The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 43

Weds 29 October 1997

Contents

o RC5-56 cracked
David McNett
o Stansfield Turner's new book includes near-war risk
PGN
o Stock market roller coasters
PGN
o Bug costs US$3.8 million
David Kennedy
o US DoD Break-in Statistic
David Kennedy
o Victim Ordered to Surrender Computer and Passwords
David Kennedy
o More on California's deadbeat dads' database
PGN
o More on Union Pacific congestion
PGN
o Security flaw in Rogers Cable's "Wave"
Hendrik
o Gerber net hoax
David Kennedy
o Smart VCRs & daylight savings time
Josef K
o Daylight savings brings down ATM network
Laszlo Herczeg
o Risks of daylight savings
Jim Griffith
o Windows 95 & daylight savings time
Dale K. Brearcliffe
o NT Screen Savers Considered Dangerous Also
Bill Elswick
o Re: Modern cars
Stefan Lindstrom
o RISKS predicted the San Francisco blackout!
Ken Hayman
o CFP Computer Security Foundations Workshop CSFW11
Simon Foley
o Info on RISKS (comp.risks)

RC5-56 cracked

David McNett <nugget@slacker.com>
Wed, 22 Oct 1997 16:14:40 -0500
  [via Dave Farber <farber@cis.upenn.edu>]

It is a great privilege and we are excited to announce that at 13:25 GMT on
19-Oct-1997, we found the correct solution for RSA Labs' RC5-32/12/7 56-bit
secret-key challenge.  Confirmed by RSA Labs, the key 0x532B744CC20999
presented us with the plaintext message for which we have been searching
these past 250 days.

The unknown message is: It's time to move to a longer key length

In undeniably the largest distributed-computing effort ever, the Bovine RC5
Cooperative (http://www.distributed.net/), under the leadership of
distributed.net, managed to evaluate 47% of the keyspace, or 34 quadrillion
keys, before finding the winning key.  At the close of this contest our 4000
active teams were processing over 7 billion keys each second at an aggregate
computing power equivalent to more than 26 thousand Pentium 200s or over 11
thousand PowerPC 604e/200s.  Over the course of the project, we received
block submissions from over 500 thousand unique IP addresses.

The winning key was found by Peter Stuer <peter@dinf.vub.ac.be> with an
Intel Pentium Pro 200 running Windows NT Workstation, working for the
STARLab Bovine Team coordinated by Jo Hermans <Jo.Hermans@vub.ac.be> and
centered in the Computer Science Department (DINF) of the Vrije Universiteit
(VUB) in Brussels, Belgium.  (http://dinf.vub.ac.be/bovine.html/).  Jo's
only comments were that "$1000 will buy a lot of beer" and that he wished
that the solution had been found by a Macintosh, the platform that
represented the largest portion of his team's cracking power.
Congratulations Peter and Jo!

Of the US$10000 prize from RSA Labs, they will receive US$1000 and plan to
host an unforgettable party in celebration of our collective victory.  If
you're anywhere near Brussels, you might want to find out when the party
will be held.  US$8000, of course, is being donated to Project Gutenberg
(http://www.promo.net/pg/) to assist them in their continuing efforts in
converting literature into electronic format for the public use.  The
remaining US$1000 is being retained by distributed.net to assist in funding
future projects.

Equally important are the thanks, accolades, and congratulations due
to all who participated and contributed to the Bovine RC5-56 Effort!
The thousands of teams and tens of thousands of individuals who have
diligently tested key after key are the reason we are so successful.

The thrill of finding the key more than compensates for the sleep,
food, and free time that we've sacrificed!

Special thanks go to all the coders and developers, especially Tim Charron,
who has graciously given his time and expertise since the earliest days of
the Bovine effort.  Thanks to all the coordinators and keyserver operators:
Chris Chiapusio, Paul Chvostek, Peter Denitto, Peter Doubt, Mishari Muqbil,
Steve Sether, and Chris Yarnell.  Thanks to Andrew Meggs, Roderick Mann, and
Kevyn Shortell for showing us the true power of the Macintosh and the
strength of its users.  We'd also like to thank Dave Avery for attempting to
bridge the gap between Bovine and the other RC5 efforts.

