According to the Dutch press, a group of Dutch fraudsters has broken the security of German prepaid phone cards, allowing them to recharge spent cards. They buy spent cards from collectors (these cards are popular collector's items) for a few cents, recharge them and sell them at a reduced price. Allegedly, the losses so far amount to some 60 million DM (30 M$), meaning a few million cards have been forged! The article did not give any details about the nature of the crypto or the attack method used. Does anybody have more details? Erling Kristiansen
... it can only be with the help of a computer. RISKS readers will remember the the new automated switch in Hamburg that caused days of chaos a while back (the problem was a stack overflow in a real-time system :-(), as well as the new automated switch causing problems in Wannsee and then again the new automated switch for the city train (S-Bahn) in Berlin. All made by the same company. Sunday the German Bahn introduced its new automated switching system at the newly renovated train depot Berlin-Rummelsberg and the new automated switching system in Ostbahnhof (which was renamed on the same day from Hauptbahnhof, let's just do all the changing on the same day...). Nothing new under the sun: The plan to run 360 trains a day over the new connection through Berlin (which used to be divided into an East and a West) failed miserably on the first two days of operation. A train is to be switched through the area approx. every 10 minutes. Just a few hours after the operations began, there were delays of 1-2 hours for trains *originating* in Berlin. As the crowds gathered on the platforms, the new customer information system crashed. The information boards went blank, the railroad personnel had no information whatsoever what train was expected when or where. Some engineers, in addition, forgot that they were not to go to Lichtenberg anymore but to the new Ostbahnhof, and managed to get their trains to Lichtenberg (how on earth can that happen?!) Trains had 3-4 hours delays by mid-afternoon, many trains where just cancelled in the hopes of easing things, to no avail. Since there was no information, many travelers (after waiting for hours) missed their trains. The newspaper has descriptions of old ladies, a school group of children, business people and such that were disgusted and angry at the whole thing. Even when they managed to coax the information system to display "J\"uterborg" on the board, the train that was on the tracks showed a terminus much earlier. Seems the train boards couldn't handle names with umlauts or blanks, such as "Bad Libenwerda". The press is having a field day, there was even a report in the "Tagespiegel" today with technical information: The switching system ist Simis-C, Sicheres Mikrocomputersystem von Siemens, Generation C (secure microcomputer system from Siemens), which is to control 140 signals, 234 new signals, 279 switches (265+14?) and 398 axle counting stations. The system was accepted by the Bahn from Siemens without any problems being noted, they practiced with the system for a week and trained the engineers by showing them videos. Train spotters noticed lots of 3-person crews, meaning that there must still be a lot of engineers out there that have no idea where they are.... Monday was just as bad, 30 trains were cancelled outright to try and ease the situation. The Bahn insists (http://www.bahn.de/konzern/news/pm80525.htm) that it is not computer problems that they are having, and apologizes for "any inconveniences". They offer a trip on the S-Bahn over the new tracks for "only 2 DM" "sometime in the future" as little present. And maybe they will pay hotel costs and taxis for the folks trapped in Berlin. If this was not enough, a gas explosion interrupted the North-South trains yesterday as well. We hope they get the trains sorted out sometime before Jan 1, 2000... Me? I'm driving my car this weekend! Prof. Dr. Debora Weber-Wulff, Technische Fachhochschule Berlin, FB Informatik, 13353 Berlin, Germany email@example.com http://www.tfh-berlin.de/~weberwu/
