RISKS-LIST: Risks-Forum Digest  Friday 10 October 2003  Volume 22 : Issue 95

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/22.95.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents: [notsp REALLY helps!  PGN]
New breed of 'spackers' eludes antispammers (NewsScan)
OCLC ILL System rolls over 130th time... (Brig C. McCoy)
SunnComm: DMCA strikes again (Peter Houppermans)
SunnComm won't sue Princeton student over "shift key" paper (Declan McCullagh)
Microsoft to fix Windows -- again (Gene Lambson)
Winning the security trifecta (Jeremy Epstein)
Something's fishy with Diebold in California (Craig DeForest)
Data transfer Excel-COBOL loses voter data (Patrick O'Beirne)
The shape of elections to come in England (C. Cartledge)
Risks of living in New Mexico (Kent Hartfield)
Re: Unencrypted credit-card submission forms (Jeffrey W. Baker)
Re: Hidden risks: location dependence (Mark Brader)
Re: Identity Denial really exists (Paul Wallich)
Re: Too much spam filtering (John Bechtel)
Observed sudden 1400-fold increase in W32/Swen infected e-mails (Jon Seymour)
Re: Difficulties with Census Bureau income data (Tony Lima)
Re: Getting over that fishbowl feeling (Identity withheld)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 09 Oct 2003 09:35:20 -0700
From: "NewsScan"
Subject: New breed of 'spackers' eludes antispammers

Computer crackers have joined forces with spammers to devise new ways of defrauding hapless Internet users.
The latest technique enables spammers to create Web sites that are virtually untraceable, making it impossible for antispammers to shut down those sites by conventional means. Typical of the scam is a group in Poland currently advertising "invisible bulletproof hosting" for $1,500 a month, which provides its clients protection from network sleuthing tools such as 'traceroute' and 'whois' by routing traffic through thousands of hijacked computers (most of them home computers running Windows and having broadband connections). The technique is effective. "You're not going to have much success trying to follow IP addresses through hacked hosts," says one security researcher. "About all you can do is follow the money -- sign up for whatever it is they're selling and try to figure out who's behind the whole thing." Fueling the new tactics is an influx of "engineers who have been laid off or fired, and people who really know what they're doing with networking and DNS," says Steve Linford, head of the Spamhaus Project. "Hackers used to detest spammers, but now that spamming has become such a big business, it's suddenly cool to be a spammer."
[Wired.com 9 Oct 2003; NewsScan Daily, 9 Oct 2003]
  http://www.wired.com/news/business/0,1367,60747,00.html

------------------------------

Date: Fri, 10 Oct 2003 15:38:34 -0500
From: "Brig C. McCoy"
Subject: OCLC ILL System rolls over 130th time...

The OCLC (Online Computer Library Center) Interlibrary Loan System is used by many libraries around the world to facilitate interlibrary loan of materials. Unfortunately, the system display only shows record numbers up to 999999. This means that, with OCLC ILL transaction 130,000,000 due to happen in a few days, they will have rolled over 130 times without changing the system to allow for an appropriate number of digits!

Brig C. McCoy, 4722 Oak St, Apt 1033, Kansas City, MO 64112  1-816 885-2700

------------------------------

Date: Fri, 10 Oct 2003 07:17:58 +0100
From: Peter Houppermans
Subject: SunnComm: DMCA strikes again

If I buy a doorlock I'd be jolly grateful to find out that it takes hairpin + primary school kid to break it (and I'd be rather annoyed with the supplier). But instead of said supplier fixing the problem - you guessed it, they go and sue the person who told the world.

Same with SunnComm: a student discovers a simple bypass for their heavily marketed "CD" protection - and hey, new, surprising move: they sue. Register article "SunnComm to sue 'Shift key' student for $10m", URL
  http://theregister.co.uk/content/6/33322.html

Question: is this really the best way to rescue your reputation?
Answer: if you want to create the impression that you don't want to fix the problem, you couldn't have chosen a better route.

The longer I've been on the RISKS list, the more convinced I become that the DMCA is a serious threat to security. I'd like to hear of examples where it has contributed to actual security rather than allow security through obscurity to prolong its life ..

