The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 36

Tues 27 September 1995

Contents

o The latest maths bug in a Microsoft product
Ian Mason
o Security Flaw Found in Netscape
Edupage
o Third Netscape weakness found
PGN
o German telephone cards cracked
Klaus Brunnstein
o British Telecom replaces payphone software
Phil Payne
o London Underground gets hacked
Clive D.W. Feather
o Another punched-card saga
Terry Ireland
o Hottest New Computer
F. Barry Mulligan
o Cardiff Software Shipped Teleforms 4.0 with self-destruct timebomb
Lubetkin
o European Governments Agree to Ban Strong Crypto
Ross Anderson
o Searching via the catless RISKS Web Pages
Lindsay F. Marshall
o Yet another airport tower outage
Alan Tignanelli [2]
o Re: SSNs for E-mail addresses!
Dave Parnas
o Re: Abandoned oil tank phones...
Sean Reifschneider
o Don't believe everything you read (hacking Citibank ATMs)
John Pettitt
o CitiBank overdraft protection
John Pettitt
o Call-box scams in California
Kevin Maguire
o ABRIDGED info on RISKS (comp.risks)

The latest maths bug in a Microsoft product

Ian Mason <ianm@cix.compulink.co.uk>
Tue, 26 Sep 95 01:00 BST-1

When does 1.40737488355328 = 0.64? When you're a user of Microsoft's Excel spreadsheet.

For several years a (now well known) maths bug existed in the Calculator applet that came bundled with Microsoft Windows. This remained uncorrected in several releases over a considerable period of time.

A new maths related bug has now surfaced in another Microsoft product. Type or paste 1.40737488355328 into a cell in a copy of Microsoft's Excel spreadsheet and you will be rewarded, not with the number you expect but with 0.64. If you perform arithmetic with this it will act as if 0.64 had been entered so it is not simply a display error. When the number is used as part of a formula the error is not apparent.

A friend who used to work in the UK investment banking business tells me that much of the planning of the privatisation of most of Britain's state owned industries was carried out using Excel. Perhaps we now have the real explanation for the state of the British Economy?

The risk? Don't use software from a man who freely claims that what he really wanted to be was a lawyer.

Ian Mason

Security Flaw Found in Netscape (Edupage, 19 September 1995)

Educom <educom@elanor.oit.unc.edu>
Tue, 19 Sep 1995 16:50:52 -0400 (EDT)

Two Berkeley computer science graduate students interested in cryptography have identified a serious security flaw in the Netscape software for browsing the World Wide Web. Netscape says a repaired version will be available for free downloading from < http://home.netscape.com > within a week.
(John Markoff, The New York Times, 19 Sep 1995 A1)

[This flaw has been widely reported elsewhere on the net, and involved a weakness in the use of a pseudorandom number generator to create the crypto seed. Knowledge of the weakness enables the key to be reverse- engineered with significantly less than exhaustive effort. PGN]

Third Netscape weakness found

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Sep 95 16:33:39 PDT

Yet another weakness was discovered in Netscape's Internet software, found by the "Cypherpunks". This flaw can crash the Navigator browser software. "The flawed software isn't able to read very long numbers. An Internet user
could exploit the flaw by planting a bit of text containing a long number, causing computers used by unsuspecting readers of the text to crash." This one is also being repaired. [Abstracted by PGN from "Netscape Says Hackers Uncover 3rd Flaw in Its Internet Software", By Heather Green, Bloomberg Business News, 25 Sep 1995, in The New York Times. The first weakness was the French and British cracking of Netscape's 40-bit crypto, in RISKS-17.27,28,29.]


German telephone cards cracked

Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.d400.de>
Sun, 17 Sep 1995 13:58:43 +0200

German Telecom suffered losses from a telephone card attack that was detected recently, according to several German media reports. A gang of telephone card crackers, evidently based in Hamburg (but likely NOT related to InFamous Chaos Computer Club :-), had analysed German Telecom's chipcard program that controls telephone cells equipped with telephone cards readers, and they found a trick whereby the card program automagically filled up after completing any call to again hold the full amount of 50 DM. The head of the gang was jailed last week by UK police, and equipment (of the chief programmer?) was confiscated in a Hamburg flat, including some "chipcard simulation program".

