The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 77

Saturday 30 May 1998

Contents

o German phone cards cracked
Erling Kristiansen
o Berlin trains: when all Hell breaks loose...
Debora Weber-Wulff
o Social Engineering 101: ACLU website wiped
Mich Kabay
o Millions of small firms at Y2K risk
Doneel Edelson
o "Unfixable" error in InterNIC database
Douglas Moran
o CompuServe manager sentenced on probation
Klaus Brunnstein
o CzERT group of hackers ravage Czech & Slovak cyberspace
Steven Slatem
o Information Warfare in Israel
Epstein Family
o Re: Review of RISKS comments on Frankston
Bob Frankston
o Backups; hospital power outage in Washington
Richard Cook
o Galaxy IV: multiple system single point of failure
Frederick Roeber
o Galaxy IV: Going around your elbow
Steve Holzworth
o Navigation and Accuracy
Dave Pierson
o PanAmSat correction to correction
Dave Weingart
o Re: Navy turns to off-the-shelf PCs to power ships
Ray Todd Stevens
Joel Upchurch
o Information Survivability Workshop 1998 Call for Participation
John Knight
o Info on RISKS (comp.risks)

German phone cards cracked

Kristiansen <ekristia@xs4all.nl>
Mon, 25 May 1998 21:15:39 +0200 (CEST)
According to the Dutch press, a group of Dutch fraudsters has broken the
security of German prepaid phone cards, allowing them to recharge spent
cards. They buy spent cards from collectors (these cards are popular
collector's items) for a few cents, recharge them and sell them at a reduced
price.  Allegedly, the losses so far amount to some 60 million DM (30 M$),
meaning a few million cards have been forged!

The article did not give any details about the nature of the crypto or the
attack method used.

Does anybody have more details?

Erling Kristiansen


Berlin trains: when all Hell breaks loose...

Debora Weber-Wulff <weberwu@tfh-berlin.de>
Tue, 26 May 1998 10:54:05 +0200
... it can only be with the help of a computer.

RISKS readers will remember the the new automated switch in Hamburg that
caused days of chaos a while back (the problem was a stack overflow in a
real-time system :-(), as well as the new automated switch causing problems
in Wannsee and then again the new automated switch for the city train
(S-Bahn) in Berlin. All made by the same company. Sunday the German Bahn
introduced its new automated switching system at the newly renovated train
depot Berlin-Rummelsberg and the new automated switching system in
Ostbahnhof (which was renamed on the same day from Hauptbahnhof, let's just
do all the changing on the same day...). Nothing new under the sun:

The plan to run 360 trains a day over the new connection through Berlin
(which used to be divided into an East and a West) failed miserably on the
first two days of operation. A train is to be switched through the area
approx. every 10 minutes. Just a few hours after the operations began, there
were delays of 1-2 hours for trains *originating* in Berlin. As the crowds
gathered on the platforms, the new customer information system crashed. The
information boards went blank, the railroad personnel had no information
whatsoever what train was expected when or where. Some engineers, in
addition, forgot that they were not to go to Lichtenberg anymore but to the
new Ostbahnhof, and managed to get their trains to Lichtenberg (how on earth
can that happen?!)

Trains had 3-4 hours delays by mid-afternoon, many trains where just
cancelled in the hopes of easing things, to no avail. Since there was no
information, many travelers (after waiting for hours) missed their
trains. The newspaper has descriptions of old ladies, a school group of
children, business people and such that were disgusted and angry at the
whole thing.

Even when they managed to coax the information system to display
"J\"uterborg" on the board, the train that was on the tracks showed
a terminus much earlier. Seems the train boards couldn't handle
names with umlauts or blanks, such as "Bad Libenwerda".

The press is having a field day, there was even a report in the
"Tagespiegel" today with technical information: The switching
system ist Simis-C, Sicheres Mikrocomputersystem von Siemens,
Generation C (secure microcomputer system from Siemens), which is
to control 140 signals, 234 new signals, 279 switches (265+14?) and
398 axle counting stations. The system was accepted by the Bahn from
Siemens without any problems being noted, they practiced with the
system for a week and trained the engineers by showing them videos.
Train spotters noticed lots of 3-person crews, meaning that there
must still be a lot of engineers out there that have no idea where they
are....

Monday was just as bad, 30 trains were cancelled outright to try and
ease the situation. The Bahn insists
(http://www.bahn.de/konzern/news/pm80525.htm) that it is not computer
problems that they are having, and apologizes for "any inconveniences".
They offer a trip on the S-Bahn over the new tracks for "only 2 DM"
"sometime in the future" as little present. And maybe they will
pay hotel costs and taxis for the folks trapped in Berlin.

If this was not enough, a gas explosion interrupted the North-South
trains yesterday as well. We hope they get the trains sorted out
sometime before Jan 1, 2000... Me? I'm driving my car this weekend!

Prof. Dr. Debora Weber-Wulff, Technische Fachhochschule Berlin, FB Informatik,
13353 Berlin, Germany weberwu@tfh-berlin.de  http://www.tfh-berlin.de/~weberwu/


Social Engineering 101: ACLU website wiped

Mich Kabay <Mich_Kabay@compuserve.com>
Sat, 30 May 1998 02:53:55 -0400
> AOL Boosts Security After ACLU Site Hacked, By Craig Menefee,
> 29 May 1998, from Newsbytes via PointCast:

> A vandal who hacked the American Civil Liberties Union (ACLU) site at
> America Online [NYSE:AOL] has caused the giant online service to change
> procedures to make customer passwords more secure.