> AOL Boosts Security After ACLU Site Hacked, By Craig Menefee, > 29 May 1998, from Newsbytes via PointCast: > A vandal who hacked the American Civil Liberties Union (ACLU) site at > America Online [NYSE:AOL] has caused the giant online service to change > procedures to make customer passwords more secure. Key points from the article: * Criminal hacker harassed AOL support staff by repeatedly phoning to demand a new password for ACLU Webmaster's account. * There are 6,000 AOL tech support staffers. * Eventually happened upon an AOL staffer who assigned and divulged the new password. * ACLU site wiped out. * Hacker called AOL to boast about his achievement. * AOL staff member fired. * Procedures now require such demands to be routed to a small group of better-trained customer reps. M. E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education, International Computer Security Association (Carlisle, PA) <http://www.icsa.net>
A new Wells Fargo bank study found that almost 5 million small businesses are at risk from the Y2K problem. Three-fourths of those have not yet taken any action, and half have no plans to do so before Y2K. [Business Wire, 27 May 1998, PGN Very Stark Abstracting. Although probably intended primarily for media folks, a summary copy of Small Business and the Year 2000 Problem can apparently be obtained by calling the media relations department of Wells Fargo Bank at 415/396-3606, or NFIB Education Foundation, Denny Dennis, 202/554-9000]
Anecdote: classic database problems with the most visible single database on the Internet: the InterNIC Whois database (of domain names and contacts). A friend of mine has a small business that creates and manages web sites for various local small businesses. Hence, she has her own domain name and is proxy for several others. Very common. Suddenly, she started getting calls, e-mail, and US Mail from various suppliers of materials for "adult entertainment" web sites. She was perplexed (major understatement) until one of the callers mentioned a domain name that was an obvious "adult entertainment" site. I found that she was listed in the InterNIC database as the site's Billing Contact. A little further sleuthing revealed that the owners of this site also had a site whose name differed from her (innocuous) primary domain name by a single character. OK, probably a data entry problem, not someone trying to get their domain registration bills paid by someone else. Now things get interesting. The InterNIC authorization/validation scheme allowed her to remove herself as Billing Contact (since she was *listed* as an authorized contact), but does not allow her to remove the association between the domain name and her company's name and address: there are different procedures for the two types of changes. So since she is not actually the owner of the domain name, she cannot get herself unlisted as the owner of the domain name through the normal procedures. She spent weeks trying to get around the automatic replies that tell her she is not authorized to submit this request. The person who built the website was similarly unsuccessful in getting InterNIC to fix the problem, for similar reasons. The official owners of the site have been unresponsive, at least in this area. Finally, she had an inspiration. The reason that she couldn't change the name attached to the site was that it was a two part operation: removing her name and assigning someone else's, and it was the second operation that she was not authorized to perform (legitimately). However, what was to keep her from simply de-registering the site? She tried it, it worked, and that fixed the problem (at least from her perspective).
A lower Bavarian court sentenced a former top manager of CompuServe Germany to 2 years in prison for having made available hard pornography via Internet to German CompuServe customers. While this sentence is on probation for 2 years, the manager was charged to pay 100,000 DM to some beneficial social institution. This sentence seems to be rather hard, as both the manager`s attorney and the state attorney had finally pleaded "not guilty" following expertises which argued that the manager had hardly any possibility to filter pornographic although making pornography available is a criminal act according to German penal code. Both the manager`s attorney and the state attorney said that they think of requesting a revision in a second trial. Comments in media regard this court decision as "hindering economic development of Internet in Germany". While this is not unlikely, one must also observe that it may be regarded unethical when a technical development enforces legal changes against the common consent of some society concerning protection of its elementary values. In Germany and other European countries (esp. with recent experiences in children abuse which were often related to activities in