precedence: bulk Subject: Risks Digest 22.98 RISKS-LIST: Risks-Forum Digest Monday 27 October 2003 Volume 22 : Issue 98 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://www.risks.org as http://catless.ncl.ac.uk/Risks/22.98.html The current issue can be found at http://www.csl.sri.com/users/risko/risks.txt Contents: Internet fraud update (NewsScan) Casino barcode forgery (Steve Dunbar) Air Traffic Control vulnerable to fire! (Paul Cox) South Carolina DMV software glitch costs Sumter County $164,000 (Frank Carey) New risk of leaving devices OFF (Walter Roberson) Mississippi liquor stores and restaurants risk going dry (Ben Moore) RFID friend and foe, with a note on biometric passports (Markus Kuhn) Amazon's new 'search inside the book' feature (NewsScan) Amazon's new text search service (Drew Dean) Google Stumbles? (Monty Solomon) Unwanted e-mail turns into a "chain of stupidity" (William Colburn) Re: Recent London power outage (Martin Ward) Re: First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE! (Amos Shapir) Yet Another eBay-Spoofing Scam (David Graham) Self-inflicted phishing (Andrew Yeomans) SNAFU at the bank (Walter Regan) Re: Top 10 data disasters (Merlyn Kline) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 24 Oct 2003 08:17:15 -0700 From: "NewsScan" Subject: Internet fraud update The Federal Trade Commission says that complaints of Internet-related identity theft more than tripled last year, to 2,352 last year from the year before. Jay Foley of the Identity Theft Resource Center says, "Online fraud is becoming as big an issue for eBay and AOL as security is for Microsoft." Typically, eBay covers buyers or sellers for up to $200 (or $500 for some listings) if an item is not delivered or is in bad condition, though there is a $25 processing fee. Posting safety tips for eBay transactions are listed at at www.ebay.com/securitycenter. [*USA Today*, 24 Oct 2003; NewsScan Daily, 24 Oct 2003] http://www.usatoday.com/tech/news/2003-10-23-fraud_x.htm ------------------------------ Date: Sat, 18 Oct 2003 12:06:20 -0700 From: Steve Dunbar Subject: Casino barcode forgery The Kalispel Indian Tribe's Northern Quest Casino near Spokane, Washington, lost around $100,000 to forgers who printed copies of barcoded payout tickets. http://www.registerguard.com/news/Wire/N1620WA--CasinoScam.html ------------------------------ Date: Mon, 27 Oct 2003 00:51:34 -0800 From: "Paul Cox" Subject: Air Traffic Control vulnerable to fire! I work as an air traffic controller at Seattle Air Route Traffic Control Center. We were less busy than usual today, because nearly all of the flights to/from southern California were severely delayed or canceled. Not only did the fires in the SoCal area generate large volumes of smoke (reducing visibility and slowing traffic in general) but the fires threatened the physical structure of the main Southern California Terminal Radar Control (SoCal TRACON) facility. From the controllers' union regional vice president, Bob Marks... "SCT structurally received minimal damage, but the pine trees at the entrance caught fire and the Fire Department chopped them down so they wouldn't fall into the building. The field next to the facility burned completely. The facility was full of smoke, and we estimate a minimum of two days before it reopens. The FAA has been great, and honored our request for air sampling prior to having controllers come back." The RISK here should be obvious; you've got a facility that is designed and intended to be in operation 24X7, no matter what. They have power backup systems there that can run the TRACON for at least a week on the on-site diesel fuel. But if the air outside is too smoky from fires in the immediate vicinity, and people cannot work inside the building (apparently it was so smoky inside people were coughing up hunks of lungs... well, not quite, but really bad) then the precautions don't do much good. Additionally, the physical building itself was threatened with fire damage. The controllers at the enroute facility (like I work at) in Los Angeles were able to take over the airspace that SoCal TRACON works, but at greatly-reduced traffic rates. Again, from Bob Marks... "ZLA took over TRACON ops. My deepest gratitude and thanks to the good members at my old facility for dealing with this emergency. The news is not all good, however, as it appears there is pressure to try and run the system "nominally" when the busiest TRACON on the planet is ATC-Zero. A center cannot safely run a significant percentage of approach traffic during a sustained period for several reasons: Technical: Finals, MVAs, and other map items are not displayed. Mosaic requires 5-mile minimum separation. Radar ID is more cumbersome, since usually the a/c is more than a mile from the departure end of the runway before tag-up. Training: Most center controllers don't do approach control work, or haven't for years. Proficiency: When was the last time you got a thorough briefing and training on ATC-Zero procedures?" Basically, to maintain the minimum level of safety, controllers had to drastically reduce