The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 57

Tuesday 5 November 1996

Contents

o Cutting off husband's cybersex leads to assault
Mich Kabay
o ``Software explosion rattles car makers''
Daniel P. B. Smith
o No power ==> no-see windows
Mich Kabay
o Lawyers eager for millennium cases
stayton
o More risks in the supermarket; polymorphic buttons
Dan Ruderman
o ATM Fraud in Israel - The Polish Gang
Jonathan Rosenne
o IRS to send tax information to mortgage brokers by e-mail!
Erann Gat
o Tracking Smart Cash
Edupage
o Office 97, VBA 5.0, and macro viruses
Rob Slade
o Re: Aeroperu
Peter G. Neumann
o Re: Tote Board Crash at Breeder's Cup
Ben Morphett
o Fault-induced crypto attacks and the RISKS of press releases
Paul C. Kocher
o Re: A new attack on DES
Vadim Antonov
o Unintentional Accesses
John R. LoVerso
o Accidental Shootdown of the F-15, once again
Chiaki Ishikawa
o -32768, hopefully for the last time
Kurt Fredriksson
o Info on RISKS (comp.risks)

Cutting off husband's cybersex leads to assault

Mich Kabay <75300.3232@CompuServe.COM>
01 Nov 96 16:04:02 EST
Here's yet another RISK, from erasing programs:

Marion Walton, an Arkansas man, was discovered having a cybersex affair with
a Canadian woman.  In response, his wife Pat apparently erased his mail
program.  In retaliation, he apparently beat her, twice.  ``Police are
suggesting she file charges.''  [Source: Man beats wife after she pulls plug
on cybersex, Reuters World Report, datelined Little Rock, 31 Oct 1996, via
CompuServe's Executive News Service, PGN Abstracting.]

  [Perhaps her husband will have to use his credit card to charge files --
  that is, the kind that can be used to file down the iron bars?  PGN]


``Software explosion rattles car makers''

"Daniel P. B. Smith" <dpbsmith@world.std.com>
Tue, 5 Nov 1996 09:29:45 -0500 (EST)
Automakers [are facing] runaway growth in the lines of code their engineers
must write and manage as microprocessors take over automotive functions...
``Software is where the problem is today,'' said William Powers, VP of
research at Ford.  ``Today, if you change a line of code, you're looking at
the potential for some major problems.  Hardware is very predictable, very
repeatable.  Software is in much more of a transient state.''  The volume of
code is exploding as processors proliferate behind the dashboard and under
the hood.  The typical auto has 10 to 15 processors; high-end cars can have
as many as 80 ... ``An engine controller can have 100,000 lines of code''
[according to a Bosch VP].  [``Software explosion rattles car makers'',
*Electronic Engineering Times*, 28 Oct 1996, front page.]

Daniel P. B. Smith  dpbsmith@world.std.com

 [Auto-mation has certainly arrived.  PGN]


No power ==> no-see windows

Mich Kabay <75300.3232@CompuServe.COM>
04 Nov 96 17:01:04 EST
Here's a tidbit from the ever-interesting INNOVATION 96.11.04 (editors John
Gehl & Suzanne Douglas <gehl@newsscan.com>, <douglas@newsscan.com> [the
folks who bring you Edupage]):

  Electric Shade

  Researchers at Vrije University in the Netherlands have developed a
  light-blocking window film that can be adjusted by turning a switch.  The
  film uses yttrium hydride, a metallic compound, which can block the sun
  completely, partially, or can be made transparent by using a small battery
  to alter the voltage passing across the film.  The higher the voltage, the
  more hydrogen atoms, which causes the film to change from a metal to a
  semiconductor.  The result is a clear window.  Scientists plan to use the
  new product in automobiles, sunglasses, houses and other applications.
  (*Popular Science*, Nov 1996, p31)

Great, eh?  One needs a voltage in order to have a clear window.  Lose power
in your automobile and you lose visibility through your window.  Let's hope
they build in appropriate fail-safes in automotive applications....

M. E. Kabay, Ph.D. / Director of Education, NCSA (Carlisle, PA)

    [Now you can have an yttrium atrium.  If solar powered, it
    could blacken out on dark days when you need the light most.
    The next step might be pay-per-view windows?  PGN]


Lawyers eager for millennium cases

<stayton@ibm.net>
Mon, 04 Nov 96 20:37:33 -0500
  Lawyers eager for millennium cases: The year 2000 glitch that
  may trip up computer calendars could bring a slew of lawsuits,
    by Christian Plumb, Bloomberg Business News,
    *News & Observer*, Raleigh, NC, Sunday, 3 Nov 1996, page 5F

  "It's just a gold mine", "It's like a law-school case of tort issues".
  Charles R. Merrill, of McCarter & English, Newark, NJ.

Perhaps IT managers will take better notice of the year 2000 problem --
if lawyers start getting on their case.

  [The thought of lots of these little cases filled with
  surprises suggests tortellini, he said, saucily.  PGN]


More risks in the supermarket; polymorphic buttons

Dan Ruderman <dlr@quake.usc.edu>
Fri, 01 Nov 1996 15:46:48 -0800
I was shopping for our Halloween party the other day, picking out all sorts
of pricey nibbles and alcohol for our guests.  At our local Vons (one of So.
Cal's biggest supermarket chains) checkout is generally fast and
straightforward, and I do not out of habit bother to check my receipt.  But
this time the price just seemed too high (perhaps I should just un-refine my
tastes?)...

A quick glance revealed an obvious suspect: the same entry for a bottle of
wine, printed and charged twice.  The apologizing checker handed me the
correct refund, and I asked how this could happen.  Apparently the first
time you swipe alcohol through for the customer you are supposed to press a
button which confirms their legal age status.  But from that point on the
very same button means "buying two of those".  In my case, the checker
simply forgot that she had run a six pack through already by the time the
wine came, and so she "confirmed my age" twice.  I do not know how
widespread this particular system is, but if it is in all Vons stores, then
it's plenty wide enough to be a potential problem.  She noted and corrected
the mistake so quickly that I suspect this circumstance is anything but
rare.

RISKS readers are well aware of the danger associated with giving a single
control two widely different meanings.  If any job leaves a worker
especially prone to forgetfulness (just through the sheer repetitiveness of
the work), it's being a grocery store clerk.  Two lessons: 1) check those
receipts, and 2) keep all your liquor purchases together; that way the
checker is less likely to forget.

Dan Ruderman


ATM Fraud in Israel - The Polish Gang

Jonathan Rosenne <rosenne@NetVision.net.il>
Sat, 02 Nov 1996 17:05:24 +0200
Yediot Aharonot, October 23, 1996

A judge in Tel Aviv has ordered the remand in custody of two additional
suspects in a major ATM fraud case, who will join five businessmen from
Poland.  The gang are suspected of having prepared thousands of counterfeit
ATM cards.  The police claim they had purchased tens of thousands of blank
plastic cards in Greece, on which they recorded the magnetic stripe, and on
each there was a sticker with the PIN.  An Israeli computer expert, Daniel
Cohen of Ramat Gan, also in custody, obtained the codes and manufactured the
cards.  The Polish businessmen financed the operation, and planned to bring
foreign workers from Poland to use the cards to withdraw money from ATMs.
The police have photographs of suspects standing next to ATMs holding
quantities of forged cards.  They had used them to withdraw 1,500 Israeli
Sheqels (500 US Dollars) each, to a total of IS 600,000 (US$200,000).

Jonathan Rosenne, JR Consulting, PO Box 33641, Tel Aviv, Israel +972 50 246 522
http://ourworld.compuserve.com/homepages/Jonathan_Rosenne/


IRS to send tax information to mortgage brokers by e-mail!

Erann Gat <gat@aig.jpl.nasa.gov>
Sun, 3 Nov 1996 10:23:09 -0800 (PST)
  A prototype e-mail program linking IRS tax databases with participating
  mortgage lenders is scheduled to get underway in the next few months in
  California, run by the Fresno IRS office.  Under the prototype program,
  lenders will e-mail authorizations by home-loan applicants to the IRS,
  allowing the agency to quickly e-mail tax data -- typically the applicants'
  adjusted gross income for one or more years -- back to the lender.
  [*LA Times*, 3 Nov 1996, Business section first page]

The article goes on to say that this information will be used both to verify
the information on the loan application, and to trigger IRS audits in cases
where the income reported on loan applications is more than what was
reported on tax returns.

There is no mention in the article about what if any measures are being
taken to ensure that this sensitive data is protected and authenticated.
Given the ease and regularity with which e-mail is misdirected, intercepted,
and forged, and the power that the IRS has to completely screw up your life,
I'd say this is the scariest thing I've seen in a long time (and as recent
readers of RISKS can attest, that is saying something).

Erann Gat         gat@jpl.nasa.gov       gat@power.net


Tracking Smart Cash (Edupage, 3 November 1996)

Edupage Editors <educom@elanor.oit.unc.edu>
Sun, 3 Nov 1996 15:41:37 -0500 (EST)
A senior Justice Department official has urged makers of smart cards to
include a mechanism for tracking transactions over a certain dollar amount.
Assistant Attorney General Robert Litt also called for "sensible limits" on
how much value can be stored or transferred on a single card or PC.  The
government hopes it can work with industry without stifling smart card
development, and without compromising individual rights.  "We don't want to
dictate how these features are designed, but there are certain reasonable
parameters that industry should build into their systems," says Litt.  (BNA
Daily Report for Executives 29 Oct 96 A24)


Office 97, VBA 5.0, and macro viruses

Rob Slade <roberts@mukluk.hq.decus.ca>
Thu, 31 Oct 1996 15:47:41 EST
Good news from those fun guys and gals at Microsoft!  According to an
article on page 19 of the October 1996 edition of Datamation, Office 97
will include VBA (Visual Basic for Applications) 5.0 as the scripting and
integration language for Access, Excel, PowerPoint, and Word.  Not only
that, but Microsoft has followed up on its promise to license VBA to other
vendors: upcoming releases of Visio (Visio), Chameleon (NetManage),
Photoshop (Adobe), and even AutoCAD (Autodesk) will use VBA 5.0.

To date, with the possible (though unlikely) exception of the recent Excel
macro virus, successful macro viruses in the wild have been confined to
Visual Basic for Word.  The report has no details regarding the level of
"backward compatibility" of VBA 5.0 with VBW, so I don't know yet whether
Concept and its ilk will continue to propagate on through Office 97 and
other VBA 5 compliant applications.  Even if they require patching, the new
VBA 5 viruses will have a much greater platform base, and therefore faster
creation and wider spread.

Office 97 shipments will begin to selected customers in December, with boxes
due on retail shelves in late January of 1997.

roberts@decus.ca         rslade@vcn.bc.ca         slade@freenet.victoria.bc.ca
link to virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html


Re: Aeroperu crash (Ladkin, RISKS-18.51)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 5 Nov 96 8:31:05 PST
A possible cause of the Aeroperu crash is mentioned in the media this
morning.  Crash investigators are considering whether some of the plane's
sensor ports (``static ports'') might have been left with protective duct
tape covering them when the plane took off.  (*San Francisco Chronicle*,
CNN, etc.)  It is apparently normal maintenance procedure to cover the ports
(marking them with bright "Remove Before Flight" markers), to prevent them
from getting clogged.  [Indeed, it might seem surprising that forgetting to
remove the covers does not happen more often.]


Re: Tote Board Crash at Breeder's Cup (Harminc, RISKS-18.56)

Ben Morphett <ben@jna.com.au>
Tue, 5 Nov 1996 16:16:40 +1100 (EST)
> Hmmm... $35,000.  Do you suppose a bet of oh, say $32,767 might have
> worked?

I'm tired of dumb bugs like this tripping us up.

To my mind they are as silly as bugs which arise in programmes because of
fixed length strings, such as the famous one in sendmail where it didn't
check the size of a string it was strcpy'ing into a fixed length buffer.
(Internet worm bug - brought down 10% of the Internet.)

Fixed length integers have the same kind of problems.  If they are limited
to 2 bytes or 4 bytes at compilation time (either because the author
"knows" that there will never be the need for them to be any bigger, and
then the programme is used by someone else, or more usually, the author
didn't think about it at all), then all someone needs to do is enter
5000000000 at the prompt, and it will behave much more stupidly than if you
try a number in the range that the programme is expecting.

What I'd like is compiler support for integers, not a subset of them, in
much the same way that you get compiler support for strings, not just
strings of a fixed length.

Presumably it would malloc some space, and might have to do arithmetic in
more than one machine instruction, and yes, this would be much slower than
having a fixed 4 bytes sitting there.  But often I don't care if programmes
are slow, just as long as they are correct.

Ben Morphett  ben@jna.com.au  (02) 9935 5746  International: +612 9935 5746


Fault-induced crypto attacks and the RISKS of press releases

"Paul C. Kocher" <pck@best.com>
Fri, 1 Nov 1996 05:59:54 -0800
I've been watching the recent announcements about fault-induced
cryptanalysis with interest [e.g., RISKS-18.50,52,54,55,56].  Whereas the
attacks are extremely powerful tools, they aren't at all new to the crypto
community -- there has been widespread discussion for years about these,
they've been implemented by criminals and security system evaluators, and
they are reasonably well documented.

For example, NIST specifically discusses such attacks and the need to prevent
them.  FIPS PUB 74-1 (see http://csrc.nist.gov/fips), "Guidelines for
Implementing and Using the NBS Data Encryption Standard," was published way
back in 1981 and says in section 5.2.2 on Error Handling:

>       Errors associated with the primary encryption device should be
> detected and handled by the secondary device. Physical tampering detectors
> (vibration or intrusion sensors) may be used to detect physical tampering
> or unauthorized access to the encryption unit. Sensors which detect
> abnormal changes in the electrical power or the temperature may be used to
> monitor physical environment changes which could cause a security problem.
> However, the major requirement for error detection or correction involves
> the application itself. The type of error control utilized will depend on
> the sensitivity of the data and the application. The method selected may
> range from no error handling capability for some systems to full redundancy
> of encryption devices in other systems. Errors may be ignored when detected
> or the entire system may be immediately shutdown.  Errors which could
> compromise the plaintext or key should never be ignored.

Anyone interested in issues relating to secure hardware design should also
study FIPS 140-1, "Security Requirements for Cryptographic Modules."  It's
the best public document I know of for anyone designing tamper resistant
hardware and does a great job of covering the basics and also describes
measures to prevent these attacks, suggests using "two independent
cryptographic algorithm implementations whose output are continually
compared in order to ensure the correct functioning of the cryptographic
algorithm," etc.  In general, these attacks are fairly straightforward to
implement once the appropriate errors are available.

In addition to published sources, I've had many discussions with other
cryptographers about error attacks and other hardware issues.  (Ross Anderson
in particular is extremely knowledgeable about hardware attacks and has done
much to raise awareness about them.  [See RISKS-18.52]) It's also important
to note that there are quite a few other attacks which haven't been
published but which are widely known to the community.  (For example, I've
discussed widely my work on using timing attack math to analyze power
consumption, use of error analysis to reverse-engineer secret algorithms,
implementations of attacks using software pointer errors to damage secret
keys and encryption function tables, etc.)

With the timing attack I was alarmed by the amount of confusion and
misinterpretation that followed my initial release of the paper (though I
didn't send out any press releases or contact any reporters), even though
it had been reviewed by many cryptographers prior to its release and was
available online.  I haven't seen the actual Bellcore paper yet and don't
know whether it was reviewed before they sent press releases to the media,
but in general I worry about the consequences of the public trying to
evaluate the importance, novelty, and quality of unreviewed work.

Paul Kocher  pck@cryptography.com (or http://www.cryptography.com)


Re: A new attack on DES (Lauck, RISKS-18.54)

Vadim Antonov <avg@pluris.com>
Fri, 1 Nov 1996 15:07:24 -0800
I would venture to guess that a simple replication of the encryption
circuitry, combined with a circuit that would suppress output if results are
different would make the box fairly resistant against DFA.

That can be improved further if several substantially different
implementations are used, so that identical environmental factors will not
cause identical failures.  The added benefit is better resistance against
current-draw and timing attacks.

: It seems reasonable that NSA knew of Differential Fault Analysis in the
: 1970's.

The idea to break the "black box" to learn something about it is certainly
not new.  In fact, this is one of the most powerful tools in neuroscience
and psychology (applying chemicals or current and watching the results,
or investigating injuries to different parts of brain).  However, there's
a long way from the idea to the practical application.

--vadim

  [A similar replication notion was also suggested by
    Laurentiu Badea <bytemare@lmn.pub.ro>.]
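The attack class both Kocher and Antonov are discussing, together with the two countermeasures mentioned in this thread (suppress output when two independent computations disagree; and FIPS 74-1's rule that errors which could compromise the key are never ignored), as an added example that is not code from either post or from any paper they cite.  It uses RSA signing with the Chinese Remainder Theorem, a well-known instance of fault-induced cryptanalysis in which a single glitched half-computation lets the attacker factor the modulus from one bad signature.  The demo primes, exponent and message are small constructed values chosen so the script runs instantly offline, and the "fault" is a one-bit flip injected in software to stand in for a voltage, clock or thermal glitch; all of those are assumptions of this example, not facts from the digest.

```python
"""Fault attack on RSA-CRT signing, and the redundancy guards that stop it.

Added illustration for this RISKS thread; not code from any post.  Key
parameters are tiny demo values (assumption) so the script runs instantly.
"""
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; adequate for the million-range demo primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n (derived at runtime)."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


# Demo key: deliberately tiny so the attack is visible; real keys are 2048+ bits.
P = next_prime(1_000_000)
Q = next_prime(P)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # raises ValueError if E is not invertible
Q_INV = pow(Q, -1, P)                      # Garner's recombination constant
MESSAGE = 0x12345678                       # constructed sample "hash" value, < N


def crt_sign(m: int, fault_q: bool = False) -> int:
    """RSA signature computed via CRT.  fault_q=True flips one bit of the
    mod-q half, modelling a glitch that hits only that computation."""
    s_p = pow(m, D % (P - 1), P)
    s_q = pow(m, D % (Q - 1), Q)
    if fault_q:
        s_q ^= 1                           # the injected error
    h = (Q_INV * (s_p - s_q)) % P
    return s_q + h * Q


def verify(sig: int, m: int) -> bool:
    """Public-key check of a signature against the message value."""
    return pow(sig, E, N) == m


def recover_factor(faulty_sig: int, m: int) -> int:
    """One faulty signature on a known message factors N: the signature is
    still correct mod p but wrong mod q, so sig^e - m is divisible by p only."""
    return gcd(pow(faulty_sig, E, N) - m, N)


def guarded_sign(m: int, fault_q: bool = False):
    """Countermeasures from the thread: (1) recompute by an independent,
    differently structured path (plain modexp, no CRT) and compare; (2) verify
    before release.  Any mismatch suppresses output rather than leaking it."""
    sig = crt_sign(m, fault_q)
    independent = pow(m, D, N)             # second implementation of the same function
    if sig != independent or not verify(sig, m):
        return None                        # never emit a faulty signature
    return sig


if __name__ == "__main__":
    good = crt_sign(MESSAGE)
    bad = crt_sign(MESSAGE, fault_q=True)
    print("good signature verifies:", verify(good, MESSAGE))
    print("faulty signature verifies:", verify(bad, MESSAGE))
    print("one faulty signature leaks p:", recover_factor(bad, MESSAGE) == P)
    print("guarded output under fault:", guarded_sign(MESSAGE, fault_q=True))
```

The verify-before-release step costs one public-exponent exponentiation, which is cheap next to the signing itself; the dual-path comparison is Antonov's suggestion and, because the two paths are structurally different, a single environmental disturbance is less likely to corrupt both identically.  Neither guard helps if the device emits the result before checking, which is exactly the behaviour FIPS 74-1 warns against.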


Unintentional Accesses (Re: Wanted Poster, Eckenwiler, RISKS-18.51)

"John R. LoVerso" <j.loverso@opengroup.org>
Fri, 11 Oct 1996 15:10:47 -0400 (EDT)
In RISKS-18.51, Mark Eckenwiler wrote:
> Of course, the FBI has had the Ten Most Wanted up in a web page here
> in the US for some time; see http://www.fbi.gov/mostwant/tenlist.htm

My favorite thing to do when handed such a URL is to strip off the filename
and try to access the directory.  The URL http://www.fbi.gov/mostwant/
brings up a conveniently hyper-linked listing of all the contents of that
directory.  This is usually not what the creator of those web pages
intended.  Sometimes there are additional documents or images that you
wouldn't otherwise be able to find, because they are not referenced from any
of the links in an advertised URL.

Using the terms "filename" and "directory" in the previous paragraph is
old-style web talk.  New-speak suggests the terms "trailing path component"
and "containing object", respectively.  This is to emphasize that "web
space" doesn't necessarily map into files and directories, but can be
ephemeral data.

Unfortunately, the use of abstract terminology combined with the default
settings on web servers tend to confuse the neophyte "web designer".  Their
lack of understanding leads them to create collections of pages in which
there are files that they *think* are hidden from view.

In the FBI example, everything in the directory listing was referenced from
a link on the original URL.  Many times this is not the case.  Another example
comes from a company that hired an outside `expert' to create a survey for
people visiting their web site to fill out.  The survey was made accessible
at a URL ending in ".../survey/surveyform.htm".  Trying a URL with just the
ending directory component (".../survey/") brought up a surprise.  Not only
did it give a directory listing showing the files making up the survey, but
it also included a file holding the results posted to the survey form!
Very interesting reading, especially for their competitors!

Not all web servers will automatically convert directory accesses into fancy
indices this way.  Most have this as an option.  Usually an index is created
only when there is no manually created index file (commonly called
"index.html").  In fact, had the files "topten.htm" or "surveyform.htm" in
these examples been called "index.html", then not only would the URLs have
been shorter, but a directory listing would have been made unobtainable.

Hence, the solution is a combination of: avoid letting neophytes create your
web pages, fix your server, and know what you are doing before you release
it to the world.  Of course, there is far too much momentum on the WWW for
any of these to come into play these days.

As a parting thought, I wonder if any of the common web search engines strip
off trailing path components when indexing sites.  Normally a spider will
work by collecting the graph of pages available by walking the "advertised"
pages (which, in my own work, is called a "weblet").  By trying a path
stripping approach, they might end up with a slightly "richer" index.

John R. LoVerso, Open Group Research Institute
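The path-stripping probe LoVerso describes, and the check that tells a server-generated listing apart from an author-written index page, as an added example that is not his code.  Network access is passed in as a callable so the script runs offline against constructed responses for a made-up host (www.example.com, the `/survey/` path and the file names are assumptions modelled on the post); swapping in a fetcher built on `urllib.request.urlopen` points it at a real site.  The listing fingerprints (an "Index of /" title and a "Parent Directory" link) match the indices NCSA- and Apache-style servers generate.

```python
"""Path-stripping audit for unintended directory listings.

Added illustration for LoVerso's post, not his code.  The fetcher is
injected so the demo below runs offline against constructed responses.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Fingerprints of the auto-generated indices NCSA/Apache-style servers emit.
_INDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
_PARENT_LINK = re.compile(r">\s*Parent Directory\s*<", re.IGNORECASE)


def ancestor_dirs(url: str):
    """Yield each containing 'directory' URL from the deepest outwards:
    .../survey/surveyform.htm -> .../survey/ -> .../"""
    parts = urlsplit(url)
    segments = parts.path.split("/")[:-1]          # drop the trailing path component
    while segments:
        path = "/".join(segments) + "/"
        yield urlunsplit((parts.scheme, parts.netloc, path, "", ""))
        segments.pop()


def looks_like_autoindex(body: str) -> bool:
    """True when the body resembles a server-generated listing rather than
    a page the site author wrote."""
    return bool(_INDEX_TITLE.search(body) or _PARENT_LINK.search(body))


def audit(url: str, fetch):
    """Return the ancestor URLs that expose a listing.  fetch(url) must
    return (status, body); a 403, a 404 or a real index page passes."""
    exposed = []
    for candidate in ancestor_dirs(url):
        status, body = fetch(candidate)
        if status == 200 and looks_like_autoindex(body):
            exposed.append(candidate)
    return exposed


# --- constructed responses standing in for a live server (assumption) -----
LISTING = """<html><head><title>Index of /survey</title></head><body>
<h1>Index of /survey</h1><pre><a href="/">Parent Directory</a>
<a href="surveyform.htm">surveyform.htm</a>
<a href="results.txt">results.txt</a></pre></body></html>"""
HOMEPAGE = "<html><head><title>Example Co</title></head><body>Welcome</body></html>"

FAKE_SITE = {
    "http://www.example.com/survey/": (200, LISTING),
    "http://www.example.com/": (200, HOMEPAGE),    # author-written index page
}


def fake_fetch(url):
    """Stand-in for a network fetcher; unknown URLs get a 404."""
    return FAKE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    for hit in audit("http://www.example.com/survey/surveyform.htm", fake_fetch):
        print("listing exposed at", hit)
```

Two practitioner caveats.  On Apache the listing is switched off with `Options -Indexes` in the relevant `<Directory>` block, after which the directory URL returns 403, which is the healthy result for this probe.  Dropping an `index.html` into the directory, the fix the post mentions, hides the listing but not the files: a results file is still fetchable by anyone who knows or guesses its name, so data the form writes belongs outside the document tree altogether.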


Accidental Shootdown of the F-15, once again

Chiaki Ishikawa <ishikawa@personal-media.co.jp>
Fri, 1 Nov 1996 21:41:12 +0900 (JST)
Earlier [RISKS-18.18, 18.41], I reported on the accidental shootdown of a
Japanese air force F-15 plane by a sidewinder missile from another plane
during training and the subsequent handling of the case by the air force and
the prosecutor's office.

Now, the Japanese Air Force has taken the unusual step of adding a new
finding to its previous report, stating that the 30-year-old pilot in
question changed his testimony from the earlier "he had not touched the
safety mechanism" to "he may possibly have turned off the safety mechanism,
although he had no clear recollection of having done so".  (Translation mine.)

This additional finding to the accident investigation was reported in
at least one Japanese national newspaper (Asahi) and by a major news channel,
NHK, this morning.  According to the NHK news, such a change to a finding
issued by an investigation committee has been very rare in the defense community.

A little more detail.  After the case was sent to the local prosecutor's
office, the prosecutor's office decided that the pilot had cleared the safety
mechanism.  (I have absolutely no idea how the office reached this
conclusion.)  However, his case has not been sent to court.  The
prosecutor's office decided not to pursue the case there.  (I don't know the
English phrase for this, but the office seems to think the merit of doing so
is less than the hassle/time/money of pursuing the case in court and is not
worth the crime (? I am not sure if this is the right word here) committed.)

After the prosecutor's office concluded differently from the air force's own
investigation committee, the Japanese air force questioned the pilot again,
and his testimony changed as noted above.  Originally, the report had mentioned
a possible unknown hardware (electric circuit and such) malfunction.

So the cause finally seems to me to be human error of a sort: the pilot
himself, and (my main contention) whoever organized the training, who ought
to have had the missiles removed in the first place, and maybe ordered the
placement of a little gadget (even a paper cup will do, as the previous
discussion showed) over the safety switch to avoid accidental touching.  I
wish the higher-ups were criticised more in the press, but not so far.

PS: I missed joining the discussion of publicly discussing the cause of an
(air) accident in an open forum, which took place after my previous post re
the prosecutor's office receiving the pilot's case.  The problem was that my
workstation was replaced and the printer hooked to it had to be
reconfigured.  I usually print the RISKS digest on paper and read it on the
commuter train.  Only recently did the printer come back online; I printed
the backlog issues on paper and followed the thread.  I can only observe the
following myself now.

 - Public scrutiny is not necessarily a bad thing while a formal
   investigation continues, provided that the
   information accessible to the chosen "experts" is also made available.
   Besides the chosen experts, there are equally qualified people elsewhere.

 - Of course, the information may not be released to the public due to
   legal and other reasons. This makes it very difficult to expect
   "intelligent" discussion from the public, I agree.

 - I noticed that the military wanted to make sure the career of the
   pilot is not unnecessarily destroyed. His name was only revealed
   after there was news that his case was now handled by the local
   prosecutor's office.

   Today's Asahi newspaper, and NHK news in the morning
   didn't mention the name. Maybe because the prosecutor's office
   decided not to pursue the case in court?

 - When I think about this, the public debate can ruin the career of
   possibly innocent people.  If the shoot-down of the F15 had
   really been due to flaky hardware, the pilot would have been
   in a really uncomfortable position, having to convince others that it was
   the fault of hardware produced by contractors with billion-dollar budgets.

   The recent plight of the security guard who found the bomb in Atlanta
   during the Olympic games comes to mind.

   So we must consider this human element when we discuss these
   things in an open forum, too.  Someone pointed this out to me and
   the point is well taken.

At the same time, not that I want to take sides in this discussion, but
please bear in mind that all the pieces I reported have already been
reported in Japanese mass media such as national newspapers (each has a
circulation of a few million, I think) and national TV.  (PGN kindly noted
this.)  So, by the time you read about the topic, at least a few million
Japanese readers must have seen it already.

Anyway, just wanted to let you know what is going on in Japan.

Chiaki Ishikawa  Personal Media Corp.  Shinagawa, Tokyo, Japan 142
ishikawa@personal-media.co.jp


-32768, hopefully for the last time (Re: Brader, RISKS-18.55)

Kurt Fredriksson <etxkfrn@aom.ericsson.se>
Thu, 31 Oct 96 13:00:46 +0100
I read Mark Brader's contribution (18.55) and was a bit lost.  I can well
understand that badly designed compilers can cause problems, but what
puzzles me is that this discussion misses the fundamental background with
2's-complement representations: with 16 bits, -32768 is the smallest value
that can be represented, and 32767 is the largest value that can be
represented.  What more is there to say?

Kurt Fredriksson, Moelndal

  [Last time in RISKS?  That would be a first time!  The saga continues.  PGN]
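The arithmetic behind both the tote-board thread (Morphett, above) and the -32768 thread, as an added example that is not code from any post.  It shows what a 16-bit two's-complement register actually holds when a $35,000 bet is added to a running total, the one value in that range that cannot be negated, and the two alternatives the thread asks for: refuse a value that does not fit, or use an integer type that is not fixed-width (Python's built-in int is exactly the compiler-supported unbounded integer Morphett wished for).  The wagers are constructed; the 16-bit width and the $35,000 figure are the thread's own.

```python
"""16-bit two's-complement arithmetic beside checked and unbounded arithmetic.

Added illustration for the tote-board and -32768 threads; not code from any
post.  The bet amounts below are constructed sample data.
"""
INT16_MIN, INT16_MAX = -32768, 32767


def wrap16(x: int) -> int:
    """What a signed 16-bit register holds after an unchecked overflow."""
    return ((x + 32768) & 0xFFFF) - 32768


def fits16(x: int) -> bool:
    """True when x is representable as a signed 16-bit integer."""
    return INT16_MIN <= x <= INT16_MAX


def checked16(x: int) -> int:
    """What the programme should do instead of wrapping: refuse the value."""
    if not fits16(x):
        raise OverflowError(f"{x} does not fit in a signed 16-bit integer")
    return x


def tote_total(bets, policy):
    """Sum wagers under an arithmetic policy: wrap16 (the bug), checked16
    (fail loudly), or the identity (Python's unbounded int, no limit at all)."""
    total = 0
    for bet in bets:
        total = policy(total + bet)
    return total


# Constructed wagers; the second is the thread's $35,000 bet.
BETS = [32767, 35000]

if __name__ == "__main__":
    print("wrapped   :", tote_total(BETS, wrap16))          # silently wrong
    print("unbounded :", tote_total(BETS, lambda v: v))     # correct
    try:
        tote_total(BETS, checked16)
    except OverflowError as err:
        print("checked   :", err)                           # loud, not wrong
    # The one 16-bit value with no negation: -(-32768) wraps back to itself.
    print("negate min:", wrap16(-INT16_MIN))
```

The wrapped total is not merely too small; it is a plausible-looking positive number, which is why such failures surface as a confusing display rather than a crash.  The checked policy turns the same input into an immediate, attributable error, which is the property one wants from a system handling money.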