distributing pornography with children), pornography is still a major offence against inherited value systems, and many people don't see why a technical development should enforce related changes of their value and legal systems. Even when such changes seem unavoidable in the long range, mastering risks of such developments would need some education. Concerning technical filtering, the consent of both attorney`s that content filtering is technically impossible may be true for CompuServe in its actual stage of development, but such a statement is not generally justified, and related expertises may not reflect the actual knowledge. The author admits that "content filtering" is a hot issue where Free Flow of Information seems to be regarded as value with absolute priority. Klaus Brunnstein (30 May 1998)
I don't know if a country on earth exists whose high profile Web sites have been repeatedly hacked for over two years with the perpetrators still on the loose as in the Czech Republic (Czechia) and Slovak Republic (Slovakia). As reported by IntelliTech Media's Networked Business & Information Security News (NBISN), http://www.intellitech-media.cz/sa/nbisn, on 18May1998, the CzERT group of Czech and Slovak hackers continue to ravage the net, claiming over 200 hacked Web sites (CzERT is pronounced "chairt" which sounds like the Czech word "Cert" which means "devil" or "demon"). 36 of these hacks (23 in Czechia, 13 in Slovakia, total of 28 sites hacked with 7 sites twice-repeatedly hacked and one site thrice-repeatedly hacked) are archived at http://www.intellitech-media.cz/sa/cee-hack-archive and include hacks of the Czech Army, a bank, a Web chat site (hackers posted list of alleged software pirates), a search engine site, a magazine for police, ISPs (little animated e-man sauntered across the screen and pissed on the ISP's logo), a couple of daily news sites, a press agency (delivered their own news story), a computer magazine site, UNICEF's site, software vendors' sites, schools, various ministries and more. Some of the latest hacks have boldly taunted the Police captain who is solely responsible for catching the hackers. The latest hack, 16May1998, featured a picture purported to be that of the police captain... it was indeed the picture of a pleasant and compassionate looking "sea captain" kind of a guy featured on packages of "Captain Igloo" frozen fish sticks. NBISN's 4,775 word story "CzERT lives on," presents plenty of views into the CzERT members' cyber-personalities and clues as to their identities... but they remain on the loose and boldly claim to have done a hell of a lot more than just hack a few publicly visible Web sites. Perhaps the risk of most interest to foreigners is in doing business in countries like Czechia and Slovakia where there is plenty of money being spent and made on computing, networking and communications hardware and software but far too little money available for crime-fighters. One view is that the USA and other countries are, in essence, blindly putting technology into the hands of criminals. A police major in the capital city of Prague with almost 15 years of service makes only about US$ 500 per month and the police are way behind, for the most part, when it comes to technology. Most police I have interviewed who do have PCs are using 386- or 486-based machines and police Internet connectivity is very scarce. Many IT companies, whether US, Canadian, West European, Asian or whatever, come here to make lots of money but totally ignore developments in crime and law-enforcement. Perhaps it's about time that they all pitched in and made a big donation to help bring crime-fighters up to speed. Steven Slatem, Editor-In-Chief, Networked Business & Information Security News (NBISN), IntelliTech Media, Inc. http://www.intellitech-media.cz
The cover story on this week's "Jerusalem Report" http://www.jreport.virtual.co.il/ (a bi-weekly magazine covering news from Israel) is titled "www.terror: Can Enemy Hackers Cripple Israel". The material is familiar to practitioners in the security field, including potential threats to infrastructure such as telecommunications, military systems, power grids, etc. There's a brief analysis of Israel's neighbors to wage information warfare against it. Perhaps the most interesting part of the article to me was what wasn't there: quotes from well known academics or big-time Israeli security companies (e.g., Checkpoint). Unfortunately, the article is not available on the Web.
