precedence: bulk Subject: Risks Digest 22.82 RISKS-LIST: Risks-Forum Digest Sunday 27 July 2003 Volume 22 : Issue 82 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://www.risks.org as http://catless.ncl.ac.uk/Risks/22.82.html The current issue can be found at http://www.csl.sri.com/users/risko/risks.txt Contents: Serious flaws in electronic voting systems (NewsScan) South Africa bank Internet spyware and fraud (Heinz M. Kabutz) Stealing passwords from Kinko's (John F. Whitehead) New method cracks passwords in seconds (NewsScan) Bypassing the safeguards (Mark Lutton) Limit to stupidity? Credit card scam uses rather nasty flaw. (Gillian Brent) Biometrics technology: not yet ready for primetime (NewsScan) Spammers who don't read RISKS (Diamond) Adieu to 'e-mail'? (NewsScan) E-mail harvesting and re-use as a new virus vector? (Jim Garrison) Identity theft: a crime that pays? (NewsScan) Cross *words*? (Mark Brader) Presidential "doublespeak" ... (Jim Bauman) Owner of stolen 'sex.com' can sue VeriSign (Monty Solomon) Another risk of decency filters (J. Lasser) SCO wants licensing fees from corporate Linux users (Monty Solomon) Microsoft rediscovers MultiLevel Security (Jeremy Epstein) Re: Powergenitalia (Eliah Grabbet) Re: Error in E-Mini Dow Futures creates havoc at CBOT, CME (Greg Compestine) Re: GPS-piloted tractors? (Kent Borg) Re: GPS-piloted tractors? Hell yes! Que Stephen King! (Fredric L. Rice) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 24 Jul 2003 09:28:33 -0700 From: "NewsScan" Subject: Serious flaws in electronic voting systems Johns Hopkins University experts say that high-tech voting machine software from Diebold Election Systems has flaws that would let voters cast extra votes and allow poll workers to alter ballots secretly. Aviel D. Rubin, technical director of the Information Security Institute at Johns Hopkins, led a team that examined the Diebold software, which has about 33,000 voting machines operating in the United States. Adam Stubblefield, a colleague of Rubin's, said that "practically anyone in the country -- from a teenager on up -- could produce these smart cards that could allow someone to vote as many times as they like." Diebold has not seen the Institute's report and would not comment on it in detail, but a company spokesman said: "We're constantly improving it so the technology we have 10 years from now will be better than what we have today. We're always open to anything that can improve our systems." Peter G. Neumann, an expert in computer security at SRI International, said the Diebold code was "just the tip of the iceberg" of problems with electronic voting systems. [*The New York Times, 24 Jul 2003; NewsScan Daily, 24 Jul 2003] http://partners.nytimes.com/2003/07/24/technology/24VOTE.html ------------------------------ Date: Mon, 21 Jul 2003 08:42:44 +0200 From: "Dr. Heinz M. Kabutz" Subject: South Africa bank Internet spyware and fraud ABSA, the leading bank in South Africa has very weak Internet security. All you have to know is someone's bank account number and their pin, and you can set up beneficiaries, pay money over, to your heart's content. There is no TAN like in German banks. This story is not surprising at all, what is surprising is that it took so many years for this to happen on such a big scale. Here is the story according to the Sunday Times. Simple spyware was installed on victim's computers and the account numbers and PIN sent back to the perpetrator. This allowed the thief to steal approximately R500,000 (about US$ 65000) from various victims. http://www.sundaytimes.co.za/2003/07/20/news/news01.asp The bank responded with the usual tips: http://www.absa.co.za/ABSA/Media_Releases/Article_Page/0,1551,424,00.html These were the funniest: * Make sure that the software that is loaded onto your PC via a third party is licensed. (How would that make a difference?) * Update your operating system and browser with the latest Microsoft patches to protect your PC from exploitation. These can be downloaded from the Microsoft website http://www.microsoft.com (Assuming of course that everyone in South Africa uses Microsoft - oh, all the victims used Microsoft!) I am fairly confident that the police will catch the thief. You cannot transfer money out of the country from South Africa without special clearance, so at least we did not have the problem with money ending up in some country that would not cooperate. He will probably be given a death sentence. (Not directly, but a visit to our jails is akin to a death sentence through HIV infection :-( Dr. Heinz M. Kabutz (Maximum Solutions), Author of "The Java(tm) Specialists' Newsletter" http://www.javaspecialists.co.za +27 (83)340-5633 ------------------------------ Date: Sat, 26 Jul 2003 12:41:31 -0700 From: "John F. Whitehead" Subject: Stealing passwords from Kinko's For two years a man stole passwords from customers in New York City Kinko's copy/printing/office services stores, and used the information to try to access and open bank accounts: "In pleading guilty to computer damage, [Juju] Jiang admitted that, between February 14, 2001, and December 