On Friday, 29 Nov 1996, Amtrak's nationwide reservation and ticketing system bellied up during what is usually the heaviest travel weekend of the year. The outage caused enormous confusion and delays, because agents typically had no printed schedules and fare tables. [Source: An item from *The New York Times* in the *San Francisco Chronicle*, 30 Nov 1996, A6.]
Bell Atlantic Customers Put on Hold by Directory Assistance [Source not specified, 26 Nov 1996. PGN Abstracting.] Hundreds of thousands of would-be telephone callers in nine states from NJ to WV could not get prompt directory assistance from Bell Atlantic on 25 Nov 1996, because of flaws in new database software installed by Northern Telecom that affected the entire customer area. The problems affected all of the about two dozen directory-assistance centers throughout the day, until the old version could be resuscitated. Operators were noting requests and calling customers back when assistance could be attained (with delays typically from three minutes to half an hour). Northern Telecom said that the new upgrade was intended to correct some minor errors in the earlier version, and had previously been used without incident by at least two other large telcos. Blame was allocated to a technician who had installed the software. This was reportedly one of the biggest outages of this kind ever.
The Shetland Islands have a 124-year-old print weekly (*Shetland Times*) and a 1-year-old online daily (*Shetland News*). The *News* includes titles of *Times* articles as hypertext links to the *Times*. Robert Wishart, the *Times* managing director (who once fired his former editor, Jonathan Wills, who is now the *News* publisher), has demanded that the links be removed; Wills has refused, although he did add asterisked footnotes. Wishart then invoked Scotland's Court of Session, which issued an interim interdict against the hyperlinks. A full hearing is pending. If the interim judgement is upheld, this is seemingly a landmark case in Scotland and potentially the UK, including issues such as the differences between a web site and a cable TV service, and whether newspaper headlines constitute copyrightable literary works. [Source: Scottish Case Tests `Right to Link', By Pamela Mendels, *The New York Times* CyberTimes, 30 Nov 1996. PGN Abstracting] <http://www.nytimes.com/library/cyber/week/1130shetland.html> [So, perhaps the *Times* really wants the *News* to stop a little horsing around, and pony up? But the ponies are so small there. PGN]
A recent security announcement was made to the 'linux-alert' security list describing how the 'lpr' utility suffers from the (now infamous) buffer overrun problem. This could be exploited as a security vulnerability in the case where it has the suid bit set. It wasn't until after this first announcement that it was realised that various Linux distributions have different ideas about the version number of the *same* lpr source. Of course, this could cause much confusion and prompted a follow-up message drawing people's attention to this somewhat annoying and misleading situation. The RISKS are that, especially in the case of freely-redistributable source, users may not know the 'true' version that they are running and may be deluded into thinking that they have a 'fixed' or 'safe' version. Of course, the program *could* differ in all but name but in any case some co-ordination, clarity and careful thought should be exercised by all. A case for truth in advertising ? John Pelan (J.Pelan@qub.ac.uk)
The following item from WhiteBoard News (posted without permission of the author firstname.lastname@example.org; for list info, http://www.vantagepoint.com/ghayes/Lists/news.html) reminds us that risks are possible in the case of any system that's relied upon, whether or not that system is technological in nature: == begin excerpt == Jackson, Tennessee: Cathy Mullikin's bird is cooked, and her calendar is toast. Mullikin had her Thanksgiving turkey dinner already cooked on Thursday [Nov. 21], "and my friends and family are coming on the 28th and they're going to think I'm a kook," she said. She should never have believed that free calendar. Jackson-Madison County General Hospital gave out 40,000 of them last year and every last one said Thanksgiving was on the 21st instead of the 28th. "I wouldn't have known it was wrong except my niece called and asked what I was doing. When I told her I was finishing up Thanksgiving dinner, she said 'A week in advance?'" Mullikin told The Jackson Sun on Thursday.... "We've had a number of calls from people who have seen the error and called it to our attention," [JMCG Hospital] spokesman Ken Marston said. [Various power outages were reported on Thanksgiving Day, when it was stormy and windy in parts of the western U.S. Many turkeys apparently were left partly cooked during the outages. PGN]
>From "Central & East European Secure Systems Strategies (CEESSS)" with permission of the copyright holder: Secret incidents of hackers' attacks upon Czech banks and release of Czech citizens' personal information by Steven Slatem <email@example.com> Copyright (c) 1996 IntelliTech Hackers stole 50 million Kc ($1.9 million) during attacks upon unnamed Czech banks and, in another incident, obtained and posted to BBSs a file of Czech citizens' personal information, we learned in an interview at INVEX (Brno, 22 -- 26. October) with Jiri Mrnustik, CEO of the Brno-based anti-virus and encryption software developer AEC s.r.o.// (ss961112-002) (630 words) (STS) Central & East European Secure Systems Strategies (CEESSS) is delivered via e-mail and the Web. See http://www.intellitech.cz/ceesss/ for details. [To preempt our esteemed moderator, I will immediately warn readers that the facts will have to be Czeched before giving credence to this report.] M. E. Kabay, Ph.D. / Director of Education National Computer Security Association (NCSA)/ http://www.ncsa.com
Criminal group made money by manipulating ... COMTEX Newswire 25 Nov 1996 SARATOV, November 25 (Itar-Tass) -- A well-organised criminal group that made more than 800 million roubles every month by manipulating computer files in gambling has been exposed by police in the Saratov region, the middle Volga. A source in the regional directorate in charge of fighting organised crime told Itar-Tass that computer-added swindling was exposed by police for the first time in Russia, although crimes of this sort have been reported in many regions of Russia. The source described the technology of fraud: the operator used a false file to influence the outcome of the "cockroach races" in a way that ensured that the victory was won by the cockroach chosen by the operator. [Or perhaps the file was altered to select the designated "winner"? PGN] The experience accumulated in the process reportedly will enable the law enforcers in other regions of Russia to take into account computer swindlers who have escaped responsibility until now. (The net take was about US$5,500 daily.) Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.