Reports are (as often) rather contradictory; while some say that manufacturing was "manual", others assume industrial production with a damage of 1 billion DM (assuming that 1 Mio cards had been manufactured). German Telecom informed that about 1,000 chipcards may have been distributed, and that the damage so far amounted to less than 1 Mio DM. Accordings to reports, German Telecom has changed essential parameters of the chipcard control program so that such falsified telecards can no longer work. This change was activated from the central computer controlling all telephone cells equipped with telephone chip-cards. Moreover, one Sunday newspaper (WamS) reports that a monitoring program was installed that from the central computer can detect unusually heavy usage of telephone cells by comparison with "normal use" (potentially something like an Intrusion Detecting program, though likely not as advanced as NIDES :-) and give some immediate alarm.

Klaus Brunnstein (Univ.Hamburg, 17 September 1995)

British Telecom replaces payphone software

Phil Payne <Phil@sievers.com>
Mon, 18 Sep 95 17:29:37 GMT

[Source: An article by Rebecca Maer, PA News, abstracted by PGN]

British Telecom has known for some time that about 9% of their public phone boxes could be subverted by its software that permits some sort of escape code to bypass charging. However, knowledge of that code has now been spreading like wildfire, resulting in lots of free calls. BT is now modifying the almost 12,000 phones thus affected.

Phil Payne, Managing Director, Sievers Consulting UK, +44 385302803
phil@sievers.com Fax/BBS: +44 1536723021 Fido: 2:2503/415

London Underground gets hacked

"Clive D.W. Feather" <clive@demon.net>
Sun, 24 Sep 1995 17:40:44 +0100 (BST)

From "Computing" 1995-09-21

London Underground is fighting to clean up its computer systems after one of its own trainees hacked in and posted an offensive message on the digital displays located above tube platforms around the capital.

Computing can reveal that on 16 August a message appeared on displays at Piccadily, Elephant & Castle and Regent's Park underground stations declaring 'All signalmen are w***ers'.

The message went unnoticed by tube staff for more than 12 hours before being removed. There were no complaints from the thousands of commuters. But, despite being cleared, the message reappeared on tube station displays on 29 August.

Two days later, London Underground IT staff were called in to locate the problem. The message had apparently been saved onto the system and was randomly generated at the later date.

A London Underground spokesman told Computing: 'When we train people we usually take them around on an induction course. It seems one of the trainees obviously had more experience than the others. He managed to hack into the computer, bypass the input codes and put a message on the dot matrix displays.'

He added: 'The reappearance [of the message] was due to a technical glitch and not a deliberate action. The trainee is no longer an employee.'

Clive D.W. Feather, 322 Regents Park Road, Demon Internet Ltd., Gateway House
Finchley, London N3 2QQ +44 181 371 1000 clive@demon.net

Another punched-card saga

Terry Ireland <ireland@his.com>
Sun, 24 Sep 95 20:06:10 -0700

I saw the story about French Punched (post) Cards. It reminds me of a true story from the mid-60s. I worked with an outstanding programmer, who was blind. He took a 2-week vacation, and while he was gone, several people ran a program he had written. Suddenly, it failed to work. A later diagnosis showed that:

  1. He used the cards with corners cut off so he could find his place.
  2. the card he used to mark the beginning of the data was blank (see 3) and in backwards (a blank card turned over is still a blank card).
  3. The computer was an IBM with a system that always read one card ahead, thus the need for the blank card just before the data.
  4. The first time we ran his program, the card reader jammed (and wouldn't you know it) on the blank card.
  5. The operator went to fix the jam, saw the blank card in backwards, and threw it away, thinking it was the problem.
  6. It became the problem, as that missing blank card was necessary for the program to run.
Terry

Hottest New Computer

"F. Barry Mulligan" <MULLIGAN@ACM.ORG>
Sat, 23 Sep 1995 16:53:09 -0500 (CDT)

The Atlanta Journal/Constitution, Sat 23 Sept 95 Business in Brief (from unidentified wire service)

"POWERBOOK BATTERY: Apple Computer Inc. said it will start shipping its
PowerBook portable computers Monday with an older style of battery, after a new type of battery caught fire in two computers and triggered a recall."