20, 2002, without the permission of Kinko's Inc., he installed special keylogging software on computer terminals located at Kinko's stores throughout Manhattan to surreptitiously record keystroking activity on those computers, and collect computer usernames and passwords of Kinko's customers. Jiang also admitted that he then used the confidential information he obtained to access, or attempt to access, bank accounts belonging to other persons, and fraudulently open on-line bank accounts. Jiang also pled guilty to similar fraudulent conduct that he continued to commit while on bail after his arrest on December 20, 2002." For more see the Dept of Justice press release: http://www.cybercrime.gov/jiangPlea.htm ------------------------------ Date: Wed, 23 Jul 2003 08:48:41 -0700 From: "NewsScan" Subject: New method cracks passwords in seconds A senior research assistant at the Swiss Federal Institute of Technology's Cryptography and Security Laboratory has published a paper outlining a way to speed up the process of cracking alphanumeric Windows passwords to only 13.6 seconds on average. The previous average time was 1 minute, 41 seconds. The new method uses massive lookup tables to match encoded passwords to the original text entered by a person, thus reducing the time it takes to break the code. "Windows passwords are not very good," says researcher Phillippe Oechslin. "The problem with Windows passwords is that they do not include any random information." The only requirement for the cracker is a large amount of memory in order to accommodate the lookup tables. The larger the table, the shorter the time it takes to crack the password. Users can protect themselves by adding nonalphanumeric characters to a password, which adds another layer of complexity to the process. Any cracker would then need more time or more memory or both to accomplish the break-in. For more information on Oechslin's method, check out http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03 [CNet News.com 22 Jul 2003; NewsScan Daily, 23 Jul 2003] http://news.com.com/2100-1009_3-5053063.html ------------------------------ Date: Thu, 24 Jul 2003 23:48:51 -0400 From: Mark Lutton Subject: Bypassing the safeguards On 23 Jul 2003, New York City Councilman James E. Davis was shot to death by political opponent Othneil Boaz Askew inside New York's City Hall. Davis had a concealed handgun of his own. How did the two opponents get their weapons past the metal detectors? According to the news report, the councilpersons (and apparently their guests) routinely bypass the detectors. You can have all the technology in the world against violence and terrorism and it won't do you a damn bit of good if you let everybody and his enemy go around it. ------------------------------ Date: Fri, 25 Jul 2003 23:19:17 +1000 From: Gillian Brent Subject: Limit to stupidity? Credit card scam uses rather nasty flaw. The following Spam arrived on the alt.devilbunnies newsgroup. As we are fairly used to a couple of certain rabbits trying to pull similar schemes, we weren't fooled - but I'm sure some people were. > Finally I found a hack that really works to get free VALID CREDIT CARD > NUMBERS! I bought the information off ebay for $15.00. > Using a valid credit card account, you can get many more VALID CREDIT > CARD NUbers for free using my method. > > You basically send a coded message to the yahoo account information > computer database. > All the account information still active is in this computer. Iam not > going to explain exactly how it works(its around 7 pages long), I'll > just tell you a little and how to do it. > > Copy the information below in its exact format or it will not work. > Make sure to put a zero under each character(number, letter, hyphen, etc) > you type. Type in small caps. If you capitalize, it will not work. > And if you do not send the exact information on the credit card, it > will not work. The computer has to register the information to be > valid before it will send you an account. I've tried to use a false > account, it doesn't work. (I very much doubt whether this information actually came from eBay.) I'm not going to insult your intelligence with the rest of this, but apart from the risk of losing control of your own credit card, it seems to be using a vulnerability in the yahoo system. Or just the gullibility of the fools sending their credit-card info to (account_deleted)@yahoo.com. ------------------------------ Date: Tue, 22 Jul 2003 09:27:32 -0700 From: "NewsScan" Subject: Biometrics technology: not yet ready for primetime Gartner Research director Anthony Allen told guests at the launch of European Biometrics Forum that while widespread use of biometrics was likely by 2008, the technologies still had some kinks to be ironed out. Biometrics, which includes technologies used for voice, face, iris and fingerprint identification systems, is virtually useless without adequate back security measures and databases, said Allen, and current systems have several fallibilities that must be corrected. For instance, evidence shows that wearing eyeglasses can fool an