The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 69

Wednesday 22 April 1998

Contents

o Pentagon to take stronger computer security measures
Edupage
o Hackers claim major U.S. defense system cracked
PGN
o Risks of placing too much trust in large site operators
Drew Hamilton
o Report on new En Route Centre NERC for UK ATC
Pete Mellor
o Internet Jurisdiction
Rob Bailey
o Euro changeover tougher than Y2K?
David Wittenberg
o Re: Only 1/3 of popular Microsoft apps are Y2K compliant
Michael Levi
Mark Stalzer
o Y2K on the road
Evan McLain
o Re: Y2K and the eagle talon
Paul Thompson
o GSM Alliance Clarifies False & Misleading Reports of Cloning
Geoff Goodfellow
o Re: Mobile phones in gas stations
Michael Bacon
o Re: HP200 data integrity woes
Morten Norman
o Risk: Going to jail innocently over a speeding ticket
Steven Murphy
o Reminder on Privacy Digests
PGN
o Info on RISKS (comp.risks)

Pentagon to take stronger computer security measures

Edupage Editors <educom@educom.unc.edu>
Sun, 19 Apr 1998 12:54:19 -0400
Learning of numerous vulnerabilities in the security of the computers
accessed by its 2.1 million users worldwide, the Department of Defense is
formulating new plans to tighten security systems.  In a recent military
exercise called "Eligible Receiver," cyber attacks were able to access the
military's command and control structure in the Pacific (and could have shut
it down); the attacks also could have turned off the entire electrical power
grid in the U.S.  (*Washington Times*, 17 Apr 1998; Edupage, 19 Apr 1998)

  [Eligible Receiver used well-known penetration techniques.  The
  *WashTimes* article quoted Pentagon spokesman Kenneth Bacon saying
    "Eligible Receiver was an important and revealing exercise that taught
    us that we must be better organized to deal with potential attacks
    against our computer systems and information infrastructure."
  This should have been no surprise to anyone except perhaps whoever
  in the Pentagon doesn't read RISKS and security newsgroups.  PGN]


Hackers claim major U.S. defense system cracked

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 22 Apr 98 9:45:17 PDT
A Reuters article by Andrew Quinn in today's print and electronic media
notes that a group calling itself Masters of Downloading (a new MOD,
including members in the U.S., Britain, and Russia) claims that it has been
able to obtain secret files from a computer system used to control military
satellites, via the Defense Information Systems Network (DISN).  The files
include the DISN Equipment Manager (DEM), which controls the U.S. network
of military Global Positioning System (GPS) satellites.  MOD members
apparently informed John Vranesevich (who runs the computer security website
AntiOnline <www.antionline.com>) of their exploits.  [PGN Stark Abstracting]


Risks of placing too much trust in large site operators

Drew Hamilton <drew@drew-hamilton.net>
Mon, 20 Apr 1998 18:13:16 -0400 (EDT)
On a web page today, I saw one site had one of those "how to link to us"
pages that are getting more popular.  You know, the ones with different
banners, and the HTML code snippets that you paste into the page in order to
get the ad in there.

Well, this one had at the bottom:

   If you don't feel comfortable adding that link yourself, we will be
   happy to do it for you. Email us at link@addme.com with the following
   information: 1) your ftp address 2) your userid and password.

It's scary that it's altogether conceivable that someone might actually
fall for that!

Drew Hamilton   http://winged.anime.net/

  [Perchance the Pentagon has been using this wonderful free service?  PGN]


Report on new En Route Centre NERC for UK ATC (re: Ladkin, R-19.18)

Pete Mellor <pm@csr.city.ac.uk>
Wed, 22 Apr 1998 15:42:19 +0100 (BST)
Further to the earlier report by Peter Ladkin in RISKS-19.18.

The Fourth Report by the Environment, Transport and Regional Affairs
committee of the House of Commons was printed on 27th March 1998.  It is
available on:-

http://www.parliament.the-stationery-office.co.uk/pa/cm199798/cmselect/cmenvtra/360iv/et0402.htm

However, I had a problem accessing it directly using that URL,
and anyone who has difficulty might care to try the general URL ...

http://www.parliament.the-stationery-office.co.uk

... and do a keyword search on "NATS", which will call up several
sections of the report including the main contents list, together
with the answers to some questions asked in parliament on the subject.

The gist of the report (which I do not have time to summarise in any greater
detail now) is that here is a classic software disaster happening right
before our eyes, and the committee have requested an independent review with
cancellation as one of the identified options.

Peter Mellor, Centre for Software Rel., City University, London EC1V 0HB, UK.
+44 (171) 477-8422  p.mellor@csr.city.ac.uk, http://www@csr.city.ac.uk/


Internet Jurisdiction

Rob Bailey <wm8s@pobox.com>
Sat, 18 Apr 1998 15:56:12 -0400
Financial risks of technology come in many flavors. In the year 2000, I'll
have a dangerous combination: a BS in Comp Sci with 15 years of programming
and electrical engineering experience, and a JD. I can't walk anywhere
without playing "spot that tort."

Have you thought about the risk to your bank account of retaining local
counsel in every country on the planet? If you have a web page (or worse, a
whole site), have you considered that it might subject you to the pleasures
of a no-expenses paid trip to Saudi Arabia to answer in a Saudi court why
your web page displays a woman's thigh? Or to Paris to explain why your page
isn't translated into French as required of all media available in France to
French citizens? Or explain to a Russian court . . . You get the picture.

Lawyers call it "personal jurisdiction" - the authorization a court has to
hale a person (corporate, natural, or otherwise) who is not a resident of
the court's forum into that court to answer charges (criminal or civil) as a
defendant. You might call it something else (e.g., a name with only four
letters).

And you might be surprised at the answer. In the United States, the law is
still developing slowly and inconsistently. For example, the level of
interactivity your site employs might be a factor in whether or not a court
a couple of thousand miles away can haul in your posterior because you
offended someone there.

[For more information, find a copy of the Washington and Lee University Law
Review, Vol. 54, p. 1269, and read "WORLD WIDE WEB ADVERTISING: PERSONAL
JURISDICTION AROUND THE WHOLE WIDE WORLD?" by Christopher W. Meyer. (Of
course, I'm a little biased about how good Mr. Meyer's legal education has
been, but the article has been widely acclaimed as top notch, and cited by
some pretty heavy hitters already.)

To read the article, go to http://www.wlu.edu/~lawrev/text/543/Meyer.htm, go
here http://www.wlu.edu/~lawrev/ for contact information, or write:

  Washington and Lee Law Review
  Washington and Lee University School of Law
  Lexington, Virginia 24450]

Rob Bailey, wm8s@pobox.com, Washington and Lee University, School of Law


Euro changeover tougher than Y2K?

David Wittenberg <dkw@cs.brandeis.edu>
Tue, 21 Apr 1998 15:42:59 -0400 (EDT)
"Euro changeover makes year 2000 bug look easy",
*The New York Times* 21 Apr 1998 (electronic edition, http://www.nytimes.com/)

The problems range from the trivial (most computers' OSs have no
representation for the euro symbol) to the administrative (everybody is busy
with Y2K, so it's hard to find people to work on the euro conversion.)

Like Y2K, the euro conversion requires converting historical data so that it
can be compared with new data.  It also requires running a system which can
handle both the euro and the old currency simultaneously.  A further
complication is that to change from one existing currency (say Italian lira)
to another (say French francs), you are required to first convert the lira
to euros (rounding to the nearest cent), and then convert from euros to
francs.  I expect someone to take advantage of the rounding errors.

David Wittenberg  dkw@cs.brandeis.edu
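
The rounding drift this item anticipates can be measured with a reconciliation check. The sketch below is an added illustration, not part of the original post; the conversion rates, the tolerance and the sample batches are assumptions constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Assumed sample rates (national currency units per 1 euro); not from the post.
ITL_PER_EUR = Decimal("1936.27")
FRF_PER_EUR = Decimal("6.55957")
CENT = Decimal("0.01")


def to_cents(amount):
    """Round to two decimal places, halves rounding up."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def triangulate(lira):
    """Lira -> euros (rounded to the cent) -> francs (rounded to the centime)."""
    euros = to_cents(lira / ITL_PER_EUR)
    return to_cents(euros * FRF_PER_EUR)


def batch_drift(lira_amounts):
    """Francs paid out per payment minus francs for the same lira total
    converted once. Non-zero drift is pure rounding error."""
    per_payment = sum((triangulate(a) for a in lira_amounts), Decimal("0"))
    aggregate = triangulate(sum(lira_amounts, Decimal("0")))
    return per_payment - aggregate


def flag_batches(batches, tolerance=Decimal("0.20")):
    """Return the names of batches whose drift exceeds the tolerance.

    Each conversion is off by at most about 0.038 francs, so a handful of
    ordinary payments stays well under 0.20; a large run of tiny payments
    that all round the same way does not.
    """
    return [name for name, amounts in batches.items()
            if abs(batch_drift(amounts)) > tolerance]


# Constructed sample data: three ordinary payments, and one million lira
# submitted as a thousand payments of 1000 lira each.
SAMPLE_BATCHES = {
    "ordinary": [Decimal("250000"), Decimal("480000"), Decimal("1200000")],
    "split": [Decimal("1000")] * 1000,
}

if __name__ == "__main__":
    for name, amounts in SAMPLE_BATCHES.items():
        print(name, "drift in francs:", batch_drift(amounts))
    print("flagged:", flag_batches(SAMPLE_BATCHES))
```

With these sample rates, 1000 lira rounds up from about 0.516 to 0.52 euros, so every small payment gains a fraction of a centime and the split batch drifts by 22.24 francs against a single conversion of the same total.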


Re: Only 1/3 of popular Microsoft apps are Y2K compliant (R-19.68)

Levi_M <Levi_M@BLS.GOV>
Fri, 17 Apr 1998 14:55:49 -0400
According to the Microsoft Web site,
    34 products are Y2K compliant
    21 are "Compliant with minor issues"
    3 are non-compliant.
This is not nearly as dire as the previous post implies.

The risk: reading too quickly, or perhaps just looking too hard for
confirmation that Microsoft really is the devil.

Michael Levi

  [Perhaps, or maybe only 21 (not yet 34) were compliant when the article
  was written.  Incidentally, the MS Web site indicates that "compliant with
  minor issues" includes the DIR command displaying the date as only 2
  digits instead of 4, and dates after 2000 requiring four-digit input.
  PGN]


Re: Only 1/3 of popular Microsoft apps are Y2K compliant (R-19.68)

Mark Stalzer <stalzer@macaw.hrl.hac.com>
Fri, 17 Apr 1998 08:54:26 -0700
Most of these products have been developed in the last few years by some of
the best minds in software (or so we are told). There is simply no excuse
for Y2K noncompliance. Perhaps Microsoft's real objective is to force
everyone to upgrade next year -- thereby turning the Y2K problem into a
profit opportunity.

Mark Stalzer, mas@acm.org


Y2K on the road

Evan McLain <emclain@top.net>
Thu, 16 Apr 1998 22:05:10 -0500
I recently hosted a visit from a group of engineers that are assisting us
with Y2K verification.  As they were leaving, one of them said, "Say, you
don't have a 1979 Toyota, do you?"  Apparently the engine computer in these
cars uses "00" in the year field as a code for "complete engine shutdown".
I wonder if it would cause a moving vehicle to quit, or just one that was
turned off overnight on the 31st?


Re: Y2K and the eagle talon (RISKS-19.68)

Paul Thompson <thompson@athenet.net>
17 Apr 1998 02:07:19 GMT
It seems the reports of Eagle Talon/Mitsubishi Eclipse ECU controller
failures were a little premature.  Or a late April Fool.  Here is the text of
the moderator's retraction available at

ftp://talon:eclipse@ftp.dsm.org/Archive/980415.txt

Date: Wed, 15 Apr 1998 12:00:01 -0700
From: talon-owner@dsm.org
To: talon-digest@dsm.org
Subject:   Talon Digest for 04/15/98
Sender: owner-talon@dsm.org
Reply-To: talon@dsm.org

[Well, it looks like some of you took the Y2K thing a bit too seriously.
Being the computer geek I am, I sometimes forget what is common knowledge
and what is not.  I was just a little sick of the "me too" posts on the Y2K
thing and wanted to add a little DSM content.  By the time I was done, I
once again figured out a good prank for April 1 a few days too late (happens
to me every year).

I'm getting sick of the press overstating the Y2K problem.  They often
mention "planes falling from the sky" and "intersections with all lights
green".  As if there weren't a million other possible bugs in the software
that control these insanely complex systems that could cause problems, right
here, right now.  At my day job, we have to certify that we are "Year 2000"
compliant - huge amounts of paperwork - meanwhile, we have several other
bugs in our code that we *don't* need to sign paperwork about...  Just
doesn't make too much sense to me.  A bug is a bug - how come people don't
go around talking about stack overflow problems in the same tone of voice?

A lot of the problems surrounding Y2K problems involve the abbreviation of
the year 19xx into just xx.  Bytes don't overflow at 100 or 2000.  They
overflow at 256 or 65536, etc.  Almost all computers since the invention of
Unix seem to mark time as some number of seconds past a baseline like 1970
or 1980.  These systems don't overflow years at nice round numbers - a lot
of the Microsoft DOS stuff will roll at 2036 or 2047.

As far as I know, there are currently *no* ECUs on the market that keep
track of time.  Most of them keep track of mileage if they are trying to
stamp the error codes, or maybe seconds elapsed since car started.  The
problem is that the ECU could never have any concept of what time it really
is unless the driver could update it somewhere.  Also, I have yet to see a
PC clock that didn't lose less than 3 seconds/day.  Given the temperature
extremes inside a car, I don't think it could be done easily.  Even at a
conservative 3 secs/day, you'd be +/- 3 hours at the end of ten years.  Not
really useful except for relative time.

I thought the placement of the article after a Mac/Tandy love-note would
tip people to the comment being phony.  I guess my pointing it out at the
top of the digest kinda backfired (no pun intended).  Sorry if I scared
anyone...

Best comment received: Someone wondering when the Galant VR4s
would roll since they were built in Japan...

-talon mgr]


GSM Alliance Clarifies False & Misleading Reports of Cloning

"the terminal of Geoff Goodfellow" <geoff@iconia.com>
Fri, 17 Apr 1998 22:08:41 -0700
[Sent by Geoff_Goodfellow@Iconia.com, s.r.o.   tel/mobil +420 (0)603 706 558
Vsehrdova 2, 110 00 Praha 1, Czech Republic    fax +420 2 5732 0623]

  [Because this item is based almost entirely on an open press release,
  we do not feel that reproducing it in its entirety constitutes any
  copyright infringement.  PGN]

GSM Alliance Clarifies False & Misleading Reports of Digital Phone Cloning
GSM Remains the Most Secure Commercial Wireless Technology
(Business Wire; 04/17/98)

A coalition of wireless Personal Communications Services (PCS) providers has
released [on 17 Apr 1998] facts to correct some misconceptions generated by
the recent claim that several California researchers had found a weakness in
the security of Global System for Mobile communications (GSM) technology,
the world's most popular digital wireless standard.

The North American GSM Alliance, LLC - consisting of the eight largest GSM
network operators in the United States and Canada - provided the following
information in response to a number of erroneous published reports.

1. GSM phones are not vulnerable to cloning.

Researchers only claimed that, through a process of trial and error, they
figured out how to copy information from the Subscriber Identity Module
(SIM) card - a unique GSM feature that contains a customer's individual
network access code. Duplicating a SIM card is not like cellular cloning
since the network only recognizes one copy of a GSM phone number at a
time. This is an important distinction, since it does not permit would-be
thieves to fraudulently capture, duplicate and utilize a customer's phone
number and account information by intercepting over-the-air transmissions
and deciphering the data.

By contrast, information from ordinary analog cellular phones can be pulled
out of the airwaves, copied and re-used multiple times. This illegal
process, also known as "sniffing," is still not possible to do with GSM
technology. The California group said that it needed physical access to a
SIM card in order to duplicate it. While they believed copying theoretically
could be done remotely, the group admitted that it was, in fact, unable to
do so.

2. There is no risk to subscribers.

GSM's design process and proven functionality continue to offer the
strongest level of commercial wireless security. GSM customers can have the
highest degree of confidence that they are protected from over-the-air
cloning.

In fact, thieves can more easily steal GSM phone service simply by stealing
wireless handsets rather than producing counterfeit SIM cards. Once someone
steals a SIM card, there's no need to copy it. The notion is as ridiculous
as someone stealing an armored car full of money, then copying the bills
inside!  And since the GSM networks allow only one call at a time from any
phone number, having multiple copies of a SIM is worthless. As an additional
level of security GSM operators have procedures in place which would quickly
detect and shut down attempted use of duplicate SIM card codes on multiple
phones.

Nevertheless, customers should protect their wireless phones and SIM cards
the same way they would protect their wallets and bank cards. Subscribers
who lose their phone or SIM card should report it immediately to their
wireless service company. The lost or stolen SIM can be de-activated to
prevent others from using the account.

3. There is no risk of over-the-air eavesdropping.

The level of encryption used by GSM makes over-the-air eavesdropping nearly
impossible. So far, no one claims that they can listen to the content of
conversations or monitor data transmitted over the air on the GSM network,
including governments and network operators. Confidentiality of GSM customer
conversations remains intact and uncompromised.

4. The ability to copy a SIM card is nothing new.

It was always known that this could be done. Last weekend's announcement is
really no different from processes GSM providers use all the time to encode
smart chips. For several years now, educational institutions and scientific
laboratories have demonstrated the capability to extract data from, and
copy, smart cards. But it is an extremely complex task and would not be
practical for stealing wireless phone service. Besides, even if a handset or
SIM card were stolen, GSM operators have the ability and technological tools
to shut down fraudulent service quickly.

5. The key code which protects a subscriber identity is not "fatally
   flawed."

This is a somewhat complicated subject. There are two different key codes:
first, an authentication code - the A3 algorithm - that protects the
customer's identity; second, an encryption code - the A5 algorithm - that
ensures the confidentiality of conversations. It has been alleged that the
authentication code (A3 algorithm) is weakened because only 54 of the 64
bits are used, with 10 bits being replaced by zeroes. In reality, those
final 10 bits provide operators with added flexibility in responding to
security and fraud threats.  Additionally, the GSM algorithm that the
researchers claimed to have broken is the "example" version provided by the
international organization that governs the use of GSM technology to its
approved carriers for them to create their own individual version. It may
not be what is deployed in the market. Several operators have already
decided to customize their codes, making them more sophisticated.

There has been some confusion about the various types of code used by GSM.
In addition to the 64-bit authentication cipher, there is a more powerful
voice encryption code (A5 algorithm) which helps keep eavesdroppers from
listening to a conversation. This code was not involved in last weekend's
announcement.  Also, the speculation that GSM's encryption algorithms have
been deliberately weakened because of pressure by the U.S. intelligence
community is absolutely false.

Conclusion

While no human-made technology is perfect, customers can still rely on the
privacy features and security of GSM's transmission technology. It remains
the most secure commercial wireless communications system available
today. More than 80 million customers in 110 countries use GSM phones and
not one handset has been cloned since the first commercial service was
launched in 1992.

North American GSM Alliance, L.L.C. is a consortium of U.S. and Canadian
digital wireless PCS carriers, which helps provide seamless wireless
communications for their customers, whether at home, in more than 1,000
U.S. and Canadian cities and towns, or abroad. Using Global Systems for
Mobile (GSM) communications, GSM companies provide superior voice clarity,
unparalleled security and leading-edge wireless voice, data and fax features
for customers.  Current members of the GSM Alliance include: Aerial
Communications, Inc., BellSouth Mobility DCS, Cook-Inlet Western Wireless;
Microcell Telecommunications Inc., Omnipoint Communications, LLC, Pacific
Bell Mobile Services, Powertel, Inc., and Western Wireless, Corp., which
continue to operate their own businesses and market under their own names.

CONTACT: For Additional Information:
         Terry Phillips, Omnipoint, (973) 290-2533 OR
         Mike Houghton, Communicreate, (703) 799-7383

  ["What, Me Worry?" -- A.E. Neuman]


Re: Mobile phones in gas stations (RISKS-19.68)

"Streaky_Bacon" <streaky_bacon@msn.com>
Sat, 18 Apr 1998 07:17:02 +0100
The Czechs are catching up.  Clearly there *is* potential for a mobile
telephone (which radiates in the electro-magnetic spectrum) to cause
interference.  Usually it would have to be pretty close to another device to
affect it, or be within a 'Faraday cage' with the other device - hence their
ban in crypto rooms (and battery rooms BTW).

More concerning (and I think posted here previously) is the RISK of causing
an explosion in a gas/petrol station by a spark from the aerial to ground
(say the canopy metalwork).  That's why their use in petrol stations is
banned by law in the UK.


Re: HP200 data integrity woes (Cohen, RISKS-19.68)

Morten Norman <marten.norman@intertex.se>
Fri, 17 Apr 1998 02:22:15 -0700 (PDT)
The HP200 story also points out the fact that even a small computer may keep
a lot of important information, and thus should be on a regular backup
schedule.


Risk: Going to jail innocently over a speeding ticket

<Steven Murphy>
Mon, 20 Apr 1998 10:58:16 -0600
The Internet has brought forth several positive things in the world over the
past few years, and as most of us know, more and more negative things
continue to surface.  I was in an unfortunate position to be a "victim" of
one of these negatives that has been brought to light the hard way.  To make
this long story a bit shorter, here's what happened: On November 29, I was
traveling from St. Louis to Nashville, Tn.  In Paducah, Ky I was stopped for
speeding (81 in a 65).  Kentucky doesn't have "traffic lawyers", so it was
pay or be a fugitive.  Well, the Christmas season is always a little short
on cash, so I asked for an extension from the court clerk, and was granted
until late January to pay the $90 fine.  In mid January, a check was written
to the Court Clerk for the full amount.  End of story, or so I thought.
Here's where the risk comes in, and it very well could be happening in your
own home state.  On April 15, 1998, I received a letter from the state of
Missouri saying that my license would be suspended on April 14 if this issue
with Kentucky was not resolved due to a "violator's non-compliance pact"
that was set up via the internet. The suspension date had already passed, and
the state of Missouri would need proof from KY that the ticket had been paid
and a $20 reinstatement fee. This letter came via regular U.S. Mail.  I
contacted KY, and was told payment was never received, then checked with my
bank and found out the check had not cleared.

I overnighted the check, got a fax of the receipt, and had my license
reinstated by April 17, 1998.  The kicker is, in the state of Missouri, you
are subject to an automatic 90 days in jail for driving on a suspended
license.  The obvious risk here is simple.  Because of the internet
communications between states, a person in Missouri can have their license
suspended without even knowing it and wind up in jail for it!  If the
letters announcing suspension were sent via certified mail, that could fix
part of the risk, but it's still a dangerous policy to have in place, and it
may be the same where you live.  Heck, my check to the State of Kentucky was
lost - what if the letter from Missouri to me had been lost as well??  My
license would still be suspended, I wouldn't know it, and county lockup
might have a bed with my name on it just waiting for me!

With this in mind, I vote for shutting the Internet down. ;-)

Steve Murphy, St. Louis, Mo.


Reminder on Privacy Digests

<RISKS moderator>
17 Apr 1997
Periodically I remind you of TWO useful digests related to privacy, both of
which are siphoning off some of the material that might otherwise appear in
RISKS, but which should be read by those of you vitally interested in
privacy problems.  RISKS will continue to carry general discussions in which
risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein.  It includes a digest (which
  he moderates quite selectively), archive, and other features, such as
  PRIVACY Forum Radio interviews.  It is somewhat akin to RISKS; it spans
  the full range of both technological and nontechnological privacy-related
  issues (with an emphasis on the former).  For information regarding the
  PRIVACY Forum, please send the exact line:
     information privacy
  as the BODY of a message to "privacy-request@vortex.com"; you will receive
  a response from an automated listserv system.  To submit contributions,
  send to "privacy@vortex.com".

  PRIVACY Forum materials, including archive access/searching, additional
  information, and all other facets, are available on the Web via:
     http://www.vortex.com

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
  run by Leonard P. Levine.  It is gatewayed to the USENET newsgroup
  comp.society.privacy.  It is a relatively open (i.e., less tightly moderated)
  forum, and was established to provide a forum for discussion on the
  effect of technology on privacy.  All too often technology is way ahead of
  the law and society as it presents us with new devices and applications.
  Technology can enhance and detract from privacy.  Submissions should go to
  comp-privacy@uwm.edu and administrative requests to
  comp-privacy-request@uwm.edu.

There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places.  If you are very
short of time and can scan only one, you might want to try the former.  If
you are interested in ongoing discussions, try the latter.  Otherwise, it
may well be appropriate for you to read both, depending on the strength of
your interests and time available.
                                                  PGN