Once again, a heartfelt clap on the back goes out to all of us who have run
the client.  Celebrations are in order.  I'd like to invite any and all to
join us on the EFNet IRC network channel #rc5 for celebrations as we regroup
and set our sights on the next task.  Now that we've proven the limitations
of a 56-bit key length, let's go one further and demonstrate the power of
distributed computing!  We are, all of us, the future of computing.  Join
the excitement as the world is forced to take notice of the power we've
harnessed.

Moo and a good hearty laugh.

Adam L. Beberg - Client design and overall visionary
Jeff Lawson - keymaster/server network design and morale booster
David McNett - stats development and general busybody


Stansfield Turner's new book includes near-war risk

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 29 Oct 97 10:24:00 PST
In his book, ``Caging the Nuclear Genie'', Admiral Stansfield Turner,
describes an incident that occurred on 3 June 1980 when he was President
Carter's CIA director.  Colonel William Odom alerted Zbigniew Brzezinski at
2:26 a.m. that the warning system was predicting a 220-missile nuclear
attack on the U.S.  It was revised shortly thereafter to be an all-out
attack of 2200 missiles.  Just before Brzezinski was about to wake up the
President, it was learned that the ``attack'' was an illusion -- which
Turner says was caused by ``a computer error in the system.''  His book
makes various suggestions that would greatly reduce the threats of
accidental nuclear war.  ``We have had thousands of false alarms of
impending missile attacks on the United States, and a few could have spun
out of control.''  [Source: Keay Davidson, *San Francisco Examiner*, in the
*San Francisco Sunday Examiner and Chronicle*, 19 Oct 1997, p. A-17.]


Stock market roller coasters

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 29 Oct 97 9:14:17 PST
The good news is that the computer systems of the major stock exchanges
(notably NYSE and NASDAQ) seem to have held up superbly during the recent
monster trading days on 27 and 28 October 1997.  Yesterday, the NYSE and
NASDAQ each handled over a billion shares for the first time ever, with the
former at 175% of the previous blockbuster day.

The bad news is that those folks who relied on the Internet to do their
panic trading were in for a rough time.  There were huge numbers of e-trades
already queued up before opening, causing an early traffic jam.  Joseph
Konen of AmeriTrade Holding blamed some of the delays on limitations of its
firewall technology.  Many would-be Internet buyers and sellers simply could
not get access, in part because their Internet service providers were
saturated.  Many customers were blocked out because others were tying up
lines just to monitor the market.  Illustrating the extent to which Internet
trading has become a part of the markets, Schwab normally does 35 percent of
its trading on-line; yesterday's trading of more than 300,000 on-line
transactions more than doubled their Monday load and tripled their typical
day.

[Various sources, including a front-page item by Herb Greenberg in the
*San Francisco Chronicle*, 29 Oct 1997.]


Bug costs US$3.8 million

David Kennedy <76702.3557@compuserve.com>
Sun, 26 Oct 1997 03:45:55 -0500
HUD Firing, By JENNIFER ROTHACKER, Associated Press Writer
Courtesy of Associated Press via CompuServe's Executive News Service,
AP US & World  21 Oct 1997

> WASHINGTON (AP) -- A computing error the government says cost it $3.8
> million has led to the firing of the financial services firm accused of
> making the mistake.  The Department of Housing and Urban Development has
> ordered Hamilton Securities Advisory Services Inc. to reimburse the money
> and suggested it may order further retribution pending an investigation.
> The Washington, D.C.-based firm defended its work for HUD, and claimed the
> department owed it $1.6 million for work successfully completed.

o  Hamilton was engaged in '93.

> An investigation ordered by HUD Secretary Andrew Cuomo to ferret out abuse
> and fraud throughout HUD concluded that Hamilton "failed to provide
> accurate financial advisory services to the mortgage note sales program"
> since its contract started in 1992, HUD said in a news release.

o  Washington Times newspaper reported Monday, that the failure was in
"erroneous instructions" to a computer model Hamilton used to evaluate the
value of mortgage notes.  HUD has not accused Hamilton of deliberate
misconduct.