eyescanner, prosthetic makeup can confuse face scanners, a sore throat can change a voice print and breathing heavily on a fingerprint scanner can make prints unrecognizable. However, newer generations of technology are beginning to rectify some of these shortcomings; the latest fingerprint scanners now incorporate methods of detecting body heat and blood flow and can scan below the surface later, making it more difficult to deceive. [*The Register*, 22 Jul 2003; NewsScan Daily, 22 Jul 2003] http://www.theregister.co.uk/content/55/31865.html ------------------------------ Date: Sat, 26 Jul 2003 17:11:48 -0000 From: Subject: Spammers who don't read RISKS Reuters Internet Report: A hoax e-mail was circulating around the Internet on Friday purporting to be a new cookery book from British celebrity chef Jamie Oliver dishing up recipes from sushi rolls to fish and chips. Now here's the kicker: Penguin Books, the UK publisher for Oliver's books, said it was trying to track down the e-mail's author. It contained a 121-page Microsoft Word document attachment replete with color photos, scores of recipes and a fictitious title, "The Naked Chef 2." Anyone care to place bets on where they're most likely to find the author's name? ------------------------------ Date: Mon, 21 Jul 2003 08:39:36 -0700 From: "NewsScan" Subject: Adieu to 'e-mail'? France's Culture Ministry has announced a ban on the use of the word "e-mail" in all government ministries, publications or Web sites and is encouraging French Internet users to adopt the term "courriel" when referring to electronic mail. Courriel is derived from "courrier electronique" -- electronic mail -- and, according to the General Commission on Terminology and Neology, the term is "broadly used in the press and competes advantageously with the borrowed 'mail' in English." However, some Internet industry experts disagree with that assessment: "The word 'courriel' is not at all actively used. Protecting the language is normal, but e-mail's so assimilated now that no one thinks of it as American," says Marie-Christine Levet, president of French ISP Club Internet, who adds that her company has no plans to switch its terminology. [AP, 19 Jul 2003; NewsScan Daily, 21 Jul 2003] http://apnews.excite.com/article/20030719/D7SCS9201.html [I presume this is in part the result of the use of the word "email" (e'mail is a perfectly good French word relating to lacquer, and email without the hyphen is unfortunately ACM's publication standard!). Nothing in the foregoing to the contrary notwithstanding, my long-time crusade for "e-mail" rather than "email" continues. See http://www.csl.sri.com/neumann/hyphen.html if you have not already. On the other hand, one of the musical instruments I play is certainly not a Freedom Horn. PGN] ------------------------------ Date: Sat, 26 Jul 2003 21:34:31 -0500 From: Jim Garrison Subject: E-mail harvesting and re-use as a new virus vector? I've recently received several e-mails from my Dad, with whom I regularly correspond. However, the subject lines and message texts were obviously not intended for me, and I was able to deduce both the intended recipient and the original time period when the messages were written, which was over a year ago. Each such message also contained an e-mail virus. The headers indicated the messages originated in Spain (where my Dad is living), but not from his ISP. I think this represents a disturbing new trend in virus vectors, the 'harvesting' of messages and correspondence addresses in order to sneak in a virus disguised as a legitimate message from a trusted correspondent. I use Mozilla as my mail reader so of course I see the complete filename (file.doc.exe) and cannot be tricked into opening it, but people with Outlook or Outlook Express might easily be fooled. Is this new, or have I just missed seeing it before? Anyone else having this experience? [It's been around for some time, but seems to be increasing. PGN] ------------------------------ Date: Tue, 22 Jul 2003 09:27:32 -0700 From: "NewsScan" Subject: Identity theft: a crime that pays? The number of victims that have fallen prey to identity thieves is severely underreported, according to a study by Gartner Research, which estimates that 3.4% of U.S. consumers -- about 7 million adults -- have suffered ID theft in the past year. Moreover, identity thieves generally get away with it -- arrests are made in only one out of every 700 cases. "The odds are really stacked against consumers," says Gartner VP Avivah Litan. "Unfortunately, they are the only ones with a vested interest in fixing the problem." Typically, victims of ID theft learn of the crime a year or more later after it happens -- long after the trail has gone cold. "It is different from payment fraud, where the thief takes a credit card number and consumers are innocent until proven guilty. With identity theft, it is the opposite: Consumers are thought to be guilty until proven innocent," says Litan. "There is a serious disconnect between the magnitude of identity theft that innocent consumers experience and the [financial] industry's proper recognition