Peter Houppermans, PA Consulting Group, 123 Buckingham Palace Road, London SW1W 9SR  +44 (0)20 7333 5303  http://www.paconsulting.com

  [Correction in archive copy.  PGN]

------------------------------

Date: Fri, 10 Oct 2003 14:25:01 -0400
From: Declan McCullagh
Subject: SunnComm won't sue Princeton student over "shift key" paper

SunnComm won't sue grad student, By Declan McCullagh, 10 Oct 2003
  http://news.com.com/2100-1027-5089448.html

In an abrupt reversal, SunnComm Technologies said Friday that it would not sue a Princeton University graduate student who had published a paper that describes how to bypass CD copy protection technology simply by pressing the Shift key.
SunnComm had angrily assailed Princeton doctoral student John "Alex" Halderman just a day before, claiming that his academic paper was "at best, duplicitous and, at worst, a felony." The company had pledged to file a civil suit against Halderman under the Digital Millennium Copyright Act (DMCA) and lobby federal prosecutors to indict him on criminal charges.

Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

------------------------------

Date: Thu, 9 Oct 2003 16:19:50 -0500
From: "Gene Lambson"
Subject: Microsoft to fix Windows - again

According to NewScientist
  http://www.newscientist.com/news/news.jsp?id=ns99994258
Microsoft is making some changes to "fix" security problems with Windows - I quote: "The update will make a program more likely to crash than let a hacker in, Oaken says."

How nice. If you can't fix it, make sure it breaks. Good thing MS doesn't give advice to the airline industry.

------------------------------

Date: Fri, 10 Oct 2003 09:24:17 -0400
From: Jeremy Epstein
Subject: Winning the security trifecta

Reported in all the media... "The U.S. Securities and Exchange Commission has filed civil charges against a Pennsylvania man for computer hacking and identity theft in a scheme last July to dump worthless options for Cisco Systems Inc. stock" (Computerworld).

The story I heard on NPR is that he sold "puts", and when they were about to close out and lose $37,000, he decided to take action. So he created a web site with a Trojan keyboard logger, and enticed investors to visit his site with the promise of stock charts. Those who bit (and downloaded his Trojan) had their passwords & account numbers stolen. He then logged into one of the stolen accounts, and transferred his (negative value) position to the victim.

Result: he's been indicted for securities fraud, hacking, and identity theft... the first time (according to NPR) that all three have been brought together... the "security trifecta".
The "moral" of the story given on NPR was that you should always check your statements, so you catch unexpected transactions. Seems to me that the moral of the story is that managing your finances, or anything else sensitive, using the Internet is inherently RISKy. Customers are being told that if they use SSL, everything is safe. But as all of us know, all SSL provides is a protected pipe, which can be used as effectively for attacks as legitimate transactions. The RISKS, as we say, are obvious.

But to tie it to Mercuri's comments on California voting in RISKS 22.94 ... anyone who alleges that there's no practical way to subvert Internet voting should take a look at this case, assuming it's as claimed. It's not hard to imagine an over-enthusiastic campaign worker enticing voters to download a Trojan that causes votes to go the "right" way... especially in an election with 135 candidates where stranger things are happening every day.

------------------------------

Date: Fri, 10 Oct 2003 09:19:56 -0600
From: zowie@euterpe.boulder.swri.edu (Craig DeForest)
Subject: Something's fishy with Diebold in California

Mark Crispin Miller asserted, on the basis of a statistical analysis of California counties and vote distribution in the recent gubernatorial circus, that votes appear to have been "skimmed" from front-running contenders and redistributed to definite non-contenders in counties that use Diebold voting machines.
  http://www.markcrispinmiller.blogspot.com/

Out of curiosity, I visited the California election-return website
  http://vote2003.ss.ca.gov/Returns/gov/00.htm#cty
and did a cursory analysis myself. It appears that the sum of all the votes for the sixth-runner through the bottom is not enough to change the outcome, even if they were all assigned to Bustamante (the second-place candidate): Schwarzenegger won by 1.3e6 votes, while all candidates below the top five only garnered 2.2e5 votes.
Nevertheless, I agree with Mark that the per-county statistics look very fishy: many of the minor candidates received a much higher percentage of the vote in those counties with Diebold machines, and the difference is strongly significant.

------------------------------

Date: Fri, 10 Oct 2003 09:50:58 +0100
From: "Patrick O'Beirne"
Subject: Data transfer Excel-COBOL loses voter data

http://www.ddtonline.com/articles/2003/10/08/news/news2.txt
Officials begin affidavit count, By Amy Redwine / Delta Democrat Times

More than 1,600 affidavit ballots remain to be counted from Monday's Democratic primary, Greenville election officials said this morning, when officials began counting the affidavits in City Council chambers.

City Attorney Andy Alexander explained why there were so many affidavits. He said the city had to go through a three-step process for elections: The first part was getting the voting books from the county and checking them. After that step was completed, the names were added to an Excel spreadsheet in the city's computer.

"The information from Excel had to be entered into another database, COBOL. Apparently what happened is that when the rolls were printed, all the information did not get transferred," Alexander said. "Entire neighborhoods were left off of the voter rolls."