I shouldn't be surprised that the general response has been to tell me (personally) why things have to be the way they are. I've even been told both why there are three compasses and also that there are only two. Of course I know there are very good reasons for the current approaches. But where is the outrage and dissatisfaction with such a cumbersome and limited approach to building and, more important, evolving systems? Implicit in many of the responses is a naive notion that system boundaries are well-defined. It's as if I was back listening to ATT in the 70's explaining why it civilization would end if I were allowed to plug my telephone into the phone network! (Yes, really!) There are those of us who, in the 70's took the toys such as the Apple ][, and made them the tools choice for trillion dollar calculations such as the national budget. From the thread about sextants, the Navy is discovering that the retail marketplace has become the driver. (Are there sextants in the cockpits?) As to the complaints about the limitations of GPS (of which I and the pilots are well aware), why is there no incentive to address them? Perhaps adding level indicators and reasonableness checking? They already have batteries. One can evolve "toys" much more quickly than "commercial" equipment as long as the linkage with the other systems is arms-length and there is sufficient mutual suspicion. It would be great to have the position data available on the in-plane IP network. Not only would one be able to add equipment (such as terrain maps) without recertifying the plane, it would allow passengers to use their PCs to enrich the view from the window. I'm not sure how to respond to the safety issue. While I do wear my seat belts during the entire flight it's a non sequitur. Of course I understand the difference between safety and reliability but it is more than a simple matter of retreating into semantics and formalisms. Safety is not absolute "freedom from accidents or losses". So I'll fan the flames by asking why flying is safer than driving? The reason is that the marketplace does demand it. Plane crashes are much worse PR per capita than car crashes. So we spare no expense to make planes not crash. Those who can't afford it risk their lives driving (see the 27 May 1998 NY Times business section). Have we simply shifted the risk? Only respond if you are dissatisfied with business as usual. Post no rationalizations. Bob Frankston http://www.mit.edu/~bobf
Subsequent to the Galaxy IV outage there have been a number of events of interest, including the one noted below. The defenders of complex technology often point to user's failure to provide adequate backup systems to handle outages. This sort of nonsensical approach actually blames the consumers of technology for dependence on it -- conveniently ignoring the many incentives to abandon the old ways of doing things in order to reap the benefits of the new technology. New systems are typically so expensive that they make sense only if they replace their predecessors. But the outage described below makes it clear that even substantial efforts to provide backups may fail. Systems that are large and complex are especially difficult to backup effectively. Their shear size and connectedness makes immediate, automatic, uninterrupted use of backups difficult or impossible. This is true for power systems, most obviously, but also for computer devices and communications systems. Often backups don't work or simply provide such limited service in comparison to the original that the system collapses. It is particularly interesting that backup systems end up having complexity on the scale of the systems they back up. This poses its own problems, as the backup systems themselves become susceptible to the same sorts of failure that dog the primary systems. Indeed, this particular failure mode was unforeseen and involved the connection between the primary and the backup system -- making both unusable. Of particular note in the episode described below is the public relations effort that ends up claiming that nothing of substance happened. The claim that "There was no one hurt and no one in jeopardy." Such a claim is, of course, nonsense. The jeopardy was immense and the fact that no one died in a way directly attributable to the outage is not evidence that there was no hazard. This ability to recast failure as a neutral event without significance is remarkable, especially in light of organizational willingness to look for "human error" in practitioners as the source of catastrophic failure. It is also interesting that this episode demonstrates the powerful adaptive abilities of people in the face of brittle, unwieldy technological failure. People were the key to recovery. The fact that the event described took place at a time when weather conditions were good, when other hospitals were available to take patients, and when the phone system worked was both fortuitous and essential. One can easily imagine other circumstances that would have made recovery much more difficult. rec'd from Redrose@aa.net: >Here in Washington State, the power went out in Renton and when their >back-up system didn't come back up they evacuated the whole Valley Medical >Center to 8 other hospitals and finished some surgery by flashlight. >[See the *Seattle Times*, 29 Apr 1998 and 1 May 1998, abstracted for RISKS.]