Here's a verbatim quote from the Orchestra List, which is occupied by musicians and conductors. Apparently spelling correctors are getting RISKier all the time. Note that this was *automatic* spelling correction, so apparently the user didn't even get a chance to override the incorrect decision. > Subject: Parts are a MESS ... > >Here's a warning on the E.C. Scarier parts to the Mozart Vespers, K. 321. > In > > Well, I typed E.C. S-c-h-i-r-m-e-r. I must figure out how to disable my > automatic spell correcting program so it doesn't do this to me again. But > then again, given the condition of the parts, maybe scarier is the better > term anyway. Geoff Kuenning firstname.lastname@example.org geoff@ITcorp.com http://fmg-www.cs.ucla.edu/geoff/ [But a MASS is a MESS(E) (in German, French) is AMISS (from Latin, MISSA). You'll have to vesper more softly ven you perform. PGN]
[Here is a frightening snippet from Microsoft's website I'm not sure I understand the full implications of it, but I don't doubt that there are risks involved.] http://www.microsoft.com/java/sdk/getstart/javac007.htm : Updating the Java Support on a User's Machine If you are placing an applet that uses COM on an HTML page accessible from the Internet, you must ensure that any users who encounter that page have a version of the Java Support for Internet Explorer that fully supports Java/COM integration. To do this, you must insert the following tag on the HTML page containing your applet (or on the introductory page of your Web site): <OBJECT CLASSID="clsid:08B0E5C0-4FCB-11CF-AAA5-00401C608500" CODEBASE="http://www.microsoft.com/java/IE30Java.cab#Version=1,0,0,1"> </OBJECT> This tag causes the user's Internet Explorer to check the version of its Java support. If the version installed on the user's machine is not up-to-date, Internet Explorer downloads the latest version of Java support from http://www.microsoft.com and updates the user's machine. - - - - The potential risks are endless. Say I know of a security hole in a specific version of IE, I can automatically get visitors to my website to install it, then attack them through the hole. Some questions: Does it ask the user first ? Can I force a 'down'grade, i.e., install an older version ? What happens if the user uses two sites that require different versions? Is the code signing strong? (i.e., stronger than MS's CD keys ?), can I fake a CAB file? Tim Panton, Westhawk Ltd, Frederik Hendriklaan 89, 2582BW Den Haag. The Netherlands email@example.com +31 6 5348 1795 http://www.westhawk.co.uk
I'm sure we're all increasingly aware of annoying unsolicited commercial e-mail messages forced into our electronic inboxes. But is this just the tip of the iceberg? A mass mailing recently ended up in my e-mail, promising e-mail marketing to 100,000 or 1,000,000 people for $195 or $995 respectively. Ominously, the message did not have a valid "From:" address in the header, and was passed through at least two servers before being distributed to an undisclosed list of recipients. Does a $100 InterNIC registration and $15/month ISP charge now give anyone the ability to saturate the Internet community with unsolicited e-mail? Besides carefully screening incoming e-mail, what recourse does one have against acts of e-mail terrorism? With many SMTP e-mail servers readily accepting mail from anonymous senders, how can we stop the constant stream of unsolicited commercial e-mail being forced down our throats? This trend gravely concerns me, as it should concern us all! Scott Savett, Graduate Student in Analytical Chemistry, Clemson University Webmaster, National Collegiate EMS Foundation http://www.ncemsf.org/
Last week I was unable to use my cash card to pay for my groceries at the local grocery store because the system wasn't working. The November 28, 1996 business section of the Albuquerque Tribune explained why: "ATMs zapped: First Security's Albuquerque-area automated teller machines and electronic funds-transfer stations at Smith's Food & Drug Stores went on the blink last weekend when a new cellular-telephone company started service using a microwave frequency that bled over to First Security's ATM and EFT frequency. Service disruptions forced Smith's to shun electronic purchases Saturday through Monday. "We apologize to our customers who were inconvenienced and are working hard to fix the problem, but the problem of jammed frequencies is just going to get worse," said Paul Bouschelle, executive vice president for First Security Bank of New Mexico." Two obvious RISKs revealed by this incident: 1. The unintended and unexpected problems caused by bringing a new system on-line. For whatever reasons, this problem took the whole weekend to resolve. 2. This article also reveals that the ATMs and EFT terminals communicate over microwave frequencies, and are thus subject to being tapped or monitored, perhaps more easily than if they were connected via wire or telephone lines. I guess I've assumed that most of these terminals were handled via phone line, which seems inherently more secure than a radio link. This may not be true. I don't recall much discussion in this group of the risks of using radio links vs. wire for financial data transfer. Bruce E. Wampler, Ph.D., Adjunct Professor, Department of Computer Science, University of New Mexico firstname.lastname@example.org http://www.cs.unm.edu/~wampler