Patrick O'Beirne, Systems Modelling Ltd., Villa Alba, Tara Hill, Gorey, Co. Wexford, Ireland  http://www.sysmod.com  Tel. +353 55 22294

------------------------------

Date: Fri, 10 Oct 2003 16:02:47 +0100
From: "C.Cartledge"
Subject: The shape of elections to come in England

Given the comments on the use of technology in US elections, readers may be interested in the approach being recommended by the body responsible for overseeing elections in England. Hand counting of ballot papers is the norm in England and is implicitly retained in the information referenced.
There is no mention of dedicated voting equipment, but there are innovations such as:
  The roll-out of all-postal elections
  The use of watermarked ballot papers to replace the stamped official mark as proof of authenticity
  Barcodes to replace serial numbers on ballot papers

  All-postal voting should be made the norm at all local elections throughout Great Britain, says The Electoral Commission in its evaluation of voting trials at the May 2003 local elections in England[1]. In its independent report, The shape of elections to come, the Commission also concludes that further piloting of electronic voting is essential before setting a date for an e-enabled general election. ...  31 Jul 2003

See full press release at:
  http://www.electoralcommission.gov.uk/media-centre/newsreleasereviews.cfm/news/214

The English are careful with their use of new technology. It is after all just 164 years since the "penny post" was established here.

  [Correction in archive copy.  PGN]

------------------------------

Date: Wed, 08 Oct 2003 07:31:45 -0500
From: "Hartfield, Kent"
Subject: Risks of living in New Mexico

[The main risk of living in New Mexico is trying to make a phone purchase from another state and being told they don't ship to foreign countries, but that's another matter.]

Risks of Living in New Mexico? This happened last week to a friend of mine in Taos, New Mexico.

Event one. Friend gets purse stolen at school she teaches at. Doesn't report it for an hour, thinking it was misplaced.

Event two. She finally reports purse stolen. Notifies one of two credit card companies about theft, can't notify the second card company because she can't remember who issued it (had the card for years but never used it).

Event three. Wal-Mart calls and says the "unknown card" was used at their store by a former employee. Wants to know if she was authorized to do this. Wal-Mart brought up to speed on events of the day.

Event four. Now card issuer is known since Wal-Mart revealed it.
Friend calls and cancels card. Told many purchases are made on card around town. Card cancelled.

Event five. Find out that not only did cashier at Wal-Mart know the person using stolen card, cashier also knew the real owner of the card, but didn't make the connection since the card listed the first name but she knew the owner only by her middle nickname. Small but slightly disconnected world.

Event six. Go to Department of Motor Vehicles to get new driver's license. Need Social Security card as identification, but that was stolen too. Finally DMV acquiesces to accept passport. Reports that person can't get new driver's license since didn't have valid driver's license to start with since not renewed two years ago.

Event seven. Disagree with DMV clerk. Clearly remembered renewing license since did it same day husband renewed his. Call husband to get day of renewal off of his license. Clerk reports husband doesn't have valid renewed license either even though husband comes to office to display actual license. Physical evidence does not take precedence over computer records.

Event eight. Police not yet arresting "perp" for unauthorized use of credit card even though recorded on video and ID'ed by clerk. Police inform friend and husband they are lucky they found out their driver's licenses were invalid since they would have been arrested if stopped for any routine traffic violation.

OK, so it took until Event Seven to get a computer risk out of this. Still, wasn't this a fun story?

[They don't yet know why their licenses were not in the system, even though they were issued physical licenses. KH]

Kent Hartfield, Lockheed Martin Missiles and Fire Control

------------------------------

Date: Thu, 09 Oct 2003 20:04:02 -0700
From: "Jeffrey W. Baker"
Subject: Re: Unencrypted credit-card submission forms (Silverberg, R-22.92)

The "Snake Oil Ltd." certificate is indeed a testing certificate.
Specifically, it is the self-signed certificate generated by the installation procedure of Apache-SSL. The presence of this certificate does not make your SSL connections less secure: they will still be encrypted and therefore difficult to intercept or corrupt.

What the web server at "Linux Web Toast" is saying is "Our name is company XYZ, just take our word for it." Your software (the browser) is bringing this to your attention because it is not configured to just take anybody's word for anything. A normal secure web server would say something like "Our name is company XYZ according to VeriSign, Inc, and you can take their word for it." Your web browser is probably configured to automatically trust VeriSign, Inc.