US DoD Break-in Statistic

David Kennedy <76702.3557@compuserve.com>
Mon, 27 Oct 1997 16:04:21 -0500
Courtesy of the COMTEX  Newswire via CompuServe's Executive News Service:
24 Oct 1997

Hacker Threats To Defense Computer Systems

> WASHINGTON, DC, U.S.A., 1997 OCT 24 (Newsbytes) -- By Bill Pietrucha.  The
> US Defense Department's unclassified computer systems are as susceptible
> to hacking as commercial and other civilian computer systems and networks,
> according to the director of the National Security Agency (NSA), who
> predicted the number of attacks will double this year from the more than
> 250 break-ins in 1996.

> NSA Director US Air Force Lt. Gen. Kenneth Minihan told the Association of
> Former Intelligence Officers' annual convention that more than 250
> unclassified Defense Department computer systems were "penetrated" last
> year, a number which could double in 1997.  Minihan's remarks underscored
> a classified report released to the White House this past Monday by the
> President's Commission on Critical Infrastructure Protection (PCCIP),
> warning that America's infrastructure is becoming increasingly vulnerable
> to the risk of computer attack.  ...

> "We have evidence that our known network and computer communications
> vulnerabilities are being exploited by real-world attackers," Minihan
> said. Minihan did not elaborate, nor say who the attackers are or have
> been.

Dave Kennedy [CISSP] Director of Research, National Computer Security Assoc.


Victim Ordered to Surrender Computer and Passwords

David Kennedy <76702.3557@compuserve.com>
Mon, 27 Oct 1997 03:02:58 -0500
Cyber Allegations (AP US & World  21 Oct 1997)

>   PONTIAC, Mich. (AP) -- A woman who said she was sexually assaulted by a
> man she met through an on-line "chat room" has been ordered to turn over
> her computer for examination by the defendant's lawyer.  Circuit Judge
> Alice Gilbert issued the order Oct. 8 after the defendant said another
> computer user told him that the woman had bragged on-line -- in a chat
> room called "Man Haters" -- about making up the story.  The woman was
> also ordered to reveal her password and on-line aliases.

o The accused, a 26-year old is alleged to have pulled a knife and attacked
the victim after a date on Feb 28th.  Prosecutors have said they will
appeal.

> "In my view, turning over somebody's computer these days is the same as
> asking to go through their diary or mail," said prosecutor John
> Pietrofesa.  Inspecting computer records from the opposing side, while
> relatively new in criminal cases, has become common in civil cases, said
> Michigan lawyer and computer law expert Robert A. Dunn.  In civil cases, a
> judge will institute safeguards such as making both sides sign a
> confidentiality agreement that information gleaned from computer records
> will not be disclosed outside of court, he said.

Dave Kennedy CISSP, National Computer Security Assoc


More on California's deadbeat dads' database (RISKS-19.12)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 29 Oct 97 10:12:45 PST
We noted in RISKS-19.12 that there are serious development difficulties in
connection with SACSS, the California Statewide Automated Child Support
System.  The California Assembly continues to get inadequate answers on
whether the system will ever work and how much more it will cost beyond the
current 200% overrun. The technical problems include human interface woes --
the system has 357 screens and 57 ways of opening and closing them; data
disappears, and sometimes migrates from one case to another; payments are
miscalculated; and there are difficulties in communicating with other
agencies.  One risk is that if the system is not working adequately by the
October deadline, California could lose 5% of its federal welfare funding.
[Consequently, cynics might expect the system will be declared a success,
even if it does not work.]  Lockheed-Martin IMS is the developer of SACCS.
On the up side, Lockheed also developed a smaller system for Los Angeles
(with 28% of the state's cases), and that system has been running
successfully since early 1995.  [Source: AP item in the *San Francisco
Chronicle*, 21 Oct 1995, p. A21.]


