Subject: Risks Digest 24.11

RISKS-LIST: Risks-Forum Digest  Weds 7 December 2005  Volume 24 : Issue 11

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

Contents:
Hospital operates on wrong patient (Walter F. Roche Jr.)
Mercedes brake test fiasco (Andre Kramer)
Tens of thousands mistakenly put on terrorist watch lists (Anne Broache via Richard M. Smith)
Security Flaw Allows Wiretaps to Be Evaded, Study Finds (John Schwartz and John Markoff via David Farber)
DHS-Sponsored phishing report (Aaron Emigh)
Poorly designed online interfaces make identity theft simple (ANONYMIZED)
School psychologist's student records accidentally posted online (Monty Solomon)
Plain-text passwords: as RISKy as you'd think (Steve Summit)
Y2K++ (Jim Horning)
Risks of naive date calculation (Mike Albaugh)
Bye Bye BlackBerry? (Ian Austen via Monty Solomon)
SafetyText (Nick Brown)
Data disasters dog computer users (Amos Shapir)
Online tax credit system closed (Amos Shapir)
Re: Some Fast Lane accounts double-billed (Steve Summit)
Stop speeding using a GPS? (Jeremy Epstein)
Re: In-car GPS navigation (Henry Baker, Derek P Schatz, Ian Chard, Jack Christensen)
Re: UK Police Vehicle Movement Database (Identity withheld, mathew)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 2 Dec 2005 9:16:32 PST
From: "Peter G. Neumann"
Subject: Hospital operates on wrong patient

In 1999, a 47-year-old woman was diagnosed with breast cancer in Magee-Womens Hospital (part of the U. Pittsburgh Medical Center), and underwent a mastectomy. It was later discovered that the hospital lab had switched biopsy specimens.
Ten cases against the hospital are now pending in state courts, even though the hospital has passed federal inspections. Similar lawsuits and complaints name other medical centers.

* In Maryland, a hospital lab sent out hundreds of HIV and hepatitis test results despite data showing that the results might be invalid and mistakenly lead infected patients to believe they were disease-free. The same laboratory had just received a top rating from CAP inspectors.

* In Yakima, Wash., eight emergency room doctors walked off their jobs to protest hospital deficiencies they said included lab mistakes, such as mixed-up blood samples. CAP had declared the lab "in good standing" the year before.

* At the famed Mayo Clinic in Minnesota, an allegedly misdiagnosed gall bladder cancer case led to revelations of a close relationship between the clinic and CAP. A Mayo pathologist serving on a CAP advisory panel twice sought and obtained accreditation renewals despite unacceptable lab practices cited by CAP inspectors.

[Source: Walter F. Roche Jr., Lab Mistakes Threaten Credibility, Spur Lawsuits: Some top medical facilities are scrutinized as errors mount and oversight is questioned, *Los Angeles Times*, 2 Dec 2005; PGN-ed]
http://www.latimes.com/news/nationworld/nation/la-na-labs2dec02,0,3901421.story?coll=la-home-headlines

[Thanks to Lauren Weinstein for contributing this article. PGN]

------------------------------

Date: Thu, 1 Dec 2005 09:59:25 -0000
From: "Andre Kramer"
Subject: Mercedes brake test fiasco

*The Register* reports that an automotive journalist was fired for rigging a radar enhanced (assumedly computer controlled) automobile brake system demonstration. Apparently, the Mercedes engineers (under duress) helped simulate the demonstration, which could not have worked in an enclosed space, by manual braking.
However, the demo went badly wrong and the article
http://www.theregister.co.uk/2005/11/29/mercedes_brake_test_fiasco/
correctly identified the risk of false trust in a new system that would have resulted from the attempted smoke and black mirrors going undetected.

[Risks of lack of feedback from expensive car suspension systems could also be noted.]

------------------------------

Date: December 6, 2005 10:11:36 PM EST
From: "Richard M. Smith"
Subject: Tens of thousands mistakenly put on terrorist watch lists

http://www.nytimes.com/cnet/CNET_2100-7348_3-5984673.html?pagewanted=print

Tens of thousands mistakenly put on terrorist watch lists
Anne Broache, Staff Writer, CNET News.com, December 6, 2005

Nearly 30,000 airline passengers discovered in the past year that they were mistakenly placed on federal "terrorist" watch lists, a transportation security official said Tuesday.

Jim Kennedy, director of the Transportation Security Administration's redress office, revealed the errors at a quarterly meeting convened here by the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee.

Marcia Hofmann, staff counsel at the Electronic Privacy Information Center, said this appeared to be the first time such a large error has been admitted.

"It was a novel figure to me," Hofmann said. "The figure shows that many more passengers than we've anticipated have encountered difficulty at airports. The watch list still has a long way to go before it does what it's supposed to do."

Kennedy said that travelers have had to ask the TSA to remove their names from watch lists by submitting a "Passenger Identity Verification Form" and three notarized identification documents. On average, he said, it takes officials 45 to 60 days to evaluate the request and make any necessary changes.
Travelers have been instructed to file the forms only after experiencing "repeated" travel delays, he said, because additional screening can occur for multiple reasons, including fitting a certain profile, flying on a one-way ticket, or being selected randomly by a computer. ...

EPIC_IDOF@mailman.epic.org
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_idof

------------------------------

Date: Wed, 30 Nov 2005 06:54:22 -0500
From: David Farber
Subject: Security Flaw Allows Wiretaps to Be Evaded, Study Finds

[from IP]

The technology used for decades by law enforcement agents to wiretap telephones has a security flaw that allows the person being wiretapped to stop the recorder remotely, according to research by computer security experts who studied the system. It is also possible to falsify the numbers dialed, they said.

Someone being wiretapped can easily employ these "devastating countermeasures" with off-the-shelf equipment, said the lead researcher, Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania.

"This has implications not only for the accuracy of the intelligence that can be obtained from these taps, but also for the acceptability and weight of legal evidence derived from it," Mr. Blaze and his colleagues wrote in a paper that will be published today in Security & Privacy, a journal of the Institute of Electrical and Electronics Engineers. [...]

[Source: John Schwartz and John Markoff, *The New York Times*, 30 Nov 2005]

------------------------------

Date: Tue, 29 Nov 2005 01:11:02 -0800
From: "Aaron Emigh"
Subject: DHS-Sponsored phishing report

Online identity theft, a.k.a. "phishing," refers to attacks that exploit a wide variety of RISKS, using both technology and social engineering, to illicitly obtain and profit from confidential information.
A new report on online identity theft, sponsored by the US Department of Homeland Security and SRI International, provides a holistic treatment of the subject. The report discusses technologies used by phishers, breaks down the flow of information in a phishing attack, identifies chokepoints at which an attack can be thwarted, and discusses technical countermeasures that can be applied at each chokepoint. While technology alone cannot solve the phishing problem, substantial opportunities to mitigate the losses are identified.

The report is titled "Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures," and is available at
http://www.anti-phishing.org/Phishing-dhs-report.pdf.

Aaron Emigh, Radix Labs, 415-297-1305

------------------------------

Date: Thu, 17 Nov 2005 13:11:22 -0800
From: [ANONYMIZED]
Subject: Poorly designed online interfaces make identity theft simple

I recently had to renew my membership with the American Automobile Association (the equivalent to the CAA in Canada, or the RAC in the UK). In the past there was no web interface, but AAA has now moved online.

To sign up for an account, I needed to supply a membership number (printed on your plastic member card), and my name (also printed on the card), along with an email address, and a chosen account name. A few seconds later, I was logged in, and was able to check my account info, including mailing address, and type of credit card used for membership.

There was no verification of identity at all during account establishment. At a minimum, mandating that a user-entered postal code match the AAA database prior to creating the account would have afforded some protection.

So with a AAA member number and name, someone is well on their way to identity theft -- the rest of your wallet not required. Since many places take AAA cards to provide discounted services (hotels, car repair, restaurants, movie theatres, etc.) you can imagine the RISK.
I've sent a letter to the organization letting them know their web registration needs to be redesigned.

------------------------------

Date: Sat, 3 Dec 2005 13:47:29 -0500
From: Monty Solomon
Subject: School psychologist's student records accidentally posted online

A school psychologist's records detailing students' confidential information and personal struggles were accidentally posted to the school system's Web site and were publicly available for at least four months. A reporter for *The Salem News* [Mass.] discovered the records last week and alerted school officials, the newspaper said in a story Friday. To protect students' privacy, the newspaper said it withheld publishing the story until the documents were removed from the Internet, which occurred Wednesday. [...]

[Source: *The Boston Globe*, 2 Dec 2005; PGN-ed]
http://www.boston.com/news/education/k_12/articles/2005/12/02/school_psychologists_student_records_accidentally_posted_online/

------------------------------

Date: Fri, 18 Nov 2005 12:55:57 -0500
From: Steve Summit
Subject: Plain-text passwords: as RISKy as you'd think

A nice report of an investigation into how many plain-text passwords one can almost trivially sniff in public-access places like hotels, conference centers, and open wireless hotspots:
http://www.infoworld.com/article/05/11/04/45OPsecadvise_1.html

The article also makes the point that although the passwords so sniffed are often "unimportant" ones, for services such as mere e-mail access or gambling site logins, people are often known to use their same passwords for these and for their "secure" systems such as Windows network logins.

I came across this link in Bruce Schneier's excellent "Crypto-Gram" newsletter at http://www.schneier.com/crypto-gram.html, which I'm sure is known to many RISKS readers, but which I had neglected to read in a while. It's worth keeping up with.
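The following is an added example, not part of Steve Summit's post or of the InfoWorld article it links to: a small Python detector of the kind a network defender runs over captured traffic to find out whether credentials are crossing the wire in the clear. It recognises the classic cleartext logins (FTP and POP3 USER/PASS, IMAP LOGIN, HTTP Basic authentication) and, because the article's second point is reuse, correlates the same username/password pair across different servers while never storing the password itself. Every host, address and credential in SAMPLE_PAYLOADS is constructed for this example, and the names find_cleartext_auth and password_reuse are the example's own.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Constructed sample of captured application-layer payloads, as
# (client, "server:port", payload) tuples: what a passive monitoring sensor on
# an open hotspot might see.  Every host and credential here is made up.
SAMPLE_PAYLOADS = [
    ("10.0.0.5", "mail.example.test:110", "USER alice\r\n"),
    ("10.0.0.5", "mail.example.test:110", "PASS hunter2\r\n"),
    ("10.0.0.7", "www.example.test:80",
     "GET /admin HTTP/1.1\r\nHost: www.example.test\r\n"
     "Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n"),
    ("10.0.0.5", "ftp.example.test:21", "USER alice\r\n"),
    ("10.0.0.5", "ftp.example.test:21", "PASS hunter2\r\n"),
    ("10.0.0.11", "www.example.test:443", "\x16\x03\x01\x00\x8c\x01"),  # TLS, opaque
    ("10.0.0.13", "imap.example.test:143", 'a001 LOGIN dave "pw-imap"\r\n'),
]

# Legacy protocols that carry the login in the clear, keyed by server port.
CLEARTEXT_PORTS = {21: "FTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}

_BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
_USER_RE = re.compile(r"^USER\s+(\S+)", re.I | re.M)
_PASS_RE = re.compile(r"^PASS\s+(\S+)", re.I | re.M)
_IMAP_LOGIN_RE = re.compile(r'^\S+\s+LOGIN\s+(\S+)\s+"?([^"\r\n]+)"?', re.I | re.M)


def _finding(client, server, proto, user, password):
    """Build a report entry.  The password itself is never stored; a short
    digest is enough to tell whether the same secret turns up elsewhere."""
    digest = hashlib.sha256(password.encode()).hexdigest()[:12]
    return {"client": client, "server": server, "protocol": proto,
            "username": user, "password_digest": digest}


def find_cleartext_auth(payloads):
    """Return one finding per credential sent unencrypted in `payloads`."""
    findings = []
    pending_user = {}  # (client, server) -> username from a USER command
    for client, server, payload in payloads:
        _, _, port = server.rpartition(":")
        proto = CLEARTEXT_PORTS.get(int(port))
        if proto is None:
            continue  # e.g. port 443: encrypted, nothing to inspect
        key = (client, server)
        if proto == "HTTP":
            m = _BASIC_RE.search(payload)
            if m:
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    continue  # malformed header, not a usable credential
                user, _, password = decoded.partition(":")
                findings.append(_finding(client, server, proto, user, password))
        elif proto == "IMAP":
            m = _IMAP_LOGIN_RE.search(payload)
            if m:
                findings.append(_finding(client, server, proto, m.group(1), m.group(2)))
        else:  # FTP and POP3: USER, then PASS, on the same connection
            m = _USER_RE.search(payload)
            if m:
                pending_user[key] = m.group(1)
                continue
            m = _PASS_RE.search(payload)
            if m and key in pending_user:
                findings.append(_finding(client, server, proto,
                                         pending_user.pop(key), m.group(1)))
    return findings


def password_reuse(findings):
    """Map (username, password digest) -> sorted servers for every credential
    that was sent to more than one service: the reuse the article warns about."""
    servers = defaultdict(set)
    for f in findings:
        servers[(f["username"], f["password_digest"])].add(f["server"])
    return {k: sorted(v) for k, v in servers.items() if len(v) > 1}


if __name__ == "__main__":
    found = find_cleartext_auth(SAMPLE_PAYLOADS)
    for f in found:
        print(f"{f['protocol']:<5} {f['client']} -> {f['server']}  user={f['username']}")
    for (user, _), hosts in password_reuse(found).items():
        print(f"REUSE: {user!r} sends the same password to {', '.join(hosts)}")
```

On the constructed sample this reports four cleartext logins and one reused credential (alice's POP3 password also used for FTP); the TLS connection on port 443 is skipped because there is nothing to inspect. Reporting a digest rather than the password keeps the audit output itself from becoming the kind of artifact the article describes.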
------------------------------

Date: Wed, 30 Nov 2005 11:53:33 -0800
From: "Jim Horning"
Subject: Y2K++

My employer has outsourced the administration of its 401(k) plan to TruSource, a division of Union Bank of California, N.A. This week I received annual enrollment material from TruSource. It contains generic blurbs about 401(k)s and retirement planning, in addition to material particular to our plan. Part of the latter is a summary page for each of the available investment options. These pages are clearly labeled "Copyright (c) Standard & Poor's, a division of The McGraw-Hill Companies."

The page for each fund contains a graph of "GROWTH OF $10,000." I think the format and content are specified by the SEC, and they are presumably automatically generated from some kind of database.

For some reason, I happened to look more closely than usual at one of the charts, and noticed something odd about the labeling of the year axis, and started inspecting them all. Most of them contain dates in the 31st and 41st centuries! For example, the chart for the Pioneer High Yield Fund "(SINCE 03/31/98)" is labeled with consecutive years

  4098 3099 2000 1001 4001 4002 2003 1004 4004 3005

Apparently the dates escaped the notice of the humans (if any) at McGraw-Hill and TruSource who were in the loop in the preparation of these documents.

It is interesting to speculate what combination of programming errors would yield this precise sequence of dates.

Jim H.  http://horning.blogspot.com

------------------------------

Date: Wed, 23 Nov 2005 12:48:48 -0700
From: Mike Albaugh
Subject: Risks of naive date calculation

I have in my possession a box of Nyakers (that should be an A-ring, BTW) "Authentic Swedish Apple Snaps" that is

  BEST BEFORE 29 FEB 2006

Lazy Programmer? Faulty date-manipulation library? Or do the Swedes know something about the depths to which lawmakers will stoop in calendar manipulation?
The computer scientist in me wants to know if the comparison to a (currently) non-existent date should:
  * always fail (Cookies are stale now),
  * always succeed (Cookies will never get stale)
  * throw an exception (Cookies should not exist in this universe)

------------------------------

Date: Sun, 4 Dec 2005 01:45:19 -0500
From: Monty Solomon
Subject: Bye Bye BlackBerry?

A ``long-running patent infringement battle between the maker of BlackBerry, Research In Motion, and NTP, a tiny patent holding company, might cause a service shutdown, perhaps within a month. ... R.I.M., which is based in Waterloo, Ontario, promises it has a solution that will keep its beloved BlackBerries humming even in the face of an injunction. While most analysts view the prospects of a shutdown as unlikely, they have little faith in the proposed solution, which has potential legal pitfalls of its own. What's more, the history of the struggle between the companies means that no outcome is certain.''

[Source: Ian Austen, Bye Bye BlackBerry?, What if your BlackBerry screen went dark? *The New York Times*, 3 Dec 3005; PGN-ed]
http://www.nytimes.com/2005/12/03/technology/03blackberry.html?ex=1291266000&en=df205fd24ccb8593&ei=5090

------------------------------

Date: Mon, 28 Nov 2005 17:17:20 +0100
From: Nick Brown
Subject: SafetyText

A new UK-based service called SafetyText (http://www.safetytext.com/) enables you to send a text message which will be delivered after a certain delay unless canceled. The idea seems to be that, before exposing yourself to danger, you send a text - say, "Help, I'm being attacked by rabid bats" before entering a cave - and then it will be sent if you don't emerge from the cave in time to cancel it.

The risks are left as an exercise to the reader, but here are some pointers to get you started:

- SMS messaging delivery is inherently unreliable, so maybe your "help" text won't get through...

- ... or maybe your "cancel" text won't get through.
- Many people receiving such a text, regardless of how it's phrased, will tend to assume the worst (despite the "don't panic" instructions on the service's Web site) and will send in the emergency services on a possibly unnecessary search for someone who just happens to be out of GSM service range.

I'm also slightly worried that the same short number used for the SafetyText service - 63344 - appears in the banner advert above the site's start page, which at the present time invites me to send the name of Coldplay's lead singer to win tickets to see them in concert. I hope they don't launch a particularly popular game while I'm being attacked by the rabid bats.

------------------------------

Date: Wed, 07 Dec 2005 14:58:20 +0200
From: "Amos Shapir"
Subject: Data disasters dog computer users

A laptop crammed with dead cockroaches tops a list of data disasters compiled by computer experts.
http://news.bbc.co.uk/go/em/-/2/hi/technology/4500482.stm

  [That would be a tough roach to hoe. PGN]

------------------------------

Date: Mon, 05 Dec 2005 17:12:37 +0200
From: "Amos Shapir"
Subject: Online tax credit system closed

Organised fraud forces HM Revenue and Customs to stop accepting online applications for tax credits. Full story:
http://news.bbc.co.uk/go/em/-/2/hi/business/4493008.stm

------------------------------

Date: Sun, 04 Dec 2005 14:17:37 -0500
From: Steve Summit
Subject: Re: Some Fast Lane accounts double-billed (Solomon, RISKS 24.09)

Monty Solomon forwarded an item to RISKS 24.09 about a batch of Massachusetts Turnpike drivers who were doubly charged for their electronic tolls, due to one day's worth of records being mistakenly processed twice. If anyone's keeping a canonical list of "bugs that are way easy to make and deserve special handling", this scenario clearly belongs.
We've been hearing variations on the same song for decades: it used to be the phone company accidentally double-running a billing tape containing the call records from a long-distance switch, but to this day it can still easily happen any time there are batches of transactions created by system A and later processed or reconciled on separate system or subsystem B.

(And I can't personally be at all smug about this: in a former life I ran a small, simple, homebrew, but high-volume e-commerce site, and I committed this same mistake once or twice myself. Fortunately I was also in a position to synthesize and inject automatic refunds to the credit card accounts of affected customers, well before most of them even noticed.)

I'm sure that any organization large enough to address this risk responsibly has implemented the obvious sorts of double-checks (perhaps involving explicit batch serial numbers which are logged and checked by the processing system, in order to reject inadvertent duplicates). But since the need for such double-checks is all too likely to be recognized only *after* the double-billing problem has bitten a particular system at least once, and since new systems having this vulnerability are continually being written, it's a problem that, unfortunately, will continue to happen.

------------------------------

Date: Sun, 4 Dec 2005 15:06:26 -0500
From: Jeremy Epstein
Subject: Stop speeding using a GPS?

Transport Canada is testing a device that figures out where you are using GPS, and causes your car to increase the resistance in the gas pedal if you try to exceed the speed limit.

Bad idea. I'm not an expert in GPS systems, but I've seen them get confused, especially when there are nearby parallel roads. I wouldn't want it to hold my speed to 25 MPH because it thinks I'm on the dirt road that runs parallel to a highway.
And if the device changes its mind suddenly, the results could be catastrophic - I'm pushing hard on the accelerator because (for whatever reason) I decide to exceed the speed limit, and suddenly it decides the speed limit has increased - now I'm flooring the car because it reduces its resistance factor. Conversely, if I have a normal pressure on the accelerator, and the speed limit drops, the device might cause my speed to drop precipitously.

I'm sure there are lots of other GPS-based risks - what does the device do if it can't find a GPS signal? Hopefully the designers of the device considered the risks, but the article doesn't mention any - only the advantages of improved road safety, reduced fuel usage, etc.

Article at http://www.cnn.com/2005/AUTOS/12/01/canada_gps_speed/index.html which references a Toronto Globe & Mail article at
http://www.globetechnology.com/servlet/story/RTGAM.20051128.gtsmartcars28/BNPrint/Technology/

------------------------------

Date: Sun, 27 Nov 2005 18:09:42 -0800
From: Henry Baker
Subject: Re: In-car GPS navigation (Scott, RISKS-24.10)

For the last year or so, if you rented a Hertz car with its "Neverlost" (Magellan) GPS system, you couldn't get out of Boston's Logan Airport -- at least if you listened to the "Neverlost" system. It tried to route you onto a one-way street in the airport itself (the other direction was closed off due to construction). Now everyone who has been in Boston in the last several years knows about the construction at the airport and the Big Dig, but here's a system that clearly is failing in its primary task!

On the whole, GPS is a very big win, but you do have to take every "recommendation" it gives you with some level of skepticism.

Within the canyons of Manhattan, the GPS system often thinks that you are in the middle of Central park.
Also around NYC (and probably many other places), the GPS system isn't accurate enough to get you into the correct lane for turning, which sometimes means that you get off at the wrong exit or get onto the wrong level of the George Washington Bridge. The net result is that you end up in New Jersey instead of Manhattan.

------------------------------

Date: Wed, 23 Nov 2005 11:43:24 -0800
From: "Schatz, Derek P"
Subject: Re: In-car GPS navigation (Scott, RISKS-24.10)

Mike Scott appears to be making issue of something that the GPS navigator companies have already clearly avoided liability for. Every mapping system I've ever seen warns that map results may not be completely accurate and that you need to verify things for yourself. Those of us who have been driving for many years have learned the hazards of taking your eyes off the road to futz with something inside the car (then again, some still haven't). I don't see a risk with the GPS system here, but rather a risk with the son's friend's driving abilities.

Besides, it takes London cabbies years to learn the intricacies of the city's streets (some 400 years of intricacy) -- how could we expect a GPS system to have that same knowledge?

Now, it might be a different situation if the car had an auto-pilot system relying on that GPS guidance...

------------------------------

Date: Thu, 24 Nov 2005 09:33:21 +0000
From: Ian Chard
Subject: Re: In-car GPS navigation (Scott, RISKS-24.10)

The disclaimers displayed by such systems (including the one I use, Tomtom) aren't just there to get the manufacturers out of trouble. One-way systems change so frequently that there's no reasonable way you could expect a sat nav device to be completely up-to-date. I've been asked to drive through buildings, across fields and against traffic restrictions, but as the driver I have ultimate control and therefore ultimate responsibility.
To misquote the age-old schoolboy admonition, "if a sat nav system told you to jump off a cliff, would you do it?" :)

Ian Chard, Unix & Network Administrator, Systems and Electronic Resources Service
Oxford University Library Services  80587 / (01865) 280587

------------------------------

Date: Sat, 26 Nov 2005 17:18:48 -0500
From: "Jack Christensen"
Subject: Re: In-car GPS navigation (Scott, RISKS-24.10)

I had a friend whose vehicle had a built-in GPS navigation and map system. When you started the vehicle, the first thing on the screen was a disclaimer (which, if I recall correctly, had a fair amount of similarity to that of the Garmin unit.) The unit would not go into operational mode until you touched a button on the screen to "acknowledge" the disclaimer.

At first, I laughed at this, but upon thinking about it a little more, I wasn't so surprised. I am not a lawyer, so I don't know the actual legal worth of this approach, or how it might fare in court.

Jack Christensen, Grand Blanc, MI, USA  j.christensen@sbcglobal.net

------------------------------

Date: Sun, 20 Nov 2005 9:42:58 PST
From: Identity withheld by request
Subject: Re: UK Police Vehicle Movement Database (RISKS-24.09)

The vehicle isn't flagged when the "tax" (Vehicle Excise Licence) is renewed, so this is a misunderstanding of how the system works. The "VEL expired" marker is only added, retrospectively, some time after the renewal falls due, and only if it isn't relicensed as expected. So there is a delay before such a marker is removed following relicensing, but from the foregoing readers can see that a vehicle with an unbroken relicensing history is therefore never added to the database.

> He then had to spend 5 mins filling in a form as this had to be regarded
> as an official "stop" event...
Yes, the real value of this is highly questionable (he's fast, if he completed the form in only 5 minutes), and as one stop form has to be completed for each member of a group, you might want to ask your MP if it's a good use of police time to spend up to an hour standing in the street filling in the forms if, say, an officer checks a group of half-a-dozen youths who are the subject of a complaint by a local resident...

But that's the reality for officers, and it has been imposed to fulfill a political agenda irrespective of the actual financial cost, the opportunity costs, or the inconvenience to those being spoken to (who, of course, don't actually need to give their details - but the forms still have to be filled in...).

------------------------------

Date: Sun, 4 Dec 2005 12:44:29 -0600
From: mathew
Subject: Re: UK Police Vehicle Movement Database

> Hence technology + Automation + DVLA = 5 mins wasted police time

It could be worse. In Massachusetts, cities charge you excise tax each year if you own a vehicle. When you register a vehicle with the Massachusetts Registry of Motor Vehicles (RMV), they inform the city you live in that you have a vehicle and should pay tax. When you de-register a vehicle--e.g. move to another state, sell the vehicle, return your license plates, and so on--the RMV doesn't bother to inform the city you were in of the new information.

Hence when I bought a car and left Massachusetts permanently, almost a year later I got a completely incorrect tax bill which had been sent to the wrong address. (This was the first I had heard about excise tax, in fact.) MA expected me to pay the incorrect bill and then argue with them to get the money back, or else pay extra non-payment fees. What's more, because they had sent the bill to the wrong address, it had taken so long to arrive I was already subject to non-payment fees.

I can only imagine that this brokenness is deliberate because it monetarily favors the state.
------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman web interface can be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@csl.sri.com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact .

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i] redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    for browsing, or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.11
************************