The article identifies a lithium ion battery in the 5300 series, which was introduced in August, as the source of the problem. It will be replaced with a nickel metal hydride battery and the price will be cut by $100.

I've seen add-on batteries described as 'bricks'; I guess this one is a briquette.

/* barry /&
[... which would be a *sobriquette* for an assaulty battery! Very sobering. Old item, but one for the archives. PGN]

Cardiff Software Shipped Teleforms 4.0 with self-destruct timebomb

<lubetkin@ccnode.mcgraw-hill.com>
15 Sep 95 07:13:00 EDT

I just discovered yesterday when I tried to boot Teleforms Version 4.0 from Cardiff Software that the company unwittingly shipped the program earlier this year with a built-in time bomb from a German company, re: Recognition, that effectively shuts down all copies of version 4.0 when your system date reaches 9-1-95. I don't know how many copies of Version 4.0 shipped, but the tech support person I spoke to described the situation at their phone center when the rogue code was discovered as "interesting." The official company statement is that the vendor included a piece of demo code in the program and failed to disable one line of code containing the timebomb. Cardiff is providing a free patch file on its BBS and on CompuServe.


European Governments Agree to Ban Strong Crypto

Ross Anderson <rja14@cl.cam.ac.uk>
20 Sep 1995 12:24:10 GMT

According to an article in `Communications Week International', the 34-nation Council of Europe has agreed to outlaw strong encryption products
which do not make keys available to governments.

The article, `Euro-Clipper chip scheme proposed', is on the front page of the magazine's issue 151, dated 18th September, which arrived in my mail this morning.

It relates that the policy was approved on the 8th September at Strasbourg by the Council, and coincides with an attempt by the European Commission to propose a pan-European encryption standard. The Council - unlike the Commission - has no statutory powers to enforce its recommendations. However, Peter Csonka, the chairman of the committee that drafted the document (and an administrative officer at the Council's division of crime problems) says that `it is rare for countries to reject Council of Europe recommendations'.

The proposal would make telecomms operators responsible for decrypting traffic and supplying it to governments when asked. It would also `change national laws to enable judicial authorities to chase hackers across borders'.

Opposition to this measure was expressed by Mike Strezbek, VP responsible for European telecomms at JP Morgan, who said that his organisation `will challenge any attempt to limit the power of our network encryption technologies very strongly'.

Czonka said that the Council had given consideration to business interests but had tries to strike a balance between privacy and justice. However, `it remains possible that cryptography is available to the public which cannot be deciphered,' his document says. `This might lead to the conclusion to put restrictions on the possession, distribution, or use of cryptography.'

Apparently another international organisation, the OECD, has called a conference of its members in December to devise a strategy on encryption.

I for one will be making clear to my MP that his stand on this issue will determine how I cast my ballot at the next election. I note that John Major stated in a 1994 parliamentary written reply to David Shaw MP that the government did not intend to legislate on data encryption. I am disappointed that government policy has changed to the point of supporting the Council of Europe, and that this change has sneaked through during the parliamentary recess.

Ross Anderson

Searching via the catless RISKS Web Pages

"Lindsay F. Marshall" <Lindsay.Marshall@newcastle.ac.uk>
Wed, 20 Sep 95 10:37:34 0100

I think I have finally managed to shake out most of the bugs from the RISKS search web page. You should now be able to do complex queries and see the whole of the archive. Please give it a go and let me know if you find any more problems. Thanks to all the RISKS Web readers that keep me informed of things wrong with the pages - one couldn't ask for a readership better informed about potential difficulties!!

Thanks.

Lindsay

Yet another airport tower outage

Alan Tignanelli <75453.2055@compuserve.com>
18 Sep 95 12:18:26 EDT

Summarizing from the Pittsburgh Post-Gazette, 18 Sept 1995, page 1:

The loss of both radio and radar contact at Pittsburgh International Airport briefly caused a "potentially dangerous situation, but no near misses." According to the FAA, radio and radar contact was lost for less than a minute before backup systems kicked in. According to an air traffic controller on duty, however, radio was out for about 90 seconds, and radar for five to eight minutes.