More on Union Pacific congestion (RISKS-19.41)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 29 Oct 97 9:45:42 PST
This was a banner year for corn, wheat, and soybean crops.  However, the
Union Pacific tie-ups noted in RISKS-19.41 have caused massive backlogs and
storage problems.  Grain elevators are full.  Empty railroad cars are also
in short supply, because with train movements in many cases running a month
late, many cars are in essence being used as storage, waiting for
locomotives.  [Source: USA Today, 26 Oct 1997]

  [It may sound *corny*, but *rye* humor is not funny in *oat cuisine*,
  especially if we do not have *enuf wheat* in *neuf huit* (98).  PGN]


Security flaw in Rogers Cable's "Wave"

Hendrik <hendrik@uvic.ca>
Mon, 27 Oct 1997 13:56:14 -0800
Security flaw found in Wave, by Geoffrey Rowan (*The Globe And Mail* News Wire)

Everybody wants to move fast on the Internet, but some users of the
high-speed access service called the Wave have inadvertently given up
privacy and security to get their fast connection.  Jim Carroll, co-author
of The Canadian Internet Handbook and a user of the Wave, a service provided
by Toronto-based Rogers Cablesystems Ltd., said he discovered the security
flaw by accident and has published the details in the 1998 version of his
book.  He fired up his computer, checked his network connections, and found
that he could look into, copy, change, delete and print files from the
computers of some of his neighbours who are also Wave customers.  Rogers,
which knows about the problem and has been trying to warn its customers,
said the computers of susceptible Wave users can also be infiltrated by
other non-Wave Internet users. (Only customers who have connected more than
one computer together and are sharing files are vulnerable.)  "One fellow's
[Toronto-Dominion] bank folder, for on-line banking, was right there,"
Mr. Carroll said.  Another machine the author found open to him belonged to
a Mississauga lawyer.  "These were very confidential, very sensitive
documents sitting there, wide open to the world," Mr. Carroll said. "It's as
if you're browsing your own machine."  Mr. Carroll said he called the
lawyer, leaving him a detailed message warning of the security breach, but
received no acknowledgment.  "One fellow who I called said he was aware of
the problem and was trying to figure out how to close it off."  The security
problem affects Wave customers who have hooked up more than one computer to
their cable modem, creating their own computer network.  When these
customers turn on features in their computers' software that allows them to
share files, they become vulnerable.  There are only about 8,000 Wave
customers, but the service is being rolled out gradually across Canada and
is now available to 1.1 million households.  Wave's security problem wasn't
that tough for Mr. Carroll to discover. Wave officials are aware of it and
warn customers at every opportunity to protect themselves. But few computer
users read all the documentation.  "It's on our Web site, in our end-user
agreement, in the manual and in the quick reference card," said Frank
Kotter, general manager of the Wave service.  A quick search of Wave's World
Wide Web site produced a detailed warning of the problem, examples of how it
might arise and ways to fix it. [ Ed.: see www.wave.ca/HelpSec.html ] "We
clearly recognize it's a problem and it's in our best interests to make sure
[subscribers] are aware of the risk," Mr. Kotter said.  The Wave agreement
also states that when customers subscribe, they are only paying to link one
computer to the service. Customers who connect more than one computer into a
network and then use the Wave for Internet access, including Mr. Carroll,
are in violation of that agreement.


Gerber net hoax

David Kennedy <76702.3557@compuserve.com>
Mon, 27 Oct 1997 03:03:08 -0500

Gerber Hoax, By MARY R. SANDOK, Associated Press Writer, Courtesy of
Associated Press via CompuServe's Executive News Service, 22 Oct 1997

> MINNEAPOLIS (AP) -- On a single day this week, 15,000 pieces of mail from
> across the nation poured in to a defunct post office box in response to
> what the U.S. Postal Service calls the "Gerber Myth."  The deluge, which
> has plagued a Minneapolis post office for months, stems from a rumor
> circulating on the Internet that the baby-food company is giving away $500
> savings bonds as part of a lawsuit settlement.  To share in the
> settlement, parents are told to send copies of their child's birth
> certificate and Social Security card to the Minneapolis post-office
> box. ...

> Van Hindes, a spokesman for Fremont, Mich.-based Gerber, said the hoax has
> been circulating since January and it appeared to peak about three weeks
> ago. He doesn't blame the Internet alone.  "It's more a product of the
> ease of electronic information generally now," he said. "The Internet,
> e-mail, the prevalence of fax and copy machines all have contributed." ...

