The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 94

Thursday 27 March 1997

Contents

o Crackers Obtained Gulf War Military Secrets
Edupage
o Clinton Administration Pushing New Encryption Legislation
Edupage
o Thieves steal license machines
Gary Grossoehme
o Jail release: Just the Fax, Ma'am.
David Kennedy
o Traffic signals, red-runners & all-greens
J. DeBert
o UK Banks clearing system salary payment problems
Lord Wodehouse
o Sweden may offer constitutional protection to Internet publications
Martin Minow
o Liability risk in Web Frames
David Kennedy
o Hungary's State-Run ISP Compromised
David Kennedy
o Warning to MSIE users
Andre Hallam
o Risks of automatic spam blockers
Prentiss Riddle
o Catastrophic Y2K risk
Joel Garry
o Year 2000 costs -- they're large
Martin Minow
o Re: Splendour of the Seas not so Splendid
Martin Ewing
Jeremy Anderson
o Bad variable names in programs
Randy Holcomb
o USENET control messages as worm transport
Steve Kilbane
o Re: Bank cannot believe it made a mistake!
Mark Brukhartz
o Re: Risks of random-number servers
Jeff Nelson
Przemek Klosowski
o Info on RISKS (comp.risks)

Crackers Obtained Gulf War Military Secrets (Edupage)

Edupage Editors <educom@elanor.oit.unc.edu>
Tue, 25 Mar 1997 13:06:41 -0500
During the Gulf War, computer vandals working from Eindhoven in the
Netherlands cracked into U.S. government computers at 34 military sites to
steal information about troop movements, missile capabilities, and other
secret information; they then offered it to the Iraqis, but the Iraqis
rejected it because they considered the information a hoax.  Dr. Eugene
Schultz, former head of computer security at the U.S. Department of Energy,
has told the British Broadcasting Company: "We realized that these files
should not have been stored on Internet-capable machines.  They related to
our military systems, they related to Operation Desert Shield at the time,
and later Operation Desert Storm.  This was a huge mistake."  (*London
Telegraph*, 23 Mar 1997; Edupage, 25 Mar 1997)


Clinton Administration Pushing New Encryption Legislation (Edupage)

Edupage Editors <educom@elanor.oit.unc.edu>
Tue, 25 Mar 1997 13:06:41 -0500
The Clinton administration will introduce more legislation on encryption
technology export, in addition to the three bills already pending in
Congress.  The latest effort seeks to help develop an electronic key
management infrastructure that would allow U.S. users to employ any
encryption they want, and would, among other provisions, spell out the legal
circumstances for handing over keys to law enforcement officials.  The other
bills pending are: the Security and Freedom Through Encryption Act, the
Promotion of Commerce Online in the Digital Era bill, and the Encrypted
Communications Privacy Act.  (InfoWorld Electric 21 Mar 1997; Edupage, 25
Mar 1997)


Thieves steal license machines

<GaryG4430@aol.com>
Tue, 25 Mar 1997 16:39:50 -0500 (EST)
Excuse me Sir, but would you watch my Golden Goose while I go get a cup of
coffee?

Published in the *Portland Oregonian*, 25 Mar 1997, p.2, Around the Nation:

  Thieves steal license machines

  MIAMI - Last year, Florida bought computers to make driver's licenses that
  are virtually impossible to counterfeit.  But brazen South Florida thieves
  have been stealing the computers, sometimes later returning to the scene
  to pick up accessories.  In seven burglaries at five virtually unprotected
  driver's license offices from Key Largo to Okeechobee, crooks have
  gathered the $15,000 computers, software and supplies for five complete
  systems -- everything they would need to crank out the state's new high-tech,
  counterfeit-resistant licenses.

Yup, only our high-tech systems can make our high-security, tamperproof,
extremely valuable documents.  And you can't just buy one of these systems
just anywhere...

Gary Grossoehme, Oregon Electronics

  [Also commented on by Bob_Frankston@frankston.com, who notes that if the
  new licenses are considered "foolproof", it only increases their value!  PGN]


Jail release: Just the Fax, Ma'am.

David Kennedy <76702.3557@compuserve.com>
Wed, 26 Mar 1997 16:51:47 -0500
Gregory Williamson was released from jail after his girlfriend Kim Starke
faxed to jail officials a bogus letter supposedly from the Pennsylvania
Governor's office, ordering his release.  He was subsequently recaptured
after he tried the same technique to get his former cellmate released,
sending a fax that appeared to be from Florida Governor Lawton Chiles'
office -- someone had bothered to check with Chiles' office.  Starke
formerly worked for a printing company, and investigators found computers
and disks containing official seals for various state offices in her
apartment.  [Source: AP US & World 26 Mar 1997, Associated Press via
CompuServe's Executive News Service, PGN Abstracting]

  [DMK: Corel Draw 3, I wonder?]

  [For newer RISKS readers, we note that jail spoofing is of course old hat.
  William Londono (an alleged cocaine dealer) was released from Los Angeles
  County jail in 1987 based on a bogus e-mail message, and Jean Paul Barrett
  (a convicted forger) was released from a Tucson jail on the basis of a
  forged fax.  Earlier, a Santa Clara inmate had gotten access to the prison
  computer and simply changed his own release date.  PGN]


Traffic signals, red-runners & all-greens

"J. DeBert" <onymouse@hypatia.com>
Tue, 25 Mar 1997 22:37:06 -0800
I understand, from discussions with public works departments and from
glancing views of the insides of controllers, that traffic signals are
controlled by software, now.

A recent accident in San Francisco, in which both drivers and witnesses
state that they had green lights caused me to remember some instances where
I have seen modern signals go all green. (These were all stand-alone signals
with no remote controls at all.)

This is obviously a serious danger to traffic, if it occurs at all.  It is
made worse because no one seems to believe that it is possible. I have
talked to public works people and police, who all have told me that it is
impossible. Sure, it quite likely is, for old-style timer and stepper relay
controlled signals, but what about the new types?

Has anyone else seen signals go all green?


UK Banks clearing system salary payment problems

Lord Wodehouse <w0400@ggr.co.uk>
Thu, 27 Mar 1997 11:21:19 +0000 (GMT)
As you may have read, there was a problem with the banks' automatic clearing
system earlier this week, and records for salary payment in the UK did not
all get processed in time. With Easter this weekend, Good Friday a bank
holiday and also Easter Monday, people whose salary was not paid, would find
that the ATMs might not allow them money, because their accounts were out of
funds. With two extra days when banks are closed making a period of four
consecutive days, customers could well be placed in a difficult position.

I checked with my bank today, once via the telephone banking service,
once in the branch and once via an ATM. The first check showed no money, the
second and third showed GW had paid the money and I would not be penniless
over Easter, on account of the bank clearing problems in the press today.

So everyone else in GW should be OK, but while using the ATM to query
another account, it failed to make the transaction. I can only assume that
the extra traffic levels because of the newspaper comment are resulting in
overloads at the banks' ATM computer centres.

So we have at least two problems here. The first is the failure to process
all the records through the clearing system in time. The exact reason has
not been given as yet. The second problem is the long "weekend" and the
impact on customers. Thirdly the press coverage now increasing the load on
the ATM system, and you have a very interesting situation. One simple
failure causes a series of consequences, which may trigger further failures,
a domino effect.

Now the press are saying that the banks won't charge for people overdrawn as
a result. I guess that will be quite taxing for people to sort that out
after the event. Even if as it has been said that only a small percentage of
the transfers were not completed, it certainly is already having a wide
impact. At least one of the TV News desks was trying to speak to "a bank"
and not getting through this morning, so BT will be finding its network is
having extra loadings in unusual patterns.

Of course the clocks go forward in the UK this weekend too ... on some
computers, but we know the problems that often presents.

... and you think that the y2k problem is not really one ...

Advanced Technology & Informatics, Glaxo Wellcome Medicines Research Centre
+44 (0)1438 76 3222  lordjohn@dial.pipex.com lordjohn@lordjohn.demon.co.uk


Sweden may offer constitutional protection to Internet publications

Martin Minow <minow@apple.com>
Tue, 25 Mar 1997 18:37:46 -0800
An article in the Swedish newspaper, Svenska Dagbladet
http://www.svd.se/svd/ettan/ettan_97-03-22/privatpersons.html describes
proposed legislation that, if passed, would offer constitutional "Freedom of
Speech," protection to Internet publications, equivalent to those granted to
traditional paper publications. (Swedish constitutional protections are
generally, but not totally, comparable to American practice -- and I'm not
qualified to discuss this in detail.)

The "Media Committee" [the article wasn't clear as to whether this is a
parliamentary committee or a non-governmental source] does not believe that
the Internet itself should be covered by constitutional protection, due to
the inability to maintain the principle of "ansvarig utgivare" [responsible
editor -- a known individual who has legal responsibility for what is
written in the publication]. On the other hand, this does not mean that the
Internet is totally beyond the law as, for example, threats against national
groups can be prosecuted under existing criminal law.

There is one interesting limitation in the legislative proposal: that an
Internet publication would receive constitutional protection by ''requesting
an "utgivnings bevis" [publication manifest] from the Radio and TV
Commission.'' The limitation is that the reader shall not be permitted to
modify the material.  This would appear to exclude unedited chat rooms, list
servers, or unmoderated news groups. Anonymity (on the part of the editor)
would also be forbidden.

[Note: this is more of a summary than a direct translation.  Svenska
Dagbladet is a major national newspaper. Articles on their web page
generally disappear after a week, but can be retrieved for a fee. There are
several terms of art, such as "ansvarig utgivare" that have very specific
meaning in Swedish law, and my translations should not be trusted.

The Swedish "grundlag" [constitution] is the basis for the Swedish legal
system. Of interest here are (using American terms) the freedom of the press
and freedom of expression laws. These grant citizens the right to publish
without prior governmental hindrance. This freedom does not permit high
treason, threat against national groups, illegal description of violence,
and slander.]

Martin Minow minow@apple.com


Liability risk in Web Frames

David Kennedy <76702.3557@compuserve.com>
Tue, 25 Mar 1997 18:23:09 -0500
Excerpted from:
EFFector        Vol. 10, No. 04       Mar. 17, 1997        editor@eff.org
A Publication of the Electronic Frontier Foundation        ISSN 1062-9424

* Web Link Lawsuits Raise Serious Questions
Comments of the Electronic Frontier Foundation on Web Content Linkage Lawsuits
  Mar 17 1996

In an action similar to a (settled) legal threat over "inlining" of
copyrighted comic strip graphics in a third party web page, a host of
publishing companies have filed suit in New York City federal district court
against a company called TotalNews.  TotalNews uses the experimental
"frames" extension to Web code to point their site's visitors to various
news sources around the Web.  CNN, Washington Post, Dow Jones, Times Mirror
and Reuters, who have filed the suit, allege that TotalNews' practice of
displaying the content of the various companies' news sites within a "frame"
with TotalNews' banner ads, is a violation of the companies' rights.  [...]

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.

  [Recall the Shetland Times suit, RISKS-18.64 and 78.  PGN]


Hungary's State-Run ISP Compromised

David Kennedy <76702.3557@compuserve.com>
Wed, 26 Mar 1997 00:22:29 -0500
Courtesy of the COMTEX  Newswire via CompuServe's Executive News Service:
COMTEX Newswire  25 Mar 1997

          ****Hungary's Matav Admits Internet ID/Password Leak

> BUDAPEST, HUNGARY, 1997 MAR 25 (Newsbytes) -- By Sylvia Dennis.  Matav,
> the former state telco in Hungary, has been forced to admit that security
> in its Internet division is not all it could be. Following an anonymous
> post to several Hungarian mailing lists, the Internet service provider
> (ISP) has admitted that around 1,200 IDs and passwords for the MatavNet
> may have fallen into the wrong hands.

> The saga started last week when an anonymous set of messages started
> appearing in the Hungarian Usenet newsgroups, claiming that the poster had
> obtained a list of MatavNet IDs and passwords, and that the files had been
> leaked because of the ISP's security failures.

1200 subscribers were signed up for accounts in the second quarter of 1996
and were given accounts where the password was their billing ID number.  The
ISP published the ID numbers a "few months ago ... with predictable
results."  The ISP published the list to alert users to change their
passwords (DMK:?!?).

> The incident has similarities to a security problem caused in the
> mid-1980s by Telecom Gold, British Telecom's e-mail company, Newsbytes
> notes. Telecom Gold officials released 100's of IDs in the ICL001 to
> ICL999 ID group to ICL Computers, but allocated the IDs as passwords as
> well, and told ICL staff what they had done.

Hackers responded predictably within days.  It took weeks to discover the
problem, resulting in several thousand pounds lost.

Ameritech and Deutsche Telekom are major investors in MatavNet.

> MatavNet's Web pages are at http://www.datanet.hu .
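
Added example, not part of the original digest or of the Newsbytes report: a minimal audit an operator could run over its own credential store to find accounts whose password can be derived from the account's identifiers, the weakness common to the MatavNet and Telecom Gold incidents above. The record layout, the PBKDF2 parameters and the sample accounts are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 10_000  # assumed parameter of the constructed demo store


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash as the (hypothetical) store would keep it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def derived_candidates(account: dict) -> dict:
    """Passwords anyone could guess from identifiers that are not secret."""
    login, billing = account["login"], account["billing_id"]
    return {
        "login": login,
        "login-lower": login.lower(),
        "login-upper": login.upper(),
        "login-reversed": login[::-1],
        "billing_id": billing,
        "billing_id-digits": "".join(ch for ch in billing if ch.isdigit()),
    }


def audit(accounts: list) -> list:
    """Return (login, rule) for every account whose stored hash matches a
    password derived from its own identifiers. Only the first matching
    rule is reported per account."""
    findings = []
    for acct in accounts:
        for rule, guess in derived_candidates(acct).items():
            if not guess:
                continue
            if hmac.compare_digest(hash_password(guess, acct["salt"]),
                                   acct["pw_hash"]):
                findings.append((acct["login"], rule))
                break
    return findings


def build_sample_store() -> list:
    """Constructed sample data: three weak provisioning patterns, one sound."""
    raw = [
        ("demo001", "HU-1996-0041", "demo001"),        # password == login
        ("demo002", "HU-1996-0042", "HU-1996-0042"),   # password == billing ID
        ("DEMO003", "HU-1996-0043", "demo003"),        # case-folded login
        ("demo004", "HU-1996-0044", "vK7#constructed-strong-passphrase"),
    ]
    store = []
    for login, billing, password in raw:
        salt = os.urandom(16)
        store.append({"login": login, "billing_id": billing, "salt": salt,
                      "pw_hash": hash_password(password, salt)})
    return store


if __name__ == "__main__":
    for login, rule in audit(build_sample_store()):
        print(f"{login}: password derivable from identifiers ({rule}); "
              "force a reset before any identifier list is circulated")
```

Running the audit before publishing or circulating any list of identifiers reverses the order of events in both incidents: affected accounts get a forced reset first, and the identifiers stop being usable as credentials.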


Warning to MSIE users

Andre Hallam <***agh@netcom.ca>
Thu, 27 Mar 1997 05:21:12 GMT
You've probably heard about the infamous bug that lets people run code on
your system.  Well, really, it's quite a lot worse than that, and Microsoft
is not telling you.  Why aren't they telling you?  I don't know.

It is possible for someone to steal any file on your system. This includes
your password files, your INI files - anything at all.

I have informed Microsoft about this serious hole, and sent them
instructions on how to duplicate it, but this has not caused them to
escalate their warnings in any way.  I think they're hoping nobody finds out
about it.

(Remove asterisks from my address if you would like to reply.  Andre)
  [Ah, yes, by all means, avoid the aste-RISKS of being spammed!
  And if you have questions, please direct them to Andre, cc RISKS.  PGN]


Risks of automatic spam blockers

Prentiss Riddle <riddle@is.rice.edu>
Wed, 26 Mar 1997 09:25:38 -0600 (CST)
Forwarded from Edupage, 25 March 1997:
| SPAM BLOCK
| A California software engineer [Ron Guilmette] takes the annoyance
| caused by unsolicited e-mail messages seriously, and has developed an
| anti-spam weapon he plans to unveil next month.  Dead Bolt allows
| online users to share their "blacklists" of spam purveyors so that they
| can more effectively filter offending e-mail.  "The problem now is that
| everyone who is filtering is keeping their own blacklists and they're
| not working together to tie their lists together in a meaningful way,"
| says Dead Bolt's creator.  "What I hope my package will do is allow
| people to work together over the Net and filter all this stuff out and
| finally put these people out of business....The problem is that it
| costs the sender virtually zero dollars to send out a million messages,
| and even if the response rate is minuscule by all standards -- say .001
| percent -- they've made money.  So from an economic selfish point of
| view, it's in their interest to annoy the other 99.99 percent of the
| people." (Miami Herald 24 Mar 97)

The full Miami Herald article is available at:

   http://www.herald.com/archive/cyber/techdocs/056735.htm

Some of the risks of automatic spam filtering which Deadbolt will have
to overcome in order to be successful include:

   -- The risk of false and malicious blacklisting of non-spammers.

   -- The risk of harm to innocent bystanders who happen to share
      hostnames, ISPs, or other characteristics with targeted spammers.

   -- The possibility that spam messages will avoid detection by
      varying return addresses and other signatures in each copy of
      a message.

I find the first two particularly troubling -- were an imperfect spam
filtering system in wide use, then triggering it against an innocent
party could become a handy form of denial-of-service attack.

Published details of Deadbolt are sketchy, but a Deja News or Alta
Vista search of Usenet for "Ron Guilmette" reveals some of its
designer's thinking on the subject.  So far, I don't see enough to
convince me that he will be successful.

Prentiss Riddle  riddle@rice.edu


Catastrophic Y2K risk

Joel Garry <joelga@amber.rossinc.com>
Thu, 27 Mar 1997 06:14:42 -0800
The news is awash with stories of the Rancho Santa Fe (by some measures, the
most affluent community in the US) apparent religious-cult mass suicide
yesterday.  [39 dead.]  The reports mention that 4 or 5 of the victims were
web programmers.  Beyond the obvious Y2K risk of losing your programmers to
Millennium cults, this may bring to the public consciousness the risk of a
doomsday cult seeking to destroy the Net, which of course leads to the risk
that the public may become paranoid about that risk.  Paranoid nontechnical
people may be a worse risk than malicious technical people.

Joel Garry  joelga@rossinc.com


Year 2000 costs -- they're large

Martin Minow <minow@apple.com>
Thu, 27 Mar 1997 08:59:27 -0800
In an article in the Swedish newspaper, Svenska Dagbladet,
  http://www.svd.se/svd/ettan/dagens/tusenarsskiftet.html Jan Freese, the
general director of the Swedish PTT, estimated that the total national
cost [not just the PTT] for fixing the year 2000 problem will be roughly SKR
30,000 ($4,000) per Swedish citizen.  He made his estimate based on a report
by Capers Jones, "Global economic impact of the year 2,000 software
problem."  That report estimates the total cost of fixing the problem as
roughly comparable to the total Swedish GNP for the entire 1980's.

One paragraph from a long, interesting, article, quickly summarized.

The Capers Jones report (from Software Productivity Research of Burlington,
Massachusetts) might be worth pursuing. Their web page is at
http://www.spr.com/ and the Capers Jones report is at
http://www.spr.com/library/y2k00.htm (follow the link to the current
version).

Martin Minow  minow@apple.com


Re: Splendour of the Seas not so Splendid (Kabay, RISKS-18.93)

Martin Ewing <martin.ewing@yale.edu>
Tue, 25 Mar 1997 09:46:51 -0500
>  [I suppose it might add to the hypothetical risks if the ship were to
>  cross the equator for the first time precisely at the Y2K midnight!  PGN]

The most dangerous spot might be on the equator and on the international
dateline at Y2K +/- 1 day.

Martin Ewing,   Science & Engineering Computing Facility, Yale University
73 de AA6E martin.ewing@yale.edu, 203-432-4243, http://www.yale.edu/secf/

  [Also noted by Jason Yanowitz <yanowitz@jimi.hmm.com>.  I should also have
  mentioned the international date line, but I was thinking primarily of
  the F-16 whose software simulation detected the bug that had caused the
  virtual plane to turn upside down when crossing the equator, because a
  programmer had forgotten the relevance of the latitude sign.  PGN]


Re: Splendour of the Seas not so Splendid (Kabay, RISKS-18.93)

Jeremy Anderson <jsamail@transend.com.tw>
Tue, 25 Mar 1997 13:37:45 +0800 (CST)
This is an amusing article.  Having once worked in the marine industry, I
have heard stories like this over and over.  The level of computerization on
many working boats continues to be low (outside of radar, GPS and the like)
because of the number of stories like this that get told and retold.

The technical problems of shipboard systems are fairly straightforward:
you are dealing with mission-critical systems which are subject to heat,
humidity, occasional quantities of salt water, inept workers and various
permutations thereof (let me tell you about the one where a high-speed
fish filleting line's automation system had the control door left open
during the daily cleaning, and was subjected to 60PSI salt water).  These
sort of problems can be engineered around with backup systems, industrial-
grade computers, and hosing down inept helpmeat with 60PSI salt water.

The more common problems tend to be the same as those encountered on land.
The non-technical owners of boats do not understand the intricacies of
fault-tolerant systems or their associated costs.  They understand that
these systems are many times more expensive than systems without
environmental protection or backups, and are very suspicious of suppliers
screwing them (if you dealt with waterfront types on a regular basis, you
would be too).

... Thus none-too-splendid seas.


Bad variable names in programs (re: Kaiser, RISKS-18.92)

"Randy Holcomb" <randyh@ibm.net>
Tue, 25 Mar 1997 22:13:50 -0600
Bad variable names and poor documentation are a problem in ANY computer
language, and their risks have been well known for quite a while.

It should not be forgotten that some compiler implementations of yesteryear
had limits on how many characters identifier names could be; I recall from
some 20 years ago on the Honeywell Model 58 that had 2 different COBOL
compilers- a 'MiniCOBOL' compiler which had 5 phases (and only recognized 4
characters in variable names) to the ANS 68 COBOL compiler, which used 21
phases - and up to six times longer to compile the same code for the same
function.

Many of the commercial packages today that I have seen and worked with
(those that are delivered with source-good luck with OCO applications) do
have meaningful identifier names and adequate documentation-but as with
anything else, its value will be variable to the programmer assigned.

Randy Holcomb (randyh@ibm.net)


USENET control messages as worm transport

<Steve_Kilbane@cegelecproj.co.uk>
Tue, 25 Mar 1997 09:33:04 GMT
I haven't seen any comments on this in recent RISKS articles, so I thought
I'd mention it. On 15 Mar 1997, David Lawrence warned in news.admin.announce
that control messages had been posted in his name which exploited a bug in
versions of innd prior to 1.5.1. The deviant messages mailed passwd and
inetd configuration information to a number of addresses. CERT has issued an
advisory (CA-97.08.innd) concerning this.

What I find interesting about this is the comparison between this attack and
RTM's 1988 Internet Worm. The original worm expended a lot of effort to move
from one machine to another, propagating itself. The design of the USENET
control system does exactly that. Usenet control messages *are* worms,
performing a usually benign task.

For more information, see:
ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd.  I'd give a reference
to David Lawrence's message too, but our news system has undergone a sudden
complete re-install, and we no longer have the article available. :-)

steve


Re: Bank cannot believe it made a mistake! (RISKS-18.92)

Mark Brukhartz <mark_brukhartz@il.us.swissbank.com>
Wed, 26 Mar 1997 13:29:03 -0600
I recall a similar story in the news. The recipient of an ``impossible''
erroneous deposit withdrew it as a bank cashiers' check and locked it in his
safe deposit box at the same bank.  He demanded and received a public
apology in exchange for the return of the check.

About 20 years ago, a bank gave me a $32,000 check in exchange for a $320
withdrawal.  The teller erred in keying the amount into the imprinter.  The
bank teller supervisor agreed that I could have cashed it (with a raised
eyebrow, no doubt) at the other local bank where I held an account.  Since
then, I've noticed that the banks have imposed a one-day hold on cashiers'
checks.  That is insufficient for them to actually receive the funds, but is
probably adequate for a few basic fraud safeguards.


Re: Risks of random-number servers (Re: Zaba, RISKS-18.93)

Jeff Nelson <jnelson@dialogosweb.com>
Wed, 26 Mar 1997 15:54:56 -0500
In RISKS-18.93, Stefek Zaba writes that random-number servers on the
Internet should not just PGP-sign but also encrypt their data, if such data
is to be used for trusted applications.

Numerous attacks are known against many different cryptographic algorithms,
including RSA, which allow statistical information to be gained about
certain bits or the combination of certain bits in the plaintext message.
In order to prevent any of this statistical information about the random
numbers from being stolen en route to the consumer, the consumer would have
to use only "hard core" bits of the message.  That is, bits which have been
proven such that gaining any statistical information about them is
equivalent to breaking the cryptographic algorithm.

This situation demonstrates the risks inherent in trusting a
tool/technology which has proven excellent at solving one problem to solve
other related problems, when the tool may or may not actually have the
required properties.

Ref.  Advances in cryptology, {EUROCRYPT} '95: Kouichi Sakurai
and Hiroki Shizuya. Universal hash functions and hard core bits.

Jeff Nelson <corba@acm.org> See also http://www.dialogosweb.com


Re: Risks of random-number servers (Re: Rescorla, RISKS-18.91)

Przemek Klosowski <przemek@rrdjazz.nist.gov>
26 Mar 1997 13:08:09 -0500
I wonder how many people looked into the random number generator
incorporated into the Linux kernel. It tallies the random events happening in a
running system (various interrupt intervals---keystroke, disk access, etc),
and constructs random bits based on them.  It is written to block if you try
to read too many bits ('entropy pool' emptied out).

I haven't looked into the implementation, but I'm sure there are people on
this list who can pass a judgement on the strengths/weaknesses of this
approach.

przemek klosowski, Reactor Division, National Institute of Standards and
Technology Gaithersburg, MD 20899 1-301-975-6249 <przemek@nist.gov>
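
Added example, not part of the original post and not the Linux kernel's code: a simplified model of the design described above, in which event timings are mixed into a pool, an entropy estimate is credited per event, and a read that asks for more bits than the estimate holds would block. The SHA-256 mixing, the 8-bit credit cap, the jitter heuristic and the sample timestamps are all assumptions chosen for the illustration.

```python
import hashlib


class WouldBlock(Exception):
    """Raised where a blocking read would sleep until more events arrive."""


class EntropyPool:
    MAX_CREDIT = 8  # assumed cap on bits credited for a single event

    def __init__(self, capacity_bits=4096):
        self._state = bytes(32)
        self._per_source = {}          # source -> (last timestamp, last delta)
        self._capacity = capacity_bits
        self.entropy_bits = 0          # bookkeeping estimate, not a proof

    def add_event(self, source, timestamp_us):
        """Mix one event in and return the bits credited for it."""
        # Every event is mixed in, whether or not it earns any credit.
        self._state = hashlib.sha256(
            self._state + source.encode() + timestamp_us.to_bytes(8, "little")
        ).digest()
        last_time, last_delta = self._per_source.get(source, (None, None))
        credit, delta = 0, None
        if last_time is not None:
            delta = timestamp_us - last_time
            if last_delta is not None:
                # Credit only the change between successive intervals, so a
                # perfectly periodic source (constant interval) earns zero.
                jitter = abs(delta - last_delta)
                credit = min(max(jitter.bit_length() - 1, 0), self.MAX_CREDIT)
        self._per_source[source] = (timestamp_us, delta)
        self.entropy_bits = min(self._capacity, self.entropy_bits + credit)
        return credit

    def read(self, nbytes):
        """Return nbytes and debit the estimate, or signal that we'd block."""
        if nbytes * 8 > self.entropy_bits:
            raise WouldBlock(f"need {nbytes * 8} bits, have {self.entropy_bits}")
        self.entropy_bits -= nbytes * 8
        out = b""
        while len(out) < nbytes:
            out += hashlib.sha256(b"out" + self._state).digest()
            # Advance the state so emitted bytes do not reveal it.
            self._state = hashlib.sha256(b"next" + self._state).digest()
        return out[:nbytes]


def feed(pool, source, timestamps):
    """Add a run of events from one source; return the total bits credited."""
    return sum(pool.add_event(source, t) for t in timestamps)


def would_block(pool, nbytes):
    """True if a read of nbytes would block (nothing is consumed then)."""
    try:
        pool.read(nbytes)
    except WouldBlock:
        return True
    return False


# Constructed sample inputs (microsecond timestamps).
TIMER_TICKS = list(range(0, 10_000, 1_000))   # perfectly periodic
KEYSTROKES = [10_000, 152_340, 231_870, 489_015,
              530_221, 801_774, 955_102, 1_204_689]

if __name__ == "__main__":
    pool = EntropyPool()
    print("timer credit:", feed(pool, "timer", TIMER_TICKS))
    print("keyboard credit:", feed(pool, "keyboard", KEYSTROKES))
    print("8-byte read would block:", would_block(pool, 8))
    print("4-byte read:", pool.read(4).hex(), "left:", pool.entropy_bits)
```

The model makes the main caveat of the approach visible: the estimate is only accounting, so the strength of the output depends on the event timings being unpredictable to an observer, and a machine with few unpredictable events leaves readers blocked.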