of the crime. Without external pressure from legislators and industry associations, financial services providers may not have sufficient incentive to stem the flow of identity crimes." [CNet News.com 21 Jul 2003; NewsScan Daily, 22 Jul 2003] http://news.com.com/2100-1009_3-5050295.html ------------------------------ Date: Wed, 23 Jul 2003 10:57:03 -0400 (EDT) From: msb@vex.net (Mark Brader) Subject: Cross *words*? I don't know how long it will remain online, but currently contains a recent crossword puzzle from the British newspaper The Guardian. And above the puzzle diagram, it says: Special instructions: Two of the solutions to today's quick crossword (no10362) contain numbers. Unfortunately, we cannot show numbers in answers in the usual way. Click here to view a pdf file... Risks of unwarranted character set assumptions! [Pointed out by Owen McShane in rec.puzzles.crosswords.] ------------------------------ Date: Thu, 24 Jul 2003 09:27:00 -0500 From: Jim Bauman Subject: Presidential "doublespeak" ... The risk here is that what is purported to be a way to enhance communication could actually be a way to do the opposite (Hmmm ... Navigate nine Web pages instead of sending an e-mail from your mail client to president@whitehouse.gov ... Gee, which would you choose?). Is it a muddled signal from the White House that they want the American public's feedback and yet they don't? Also, it's a handy way for the White House to sort its e-mail---those in favor of their position and those who are not. Would then, the President or his people bother to read and consider the e-mails not favoring the White House's policy on a certain national/foreign affair? Would they pay more attention to those that favor their position? Would they have an "accurate" number of e-mails in favor of their policies, but a nebulous one in regards to the e-mails that don't? White House puts up obstacle course for e-mails Critics cite burden of additional steps By John Markoff, *The New York Times*, 18 Jul 2003 http://www.chicagotribune.com/technology/chi-0307180184jul18,1,7186833.story Do you want to send an e-mail message to the White House? Good luck. In the past, to tell President Bush--or at least those assigned to read his mail--what was on your mind it was only necessary to sit down at a personal computer connected to the Internet and dash off an e-mail note to president@whitehouse.gov. But this week, Tom Matzzie, an online organizer with the AFL-CIO, discovered that communicating with the White House has become a bit more daunting. When he sent an e-mail protest against a Bush administration policy, the message was bounced back with an automated reply that instructed him to send the message in a new way. Under a system deployed on the White House Web site for the first time last week, those who want to send a message to President Bush must navigate as many as nine Web pages and fill out a detailed form that starts by asking whether the message sender supports or differs with White House policy. The White House says the new system, at http://whitehouse.gov/webmail, is an effort to be more responsive to the public and offer the administration "real-time" access to citizen comments. [...] ------------------------------ Date: Fri, 25 Jul 2003 23:04:16 -0400 From: Monty Solomon Subject: Owner of stolen 'sex.com' can sue VeriSign Elinor Mills Abreu, Reuters, 25 Jul 2003 The owner of "sex.com," once considered one of the Internet's hottest addresses, can seek payment from the company that improperly transferred the domain to a "con man" who later fled to Mexico when ordered to pay $65 million, a court ruled on Friday. The Ninth Circuit Court of Appeals in San Francisco ruled that "computer-geek-turned-entrepreneur" Gary Kremen can hold VeriSign Inc.'s Network Solutions unit liable for handing the sex.com Web address over to a "con man." The decision has widespread implications for companies that register domains, which until now have not been held responsible when Web sites are switched from their rightful owners, a lawyer for the plaintiff said. ... http://finance.lycos.com/home/news/story.asp?story=35007290 ------------------------------ Date: Sun, 20 Jul 2003 17:30:40 -0600 From: "J. Lasser" Subject: Another risk of decency filters You could lose a customer. I've moved out to Colorado and was pursuing broadband through my phone company. After they verified that my line was DSL-capable, they gave me a call and asked what ISP I'd like to use. Helpfully, they suggested that MSN had the best pricing deal with them. After I agreed that this would be fine, they asked what user ID I would like. I said 'jonlasser' would be ideal. The system rejected that and several other variations due, the support technician decided, to the three-letter word buried in my last name. She asked if I'd like to pick another user ID. I said no, and asked about other service providers I could use with their service. It turns out that there's an option for those of us who already have mail/web from elsewhere and just need the broadband, which is really what I wanted in the first place. But for that decency