> A corollary accompanies the "Gerber Myth": that it is the work of people
> gathering Social Security numbers and birth certificates for such things
> as creating false IDs for illegal aliens.

(The story notes that the Postal Service has detected no malicious or
fraudulent intent in this particular instance.  [DMK: Yet!])

Dave Kennedy CISSP, National Computer Security Assoc


Smart VCRs & daylight savings time

"Josef K." <foo@bar.org>
Sun, 26 Oct 1997 11:07:00 -0400
While certainly not a risk, it is the cause of frustration.  My VCR has a
smart clock; it knows how many days to count for February, when to set the
clocks back and, presumably, when to set them forward.  (I haven't had it
long enough to have noticed the problem before.)

I could hear it happening in my half-sleep while the machine did its job.  I
was aware that at some point (let's say 2 am) it stopped recording, later on
(oh, about a half hour later) starting up again.  Not a great loss,
especially since the show in question is repeated later in the day.

Although this data drifted out of my head by the time I woke up, it was
sucked back in at that moment when, during playback, my show was replaced by
an infomercial.  It was quite obvious to my VCR what happened.  It was
supposed to record a show from 1:25 am to 2:35 am.  One second after 1:59:59
it became 1-o'clock again.  Not time to record yet; stop tape.  This
surprised me.  I would have expected it to keep recording for an extra hour.
Of course, at the new appropriate time, the VCR restarted its task.

It gives me a warm feeling inside to KNOW that this could never happen in a
crucial computer system.


Daylight savings brings down ATM network

Laszlo Herczeg <las@light-house.com>
Sun, 26 Oct 1997 15:15:38 +0000 ()
This morning in the early AM hours, I attempted to withdraw cash from a a
cash dispenser using the Interac Network. To my surprise, I received a
cryptic error message that the transaction could not be completed and that I
should contact my branch. I wanted to buy cigarettes so I went back home,
and pulled enough coins from the piggy bank to be able to pay for my
purchase.

The account I am using is over 12 years old and it is in good standing, so
obviously I was dazzled as to what was wrong. This afternoon I phoned my
bank and they were very apologetic and explained that their network went
down in the time period I was trying to use the ATM. This was the night when
our time zone reverted back to EST, and it appears that they experienced
problems due to the time change.

Obviously, the error message at the ATM machine contained no reference to
network errors.

There are two problems, as I see it:

1. If the Interac network crashes due to a predictable time zone change and
needs to be reset or taken off-line while the clocks are updated, it is not a
very robust system as far as time scheduling is concerned.

2. The error message at the ATM terminal is not granular enough to point out
what is really wrong, and it appears to blame the customer when there
is something wrong with completing a network transaction.


Risks of daylight savings

Jim Griffith <griffith@netcom.com>
Sun, 26 Oct 1997 02:23:27 -0800 (PST)
This is probably nothing new, but I thought I'd report my Daylight Savings
problem for this year.  I happened to be using my PC at 2:00 a.m. PDT,
casually minding my own business, wrapped up in a game of Heroes II, and
what should happen, but Win95 dumps me out of my game to tell me that it's
set my clock back an hour for me.  I thought that was mighty nice of it,
until I discovered that not only could I not resume my game (any attempt
said that the game had to be terminated), but my sound card freaked out with
a weird strobe effect.  [Sigh.]

So I shut down my computer as cleanly as possible (which wasn't very clean
at all), rebooted, noted that everything is OK, and continued my game from
where I happened to save it last, a few turns back of when I got booted.
And sure enough, the entire process repeats itself at 2:00 PST.

You would think that for $650 million in profit a quarter, they could get
a concept as basic as Daylight Savings correct.

Jim

  [Actually, no.  If that were the case, RISKS would not be able to
  report on such sagas TWICE EVERY YEAR, and actually more often
  because of the assorted switch-over dates around the world.  PGN]


Windows 95 & daylight savings time

"Dale K. Brearcliffe" <dbear@crl.com>
Sun, 26 Oct 1997 10:09:09
I watched Windows 95 attempt to adjust itself for the change from daylight
savings to standard time. At 2:00 AM, the OS set the time back to 1:00 AM
and presented an alert box notifying me of the change which I acknowledged.
And when it was 2:00 AM again, it changed the time back to 1:00 AM again.
Left unattended, this cycle may have just continued.  The Windows NT server
sitting next to the Windows 95 workstation seemed to handle everything
properly. The risk to software dependent on time-based events is obvious.