Your electronic wallet in the Van Allen radiation belt, or Electronic commerce at RISK in space? Jean-Jacques Quisquater UCL Crypto Group - Microelectronics Lab November 30, 1996 [Note: This short remark was intended as a contribution to the rump session of EUROCRYPT '97 but the subject is too hot to wait.] >From end September until now many announcements were issued about the so-called Bellcore attack against tamper-resistant chips (example: smartcard or chipcard for electronic commerce). The attack is based on the (theoretical) possibility of flipping some bits (at some random position) of the secret key, stored in RAM or E2PROM, before or during the computations done by the chip. Another attack is to induce some decoding error during the execution of one instruction (Anderson and Kuhn). One crucial question is the effectiveness of such attacks by malicious hackers. In fact, this problem was very well studied in the contexts of nuclear physics and of space applications (what about the behavior of semiconductors in such hard environments?). In that area, there is the concept of SEE (Single Event Effect) and it is what we are trying to study! A SEE is an event induced by radiation, temperature, microwave, ..., having some effect one time on a device. There are many studies about that. What we need to know are the SEEs --- relatively well focused (one or few bits are flipped), --- and/or at a given moment, --- and/or for a very short time. Here are some references to begin the study. The reference newsgroup is sci.engr.semiconductors (others?). - The NASA ASIC guide, published by JPL and NASA, Chapter 4, Design for radiation tolerance, 1993. - Hardening integrated circuits against radiation effects, J.-P. Colinge and P. Francis, November 1996, Notes (66 pp.), Microelectronics Lab, UCL, Louvain-la-Neuve, Belgium (yes!, my lab), - Single-Event-Effect mitigation from a system perspective, IEEE Trans. on Nuclear Science, vol. 43, April 1996, pp. 654-660. - Laboratory tests for Single-Event Effects, IEEE Trans. on Nuclear Science, vol. 43, April 1996, pp. 678-686. - Microbeam studies of Single-Event Effects, IEEE Trans. on Nuclear Science, vol. 43, April 1996, pp. 687-695. - Soft errors susceptibility ands immune structures in dynamic random access memories (DRAM's) investigated by nuclear microprobes, IEEE Trans. on Nuclear Science, vol. 43, April 1996, pp. 696-704. - 32-bit processing unit for embedded space flight applications, IEEE Trans. on nuclear science, vol. 43, June 1996, pp. 873-878. - Single Event Effect testing of the Intel 80386 family and the 80486 microprocessor, IEEE Trans. on Nuclear Science, vol. 43, June 1996, pp. 879-885. - Analysis of local and global transient effects in a CMOS SRAM, IEEE Trans. on Nuclear Science, vol. 43, June 1996, pp. 899-906. - 1997 IEEE nuclear and space radiation effects conference, call for papers. Jean-Jacques Quisquater, Universite catholique de Louvain, Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium tel 22.214.171.124.41 email@example.com
A (corrected thanks to Arjen Lenstra) postscript version of Attacks on systems using Chinese remaindering by Marc Joye and Jean-Jacques Quisquater, Report CG-1996/9 is accessible at the following URL: http://www.dice.ucl.ac.be/crypto/techreports.html
Workshop on Human Error and Systems Development The Senate Room, University of Glasgow 20-22 March 1997 Co-chairs: Nancy Leveson and Chris Johnson <http://www.dcs.gla.ac.uk/~johnson/HF_Engineering.html> Recent accidents in a range of industries have increased concern over the management and control of safety-critical systems. Much recent attention has focussed upon the role of human error both in the development and in the operation of complex processes. This workshop will, therefore, provide a forum for practitioners and researchers to discuss leading edge techniques that can be used to mitigate the impact of human error on safety-critical systems. Our intention is to focus the workshop upon techniques that can be easily integrated into existing systems engineering practices. With this in mind, each day will have a different theme. The session on Thursday 20th March will focus on accident analysis and risk assessment techniques. Friday, 21st will focus more narrowly upon interface and component design, development, and testing. We also encourage papers that cross these boundaries. Saturday 22nd March will provide the opportunity for informal discussion about the issues raised during the workshop. The day will be spent on the Isle of Arran, off the west Coast of Scotland [not to be confused with Aran]. Deadlines: Authors should submit extended abstracts to Chris Johnson, see below, to arrive no later than January 17th, 1997. [
Please report problems with the web pages to the maintainerTop