filter, however, MSN would have had another customer. Jon Lasser jon@lasser.org 410-659-5333 ------------------------------ Date: Mon, 21 Jul 2003 17:48:44 -0400 From: "monty solomon" Subject: SCO wants licensing fees from corporate Linux users SCO wants licensing fees from corporate Linux users Otherwise, SCO said, companies could be in legal hot water Todd R. Weiss, *Computerworld*, 21 Jul 2003 The gloves are now officially off -- all enterprise Linux users have to pay The SCO Group Inc. new licensing fees to use Linux, or they could find themselves on the wrong end of a copyright infringement lawsuit. That was the ultimatum laid out today by SCO CEO and President Darl McBride, who said that the $3 billion lawsuit against IBM in March was apparently just the start of his company's march to defend itself from what it sees as rampant theft of its Unix System V intellectual property (IP). ... http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,83287,00.html ------------------------------ Date: Fri, 25 Jul 2003 14:01:31 -0700 From: Jeremy Epstein Subject: Microsoft rediscovers MultiLevel Security Seems that Microsoft has rediscovered the value of MLS, allowing "analysts who hold the appropriate security clearance and have a need to know with the ability to access information across databases that may be compartmentalized or "air-gapped" for security reasons". The idea is to run multiple OSes on top of a VMWare (or similar) base, and then run multiple classifications of windows on the screen. http://www.computerworld.com/securitytopics/security/story/ 0,10801,83465,00.html?nas=PM-83465 The more things change, the more they stay the same. ------------------------------ Date: Mon, 21 Jul 2003 16:09:37 +0100 From: Eliah Grabbet Subject: Re: Powergenitalia (RISKS-22.81) It should be pointed out that while the unfortunately named http://www.powergenitalia.com really exists, and it has caused much merriment in other newsgroups, too, it is not the website of Powergen's [a British power company] Italian subsidiary. As far as I know, Powergen does not even have an Italian subsidiary. [This was noted by several RISKS readers. Many thanks. PGN] ------------------------------ Date: Sat, 26 Jul 2003 17:07:49 -0600 From: Greg Compestine Subject: Re: Error in E-Mini Dow Futures creates havoc at CBOT, CME > Apparently an order to sell 10,000 contracts instead of 100 was put in by > mistake. Physical checking always uses double entry for amounts. Why not trading systems? Sounds like a perfect application for voice recognition technology (no pun intended). The person entering the number has to type in and then say the amount, and if the two don't agree, then the transaction isn't accepted. ------------------------------ Date: Mon, 21 Jul 2003 15:47:36 -0400 From: Kent Borg Subject: Re: GPS-piloted tractors? (Heiney, RISKS-22.81) > The RISK of unmanned vehicles relying on GPS signals, with or without > rotating blades attached, is interesting to contemplate, especially at night! The article said nothing about "unmanned" tractors. This equipment is expensive, farmers aren't stupid, they don't send them off on their own, they ride in them. Farmers also know that things that have nothing to do with GPS can go wrong and they want to be there to notice and do something about them when they do. Don't jump to such conclusions! If you want to worry about such things worry about unmanned lawn mowers or house vacuum cleaners or swimming pool vacuum cleaners even--they all do exist. ------------------------------ Date: Mon, 21 Jul 2003 11:24:42 -0700 (PDT) From: "Fredric L. Rice" Subject: Re: GPS-piloted tractors? Hell yes! Que Stephen King! In RISKS-22.81 it's noted that there's advocacy of GPS-piloted tractors going into operation in Australia, sent in by Conrad Heiney who notes that tractors "with or without rotating blades attached is interesting to contemplate." Where's the RISK? I *love* the idea of fully automated whirling machines of horrible, mangling death roaming the countryside at night, hiding from villagers by day, emerging in packs to assault gasoline stations to steal fuel, killing anyone who tries to stop them. What's the down side? I'm sure Stephen King would agree with my delight that there are people out there working hard on the technology that would allow roaming packs of automated, economically efficient death to go from city to city harvesting and de-boning humans, cutting them into manageable sizes, and packaging them up in shrink wrap for your grocery shelf. Soylent Green has to start somewhere! These machines will dispassionately collect humans just as dispassionately as they collect potatoes and I can't wait to see what hackers and anti-genetically modified food activists would make of such wonderful toys. Man, I hope like hell they call the new technology "Godzilla." ------------------------------ Date: 30 May 2003 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact . => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES: http://www.sri.com/risks http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.82 ************************