NT Screen Savers Considered Dangerous Also

Bill Elswick <belswick@entertech.com>
Sat, 25 Oct 1997 10:44:50 -0700
John Long brought up the issue of screen savers consuming all available CPU
bandwidth in DoD's COE. I have run into a similar problem with Windows NT,
although not quite as dramatic.

NT ships with a number of Open GL based screen savers that can consume the
CPU. It appears that the screen savers run at full application priority, so
they can have a dramatic impact on the performance of processes that don't
involve user interaction, such as remote controlled apps and server jobs.

The good news is that Microsoft did two things right along with the
unfortunate setting of the screen saver's priority (which apparently cannot
be adjusted down):

  1. The default screen saver is "none".
  2. There is a "blank" screen saver available which seems harmless.

The Risk is that an idle user will pick the most visually interesting screen
saver while putzing with the machine, not realizing that by doing so he has
thrown away about 50% of the machine's CPU capacity. It might be interesting
for NT admins to have a look around their server room with this in mind.

Bill Elswick, Entertainment Technology Associates, Inc.


Re: Modern cars (RISKS 19.42)

"Stefan Lindstrom" <stefan.lindstrom@ki.ericsson.se>
Tue, 28 Oct 1997 18:42:23 +0100
I don't know much about electronics in modern cars, but as an additional
data point there was an incident here in Stockholm, Sweden just the other
week: A policeman sitting in his car with a handheld digital radio pressed
the send button, which triggered the airbag and threw the radio unit at
him. The policeman wasn't badly hurt, but a directive has been issued by the
Police Dept to not use these radios while in the front seat.

Conclusion: Even with Europe's rather high standards for EMC
(electromagnetic compatibility), there are insufficiently shielded
electronics on the market.

Stefan Lindstrom, Sylog AB    stefan.lindstrom@sylog.se
Tel: +46 70 833 06 26      stefan.anna-karin@swipnet.se

  [The "o" in Lindstrom is ISO \366, altered because of complaints that
  the entire issue would otherwise be blocked by noncompliant hosts.]


RISKS predicted the San Francisco blackout!

Ken Hayman <hayman@dg-rtp.dg.com>
Mon, 27 Oct 1997 14:12:50 -0500 (EST)
I hope the appropriate authorities in San Francisco read RISKS-19.42 when it
was released on 24 Oct 1997, so they would know in advance of the blackout,
reported there as happening on the morning of 25 Oct 1997.

Ken Hayman  hayman@dg-rtp.dg.com

  [TNX.  I fixed it (23 Oct 1997) in the archive copy.  PGN]


CFP Computer Security Foundations Workshop CSFW11

Simon Foley <snf22@ccsr.cam.ac.uk>
Wed, 22 Oct 1997 10:11:08 +0100
           11th IEEE Computer Security Foundations Workshop
             Rockport, Massachusetts, USA, 9-11 June, 1998

This workshop brings together researchers in computer science to examine
foundational issues in computer security. We are interested both in papers
that describe new results in the theories of computer security and in papers
and panels that explore open questions and raise fundamental concerns about
existing theories. The paper submission deadline is February 6, 1997.

General Chair                Program Chair             Publications Chair
Jonathan Millen              Simon Foley               Joshua Guttman
Computer Science Laboratory  CCSR,                     The MITRE Corporation
SRI International,           University of Cambridge,  202 Burlington Road
333 Ravenswood Ave.          10 Downing Street,        Bedford, MA 01730-1420,
Menlo Park, CA 94025, USA    Cambridge CB2 3DS, UK     USA
+1 650-859-2358              +44 1223 740100           +1 617-271-2654
millen@csl.sri.com           snf22@ccsr.cam.ac.uk      guttman@mitre.org

More on-line information at <URL:http://www.csl.sri.com/~millen/csfw/.>.

Please report problems with the web pages to the maintainer

Top