the numbers of flights from what the TRACON would ordinarily handle. More RISKS... lack of training, lack of forethought in planning video maps, keeping copies of routes and procedures handy, and some other technical issues (facilities that had a need to talk to one another had to rely on regular commercial telephones, or cellphones, because the FAA doesn't have the proper 24X7 dedicated circuits between all of them). In the end? Kept the skies safe, as always, but the monster delays (several flights that I personally knew of from Portland, Oregon, and from Seattle, Washington, were delayed by 10+ hours) showed that lack of good contingency planning- and drills on contingency plans- severely hampered the FAA's ability to react to the problems. ------------------------------ Date: Sat, 25 Oct 2003 20:56:49 EDT From: Frank Carey Subject: South Carolina DMV software glitch costs Sumter County $164,000 The South Carolina Department of Motor Vehicles says it has sent Sumter County officials a list of nearly 1,000 automobile tax records that were possibly left off the county's tax rolls because of problems with their Project Phoenix software which had been installed last year. In August of this year Sumter County officials discovered they were missing a large number of car tax records and that the missing records had cost the county $164,000. When first confronted with the situation in August, DMV officials said they were unaware of any problems with the software. After looking into the Sumter County complaint, the state DMV officials recognized that records might have been omitted but also that the software glitches caused billing problems. Other South Carolina counties have also reported the same problems. [*The Item*, Sumter, SC, front page, 24 Oct 2003] ------------------------------ Date: Wed, 22 Oct 2003 13:32:12 -0500 (CDT) From: Walter Roberson Subject: New risk of leaving devices OFF Cisco recently announced an unusual problem with leaving some of its devices *off*. It seems that a particular lot of electrolytic capacitors in some of its 2900XL and 3500XL switches undergo chemical degradation when the devices are powered off for extended periods. This can lead to Cyclic Redundancy Check (CRC) and Frame Check Sequence (FCS) errors in the switches. http://www.cisco.com/warp/public/770/fn26174.shtml [Somehow I never expected quite this form of "bit rot"!] ------------------------------ Date: Mon, 27 Oct 2003 01:39:35 GMT From: Ben Moore Subject: Mississippi liquor stores and restaurants risk going dry Mississippi's Alcohol Beverage Control division shut down the warehouse last week for an indefinite amount of time to fix computer problems, with an estimated outage of at least one week. (Most establishments do not keep more than a week's backlog.) [Source: AP item, PGN-ed] http://www.godesoto.com/modules.php ?op=modload&name=News&file=article&sid=2313&mode=thread&order=0&thold=0 ------------------------------ Date: Sun, 26 Oct 2003 22:28:47 +0000 From: Markus Kuhn Subject: RFID friend and foe, with a note on biometric passports One is tempted to think of the planned RFID tagging of all US DoD supplies as a major step forward. This will finally enable the design of a new and far safer generation of mines that detonate only near people carrying DoD equipment. Defense Department drafts RFID policy Matthew Broersma, CNET News.com The U.S. Department of Defense will give radio frequency identification technology a massive boost with a new policy requiring its suppliers to use RFID chips. [...] RFID chips, or tags, contain identification information that can be wirelessly passed on to a reader, allowing, for example, the contents of a shipping container to be identified without opening it. This promises huge improvements in supply-chain efficiency, but also raises the prospect of remote tracking of consumers via RFID chips embedded in their clothes or the cards in their wallets. The Defense Department's policy requires that by January 2005 all suppliers embed passive RFID chips in each individual product if possible, or otherwise at the level of cases or pallets. [...] http://news.com.com/2100-1008-5097050.html But progress will not stop there. With the "US PATRIOT Act" requiring contactless ID chips to be embedded in passports from October 2004, mines and booby-traps will soon also be able to read out remotely the victim's name, age, height, sex and nationality right before triggering, providing an unprecedented reduction in the RISK of killing the wrong person in your next local invasion, terror, anti-terror, or genocide campaign. A related and more serious note on passport security: The ICAO radio transmitters about to be added to new passports from later next year on will enable every country on the planet to query the chip's data at a few meters distance (with suitably constructed antennas). Representatives of two German government agencies (BSI, BKA) expressed serious concerns about the security and privacy implications of this in the relevant standards committee. They suggested to use the data on the existing optical