The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 64

Monday 2 December 1996

Contents

o Amtrak ticket system breaks down
PGN
o Bell Atlantic/Northern Telecom upgrade failure
Christopher Palermo
o Shetland Islands newspaper hyperlink controversy
Lance Hoffman
o RISKS of misidentified versions
John Pelan
o Risks not limited to technology
Rich Mintz
o Czech hackers allegedly rob banks
Mich Kabay
o Data diddling in cockroach races
David Kennedy
o Scary spelling correction
Geoff Kuenning
o Web-based auto update of Microsoft's Java support
Tim Panton
o E-mail solicitation on the rise
Scott C. Savett
o ATMs zapped
Bruce Wampler
o Radiation and crypto
Jean-Jacques Quisquater
o Re: Smart cards and radiation
Jean-Jacques Quisquater
o Workshop on Human Error and Systems Development
Nancy Leveson
o Info on RISKS (comp.risks)

Amtrak ticket system breaks down

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 1 Dec 96 20:04:04 PST
On Friday, 29 Nov 1996, Amtrak's nationwide reservation and ticketing system
bellied up during what is usually the heaviest travel weekend of the year.
The outage caused enormous confusion and delays, because agents typically
had no printed schedules and fare tables.  [Source: An item from *The New
York Times* in the *San Francisco Chronicle*, 30 Nov 1996, A6.]


Bell Atlantic/Northern Telecom upgrade failure

Christopher Palermo <cpalermo@next.com>
26 Nov 1996 21:09:34 GMT
Bell Atlantic Customers Put on Hold by Directory Assistance
[Source not specified, 26 Nov 1996.  PGN Abstracting.]

Hundreds of thousands of would-be telephone callers in nine states from NJ
to WV could not get prompt directory assistance from Bell Atlantic on 25 Nov
1996, because of flaws in new database software installed by Northern
Telecom that affected the entire customer area.  The problems affected all
of the about two dozen directory-assistance centers throughout the day,
until the old version could be resuscitated.  Operators were noting requests
and calling customers back when assistance could be attained (with delays
typically from three minutes to half an hour).  Northern Telecom said that
the new upgrade was intended to correct some minor errors in the earlier
version, and had previously been used without incident by at least two other
large telcos.  Blame was allocated to a technician who had installed the
software.  This was reportedly one of the biggest outages of this kind ever.


Shetland Islands newspaper hyperlink controversy

hoffman <hoffman@seas.gwu.edu>
Sat, 30 Nov 96 08:43:11 -800
The Shetland Islands have a 124-year-old print weekly (*Shetland Times*) and
a 1-year-old online daily (*Shetland News*).  The *News* includes titles of
*Times* articles as hypertext links to the *Times*.  Robert Wishart, the
*Times* managing director (who once fired his former editor, Jonathan Wills,
who is now the *News* publisher), has demanded that the links be removed;
Wills has refused, although he did add asterisked footnotes.  Wishart then
invoked Scotland's Court of Session, which issued an interim interdict
against the hyperlinks.  A full hearing is pending.  If the interim
judgement is upheld, this is seemingly a landmark case in Scotland and
potentially the UK, including issues such as the differences between a web
site and a cable TV service, and whether newspaper headlines constitute
copyrightable literary works.  [Source: Scottish Case Tests `Right to Link',
By Pamela Mendels, *The New York Times* CyberTimes, 30 Nov 1996.  PGN
Abstracting] <http://www.nytimes.com/library/cyber/week/1130shetland.html>

  [So, perhaps the *Times* really wants the *News* to stop a little horsing
  around, and pony up?  But the ponies are so small there.  PGN]


RISKS of misidentified versions

John Pelan <johnp@am.qub.ac.uk>
Wed, 27 Nov 1996 00:33:32 +0000 (GMT)
A recent security announcement was made to the 'linux-alert' security list
describing how the 'lpr' utility suffers from the (now infamous) buffer
overrun problem.  This could be exploited as a security vulnerability in
the case where it has the suid bit set.

It wasn't until after this first announcement that it was realised that
various Linux distributions have different ideas about the version number of
the *same* lpr source. Of course, this could cause much confusion and
prompted a follow-up message drawing people's attention to this somewhat
annoying and misleading situation.

The RISKS are that, especially in the case of freely-redistributable
source, users may not know the 'true' version that they are running and
may be deluded into thinking that they have a 'fixed' or 'safe' version.
Of course, the program *could* differ in all but name but in any case
some co-ordination, clarity and careful thought should be exercised by all.
A case for truth in advertising?

John Pelan (J.Pelan@qub.ac.uk)


Risks not limited to technology

Rich Mintz <mintz@netresponse.com>
Tue, 26 Nov 1996 15:16:33 -0500
The following item from WhiteBoard News (posted without permission of
the author joeha@microsoft.com; for list info,
http://www.vantagepoint.com/ghayes/Lists/news.html) reminds us that
risks are possible in the case of any system that's relied upon,
whether or not that system is technological in nature:

== begin excerpt ==

Jackson, Tennessee: Cathy Mullikin's bird is cooked, and her calendar is
toast.  Mullikin had her Thanksgiving turkey dinner already cooked on
Thursday [Nov. 21], "and my friends and family are coming on the 28th and
they're going to think I'm a kook," she said.

She should never have believed that free calendar.  Jackson-Madison County
General Hospital gave out 40,000 of them last year and every last one said
Thanksgiving was on the 21st instead of the 28th. "I wouldn't have known it
was wrong except my niece called and asked what I was doing. When I told her
I was finishing up Thanksgiving dinner, she said 'A week in advance?'"
Mullikin told The Jackson Sun on Thursday.... "We've had a number of calls
from people who have seen the error and called it to our attention," [JMCG
Hospital] spokesman Ken Marston said.

  [Various power outages were reported on Thanksgiving Day, when it was
  stormy and windy in parts of the western U.S.  Many turkeys apparently
  were left partly cooked during the outages.  PGN]


Czech hackers allegedly rob banks

Mich Kabay <75300.3232@CompuServe.COM>
27 Nov 96 16:08:25 EST
From "Central & East European Secure Systems Strategies (CEESSS)" with
permission of the copyright holder:

    Secret incidents of hackers' attacks upon Czech banks
    and release of Czech citizens' personal information
    by Steven Slatem <sslatem@intellitech.cz>
    Copyright (c) 1996 IntelliTech

    Hackers stole 50 million Kc ($1.9 million) during
    attacks upon unnamed Czech banks and, in another
    incident, obtained and posted to BBSs a file of Czech
    citizens' personal information, we learned in an
    interview at INVEX (Brno, 22 -- 26. October) with Jiri
    Mrnustik, CEO of the Brno-based anti-virus and
    encryption software developer AEC s.r.o.//
    (ss961112-002) (630 words) (STS)

Central & East European Secure Systems Strategies (CEESSS) is delivered via
e-mail and the Web.  See http://www.intellitech.cz/ceesss/ for details.

[To preempt our esteemed moderator, I will immediately warn readers that
the facts will have to be Czeched before giving credence to this report.]

M. E. Kabay, Ph.D. / Director of Education
National Computer Security Association (NCSA)/ http://www.ncsa.com


Data diddling in cockroach races

David Kennedy <76702.3557@CompuServe.COM>
25 Nov 96 23:51:06 EST
Criminal group made money by manipulating ...
COMTEX Newswire  25 Nov 1996

SARATOV, November 25 (Itar-Tass) -- A well-organised criminal group that
made more than 800 million roubles every month by manipulating computer
files in gambling has been exposed by police in the Saratov region, the
middle Volga.  A source in the regional directorate in charge of fighting
organised crime told Itar-Tass that computer-aided swindling was exposed by
police for the first time in Russia, although crimes of this sort have been
reported in many regions of Russia.  The source described the technology of
fraud: the operator used a false file to influence the outcome of the
"cockroach races" in a way that ensured that the victory was won by the
cockroach chosen by the operator.  [Or perhaps the file was altered to
select the designated "winner"?  PGN]

The experience accumulated in the process reportedly will enable the law
enforcers in other regions of Russia to take into account computer swindlers
who have escaped responsibility until now.  (The net take was about US$5,500
daily.)

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.


Scary spelling correction

Geoff Kuenning <geoff@ficus.cs.ucla.edu>
Wed, 27 Nov 1996 10:55:20 -0800
Here's a verbatim quote from the Orchestra List, which is occupied by
musicians and conductors.  Apparently spelling correctors are getting
RISKier all the time.  Note that this was *automatic* spelling correction,
so apparently the user didn't even get a chance to override the incorrect
decision.

> Subject: Parts are a MESS
...
> >Here's a warning on the E.C. Scarier parts to the Mozart Vespers, K. 321.
> In
>
> Well, I typed E.C. S-c-h-i-r-m-e-r. I must figure out how to disable my
> automatic spell correcting program so it doesn't do this to me again. But
> then again, given the condition of the parts, maybe scarier is the better
> term anyway.

    Geoff Kuenning  g.kuenning@ieee.org geoff@ITcorp.com
    http://fmg-www.cs.ucla.edu/geoff/

  [But a MASS is a MESS(E) (in German, French) is AMISS (from Latin, MISSA).
  You'll have to vesper more softly ven you perform.  PGN]


Web-based auto update of Microsoft's Java support

Tim Panton <tpanton@ibm.net>
Wed, 27 Nov 1996 11:18:20 +0100
  [Here is a frightening snippet from Microsoft's website.  I'm not sure I
  understand the full implications of it, but I don't doubt that there are
  risks involved.]

http://www.microsoft.com/java/sdk/getstart/javac007.htm :

Updating the Java Support on a User's Machine

If you are placing an applet that uses COM on an HTML page accessible from
the Internet, you must ensure that any users who encounter that page have a
version of the Java Support for Internet Explorer that fully supports
Java/COM integration.

To do this, you must insert the following tag on the HTML page
containing your applet (or on the introductory page of your Web site):

<OBJECT
CLASSID="clsid:08B0E5C0-4FCB-11CF-AAA5-00401C608500"
CODEBASE="http://www.microsoft.com/java/IE30Java.cab#Version=1,0,0,1">
</OBJECT>

This tag causes the user's Internet Explorer to check the version of its
Java support. If the version installed on the user's machine is not
up-to-date, Internet Explorer downloads the latest version of Java support
from http://www.microsoft.com and updates the user's machine.

 - - - -

The potential risks are endless. Say I know of a security hole in a
specific version of IE, I can automatically get visitors to
my website to install it, then attack them through the hole.
Some questions:
Does it ask the user first?
Can I force a 'down'grade, i.e., install an older version?
What happens if the user uses two sites that require different versions?
Is the code signing strong? (i.e., stronger than MS's CD keys?), can I
fake a CAB file?

Tim Panton, Westhawk Ltd, Frederik Hendriklaan 89, 2582BW Den Haag. The
Netherlands  tpanton@ibm.net   +31 6 5348 1795   http://www.westhawk.co.uk
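
The questions in the post above (consent, downgrade, conflicting versions, origin) can be read as a client-side policy. The following is an added example, not Microsoft's code and not a description of how Internet Explorer behaves: it parses the `#Version=a,b,c,d` fragment of the quoted tag and applies a hypothetical policy in which `TRUSTED_HOSTS`, `decide`, and the `offered` package version are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: origins this client accepts component updates from.
TRUSTED_HOSTS = {"www.microsoft.com"}
CODEBASE_RE = re.compile(r'CODEBASE\s*=\s*"([^"]+)"', re.IGNORECASE)

# The tag quoted in the post.
TAG = ('<OBJECT CLASSID="clsid:08B0E5C0-4FCB-11CF-AAA5-00401C608500" '
       'CODEBASE="http://www.microsoft.com/java/IE30Java.cab#Version=1,0,0,1">'
       '</OBJECT>')


def parse_codebase(tag):
    """Return (host, required_version) from an OBJECT tag's CODEBASE."""
    m = CODEBASE_RE.search(tag)
    if not m:
        raise ValueError("no CODEBASE attribute")
    url = urlsplit(m.group(1))
    key, _, value = url.fragment.partition("=")
    parts = value.split(",")
    if key.lower() != "version" or len(parts) != 4:
        raise ValueError("missing or malformed Version fragment")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("non-numeric version field")
    # Integer tuples compare field by field, so 1,0,0,10 > 1,0,0,9.
    return url.hostname, tuple(int(p) for p in parts)


def decide(tag, installed, offered, user_consented):
    """Hypothetical client policy; `offered` is the version the package declares."""
    try:
        host, required = parse_codebase(tag)
    except ValueError:
        return "refuse-malformed"
    if host not in TRUSTED_HOSTS:
        return "refuse-untrusted-origin"
    if installed >= required:
        return "no-action"            # the page's requirement is already met
    if offered <= installed:
        return "refuse-downgrade"     # package would not raise the version
    if not user_consented:
        return "ask-user"
    # The package's code signature must still be verified before installing.
    return "install-after-signature-check"
```

Two sites that require different versions are handled by the same comparison: the installed version only ever moves upward, and a site whose requirement is already met triggers nothing.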


E-mail solicitation on the rise

"Scott C. Savett" <ssavett@CLEMSON.EDU>
Fri, 29 Nov 1996 18:30:06 -0500
I'm sure we're all increasingly aware of annoying unsolicited commercial
e-mail messages forced into our electronic inboxes.  But is this just the
tip of the iceberg?

A mass mailing recently ended up in my e-mail, promising e-mail marketing to
100,000 or 1,000,000 people for $195 or $995 respectively.  Ominously, the
message did not have a valid "From:" address in the header, and was passed
through at least two servers before being distributed to an undisclosed list
of recipients.  Does a $100 InterNIC registration and $15/month ISP charge
now give anyone the ability to saturate the Internet community with
unsolicited e-mail?

Besides carefully screening incoming e-mail, what recourse does one have
against acts of e-mail terrorism?  With many SMTP e-mail servers readily
accepting mail from anonymous senders, how can we stop the constant stream
of unsolicited commercial e-mail being forced down our throats?  This trend
gravely concerns me, as it should concern us all!

Scott Savett, Graduate Student in Analytical Chemistry, Clemson University
Webmaster, National Collegiate EMS Foundation  http://www.ncemsf.org/


ATMs zapped

<wampler@cs.unm.edu>
Fri, 29 Nov 1996 14:24:33 -0700 (MST)
Last week I was unable to use my cash card to pay for my groceries at the
local grocery store because the system wasn't working. The November 28, 1996
business section of the Albuquerque Tribune explained why:

"ATMs zapped: First Security's Albuquerque-area automated teller machines
and electronic funds-transfer stations at Smith's Food & Drug Stores went on
the blink last weekend when a new cellular-telephone company started service
using a microwave frequency that bled over to First Security's ATM and EFT
frequency. Service disruptions forced Smith's to shun electronic purchases
Saturday through Monday. "We apologize to our customers who were
inconvenienced and are working hard to fix the problem, but the problem of
jammed frequencies is just going to get worse," said Paul Bouschelle,
executive vice president for First Security Bank of New Mexico."

Two obvious RISKs revealed by this incident:

1. The unintended and unexpected problems caused by bringing
   a new system on-line. For whatever reasons, this problem
   took the whole weekend to resolve.

2. This article also reveals that the ATMs and EFT terminals
   communicate over microwave frequencies, and are thus
   subject to being tapped or monitored, perhaps more easily
   than if they were connected via wire or telephone lines.
   I guess I've assumed that most of these terminals were
   handled via phone line, which seems inherently more
   secure than a radio link. This may not be true. I don't
   recall much discussion in this group of the risks of
   using radio links vs. wire for financial data transfer.

Bruce E. Wampler, Ph.D., Adjunct Professor, Department of Computer Science,
University of New Mexico wampler@cs.unm.edu http://www.cs.unm.edu/~wampler


Radiation and crypto

Jean-Jacques Quisquater <jjq@dice.ucl.ac.be>
Mon, 02 Dec 96 09:23:18 GMT
Your electronic wallet in the Van Allen radiation belt, or
Electronic commerce at RISK in space?

Jean-Jacques Quisquater
UCL Crypto Group - Microelectronics Lab
November 30, 1996

[Note: This short remark was intended as a contribution to the rump session
of EUROCRYPT '97 but the subject is too hot to wait.]

From end September until now many announcements were issued about the
so-called Bellcore attack against tamper-resistant chips (example: smartcard
or chipcard for electronic commerce). The attack is based on the
(theoretical) possibility of flipping some bits (at some random position) of
the secret key, stored in RAM or E2PROM, before or during the computations
done by the chip.  Another attack is to induce some decoding error during
the execution of one instruction (Anderson and Kuhn).

One crucial question is the effectiveness of such attacks by malicious
hackers.  In fact, this problem was very well studied in the contexts of
nuclear physics and of space applications (what about the behavior of
semiconductors in such hard environments?). In that area, there is the
concept of SEE (Single Event Effect) and it is what we are trying to study!
A SEE is an event induced by radiation, temperature, microwave, ..., having
some effect one time on a device.  There are many studies about that. What
we need to know are the SEEs
--- relatively well focused (one or few bits are flipped),
--- and/or at a given moment,
--- and/or for a very short time.

Here are some references to begin the study. The reference newsgroup is
sci.engr.semiconductors (others?).

- The NASA ASIC guide, published by JPL and NASA, Chapter 4, Design for
  radiation tolerance, 1993.

- Hardening integrated circuits against radiation effects, J.-P. Colinge
  and P. Francis, November 1996, Notes (66 pp.), Microelectronics Lab,
  UCL, Louvain-la-Neuve, Belgium (yes!, my lab),

- Single-Event-Effect mitigation from a system perspective, IEEE Trans. on
  Nuclear Science, vol. 43, April 1996, pp. 654-660.

- Laboratory tests for Single-Event Effects, IEEE Trans. on Nuclear Science,
  vol. 43, April 1996, pp. 678-686.

- Microbeam studies of Single-Event Effects, IEEE Trans. on Nuclear Science,
  vol. 43, April 1996, pp. 687-695.

- Soft errors susceptibility and immune structures in dynamic random access
  memories (DRAM's) investigated by nuclear microprobes, IEEE Trans. on
  Nuclear Science, vol. 43, April 1996, pp. 696-704.

- 32-bit processing unit for embedded space flight applications, IEEE Trans.
  on Nuclear Science, vol. 43, June 1996, pp. 873-878.

- Single Event Effect testing of the Intel 80386 family and the 80486
  microprocessor, IEEE Trans. on Nuclear Science, vol. 43, June 1996,
  pp. 879-885.

- Analysis of local and global transient effects in a CMOS SRAM,
  IEEE Trans. on Nuclear Science, vol. 43, June 1996, pp. 899-906.

- 1997 IEEE nuclear and space radiation effects conference, call for
  papers.

Jean-Jacques Quisquater, Universite catholique de Louvain, Place du Levant,
3, B-1348 Louvain-la-Neuve, Belgium tel 32.10.47.25.41 jjq@dice.ucl.ac.be


Re: Smart cards and radiation

Jean-Jacques Quisquater <Quisquater@dice.ucl.ac.be>
Mon, 2 Dec 1996 19:39:49 +0100 (MET)
A (corrected thanks to Arjen Lenstra) postscript version of

Attacks on systems using Chinese remaindering
by Marc Joye and Jean-Jacques Quisquater, Report CG-1996/9

is accessible at the following URL:

http://www.dice.ucl.ac.be/crypto/techreports.html


Workshop on Human Error and Systems Development

Nancy Leveson <leveson@cs.washington.edu>
Mon, 02 Dec 1996 02:33:56 PST
Workshop on Human Error and Systems Development
The Senate Room, University of Glasgow
20-22 March 1997
Co-chairs: Nancy Leveson and Chris Johnson
<http://www.dcs.gla.ac.uk/~johnson/HF_Engineering.html>

Recent accidents in a range of industries have increased concern over the
management and control of safety-critical systems.  Much recent attention
has focussed upon the role of human error both in the development and in the
operation of complex processes.  This workshop will, therefore, provide a
forum for practitioners and researchers to discuss leading edge techniques
that can be used to mitigate the impact of human error on safety-critical
systems.

Our intention is to focus the workshop upon techniques that can be easily
integrated into existing systems engineering practices.  With this in mind,
each day will have a different theme.  The session on Thursday 20th March
will focus on accident analysis and risk assessment techniques.  Friday,
21st will focus more narrowly upon interface and component design,
development, and testing.  We also encourage papers that cross these
boundaries.

Saturday 22nd March will provide the opportunity for informal discussion
about the issues raised during the workshop.  The day will be spent on the
Isle of Arran, off the west Coast of Scotland [not to be confused with
Aran].

Deadlines: Authors should submit extended abstracts to Chris Johnson, see
below, to arrive no later than January 17th, 1997.  [

                    
    
