's also a reputation issue to think of and the issue of trust online."

http://zdnet.com.com/2110-1106-959644.html
http://news.bbc.co.uk/2/hi/technology/2308887.stm

------------------------------

Date: Mon, 07 Oct 2002 19:55:09 +0100
From: Allan Engelhardt
Subject: Risks of automatic Windows updates, and HIPAA legality

A recent article in InfoWorld discusses Microsoft Windows Service Packs in the context of health care providers.
http://www.infoworld.com/articles/op/xml/02/09/16/020916opwinman.xml

Apparently, the latest Service Packs for the popular Microsoft Windows 2000 and XP operating systems contain new licence language that allows Microsoft to install new updates on your machine at will and without notifying you.

The RISKS of having your computer systems changing of their own accord should be obvious. As the article points out, this "upsets many companies whose PCs can't be allowed to morph at will". Indeed.

The article quotes a systems manager at a teaching hospital: "Our procedures sometimes involve surgery to place over 100 recording electrodes in the patient, sometimes on the surface of the brain. These PC-based systems use Microsoft Windows..."

Having a Windows application controlling the voltage to 100 pins surgically embedded in your brain is scary enough, but what happens if it updates to the latest Service Pack and that causes the systems to fail? While the pins are in your brain...

The article makes the further point that, from 14 Apr 2003, it may be illegal under the Health Insurance Portability and Accountability Act (HIPAA) to install Windows Service Packs. In a strange twist, it may also be illegal _not_ to install the Service Packs... See http://www.hipaadvisory.com/regs/HIPAAprimer1.html for more information on the HIPAA.
The article concludes: "It's not just hospitals but every user of Windows who should be wondering. You'd think Microsoft would understand that customers don't want their mission-critical systems changing in the dead of night. This isn't brain surgery."

Allan Engelhardt  http://cybaea.com/

------------------------------

Date: Mon, 07 Oct 2002 18:02:51 +0200
From: Urban Fredriksson
Subject: Weak encryption kills wolves

Well, of course it's really hunters who do it, but there are strong indications they've been helped by weak encryption.

In 1998 40 Swedish wolves, out of about 100, were fitted with transponders in order to track their movements to learn more about how wolves reestablish a presence. Of them, 20 are still alive, 11 have been found dead with working transponders, one has been found dead as a result of illegal hunting without transponder and eight (four this summer) have disappeared. That that many transponders have failed is considered very unlikely.

Current plans are to quickly replace the transponders with something "not everyone can triangulate". It's not clear from the article in Dagens Nyheter what sort of encryption is used now, but it's clear from the context that transmissions have to be coded and that one was aware from the beginning that wolf-haters would like to take advantage of the tracking equipment.

------------------------------

Date: Thu, 03 Oct 2002 12:05:00 -0700
From: Henry Baker
Subject: Microsoft says 1% of bugs cause half of all software errors

I was shocked, shocked, to hear this stunning statistic! I was also shocked, shocked, to hear that pi was irrational, that the world was round, and that the Beatles had split up.

Microsoft says 1 percent of bugs cause half of all software errors
Reuters, 2 Oct 2002

One percent of the bugs in Microsoft Corp.'s software cause half of all reported errors with 20 percent of bugs responsible for 80 percent of the mistakes, Chief Executive Steve Ballmer said on 2 Oct 2002.
Microsoft has been criticised for unstable and unwieldy software -- which runs on more than 90 percent of personal computers.

"Let's acknowledge a sad truth about software: any code of significant scope and power will have bugs in it," Ballmer told customers in a memo similar to one by Chairman Bill Gates this year renewing Microsoft's commitment to trustworthy computing.

But Ballmer said Microsoft was arming itself with better information to help develop its software, by building error reporting features into its products. Engineers use the reports, sent in a short burst over the Internet, to track software bugs and provide a fix, he said.

"We've been amazed by the patterns revealed in the error reports that customers are sending us. About 20 percent of the bugs cause 80 percent of all errors, and -- this is stunning to me -- one percent of bugs cause half of all errors."

While reassuring users the information was used for no other purpose than to fix bugs, Ballmer said such information was shared with other makers of software and hardware to try to improve Microsoft's products. He said Microsoft would work to better the system.

"As we understand more errors, we're adding an option for customers to go to a Web site where they can learn more about and even fix the errors they report. In the future we want to enable customers to look up the history of their error reports and our efforts to resolve them."

http://biz.yahoo.com/rc/021002/tech_microsoft_ballmer_1.html

------------------------------

Date: Thu, 03 Oct 2002 01:00:00 -0500
From: Security_Wire_Digest@bdcimail.com
Subject: BugBear steals lead from klez in virus prevalence

By Shawna McAlearney, SECURITY WIRE DIGEST, 4, 74, OCTOBER 3, 2002 [excerpt]

First found circulating in the wild last Sunday, the W32.BugBear worm has raced to the top of virus prevalence lists, displacing Klez for the first time since its discovery last April.

"BugBear is increasing steadily in volume and spreading like Klez, which became the biggest virus ever," says Alex Shipp, senior antivirus technologist at MessageLabs. "Each day, we're seeing more of BugBear all around the world--at least 1,000 copies an hour. It could very well grow to become as big a problem as Klez has been and has gotten firmly entrenched in the home user population."

Similarities to Klez include the use of inconsistent body text, attachment names and subject lines, as well as forged e-mail addresses. BugBear exploits an unpatched Microsoft vulnerability. After infection, the worm copies itself into the Windows system directory and start-up folder as an executable file with a random three-letter name. It installs a Trojan keystroke logger and attempts to disable antivirus and firewall software. BugBear also attempts to infect other networked PCs via the address book and network shares.

"BugBear is another example of a worm written with instructions to kill an extremely long list of security apps," says Steven Sundermeier, product manager at Central Command. "The idea of terminating various AV and personal firewall applications is becoming increasingly popular among virus authors."

On the brighter side, Shipp says the BugBear worm could have been much worse. "We haven't found any remote control facilities yet, which makes the virus less dangerous than it could be otherwise," Shipp says. "Our analysis isn't complete yet so we can't say for certain that it doesn't have that capability, but it appears unlikely."

Antivirus experts recommend updating AV signatures; blocking all Windows programs at the e-mail gateway, if possible; and deploying updated versions of Outlook, Explorer and Outlook Express.
http://www.messagelabs.com/viruseye/report.asp?id=110
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

To SUBSCRIBE to Security Wire Digest, go to: http://infosecuritymag.bellevue.com

------------------------------

Date: Tue, 1 Oct 2002 12:40:42 -0400
From: "Tim Meehan - OCSARC"
Subject: No-fly blacklist snares political activists

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/09/27/MN181034.DTL

A federal "No Fly" list, intended to keep terrorists from boarding planes, is snaring peace activists at San Francisco International and other U.S. airports, triggering complaints that civil liberties are being trampled. [...]

Critics question whether Sister Virgine Lawinger, a 74-year-old Catholic nun, is the kind of "air pirate" lawmakers had in mind when they passed the law. Lawinger, one of the Wisconsin activists stopped at the Milwaukee airport on April 19, said she didn't get upset when two sheriff's deputies escorted her for questioning.

[Source: Alan Gathright, *San Francisco Chronicle*, 27 Sep 2002]

Tim Meehan, Communications Director
Ontario Consumers for Safe Access to Recreational Cannabis  Web: ocsarc.org

------------------------------

Date: Tue, 8 Oct 2002 9:08:44 PDT
From: "Peter G. Neumann"
Subject: Phone system could have your number (Mark White via Dave Farber's IP)

From: Mark White

Phone system could have your number
Kate Mackenzie, *The Australian*, 7 Oct 2002

A single telephone number doubling as an e-mail address could soon be available in Australia despite fears the technology could become a de facto identification number.

Under the ENUM system being analysed by the Australian Communications Authority, one number could track down a person via a home or mobile phone number, or an e-mail or website address. The technology has attracted controversy overseas because of privacy implications of people being identified by a single number.
The ACA wants feedback on a discussion paper it has issued, saying privacy is one of its concerns. But ACA numbering manager Neil Whitehead said potential benefits of the system could be enormous. "People would only need to remember one number to contact other people in a variety of devices," he said.

Equipment manufacturers and Internet service providers were keen to pursue the technology. Telstra proposed a single-number service in 1997 and offered numbers beginning with 0500 that could redirect to any number. Called Telepath, the service, which cost $7 a month, failed to attract many subscribers. ENUM would have to be deployed across all telecommunications and Internet providers to be effective.

IP Archives at: http://www.interesting-people.org/archives/interesting-people/

------------------------------

Date: Mon, 30 Sep 2002 08:36:11 -0700
From: "NewsScan"
Subject: Prediction: e-mail will become double-trouble in 3 years

IDC, the technology research firm, is predicting that within just three years, the number of e-mail messages sent worldwide will increase from the current level of 31 billion daily to more than 60 billion daily. Most of it will be spam (unsolicited commercial messages), and if the problem of spam is not dealt with by more effective message-filtering, the usefulness of e-mail as an effective business and personal communications tool will be endangered. IDC executive Mark Levitt says, "Like water flowing out of a hose, e-mail has the potential to fill our inboxes and workdays, overwhelming our abilities to navigate through the growing currents of content." [VNUNet 30 Sep 2002; NewsScan Daily, 30 September 2002]
http://www.vnunet.com/News/1135485

------------------------------

Date: Wed, 2 Oct 2002 16:53:00 +0100
From: "LEESON, Chris"
Subject: Gender: Unknown -- the risks of perception

An interesting juxtaposition of "Design" and "User Perception".

I had to visit one of our local hospitals.
I went to Reception and identified myself to the receptionist. She asked if I had filled in the Questionnaire (in effect, the Personal Details form) and I hadn't. She brought out her copy of the form, which had been partially filled in by the administrator who made the original appointment. It started with the following information:

  Name: Andrew Leeson    [Andrew being my first name]
  Gender: Unknown

Our reactions to this little piece of data were quite different:

Her reaction was to mutter darkly about the administrator who could not tell that "Andrew" was clearly "Male".

My reaction was that:

(a) The database designer had understood that it was possible for the gender to be unknown (at least at the time the appointment was set up), and chosen suitable values for the field: male, female and (default) unknown.

(b) In the absence of supplied information, the administrator had not assumed that any one name implied a specific gender.

So, the system was designed correctly, the administrator used it correctly, but the receptionist interpreted it as "bad" because the result was not what she thought of as reasonable.

The actual event - wrong gender data - is not much of a risk. The difference in perception could be.

------------------------------

Date: Wed, 09 Oct 2002 12:14:35 -0400
From: Greg Searle
Subject: Re: Too fast fingers, or bad shortcut design? (Huuskonen, R-22.28)

Note also that the shortcut for inserting a "hard return" in a formatted e-mail is Shift-Enter. This is sometimes necessary for, say, creating a multiple-line item in a bulleted list. You can easily send your partially-complete e-mail instead of inserting a hard return just by accidentally misplacing one finger a little lower on the keyboard.

Send any responses to greg_searle(at)hotmail(dot)com.
------------------------------

Date: Wed, 9 Oct 2002 11:27:45 -0400 (EDT)
From: "Chris Smith"
Subject: Re: Address change blocked by online entry validation (White, R-22.28)

Hopefully those mailing databases are configured to catch transcription errors for Canadian postal codes.

In all of the above examples, transcription errors would likely result in the erroneous code failing the standard test of ANA NAN (letter-number-letter number-letter-number) that covers all Canadian postal codes.

Further reduction in undetected transcription errors is achieved by disallowing certain letters: Q U O I D F are not permitted in Canadian postal codes. I suspect that Q O D are just too similar to sort out, U is too much like V, F confuses the issue with E, and a plain I (straight vertical stroke) is easily confused with parts of letters like T and L. Some of these may be driven by the requirement to determine postal codes on mail by scanning and recognizing handwritten codes.

It's important to know what RISK-reducing features are available - and then take advantage of them. Better yet would be a snippet of javascript to check the postal codes before the WWW address form is even submitted.

------------------------------

Date: Tue, 08 Oct 2002 16:50:57 -0700
From: David Olsen
Subject: Re: Butterfly ballots and other election stuff (Russell, RISKS-22.28)

The messages about elections in Britain and Germany where the ballots are counted by hand seem to indicate (though it wasn't entirely clear) that each ballot contains only one or two races. I agree that in this case hand counting is quite feasible. But in the United States, that assumption does not hold.
As a resident of Portland, Oregon, I get to vote for all of the following elected positions: US president, US senator, US representative, state governor, state senator, state representative, secretary of state, state attorney general, state treasurer, state labor commissioner, state superintendent of schools, state supreme court judges, state appeals court judges, state circuit court judges, regional government commissioners, county commissioners, county sheriff, city mayor, city council members, school board members, and the water & soil conservation district directors. Not all of these positions are up for election at the same time, but in the general election in even numbered years a majority of them are.

In addition to candidates, I also get to vote for or against any changes to the city charter or state constitution, any property tax levies, any laws referred to the voters by the state legislature (usually to avoid the governor's veto), and any initiatives that citizens have put on the ballot by submitting enough signatures.

In the November 2000 general election I had about 45 things to vote for on my ballot. When all the various cities, special districts, and state legislature districts are factored in, the county elections board had a total of 117 different races for which it had to count votes in that election.

I am by no means an election expert, but here are my opinions anyway: It seems to me that counting every one of those races by hand would be much slower, more tedious, and more error prone than counting them by machine. I think the best way to cast and count votes is to have the voter fill in ovals on a piece of paper, have an optical scanner read the ballots and count the votes, and have any recounts done by hand. That seems to provide the best combination of ease and accuracy of voting, quick counting of results, and verifiability of results when disputes arise.
David Olsen

  [The alternative that makes a single-issue piece of paper possible is that you vote for your delegated representative, and everything else follows therefrom. You are describing the other extreme. PGN]

------------------------------

Date: Tue, 8 Oct 2002 18:43:59 -0800
From: shadow@krypton.rain.com (Leonard Erickson)
Subject: Re: Butterfly ballots (Russell, RISKS-22.28)

Well, as an example, here in Oregon, we can vote by *mail* in most elections. But the votes cannot legally be counted until 8 pm on election day. You can vote as late as that by dropping off the ballot at a collection site! That means *millions* of votes have to be counted in a few hours.

> Why keep paper ballots unless you have trained and experienced humans
> in place to count them? And if you have that, why not just get the
> humans to count the papers in the first place?

Time. We can't *afford* that many people, nor do we have that many trained volunteers available. So if it *does* come down to a manual count, it'll require recruiting and training a *lot* of people.

> I'd have to check the Guinness Book of Records for this, but I think
> the record number of counts in a British General Election is
> something like 7, and it took about 20 hours from when the polls
> closed. A far cry from Florida in 2000, where it wasn't possible to
> count every vote even once in several months.

Much of this was due to court fights. And the fact that the (poorly designed) ballots were hard to make out the vote on. They had to stop the count several times, and then restart it. Often with changes in the rules as to what constituted a "valid" vote ("hanging chad", "dimpled chad", etc)

Also, look up the population of Florida and compare it with the population of Britain.

[More on multiple races and issues...]

My "ballot" for one election a while back was both sides of *six* sheets of paper. With something like six "columns" of things to vote on.
Our ballots are the type where you use a pencil to fill in an oval. The technology for scanning those is something like 40 years old. It's pretty mature and reliable. And I'm told that any questionable ballots get kicked out to be looked at by a human.

Even so, it only takes a few hours to run the ballots for a major election in the Portland Metro area.

It's not perfect. But I think it's a pretty good compromise between speed, usability and security.

Leonard Erickson (aka shadow{G})  shadow@krypton.rain.com

  [Further comment on long US ballots from Andrew Sapuntzakis. PGN]

------------------------------

Date: Fri, 13 Sep 2002 12:48:08 -0800
From: Rob Slade
Subject: REVIEW: "Information Security Management", Gurpreet Dhillon

BKINSCMN.RVW   20020628

"Information Security Management", Gurpreet Dhillon, 2001, 1-878289-78-0, U$69.95
%A   Gurpreet Dhillon
%C   1331 E. Chocolate Ave., Hershey PA 17033-1117
%D   2001
%G   1-878289-78-0
%I   Idea Group Publishing
%O   U$69.95 800-345-4332 fax: 717-533-8661 cust@idea-group.com
%P   184 p.
%T   "Information Security Management: Global Challenges in the New Millennium"

This is a collection of essays by different authors. The preface, however, states that the intention was to bring together diverse views and yet to "build an argument." What the argument, or central thesis, of the work is, has not been stated.

Chapter one is supposed to set forth the new challenges to information security, but ends up telling us, at great length, that "the times they are a-changin." (Extracting further information from the academic-speak is not made any easier by the many grammatical oddities and awkward constructions.)

Policy is central to security, and so it is no surprise to see it as the topic of chapter two. What is astounding is the fact that so much is wrong with this paper that it is hard to know where to start. Everything seems to be backwards.
It is stated that an audit should be done as the prelude to policy development, but how can you conduct an audit with no policy to measure compliance against? Again, the essay says that the procedures in place will form the policy, whereas it should be the policy that guides development of procedures.

A simplistic discussion of ethics makes up chapter three. There really isn't any analysis: after a few facile presentations of both sides of a variety of issues the author just asserts that X is or is not moral. Chapter four is supposed to argue that ethical policies build trust and trust promotes e-commerce, but instead actually just lists a number of random security topics.

A look at "cyber terrorism," in chapter five, seems to consist only of listing Web sites for known terrorist organizations. Prescription fraud is never rigorously defined, so it is hard to say whether the technical measures proposed in chapter six are relevant or not. Chapter seven tells us (surprise, surprise) that disaster recovery planning is often done inadequately, or left undone. A discussion of development models, in chapter eight, seems to be so abstract that it is of no digital use. Internet and e-business security touches on some miscellaneous subjects in chapter nine. The author obviously thinks Compliance Monitoring for Anomaly Detection (CMAD, with some kind of trademark symbol appended to it) is vitally important, but chapter ten's explanation seems to just describe another type of statistical change measurement. Chapter eleven vaguely discusses some of the security issues involved with the use of agent or mobile software. The final chapter lists some "motherhood" security principles.

One of the interesting, and disturbing, aspects of the book is that each paper is accompanied by a bibliography of sources, but almost none of the standard security reference works in the various fields addressed are cited.
How can you discuss, for example, computer ethics without having read Deborah Johnson's (cf. BKCMPETH.RVW) works?

Compilation works tend to be hard to pin down, and to vary in quality and usefulness. This work has a remarkable consistency, in that the items included are all vague, uninteresting to the professional, and unhelpful to the practitioner.

copyright Robert M. Slade, 2002   BKINSCMN.RVW   20020628
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Tue, 08 Oct 2002 01:33:22 -0400
From: Steve Bellovin
Subject: 2003 IEEE Symposium on Security and Privacy, Call for Papers

2003 IEEE Symposium on Security and Privacy
11-14 May 2003, The Claremont Resort, Oakland, California, USA
sponsored by IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with The International Association for Cryptologic Research (IACR)

Paper submissions due: 6 Nov 2002
Panel proposals due: 6 Nov 2002
5-minute abstracts due: 17 Mar 2003

For submission guidelines see http://www.research.att.com/~smb/oakland03-cfp.html
For questions, please contact the program chairs, at oakland-chairs03@research.att.com.

Symposium Committee:
General Chair: Bob Blakley (IBM Software Group - Tivoli Systems, USA) (bblakley@us.ibm.com)
Vice Chair: Lee Badger (Network Associates Labs, USA)
Program Co-Chairs: Steven M. Bellovin (AT&T Research, USA)
                   David A. Wagner (University of California at Berkeley, USA)

Steve Bellovin, http://www.research.att.com/~smb

  [This has been probably the most important research conference on security and privacy for over two decades. PGN]

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
  subscribe [OR unsubscribe]
which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
  INFO [for unabridged version of RISKS information]
There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
  http://www.CSL.sri.com/risksinfo.html
  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.
*** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
  ftp ftp.sri.com
  login anonymous
  [YourNetAddress]
  cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
  http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
  http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
  http://www.planetmirror.com/pub/risks/
  ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
  http://www.csl.sri.com/illustrative.html for browsing,
  http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.29
************************
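[Editor's added example, not part of the digest and not Chris Smith's or any contributor's code. Chris Smith's item above on Canadian postal codes asks for "a snippet of javascript to check the postal codes before the WWW address form is even submitted". The block below is that check. It implements the two rules his item states, the ANA NAN shape and the exclusion of the letters D F I O Q U, and adds one Canada Post rule the item does not mention: the first letter of a postal code is never W or Z. It also goes one step beyond the item to show why the excluded letters matter: given a correct code, it substitutes the handwriting confusions the item lists (O/Q/D/0, U/V, E/F, I/1/L/T) at each position and reports which of the resulting mis-readings would still pass, i.e. the undetected transcription errors. The two extra pairs C/G and M/N are the editor's own assumption, included only to show the kind of letter-for-letter error the rules do not catch. The function names, the form element ids and the sample codes are the editor's, not from the page.]

```javascript
// Added example (editor's code, not from the RISKS digest or any contributor).
// Client-side validation of a Canadian postal code, as Chris Smith's item
// suggests, plus a small analysis of which transcription errors the rules
// catch. Names, element ids and sample codes are the editor's own.

// Letters never used anywhere in a Canadian postal code (from Smith's item).
const NEVER_USED = new Set(["D", "F", "I", "O", "Q", "U"]);
// Canada Post rule not in the item: no postal code begins with W or Z.
const NEVER_FIRST = new Set(["W", "Z"]);

// Handwriting confusions listed in the item, keyed by the intended character,
// giving what it is likely to be mis-read as. C/G and M/N are an editor's
// assumption, added to show a letter-for-letter error the rules do not catch.
const CONFUSABLE = {
  "0": ["O", "Q", "D"], "O": ["0", "Q", "D"], "Q": ["0", "O", "D"], "D": ["0", "O", "Q"],
  "U": ["V"], "V": ["U"],
  "E": ["F"], "F": ["E"],
  "1": ["I", "L"], "I": ["1", "L", "T"], "L": ["I", "1"], "T": ["I"],
  "C": ["G"], "G": ["C"], "M": ["N"], "N": ["M"],
};

// Canonical form: upper case, one space between the two triplets
// (the space is only inserted when exactly six non-space characters were typed).
function normalizePostalCode(raw) {
  const compact = String(raw).toUpperCase().replace(/\s+/g, "");
  return compact.length === 6 ? compact.slice(0, 3) + " " + compact.slice(3) : compact;
}

// Returns null when the code passes, otherwise a short reason the form can show.
function checkCanadianPostalCode(raw) {
  const code = normalizePostalCode(raw);
  // ANA NAN: letter-number-letter number-letter-number.
  const m = /^([A-Z])([0-9])([A-Z]) ([0-9])([A-Z])([0-9])$/.exec(code);
  if (!m) return "must have the form ANA NAN (letter-number-letter number-letter-number)";
  for (const ch of [m[1], m[3], m[5]]) {
    if (NEVER_USED.has(ch)) return "letter " + ch + " is never used in a postal code";
  }
  if (NEVER_FIRST.has(m[1])) return "no postal code begins with " + m[1];
  return null;
}

function isValidCanadianPostalCode(raw) {
  return checkCanadianPostalCode(raw) === null;
}

// Given a correct code, apply each listed confusion at each position and return
// the mis-read variants that would still pass the check (the undetected errors).
function uncaughtTranscriptionErrors(correct) {
  const code = normalizePostalCode(correct);
  const missed = [];
  for (let i = 0; i < code.length; i++) {
    for (const alt of CONFUSABLE[code[i]] || []) {
      const variant = code.slice(0, i) + alt + code.slice(i + 1);
      if (isValidCanadianPostalCode(variant)) missed.push(variant);
    }
  }
  return missed;
}

// Wire the check to an address form so a bad code is refused before submission.
// Element ids are assumed; change them to match the real form.
function attachPostalCodeCheck(form, inputId, messageId) {
  form.addEventListener("submit", (event) => {
    const input = form.querySelector("#" + inputId);
    const message = form.querySelector("#" + messageId);
    const reason = checkCanadianPostalCode(input.value);
    if (reason !== null) {
      event.preventDefault(); // keep the bad value off the server
      message.textContent = "Postal code " + reason + ".";
    } else {
      input.value = normalizePostalCode(input.value); // submit the canonical form
      message.textContent = "";
    }
  });
}

// Only runs in a browser; the functions above also work stand-alone in Node.
if (typeof document !== "undefined") {
  const form = document.getElementById("address-form");
  if (form) attachPostalCodeCheck(form, "postal-code", "postal-code-error");
}
```

Running uncaughtTranscriptionErrors on a code such as "K1A 0B1" returns an empty list: every confusion the item names either swaps a letter for a digit (and so breaks the ANA NAN shape) or produces one of the excluded letters, which is exactly the item's point. The editor-added M/N pair shows the limit: "M5V 3L9" mis-read as "N5V 3L9" passes, because no rule in the format distinguishes those two letters. The client-side check is a convenience for the user; the server must still validate, since a browser can submit anything.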