Subject: Risks Digest 22.62
From: risko@csl.sri.com (RISKS List Owner)
Date: Mon, 10 Mar 2003 22:52:11 +0000 (UTC)
Newsgroups: comp.risks

RISKS-LIST: Risks-Forum Digest  Monday 10 March 2003  Volume 22 : Issue 62

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://catless.ncl.ac.uk/Risks/22.62.html
and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Identity mixup: NZ teacher identified as prostitute (Ruth Berry via Max Power)
The darkest side of ID theft (Bob Sullivan via Monty Solomon)
Wrong man arrested after identity theft (Neil Youngman)
Microsoft speaks, site goes dark (Joe Wilcox via Monty Solomon)
Computer crashes threaten hospital operations (Monty Solomon)
Toronto public health computer accidentally erases records (Chris Smith)
Inappropriate HMI on medical device (Erling Kristiansen)
Security firm shuttered by sabotage (Andrew Colley via Keith Rhodes)
Sendmail flaw tests Homeland Security (Robert Lemos via Monty Solomon)
Hackers access University of Texas database (Mike Swaim)
You might just be a hacker if... (Andrew Orlowski via Tim Finin)
Kevin Poulsen: Windows root kits a stealthy threat (Monty Solomon)
FirstUSA/BankOne sends login ID & PW as clear text (Ric Cohen)
Nigerian scams continue to thrive (Monty Solomon)
Traffic lights don't work in the snow (Bob Copeland)
Re: Computer error means 2.3-trillion-pound electricity bill (Michael Bacon)
Re: Someone protecting patient data well (Edwin Culver)
Re: BSA Accuses OpenOffice ftp sites of piracy (Fuzzy Gorilla)
Re: Visa moves to improve customers' privacy (Brett Glass, Margie Wylie)
New article on critical infrastructure risks (Fred Cohen)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 6 Mar 2003 18:14:45 -0800 (PST)
From: Max Power
Subject: Identity mixup: NZ teacher identified as prostitute

Michelle Garforth (Dunedin, NZ) applied to be registered as a teacher, after finishing four years of training. She was notified that she was "likely" to be a prostitute convicted on four charges, including two assaults, based on a computer match of her maiden name and birthdate. Despite going to the police and submitting to fingerprinting that demonstrated she was not the person in question, she was not cleared until weeks later -- after her local Member of Parliament had intervened.

  [Source: Prostitute mix-up shocks teacher, by Ruth Berry, 06 March 2003; PGN-ed]
  http://www.stuff.co.nz/stuff/0,2106,2309649a7694,00.html

------------------------------

Date: Mon, 10 Mar 2003 09:49:24 -0500
From: Monty Solomon
Subject: The darkest side of ID theft

Malcolm Byrd was confronted at home by three Rock County, Wisconsin, sheriff's officers with a warrant for Byrd's arrest for cocaine possession, with intent to distribute. He tried to tell them that he was a victim of identity theft. So, he was handcuffed and taken away. Again!

"This is the worst-case scenario for identity theft victims. Losing your clean credit history is one thing; losing your freedom is another.
And victims of America's fastest-growing crime are discovering they often have much more to worry about than the hundreds of hours of paperwork necessary to clean up the financial mess associated with ID theft. Sometimes, they have to worry about ending up in jail - again and again."

  [Source: ... When impostors are arrested, victims get criminal records, Bob Sullivan, MSNBC, 9 Mar 2003; PGN-ed]
  http://www.msnbc.com/news/877978.asp

------------------------------

Date: Sun, 9 Mar 2003 19:55:25 +0000
From: Neil Youngman
Subject: Wrong man arrested after identity theft

A British man was arrested in South Africa and held for 2 weeks on an FBI warrant after his identity was stolen by a fraudster. He was only released after the real suspect was picked up in the U.S.
http://news.bbc.co.uk/1/hi/england/2806827.stm

------------------------------

Date: Sat, 8 Mar 2003 17:28:46 -0500
From: Monty Solomon
Subject: Microsoft speaks, site goes dark

Microsoft speaks, site goes dark, by Joe Wilcox, CNET News.com, 7 Mar 2003

In an uncommonly harsh application of a widely used Internet enforcement tool, a Windows news site was taken offline for nearly 24 hours this week after Microsoft accused the site of infringing its copyrights.

Neowin was shut down late Thursday and came back online Friday afternoon. Microsoft's Internet investigator sent a takedown notice on Tuesday, alleging the site was infringing the company's copyrights relating to its recently released Windows XP Peer-to-Peer Software Development Kit (SDK), apparently due to a message posted by a reader in an online feedback forum.

Such legal filings are routine. But in this case, the request turned into a nightmare for Neowin when it was sent not to the site but to the upstream Internet service provider responsible for Neowin's Web connection. That provider responded by pulling the entire site offline.

Neowin declined to name the ISP, but a traceroute on the Neowin.net address showed Williams Communications Group, now known as WillTel Communications, as its furthest upstream provider. Sources later confirmed that Microsoft contacted the closer upstream provider, Hurricane Electric Internet Services of Fremont, Calif.

Neowin and its Web host, Invision Power Services Hosting (IPS), blamed Microsoft for the incident, saying the software giant gave them no chance to fix the problem before referring it to the ISP for more draconian measures. [...]
http://news.com.com/2100-1025-991624.html

------------------------------

Date: Sun, 9 Mar 2003 00:28:12 -0500
From: Monty Solomon
Subject: Computer crashes threaten hospital operations

Beth Israel Deaconess Medical Center was paralyzed for four days by a computer crash in November 2003. Dr. Peter Kilbridge, an independent consultant who reviewed the incident at Beth Israel at the request of the *New England Journal of Medicine* editor, Dr. Jeffrey Drazen, said even if hospitals have policies in place to encourage the appropriate use of computers, those policies are often ignored. [Source: Associated Press, 7 Mar 2003]
http://www.boston.com/dailynews/066/region/Computer_crashes_threaten_hosp:.shtml

------------------------------

Date: Mon, 10 Mar 2003 08:52:26 -0500 (Eastern Standard Time)
From: Chris Smith
Subject: Toronto public health computer accidentally erases records

As reported 10 Mar 2003 *Toronto Star*, GTA section, page B5: "Health records feared erased"

A computer fault may have accidentally erased the immunization records of thousands of Toronto school children, the city's public health department fears.

Last April, the department discovered that its immunization records information system was erasing files from among 425,000 student records, Dr. Barbara Yaffe, associate medical officer of health, said.

"It appears it was randomly erasing files - and we don't know how many," Yaffe said.
The department tried to get technical help from the provincial health ministry, but its technicians were among the 45,000 Ontario civil servants taking part in a 54-day strike last spring.

I suppose this is better than the traditional health info problem of accidental privacy breaches, but not by much. The department will have to contact parents to have them supply -- again -- the immunization status of their children in the above cases. This is especially important since failure to ensure appropriate immunizations can possibly result in suspension of children from school.

Article is online at...
http://thestar.ca/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_PrintFriendly&c=Article&cid=1035778928098&call_pageid=968350130169

------------------------------

Date: Sat, 08 Mar 2003 20:38:46 +0100
From: Erling Kristiansen
Subject: Inappropriate HMI on medical device

I spent some time in a hospital recently. The patient next to me, a woman in her late seventies, was being treated with a suction pump to remove fluid from an infected operation wound. This pump was a very neat, portable, lightweight device that allowed the patient to move around relatively freely.

After a few days, the patient was sent home. A short instruction course was given to her and her husband, who was about the same age.

The next day, she was back. In tears and very depressed. Her husband did not accompany her: He had had a nervous breakdown. They had been unable to figure out how to operate the pump.

I did not want to interfere directly, but tried to figure out from conversations, events and casual inspection what the HMI of the pump looked like. It was a menu-driven interface with a small LCD display and at least 4 push-keys. Activating the pump seemed to require at least 4 key-pushes, as did resetting the alarm that went off if the device was not operating properly for more than a given time.
As far as I could figure out, some of the 4 steps were actually going through menus that allowed one to re-configure the operating parameters, so a real risk existed of accidentally changing the setup.

A scenario that played out several times was: The patient wanted to go to the bathroom at night; she disconnected mains power (switching from mains to battery and back seemed to require operator intervention); after some 15 menus, the alarm went off; pushing any key seemed to reset the alarm, which then went off again 15 minutes later. And so on. The poor lady was so embarrassed keeping other patients awake that she even tried to wrap the device in towels to subdue the alarm!

Most of the medical staff did not know how to operate the pump, either, so much confusion ensued, often resulting in a trial-and-error scenario.

My remarks:

- A medical device designed to be operated by patients, and in particular elderly patients, should have a very clear separation between configuration HMI and routine operation HMI. The configuration HMI should be lockable or mechanically shielded to prevent accidental operation.

- The patient HMI should be as simple as at all possible, preferably a single on/off or enable/disable switch and a very clear indication whether the device is operating.

- Alarm handling, if needed, should be simple and clear. In particular, when reacting to an alarm, it should be immediately obvious whether the alarm condition has been resolved or persists. A design where the alarm is reset, just to re-appear after a time-out because the underlying cause was not resolved, is confusing.

- Switching between mains and battery power should be fully transparent to the user.

------------------------------

Date: Tue, 4 Mar 2003 04:09:21 -0800 (PST)
From: Keith Rhodes
Subject: Security firm shuttered by sabotage

The enemy could be sitting next to you.
An Australian security firm was forced to close due to a major internal security breach -- reportedly caused by a disgruntled employee. [Andrew Colley, ZDNet Australia, 3 Mar 2003]
http://zdnet.com.com/2100-1105-990747.html

------------------------------

Date: Wed, 5 Mar 2003 16:19:31 -0500
From: Monty Solomon
Subject: Sendmail flaw tests Homeland Security

A critical flaw in Sendmail, the Internet's most popular e-mail server, has become the first test for the newly minted Department of Homeland Security and its cyberdefense arm.

The agency's Directorate of Information Analysis and Infrastructure Protection (IAIP) worked with security company Internet Security Systems, which discovered the flaw, and Sendmail Inc. to create a patch while keeping news of the issue from leaking to those who might exploit the vulnerability.

"Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work."

Word of the vulnerability, which would let an attacker take control of a Sendmail server and execute a malicious program, was more widely disseminated Monday.

The Department of Homeland Security got high marks from the security community for giving companies the necessary time to create the patch and for synchronizing its release. [...]

Robert Lemos, CNET News.com, 3 Mar 2003
http://news.com.com/2100-1009-990879.html

------------------------------

Date: Thu, 06 Mar 2003 21:09:04 -0600
From: Mike Swaim
Subject: Hackers access University of Texas database

According to the *Houston Chronicle*, hackers were able to obtain information, including Social Security numbers on 59,000 former and current students, staff and faculty members between 26 Feb and 1 Mar 2003.

"The theft was discovered Sunday evening by university computer systems employees performing routine maintenance, Updegrove said.
They immediately disconnected the compromised database from the Internet, later hooking up a database of useless information.

Computer logs indicate the information was taken by a computer in Austin on Wednesday, Thursday and Friday last week and by a computer in Houston on Saturday and Sunday, Updegrove said. He said the intrusions were likely done by the same person or persons, he added."

The obvious risk is having a production system directly accessible from the Internet.
http://www.chron.com/cs/CDA/ssistory.mpl/front/1806724

  [Also noted by David Newman from the *Austin American-Statesman*:
    http://www.austin360.com/aas/metro/030603/0306uthack.html
    http://www.austin360.com/aas/metro/030603/0306uthack_update.html
  citing 55,200 SSN/Name pairs; David added "I admire the willingness of the VP to admit to a failure in his department. His honesty is refreshing in the Age of the Lawyers." Also noted by Fuzzy Gorilla from the same news account, from slashdot:
    http://slashdot.org/articles/03/03/06/1720224.shtml
  which again used the 59,000 number. PGN]

------------------------------

Date: Mon, 10 Mar 2003 01:30:25 -0500
From: Tim Finin
Subject: You might just be a hacker if...

... you vote the wrong way in Senate Majority Frist's poll. That 60% of the Internet voters were against a pre-emptive invasion of Iraq doesn't seem like evidence of hacking. Frist's site claimed that only one vote per person was counted. I assume they had implemented a trivial "One IP address, one vote" check, which, while subject to subversion, was probably more ok than not.

Senate Leader scraps Web site war poll, blaming hackers
Andrew Orlowski, 7 Mar 2003
http://www.theregister.co.uk/content/55/29654.html

Senate majority leader Bill Frist has yanked a "Bomb Iraq" poll from his Web site. Frist's office told The Register that "tampering" was to blame for the removal of the poll, which asked "Should the United States use force to remove Saddam Hussein from power?
Your opinion is important to Senator Frist."

"Clever computer programmers created a program that generated 8,700 votes in a day," a spokesperson told us.

Which is where the mystery really begins. The spokesperson couldn't say whether the software was running inside the firewall, representing a major breach of the Senate IT security, or was a robot-style vote generator run by netizens.

The curious thing is that Frist's poll page already banned robots - including the Wayback Machine, archive.org - from the site. Respondents could vote once and then return to the site later to change their vote; only the latest response would be counted.

"As you know government computers are constantly being attacked by hackers," he suggested.

Nor could Frist's office explain why the Web site administrators simply didn't exclude the votes they didn't want to count - Florida-style.

One correspondent has noted the increasing tally of No votes:-

"At 1:35 pm Washington DC time on March 6, the Frist site reported 31,118 responses to the war poll. Anti-war respondents (55%) had gained a clear majority over pro-war respondents (44.6%). (These figures do not quite add up to 100%, apparently because of the rounding method used by Senator Frist's staff.)

"Within the hour, at 2:23 pm, the anti-war fever had risen, with 56.9% anti-war, 42.9% pro-war. By 4:29 pm, according to a snapshot of the Frist site, with 37,742 total responses, the anti-war vote registered 59.5%, with the pro-war vote ebbing at 39.8%."

The Senate site has been defaced before. Whether this represents a new and more serious breach - as Frist's office suggests - we don't know. But our enquiries continue.

------------------------------

Date: Mon, 10 Mar 2003 09:16:00 -0500
From: Monty Solomon
Subject: Kevin Poulsen: Windows root kits a stealthy threat

Hackers are using vastly more sophisticated techniques to secretly control the machines they've cracked, and experts say it's just the beginning.
By Kevin Poulsen, SecurityFocus Mar 5 2003 5:12AM

Barron Mertens admits to being puzzled last January when a cluster of Windows 2000 servers he runs at an Ontario university began crashing at random. The only clue to the cause was an identical epitaph carved into each Blue Screen of Death, a message pointing the blame at a system component called "ierk8243.sys." He hadn't heard of it, and when he contacted Microsoft, he found they hadn't either.

"We were pretty baffled," Mertens recalls. "I don't think that cluster had bluescreened since it was put into production two years ago."

Mertens didn't know it at the time, but the university network had been compromised, and the mysterious crashes were actually a lucky break -- they gave away the presence of an until-then unknown tool that can render an intruder nearly undetectable on a hacked system.

Now dubbed "Slanret", "IERK," and "Backdoor-ALI" by anti-virus vendors, experts say the tool is a rare example of a Windows "root kit" -- an assembly of programs that subverts the Windows operating system at the lowest levels, and, once in place, cannot be detected by conventional means. [...]
http://www.securityfocus.com/news/2879

------------------------------

Date: Thu, 6 Mar 2003 22:20:08 -0700
From: Ric Cohen
Subject: FirstUSA/BankOne sends login ID & PW as clear text

This afternoon, I attempted to review my credit card account by logging in at:
  http://cardmemberservices.firstusa.com/index.jsp
as I have for several years. My security software stopped the login and warned me that the Web page was attempting to send my password as clear text.

I phoned the number on the Web page to report this, and eventually got to a low level tech. After he said that no one in the company had changed the Web page software for a long time, I pointed out this implied the Web site was hacked. He said he would report the problem.
After an hour, I concluded that this person didn't appreciate the fact that a hacker reading the login information would also have access to credit card numbers. I attempted to access the same Web site, and was redirected to:
  http://online.firstusa.com/bolHOME.aspx
-- which presented a Web page identical to that on the first Web site. The same problem appeared when I attempted to log in.

The problem centers upon a risk I have wondered about for years. None of BankOne's (or its subsidiaries') login Web pages begin on a secure https page. They require you to enter your user ID and password on an insecure http page, and this information is supposed to be encrypted immediately prior to submission. They even have a friendly 'security help' page which describes how this *should* work without problem. I never trusted this approach, which is used on several Web sites, and that is why I use software which monitors for passwords.

Because my software always stopped the login process as the password was about to be sent, I decided to experiment. I chose a nonsense login ID and password, and set my software to look for them both (but allow them to be sent to FirstUSA). What I observed was both the ID and password text being sent several times by TCP port 80, to the bank's IP 159.53.21.247. Only then did the Web page change to a secure page using port 443, and tell me that it did not know me.

After this happened, I called a local bank branch just before closing time, described the problem, and got a phone number for the 'Office of the Chairman'. I talked with someone who seemed intelligent, who seemed to understand that credit card numbers could be stolen if someone were to make use of customers' login information, and who seemed to agree that the Web site should be shut down. However, 6 hours later, I write this as the Web site is still (dys)functioning as before.

The last time I logged into FirstUSA was Feb. 27 (without a problem).
Somewhere between then and today, their Web site was altered and who knows what problems will eventually come of this.

FWIW, I attempted earlier to log in at http://www.bankone.com with my nonsense ID and PW. They were encrypted properly, and nothing at all was sent clear text. I have not tried their other subsidiaries' Web sites.

  [Added by Ric 7 Mar 2003:]
There is now a new Web site that requires login in a secure environment:
  https://online.firstusa.com/bank/bolLogin.aspx
However, the same Web site mentioned in the last note (which has existed for years) still exists today and continues to transmit user login info as clear text.

------------------------------

Date: Sun, 9 Mar 2003 14:56:37 -0500
From: Monty Solomon
Subject: Nigerian scams continue to thrive

Cashier's checks, Iraqi plea add two new flavors to old story
By Bob Sullivan, MSNBC, 5 Mar 2003

Two new flavors of the age-old Nigerian e-mail scam are making the rounds, and at least one of them appears to be gaining traction.

Hundreds of victims have recently fallen for a variation that plays upon people's misunderstanding about how bank cashier's checks work. Meanwhile, other scammers are trying to take advantage of heightened interest in Iraq, posing as frightened Iraqis trying to move money out of that country before hostilities begin.

The scam also took a deadly turn last month, when a victim in the Czech Republic allegedly shot and killed a Nigerian diplomat after losing his life savings to the scam. [...]
http://www.msnbc.com/news/881169.asp

------------------------------

Date: Mon, 3 Mar 2003 21:43:03 -0500
From: Bob Copeland
Subject: Traffic lights don't work in the snow

In my area, northern Virginia, nearly every intersection is outfitted with inductance loops -- sensors for detecting when a large metal object (often, a car) sidles up to a traffic light. Ideally, this is so it turns green more quickly for you, but of course in practice, it usually turns green more quickly for the other guy.
Most of these intersections operate in normal turn-based fashion but speed up or slow down when cars are present. However, at least one such light refuses to turn green unless there is a car present. Recently, a 24 inch snowfall and a snow plow conspired to bury the sensor at that light under a mountain of ice, so when I approached it last weekend, the car ahead of me and I had to stop in the left turn lane. After sitting at red for 2 cycles, we gave up and ran it. One more risk of driving in the snow!

------------------------------

Date: Sat, 8 Mar 2003 05:40:15 -0000
From: michael_bacon@synigystic.com
Subject: Re: Computer error means 2.3-trillion-pound electricity bill (RISKS-22.61)

Two things in particular surprise me about this. The first is that apparently someone designed a system that would accommodate a consumer bill reaching into the trillions of pounds. The second is that there were seemingly no validity (or common sense if the letter was hand-typed) checks that detected a consumer bill many times the UK National Debt!

Of course this could be the same sort of "clerical error" that led Civil Servants recently to claim that they had frozen a 'Bin Laden' bank account containing £23.19 million. The true figure was just 23 pounds and 19 pence!

------------------------------

Date: Fri, 07 Mar 2003 13:27:27 -0500
From: Edwin Culver
Subject: Re: Someone protecting patient data well (RISKS-22.60)

In a similar story to Dr O'Keefe's: When I was working in the aerospace industry, the method we had chosen for making sure magnetic media no longer contained classified data was very simple: remove the platters from the disk drives (or the floppies from their sleeves or the tape from its reel) and sand blast the magnetic coating off. We all thought this was a mite drastic, as a degausser should scramble all the bits. Sandblasting may be more subtle than the sysadmin at his university's medical research group, but probably quite as effective.
The mistake was trying to recover the residual value of the disk drives.

------------------------------

Date: Thu, 06 Mar 2003 17:19:41 -0500
From: "Fuzzy Gorilla"
Subject: Re: BSA Accuses OpenOffice ftp sites of piracy (RISKS-22.61)

Unfortunately, they are not claiming, under penalty of perjury, that the notification is accurate, only that they are authorized to "act in this matter on behalf of the copyright owners listed above. [Microsoft]" Basically, they cannot legally act on behalf of someone who has not given them that authority.

------------------------------

Date: Thu, 06 Mar 2003 13:29:44 -0700
From: Brett Glass
Subject: Re: Visa moves to improve customers' privacy (RISKS-22.61)

[Blanking out part of the credit-card number and the expiration date] has already been the law in California for more than a year. It would actually cost them more not to have a uniform policy nationwide.

------------------------------

Date: Thu, 06 Mar 2003 12:51:00 -0800
From: Margie Wylie
Subject: Re: Visa moves to improve customers' privacy (RISKS-22.61)

[...] Many businesses are already complying, but the final deadline for implementing the change is Jan. 1, 2004.
http://www.bankrate.com/brm/news/cc/20010129a.asp

------------------------------

Date: Thu, 6 Mar 2003 18:34:23 -0800 (PST)
From: Fred Cohen
Subject: New article on critical infrastructure risks

Your readers may be interested in:
  http://all.net/ => InfoSec Baseline Studies => Cyber-Risks and Critical Infrastructures

Fred Cohen - http://all.net/ fc@all.net fc@unhca.com tel/fax: 925-454-0171
Fred Cohen & Associates - University of New Haven - Security Posture

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
   if possible and convenient for you.
   Alternatively, via majordomo, send e-mail requests to with one-line body
      subscribe [OR unsubscribe]
   which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
   If Majordomo balks when you send your accept, please forward to risks.
   [If E-mail address differs from FROM:  subscribe "other-address " ;
   this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
   Lower-case only in address may get around a confirmation match glitch.
      INFO     [for unabridged version of RISKS information]
   There seems to be an occasional glitch in the confirmation process, in which
   case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
   copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.  *** All
   contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
   http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a palmtop
   version of the most recent RISKS issue and a WAP version that works for
   many but not all telephones: http://catless.ncl.ac.uk/w/r
   http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
   http://www.planetmirror.com/pub/risks/
   ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.62
************************
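[Editor's addendum to the FirstUSA/BankOne item above. Ric Cohen's report describes a login form served on an http page whose credentials went out over port 80 before any https page appeared. The check below is an added example, not code from the digest or from the bank: it parses a page's HTML, finds every form with a password field, and classifies each by whether the page and the form's submit target are both https. Host names and markup are constructed stand-ins; only the path names echo the item above.]

```python
"""Flag login forms that would send credentials over plain HTTP.
Constructed example: parse a page's HTML, find each form holding a password
field, and report whether the page and the form's submit target use https.
Hosts and markup below are made-up stand-ins, not the bank's real pages."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action means the form posts back to the page's own URL.
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form on the page.

    risk = "clear-text": submit target is not https, so the credentials leave
    the browser unencrypted whatever a script on the page promises to do first;
    "untrusted-page": target is https but the form arrived over http, so the
    page (and any encryption script) could have been altered in transit;
    "ok": both page and target are https.
    """
    collector = _FormCollector()
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue
        action = urljoin(page_url, form["action"])      # resolve relative actions
        action_https = urlsplit(action).scheme == "https"
        if not action_https:
            risk = "clear-text"
        elif not page_https:
            risk = "untrusted-page"
        else:
            risk = "ok"
        findings.append({"action": action, "page_https": page_https,
                         "action_https": action_https, "risk": risk})
    return findings


# Constructed markup: a login form posting to a relative (hence http) path,
# plus a search form with no password field that must be ignored.
HTTP_LOGIN_PAGE = """
<html><body>
<form method="post" action="/bolHOME.aspx">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""
# Constructed markup: a login form whose submit target is already https.
HTTPS_TARGET_PAGE = """
<form method="post" action="https://online.example.test/bank/bolLogin.aspx">
  <input name="userid"><input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    cases = [("http://cardmember.example.test/index.jsp", HTTP_LOGIN_PAGE),
             ("http://cardmember.example.test/index.jsp", HTTPS_TARGET_PAGE),
             ("https://online.example.test/bank/bolLogin.aspx", HTTPS_TARGET_PAGE)]
    for url, markup in cases:
        for finding in audit_login_forms(url, markup):
            print(f"{url} -> {finding['action']}: {finding['risk']}")
```

The "untrusted-page" class is the one the bank's 'security help' page glossed over: an https submit target does not help if the form and its encryption script were themselves fetched over http.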