character recognition (OCR) stripes in each passport as a code for enabling access to the chip. This way, the passport could only be read by anyone who had already seen its written content before. The idea would be perfectly practical, as the RFID readers at border stations would normally be integrated in the optical readers needed for existing machine-readable travel documents. US representatives, however, have already rejected this quite elegant suggestion in the relevant standards committee. I suggested at an ISO/ICAO meeting last July in London to add a small metal shield to the front cover page of the passport, such that the RFID coil antenna in the back cover page can work effectively only while the passport booklet is open. Again, this idea was quickly rejected by some of those driving the project as a privacy concern and therefore "of little interest here". But as it is not dependent on any provisions in the chip's internationally standardized protocol, it can still be hoped that responsible passport issuers will implement something along these lines anyway. http://www.icao.int/mrtd/ Markus Kuhn, Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain ------------------------------ Date: Fri, 24 Oct 2003 08:17:15 -0700 From: "NewsScan" Subject: Amazon's new 'search inside the book' feature Amazon.com has announced a new feature called "Search Inside the Book" that is making the text of 120,000 books (more than 33 million pages) fully searchable at no charge. The feature makes it possible to scan a database for the word or phrase entered by a visitor to Amazon's site for each relevant portion of a searchable book. The pages that are found can be read onscreen and printed but not copied or downloaded. University of Washington computer scientist Oren Etzioni says: "It's an impressive feat -- a bold concept, coupled with nice execution and clear business thinking. This really shows Amazon is a technology company, not innovating just with things like free shipping but putting something out there that's brand new." [Seattle Post-Intelligencer 24 Oct 2003; NewsScan Daily, 24 Oct 2003] http://www.siliconvalley.com/mld/mercurynews/business/7092377.htm ------------------------------ Date: Fri, 24 Oct 2003 16:12:01 -0700 (PDT) From: Drew Dean Subject: Amazon's new text search service Amazon recently announced a new full text search service of 120,000 books: http://www.siliconvalley.com/mld/mercurynews/business/7092377.htm I decided to try a random search. As "To be or not to be" is a really bad search string (it consists entirely of stop words, that is, words to be ignored by text indexers), I decided on "Call me Ishmael." [For RISKS' international audience, this is the opening line of Herman Melville's Moby Dick, quite possibly the most famous opening line in all of American literature.] The results are interesting: 2704 books are found, the 1st is "Call me Ishmael," the 2nd is "Call Me Ishmael Tonight: A Book of Ghazals," the 3rd is "The First Five Pages: A Writer's Guide to Staying Out of the Rejection Pile," and the 4th is "Programming Windows with C# (Core Reference)" !! The highest rated match that directly relates to Moby Dick is the Cliffs Notes at #15. Moby Dick itself isn't in the top 20. Drew Dean, Computer Science Laboratory, SRI International ------------------------------ Date: Sun, 19 Oct 2003 01:00:43 -0400 From: Monty Solomon Subject: Google Stumbles? Is Google starting to show signs of strain against spammers and Web scammers? Chatters at the geek news site Slashdot observed this week that using the search engine to track down certain oddball series of words, such as "speaker bracelet" or "candle truck," turned up strangely low results. Instead of finding only the expected handful of sites, Google reported that none could be found. Cambridge, Mass., computer programmer Seth Finkelstein, an expert on Internet filters, thinks he's figured out the reason. "The Google search results are crashing, presumably as a result of a bug in the spam-filtering measures." (See www.sethf.com) The explanation involves dummy Web sites with long lists of words that are intended to provide matches and then link to Web scammer sites. [Source: Mike Musgrove, Google Stumbles? Web Watch, 12 Oct 2003, F07; PGN-ed] http://www.washingtonpost.com/wp-dyn/articles/A11461-2003Oct11.html ------------------------------ Date: Mon, 20 Oct 2003 13:50:39 -0600 From: "Schlake (William Colburn)" Subject: Unwanted e-mail turns into a "chain of stupidity" Several years ago I wrote a print accounting filter for LPRng. In case of a problem it sent e-mail to a list of people here at work. Another department on campus wanted it, so I sent the filter to them. I later remembered (when I started getting e-mail) that there was a hard coded address in it. Attempts to get them to remove or change it proved fruitless, so I just made a procmailrc script to mail the error back to them. Today, after a good two years of my sending the e-mail back to them, that department apparently got fed up, and set up a procmail script of their own which mails me back a thank