An as-yet unmentioned Galaxy IV problem: this ABC news article http://www.abcnews.com/sections/tech/DailyNews/satellite980519.html notes Galaxy IV was a single point of failure for a system and its "backup": "When our [radio] feed went down, we paged the manager of our 24-hour classical music program, but he of course never got it." Frederick Roeber
With the recent hoopla surrounding the Galaxy IV "crisis", all of the local TV stations in the Research Triangle area of NC were lamenting their loss of weather data, which was apparently distributed via this satellite. As with many TV markets, the weather forecast is THE item driving the ratings wars for the evening news time slot. During a newscast about Galaxy IV et al, one of the local stations happened to mention that the provider for the data was actually located about 100 meters from the TV station, however, they were still re-aiming their dish to pick up a feed from another bird, yielding a 34K-mile roundtrip to travel an effective 100 meters... You'd think they could've just dragged a cable over there... :-) Steve Holzworth, Senior Systems Developer, SAS Institute - Open Systems R&D VMS/MAC/UNIX Cary, N.C. firstname.lastname@example.org
>In the meantime, the US Naval Academy has announced that middies will no >longer have to learn to navigate by sextant [...] Or, perhaps, faith in the INS and Sundry Other navaids available. I believe there are still backup satnavs, independent of GPS... Dave Pierson, Digital Equipment Corporation, 334 South St, Shrewsbury, Mass USA email@example.com
As borne out by subsequent research, and having been pointed out to me by a great many people, PanAmSat *does*, in fact, own the Galaxy IV satellite. They, in turn, are owned by Hughes, who is owned by GM Dave Weingart, AccuStaff Inc. firstname.lastname@example.org phone: 516-682-1470
Sounds to me as if it won't be long until the US no longer is a viable naval power. ;-) Security and Windows NT Server are most definitely inverse concepts. At least it is more secure than it is reliable. One of the worst things that Microsoft does is networking. Of course the only thing they do well is marketing. Ray Todd Stevens, Senior Consultant, Stevens Services R.R. # 14 Box 1400, Bedford, IN 47421, (812) 279-9394 Raytodd@tima.com
Chiaki Ishikawa wrote: > I shudder to think that Win95 is used to control > real-time embedded systems and such... Actually Microsoft is making a big push for Windows CE in embedded systems and it's only a matter of time before it appears in some military systems. When you consider that Microsoft development systems for Windows CE are a lot cheaper than the competition and there are a lot of programmers out there that already know Visual C++, I wouldn't be surprised if Microsoft owns a big chunk of the RTOS market in short order.
"Protecting Critical Infrastructures and Critical Applications" Wyndham Safari Resort, Orlando, Florida USA, 28-30 October 1998 Organized by CERT* Coordination Center, Software Engineering Institute Sponsored by the IEEE Computer Society Program Chair: John C. Knight, University of Virginia General Chair: Howard F. Lipson, Software Engineering Institute Information survivability (IS) has become a new area of concern for many industrial and government organizations, and is an active area of interest to those in the research community. IS is more than security, more than safety, and more than fault tolerance. It is a combination of quality attributes that assures that even if significant portions of a system are damaged by an attack, accident, or failure, the mission of the network, software, or service will continue. The systems that are the primary focus of concern are highly distributed, networked systems that support critical infrastructures and critical applications. At the first Information Survivability Workshop (ISW'97), some of the fundamental issues associated with IS were clarified and several research areas that have the potential to make significant contributions to this field of study were identified. The second Information Survivability Workshop (ISW'98) will focus on the domain-specific survivability requirements and characteristics of up to four different critical infrastructure and critical application areas (e.g., banking, transportation, electric power, and telecommunications). The primary goal of the workshop is to foster cooperation and collaboration between domain experts and the survivability research community to improve the survivability of critical, real-world systems. Another important goal is to continue to identify and highlight new survivability research ideas that can contribute to the protection of critical infrastructures and critical applications. [4-page-max position papers due electronically by 15 Jul 1998. Contact John Knight for details.] For further information: Please send any questions or comments about the workshop to "email@example.com". Additional information will be posted periodically in the workshop home page: http://www.cert.org/research/isw98.html John C. Knight, Dept of Computer Science, Univ. of Virginia, Thornton Hall, Charlottesville, VA 22903, 1-804-982-2216 firstname.lastname@example.org FAX 804-982-2214
Please report problems with the web pages to the maintainer