"These things aren't supposed to happen, but it did," said Larry Buffalini, an
air traffic controller and vice president of the Pittsburgh local of the National Air Traffic Controller Association.

Arlene Salac, spokeswoman for the FAA's eastern region, said a problem with MCI telecommunications lines caused the problem.

Controllers used battery powered radios to stay in contact with the 38 flights in the local airspace. The backup radar is turned on manually, and takes five to eight minutes to come online according to Buffalini. [So what about the FAA's "less than a minute" estimate? - AT] Salac's account differed. She said that, according to her briefing, the controllers had immediate use of backup radar.

After recapping recent incidents familiar to RISKS readers, Salac states, "To compare this to what happened in Chicago or Oakland is inappropriate.
It's not on the same scale. Not that it's not important, but it doesn't have the same range of impact. Pittsburgh doesn't cover as wide an area." Okay, I can't really argue with the area covered, but that seems to be a pretty callous statement when you consider what could have happened, along with the fact that a lot of people around here are still fairly upset about USAir Flight 427 (which just marked its one year anniversary Sept 8), and the fact that that problem still has not been found.

Alan Tignanelli

Yet another airport tower outage

Alan Tignanelli <75453.2055@compuserve.com>
19 Sep 95 07:50:20 EDT

The FAA is investigating why two backup systems "failed to kick in" after the power outage on 23 Sep 1995. The backup generator that is supposed to restore power in "5 or 6 seconds" didn't. When the power came back, the primary radar system "failed to restart as designed." The secondary system did restart, but it tracks only aircraft with transponders that respond to radio probes from the ground. In addition, controllers said its performance was erratic. After the third time the secondary system failed to work, the controllers elected to switch over to the radar provided by the regional air traffic control center in Cleveland (which I neglected to mention in yesterday's post - AT). This switch caused controllers to increase vertical and horizontal separation between flights in the area. According to the FAA, 36 flights were delayed.

Duquesne Light (local power company - AT) could find no evidence of an outage in the area, but could not rule one out. A break in the system (a limb on a wire is the example given) sits for 30 seconds before the system tries to repair itself automatically. If this works, no record is made. If it fails, a second attempt, after 4.5 minutes (it doesn't say if this is after the original outage or after the repair attempt - AT) is recorded. Local police reported that burglar alarms at two homes and a business went off at about the same time, "often a sign of a power surge or power outage."

[Summarized from an article in the 19 Sep 1995 Pittsburgh Post-Gazette]

That's right. It happened again. Apparently, a tree limb had fallen across a power line, and when workers were trying to remove it, it broke the circuit, causing the tower to lose radar coverage. Radio also was out, but only for about a minute.

Isn't it curious that they've apparently backed off the "less than a minute" claim in the original article? Also, no direct FAA quotes this time. Kind of makes you wonder about the reports that no flights were in danger.

Alan Tignanelli

Re: SSNs for E-mail addresses! (RISKS-17.35)

Dave Parnas <parnas@triose.crl.McMaster.CA>
Sun, 17 Sep 95 09:25:51 EDT

This type of irresponsible behaviour is not at all unusual. At McMaster University the Computer Services group continues to use the student number as logon id and e-mail address in spite of the fact that may Profs post grades "anonymously" using student numbers.

Prof. David Lorge Parnas, Communications Research Lab, Dept. of Electrical and Computer Engineering, McMaster University, Hamilton, Ontario Canada L8S 4K1

Re: Abandoned oil tank phones...

Sean Reifschneider <sreifsc@sreifsc.uswc.uswest.com>
Fri, 22 Sep 1995 11:02:33 -0500 (CDT)

>The phone company eventually traced the calls to an abandoned oil tank
>in Maryland. It was rigged to call the oil company when the oil level
>was low, but the phone number was scrambled and it called her instead.

This story seems to be reported as a "truth is stranger than fiction" story, but I think it's more important than that. I'm sure most of us have gotten mis-directed FAX calls before, but this is slightly different.