you for each of these messages I forward to them. I added their thank you to my spam filter, and I'm blocking them now. The risk here is a chain of stupidity. I gave out some software that meant for in house use. They are using it but are unable or unwilling to change an e-mail address in it. I use procmail to push the problem back to them. They use procmail to push the problem back to me. I use a Sendmail milter to block their e-mail. Another escalation like this and I'll be hoarding my precious bodily fluids and calling for Wing Attack Plan R. ------------------------------ Date: Fri, 24 Oct 2003 09:47:59 +0100 From: Martin Ward Subject: Re: Recent London power outage (Amey, RISKS-22.97) It is irrelevant *when* the transformer was switched out. Transformers are expected to be switched out occasionally (for either routine maintenance, or emergency maintenance). The circuits are designed to take the extra load when one or two transformers are switched out. In this case, one circuit experienced an extra load which was still well within its design capacity, but a relay with the wrong rating (1,020 amps instead of 5,100 amps) had been installed on the circuit which tripped while the cable was well within its operating capacity of 4,450 amps. The point is that the accident was waiting to happen from the time the relay was fitted: "basic preventive maintenance" of fixing the leak as soon as it was found would have necessitated switching out the transformer and would also have triggered the power outage. Martin.Ward@durham.ac.uk http://www.cse.dmu.ac.uk/~mward/ ------------------------------ Date: Sat, 25 Oct 2003 12:35:40 +0200 From: amos083@walla.co.il Subject: Re: First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE! A similar error, but much more embarrassing (*) had happened on Ynet, Israel's largest news site (www.ynet.co.il): on the day the Columbia shuttle was lost, at 16:09 local time (09:09 EST) -- the time it was due to land -- an item was released bearing the title COLUMBIA LANDED SAFELY, with some details of what Israel's first astronaut Ilan Ramon was supposed to be doing oafter landing. The item was removed after a few minutes, but apparently not soon enough to be copied and spread around the net for infamy. * For those of us who consider matters of life and death more important than baseball... ------------------------------ Date: Sun, 19 Oct 2003 13:20:39 -0400 From: David Graham Subject: Yet Another eBay-Spoofing Scam I received an unsolicited e-mail yesterday (one of the hundred or so unsolicited e-mails a day that I am up to now), with this link: http://scgi.ebay.com%69%6E%64%65%78%75%70%64%61%74%65%79%6F%75%72%69%6E%66%6F%72%6D%61%74%69%6F%6E%73%65%63%75%72%65@%32%31%31%2E%31%34%32%2E%32%32%36%2E%31%36%37:%34%39%38%37/%69%6E%64%65%78%2E%68%74%6D followed by several lines of semi-nonsense. The link resolves to 211.142.226.167:34/index.htm The e-mail included a GIF which, if loaded inline, would display what looks like a completely legitimate account verification message from eBay, together with a faked link to a (legitimate looking) eBay URL. The real URL above would not be disabled, however; only covered up. I did not try this, but I *think* that clicking the faked link would actually load the real one hidden underneath. [The attached GIF was deleted. Vastly too long for RISKS. PGN] I tried to notify eBay but eventually gave that up as too much trouble. (1) Simply forwarding suspect e-mail to abuse@ebay.com no longer works; all I got was a bounce directing me to a notification URL. [Added note: spoof@ebay.com reportedly works. PGN] (2) As always, I had to login to eBay insecurely, just to try to tell them about this new scam. (3) The notification page, once I got to it, would only accept text. No way to send eBay the "faked text" GIF which made this scam noteworthy (and potentially very effective). Risks: 1. Letting your browser autoload anything other than plain text. 2. Trusting eBay not to be clueless about security. [Furthermore, this was the first legitimate message to RISKS among the week's more than 7000 spams. It was the "notsp" that enabled me to spot it. TNX! PGN] ------------------------------ Date: Mon, 27 Oct 2003 22:21:07 -0000 From: "Andrew Yeomans" Subject: Self-inflicted phishing In September I received a newsletter from BT Openworld, which very kindly warned me about "e-mails titled 'From your ISP'. You're asked to download 'new' dial-up software* - this may result in high connection charges". Later on they helpfully offer "if you're worried that you've installed a 'fake' dialer, simply download BT Openworld's ICM dialer to replace it. To do this, click here...". But the URL provided is http://www.digitaldataanalysis.com/btopenworld/r.emt?h=www.btopenworld.com/ business/help/sections/0,,1_23_2_0,.html&t=IEiFHQ&e=QJmXtQtyJPQ The headers of the message also indicate it was sent from "BT Openworld Business Team" I tried asking BT Openworld whether a) This was a "phishing" scam, or b) They were incapable of running URL click tracking themselves. Unfortunately their help desk was unable