I hope you see the risks here. Why would you trust VeriSign? They are one of the least trustworthy organizations I can think of. See "VeriSign responds with arrogance to Site Finder critics" [http://www.siliconvalley.com/mld/siliconvalley/6960632.htm] and "VeriSign settles FTC complaint" [http://news.com.com/2100-1025-5081941.html]. Do you realize, when you are using your web browser, that you implicitly trust this distant corporation? Does the average user of the Internet have any understanding of certificates and trust graphs? Is there any particular reason to trust VeriSign more than you trust, say, me, or your barber, or the guy who lives around the corner?

A further risk is that VeriSign operates a toll gate to the Internet. As the previous correspondent has ably demonstrated, you must pay VeriSign to sign your SSL certificate or you will lose customers. In this way VeriSign has electronic commerce cornered.

The final risk is that VeriSign acts as a single point of failure in the trust system. Anyone who compromises VeriSign's root private keys will be able to issue legitimate-sounding certificates claiming to be anyone. VeriSign has previously been tricked into issuing certificates in the name of Microsoft Corp. and other entities [RISKS-21.29,30,32].

PS: I checked the certificate of linuxwebhost.com, and it appears to be signed by Equifax, not self-signed.

------------------------------

Date: Fri, 10 Oct 2003 01:26:56 -0400 (EDT)
From: msb@vex.net (Mark Brader)
Subject: Re: Hidden risks: location dependence (RISKS-22.85)

Another surprising location-dependency led to a key discovery in nuclear physics, according to Richard Rhodes in "The Making of the Atomic Bomb" (1986, Simon & Schuster, ISBN 0-671-44133-7).

In 1934, physicists Edoardo Amaldi and Emilio Segre were exposing samples of various elements to streams of neutrons: they hoped for a reaction where the neutrons would be captured, creating a new isotope that would be revealed by its radioactivity. This worked, but they found that the results varied greatly according to *where in the lab* they did the experiment.

This was in Italy, where marble was cheap enough that some of the lab tables were made of it. And as it turned out, that was the difference: more neutrons were captured when the experiment was done on a wooden table than a marble one.

It was Enrico Fermi who figured it out: neutrons were captured more easily if they were moving slower. Wood, unlike marble, contains a substantial proportion of hydrogen atoms, which are the right size to slow some of the neutrons and deflect them back. And in this way the concept of a moderator for nuclear reactions was discovered.

(I suppose that in this particular case, some people may feel that the Risk was that nuclear reactions *would* be discovered!)

  [Old item.  Catching up, thanks to Mark's prompt.  PGN]

------------------------------

Date: Wed, 08 Oct 2003 09:49:01 -0400
From: Paul Wallich
Subject: Re: Identity Denial really exists (Clark, RISKS-22.93)

Depending on what's meant by "cancel" this doesn't seem too uncommon or unlikely.
Death certificates in many US states, for example, can be forged with relatively basic tools, and some institutions don't require even that level of proof. And the corpse will find out only if they try to use some service that depends on being officially alive. (Some years back, I was surprised to receive condolences from a pension-fund officer on the ostensible demise of a sibling -- who was similarly surprised to hear of the event.)

------------------------------

Date: Wed, 8 Oct 2003 10:07:07 +0100
From: John Bechtel
Subject: Re: Too much spam filtering

I read with interest the item in RISKS-22.92 about spam filtering for good e-mail, and note as well the comment about not trusting your ISP.

I have recently had to change my ISP from AXX (name changed) because of their aggressive spam filtering policy. AXX advertise that they aggressively filter spam, and equally go after spammers. I applaud the attitude. I cannot applaud their mechanism.

After too many games of "Did you get my e-mail?" ... "What e-mail?" leading to missed appointments and what-have-you, I was told that
  1) AXX was spam filtering my e-mail even though I had set my account not to filter anything,
  2) I would not be allowed to see or change the policies used to decide what was spam and what wasn't,
  3) It was not possible for me to see what was being "filtered" in order to rescue it, and
  4) Filtering could not be turned off.

After I gave them a list of addresses that I knew were being blocked I was told that AXX had detected spam from their ISPs... not my people specifically, just the ISP. I was told it was best for me to contact those people's ISPs to ask the ISPs to stop allowing spam. Only then would AXX stop deleting my e-mail.

BTW, I don't consider that AXX was filtering my e-mail... they were deleting it, at random, without notice.
They produced some discussion about possibly being able to selectively allow specific addresses, in the concept of allowing known addresses through, but were not sure it would work, and of course that would not solve the problem of e-mails from third parties that I do want being filtered never to be seen again.

I believe some new versions of AXX can allow users more control since then, but I was not told about that at the time (1 month ago), nor am I sure now, nor do I care.