People would freak out if it had been an abandoned baby, the entity that had done the abandoning would I'm sure be facing criminal charges as a result. Is an abandoned oil tank any less serious though? Is there no decommissioning process for oil tanks?

The RISK may be that the tank was calling for help and nobody cared to listen. Did the tank start calling when they removed all oil from the tank, or did it happen because the oil that was left there somehow got down below the trigger level? If the oil level went down, where did it go?

Another RISK may be that these details were made clear in the CNN information, but as there was no synopsys, and the hot-link to the CNN story is dead, I have no way of knowing. Should an archive such as the one that holds RISKS have as the major substance of one of the articles a link that is likely to not be around in 2 more weeks, let alone on the 20th anniversary of RISKS?

Sean

Don't believe everything you read (hacking Citibank ATMs)

John Pettitt <jpp@software.net>
Sat, 23 Sep 1995 19:02:57 +0100

A recent issue of 2600 (a hacker magazine) had info on a supposed control mode on Citibank ATM machines (the ones the the touch screen). The article went on to say that if you tapped the screen twice (a double click) it went into a control mode with crude graphics and strange 'tap out your pin number' interface.

The local CitiBank confirms my thoughts on this - it's a visually impaired user mode. It's public info and they will even supply an audio tape on how to use it!

2600 strikes again :-)

John Pettitt, VP Engineering, CyberSource Corporation
jpp@software.net +1 415 473 3065 (V) +1 415 473 3066 (F)

CitiBank overdraft protection

John Pettitt <jpp@software.net>
Sat, 23 Sep 1995 18:57:26 +0100

CitiBank bounced one of my checks a couple of months back. The reason it bounced is a classic human error / bad systems design risk.

I wrote a large check to the state of california to cover tax on a capital gains (far too large IMHO but thats another issue). To cover the check I asked citibank to wire funds from a sterling account to my US dollar citigold checking account. Knowing that transfers between these accounts takes longer than they claim it does (a whole other issue between me and them) I called my branch and told the what was going on. They assured me that since I had more than 5 times the check amount in other accounts they would cover it.

It came as rather a shock when it bounced.

Panic ensued - CitiBank were horrified because they didn't know why it had bounced. I was horrified because the franchise tax board said they don't re-present bad checks. My accountant said don't worry the tax board do re-present. (an incidental risk - the tax board was right *they* don't re-present but their bank *does* re-present once so the check cleared without hurting my good rep with the tax folks).

Anyway it took three months and several more bounced checks from other customers before citibank figured out what was happening:

Every morning the manager checks the system for overdrafts, if he does not override the system the checks bounce. Unfortunately when he was trained (way back when) you had to specify an account type code to do the overdraft
check. In doing so accounts like mine (a citigold CMA type account) do not show up! If he had let it default (as new staff are trained to do) he would have seen the citigold overdrafts. The net effect of this is that for a three month period this summer citibank in california was bouncing random checks from it's best customers ...

The good news it they have learned from it and issued a memo to all managers to ensure that everybody knows why it's happening.

John Pettitt, VP Engineering, CyberSource Corporation
jpp@software.net +1 415 473 3065 (V) +1 415 473 3066 (F)

Call-box scams in California (PGN, RISKS-17.35)

Kevin Maguire <maguire@tina.jpl.nasa.gov>
18 Sep 1995 23:32:06 GMT

> The remaining call boxes have now been reprogrammed to be able to dial
> only 911

That's a poor solution to the problem. The 911 system is already overburdened by people using it for non-emergency calls; some communities even impose a fine for making non-emergency calls to 911.

I may be wrong in this assumption, but I'd imagine that most users of highway call boxes are suffering from flat tires, overheated engines and similar problems which don't require immediate emergency response.

Are you sure it's set to 911 and not local non-emergency police numbers? The one time I had to use a highway call box, in LA county, it direct-dialed a non-emergency operator. I don't remember if I got a police operator or CalTrans.

Kevin Maguire Kevin.P.Maguire@jpl.nasa.gov
[You are probably correct. Journalism is not an exact science. PGN]

Please report problems with the web pages to the maintainer

Top