to give me a definitive answer, as e-mail bounced ("mailbox full") when I tried to forward the original e-mail. Not to be outdone, Smile on-line bank in their October newsletter say "To find out more about the recent e-mail scam affecting various UK banks, visit http://www.smile.co.uk". But the URL at the end is actually http://www.foretelsystems.com/eventmonitor/monitor.aspx ?cn=76&id=6936&ev=12&rd=http://www.smile.co.uk This had Return-Path: At least their help desk could assure me "The e-mail that you attached is a genuine e-mail, and has not been spoofed. Fortel systems handle the smile marketing e-mails." So how can I tell whether future e-mails are genuine? A case of "Give a man a phish; you might catch account details today. Teach a man to phish; and you have been caught for a lifetime". Andrew Yeomans, 65 Grove Road, Tring, Herts, HP23 5PB, UK andrew_yeomans@yahoo.com ------------------------------ Date: Thu, 23 Oct 2003 21:51:50 -0400 From: "Walter Regan" Subject: SNAFU at the bank On my way to work this (Thursday) morning, I heard a news item on the radio concerning a drive-thru ATM machine at a bank. It was reported that, over the last weekend, at least one customer had had his bank account drained by someone who had installed a 'skimmer' over top of the card reader to copy customers' ATM cards and a pinhole camera to capture customers' P.I.N. numbers. I found this story of particular interest because my wife had used that very ATM machine on Sunday morning. So I decided to call the bank to see if my wife's ATM card had been compromised. I dialed the number for what is laughably called 'customer service'. An automated voice read a menu to me detailing what information I could obtain by selecting one, two and three and then went on to say that, if I really wanted to talk to a customer service representative, I should select zero. I selected zero and, after a short pause, I got a busy signal. I decided to try again. This time I thought I might be able to pre-empt the menu by selecting zero before it was finished. No such luck. As soon as I selected zero, an automated voice, (which sounded very disappointed with me), told me that I had made an invalid selection and the menu spiel restarted from the beginning. So I waited until it had finished, selected zero and got a busy signal again. As it appeared that it would involve a long and frustrating ordeal to contact the bank in question, I instead phoned the main branch of the same bank. Surprisingly, a very obliging human being answered and, after I had explained the problem, gave me the unlisted phone number of the manager at the bank in question. I phoned this number, which got me to an answering machine. I left my phone number and a brief description of the problem. Hours later, I received a phone call from someone (not the manager) at the bank in question. She said that my account did not seem to have been tampered with. I asked if they could tell from the surveillance cameras when the skimmer had been removed. She told me that the surveillance cameras transmit the pictures directly to a central location in another city so that they had no way to tell how long the skimmer had been installed. She said that, for my own peace of mind, I could replace the ATM card or change the P.I.N. number. Several RISKS present themselves here - the vulnerability of the ATM machines to the skimmer , the poorly designed automated answering system, the bureaucracy that centralizes the capture of data but apparently cannot analyze it in a timely fashion, the lackadaisical attitude. ------------------------------ Date: Mon, 20 Oct 2003 10:24:42 +0100 From: "Merlyn Kline" Subject: Re: Top 10 data disasters (RISKS-22.96) > This could be a result of the rush to complete work and leave early for > the weekend on Friday afternoons, as well as a lack of staff concentration > on Monday mornings," Or perhaps it could be a result of the fact that many of these cases are precisely *not* those where human error is to blame -- computer failure often occurs in machines running 24x7 so, given a reasonably even distribution, around 35% of such failures will occur at the weekend and not be discovered until Monday morning when the users arrive to discover their data loss and ask for assistance with recovery. This will obviously give rise to a peak in recovery activity on Mondays. Recovery "experts" should be very familiar with this. [...] Recovery "experts" should not be amazed by the fact that a physically damaged computer often does not contain a completely destroyed hard drive. RISKS readers should not be amazed to see yet another marketing press-release reproduced as "news", even on the BBC site. For the same to make it into RISKS is another thing altogether... ------------------------------ Date: 30 May 2003 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact . => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. *** NEW: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: http://www.sri.com/risks http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.98 ************************