John Bechtel, 1 Farnham Road, Guildford, Surrey, UK, GU2 4RG

------------------------------

Date: Thu, 09 Oct 2003 04:10:21 +1000
From: Jon Seymour
Subject: Observed sudden 1400-fold increase in W32/Swen infected e-mails

I'd like to draw attention to a phenomenon associated with the W32/Swen worm with which I have just painfully become acquainted.

At 10pm, October 7 Sydney time (12:00 October 7 GMT), I noticed a sudden increase in the number of W32/Swen-infected e-mails that my spam filter was detecting.

To put the increase in perspective: between September 23 and October 7, I had received 12 e-mails infected with W32/Swen. With each e-mail weighing in at roughly 145kB, that's around 6kB per hour over 298 hours. Irritating, but tolerable.

Starting at 10pm October 7, I started receiving one of these 145kB e-mails every 6 minutes. That's a 1400-fold increase in the rate of W32/Swen-infected e-mails hitting my inbox. And as I write this, over 28 hours later -- it still hasn't stopped. I am still receiving infected e-mails -- from a wide variety of different hosts -- at roughly the same rate as when the deluge started at 12:00 GMT on 7 Oct. That's an inbound rate of 38MB in one day. If it keeps going at this rate, my mail box will receive about 1GB of this stuff each month.

Some points of note:

  * The e-mails appear to originate from random ISP accounts around the world.
  * There is no reason to believe that my e-mail address was harvested from the local address books of these machines -- suggesting that these zombies are acquiring their address lists from some external agency.
  * Each account is responsible for a small number (usually < 3, always less than 6) of e-mails.
  * From my perspective, this is not an exponential growth characteristic - more of a step - suggesting that these infected hosts were "switched on" at 12:00 GMT, perhaps because my e-mail address was added to some pool of addresses at that time.

So, the lesson here is: even if you keep your virus software up to date, discard all suspicious e-mail, don't use peer-to-peer software, install a personal firewall, yada, yada, yada, you can still fall victim to a worm created by a suitably deranged mind.

  [Added note, Fri, 10 Oct 2003 08:38:59 +1000:]

I understand what the trigger for the deluge was now. Unfortunately, I hadn't read:
  http://www.f-secure.com/v-descs/swen.shtml
If I had, I would have realised that a post to USENET would have this effect.

So, it would appear that, if the consequence of posting to USENET is to provision oneself with a 38MB/day stream of virus-laden spam, it would then seem that USENET is now effectively, finally, dead.

------------------------------

Date: Thu, 09 Oct 2003 15:15:53 -0700
From: Tony Lima
Subject: Re: Difficulties with Census Bureau income data (Mannes, RISKS 22.93)

[I took the liberty of asking my colleague Dr. Nan Maxwell about this issue. Her reply is below (forwarded with her permission, naturally). Dr. Maxwell is Director of the Human Investment Research and Education Center at California State University, Hayward. She is also Professor of Economics and a respected researcher into the relationship between demographics and economics.
Tony Lima]

Thu, 09 Oct 2003 08:54:02 -0700, "Nan Maxwell"

The census has always capped income figures (as the article notes) for reasons of confidentiality -- if there are 26 people in the US making over $1 million and you know their gender, race, place of residence, industry, occupation, etc. you can pretty much guess who they are. When I first started in this business the cap was $100,000!!! The cap has always been the source of discussion like the one below, but confidentiality always wins. (And I guess I believe it should). The real question (in my mind) is... has the cap become more constraining over time?

Nan L. Maxwell, Co-Chair and Professor of Economics and Executive Director, HIRE Center, Cal State University, Hayward, College of Business and Economics, 25800 Carlos Bee Blvd., Hayward, CA 94542  510.885.3191

------------------------------

Date: 10 Oct 2003 09:02:18 -0400
From: [Identity withheld by request]
Subject: Re: Getting over that fishbowl feeling (Smith, R-22.94)

> A piece of evidence he presented to support this was a set of estimates of
> the street value of ID information: $1 for a valid card number, $5-10 for
> one with personal info to back it up (name, addr, etc), and $10-15 if it
> includes the CVV2 number from the back ...

The numbers are high, by about three orders of magnitude. The normal way to quote prices of stolen credit card numbers is for a thousand. Prices such as $10 to $60 per 1000 numbers are not unusual (the price depends on the presence of billing information and CVV2 code, but mostly on the pseudonymous reputation of the seller). It is easy to purchase the numbers on the net anonymously (but credit card payment will not be accepted).

------------------------------

Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to  with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address " ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .UK users should contact .
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NEW: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating contributions from spam.
 *** This pass-string may change, so watch this space now and then.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/  ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.95
************************