Key points from the article:

* Criminal hacker harassed AOL support staff by repeatedly phoning to demand
  a new password for ACLU Webmaster's account.
* There are 6,000 AOL tech support staffers.
* Eventually happened upon an AOL staffer who assigned and divulged the new
  password.
* ACLU site wiped out.
* Hacker called AOL to boast about his achievement.
* AOL staff member fired.
* Procedures now require such demands to be routed to a small group of
  better-trained customer reps.

M. E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education, International
Computer Security Association (Carlisle, PA) <http://www.icsa.net>


Millions of small firms at Y2K risk

"Edelson, Doneel" <doneeledelson@aciins.com>
Wed, 27 May 1998 11:41:27 -0500
A new Wells Fargo bank study found that almost 5 million small businesses
are at risk from the Y2K problem.  Three-fourths of those have not yet taken
any action, and half have no plans to do so before Y2K.  [Business Wire, 27
May 1998, PGN Very Stark Abstracting.  Although probably intended primarily
for media folks, a summary copy of Small Business and the Year 2000 Problem
can apparently be obtained by calling the media relations department of
Wells Fargo Bank at 415/396-3606, or NFIB Education Foundation, Denny
Dennis, 202/554-9000]


"Unfixable" error in InterNIC database

Douglas Moran <moran@ai.sri.com>
Fri, 29 May 1998 14:27:47 -0700
Anecdote: classic database problems with the most visible single database
on the Internet: the InterNIC Whois database (of domain names and contacts).

A friend of mine has a small business that creates and manages web sites
for various local small businesses.  Hence, she has her own domain name
and is proxy for several others.  Very common.

Suddenly, she started getting calls, e-mail, and US Mail from various
suppliers of materials for "adult entertainment" web sites.  She was
perplexed (major understatement) until one of the callers mentioned
a domain name that was an obvious "adult entertainment" site.

I found that she was listed in the InterNIC database as the site's Billing
Contact.  A little further sleuthing revealed that the owners of this site
also had a site whose name differed from her (innocuous) primary domain name
by a single character.  OK, probably a data entry problem, not someone
trying to get their domain registration bills paid by someone else.

Now things get interesting.  The InterNIC authorization/validation scheme
allowed her to remove herself as Billing Contact (since she was *listed* as
an authorized contact), but does not allow her to remove the association
between the domain name and her company's name and address: there are
different procedures for the two types of changes.  So since she is not
actually the owner of the domain name, she cannot get herself unlisted as
the owner of the domain name through the normal procedures.  She spent weeks
trying to get around the automatic replies that tell her she is not
authorized to submit this request.  The person who built the website was
similarly unsuccessful in getting InterNIC to fix the problem, for similar
reasons.  The official owners of the site have been unresponsive, at least
in this area.

Finally, she had an inspiration.  The reason that she couldn't change the
name attached to the site was that it was a two part operation: removing her
name and assigning someone else's, and it was the second operation that she
was not authorized to perform (legitimately).  However, what was to keep her
from simply de-registering the site?  She tried it, it worked, and that
fixed the problem (at least from her perspective).


CompuServe manager sentenced on probation

Klaus Brunnstein <brunnstein@informatik.uni-hamburg.de>
Fri, 29 May 1998 10:41:13 +0200
A lower Bavarian court sentenced a former top manager of CompuServe Germany
to 2 years in prison for having made available hard pornography via Internet
to German CompuServe customers. While this sentence is on probation for 2
years, the manager was charged to pay 100,000 DM to some beneficial social
institution.

This sentence seems to be rather hard, as both the manager`s attorney and
the state attorney had finally pleaded "not guilty" following expertises
which argued that the manager had hardly any possibility to filter
pornographic although making pornography available is a criminal act
according to German penal code. Both the manager`s attorney and the state
attorney said that they think of requesting a revision in a second trial.

Comments in media regard this court decision as "hindering economic
development of Internet in Germany". While this is not unlikely, one must
also observe that it may be regarded unethical when a technical development
enforces legal changes against the common consent of some society concerning
protection of its elementary values. In Germany and other European countries
(esp. with recent experiences in children abuse which were often related to
activities in distributing pornography with children), pornography is still
a major offence against inherited value systems, and many people don't see
why a technical development should enforce related changes of their value
and legal systems. Even when such changes seem unavoidable in the long
range, mastering risks of such developments would need some education.

Concerning technical filtering, the consent of both attorney`s that content
filtering is technically impossible may be true for CompuServe in its actual
stage of development, but such a statement is not generally justified, and
related expertises may not reflect the actual knowledge. The author admits
that "content filtering" is a hot issue where Free Flow of Information seems
to be regarded as value with absolute priority.

Klaus Brunnstein (30 May 1998)


CzERT group of hackers ravage Czech & Slovak cyberspace

Steven Slatem <steven.slatem@intellitech-media.cz>
Tue, 26 May 1998 21:25:10 +0200
I don't know if a country on earth exists whose high profile Web sites have
been repeatedly hacked for over two years with the perpetrators still on the
loose as in the Czech Republic (Czechia) and Slovak Republic (Slovakia). As
reported by IntelliTech Media's Networked Business & Information Security
News (NBISN), http://www.intellitech-media.cz/sa/nbisn, on 18May1998, the
CzERT group of Czech and Slovak hackers continue to ravage the net, claiming
over 200 hacked Web sites (CzERT is pronounced "chairt" which sounds like
the Czech word "Cert" which means "devil" or "demon"). 36 of these hacks (23
in Czechia, 13 in Slovakia, total of 28 sites hacked with 7 sites
twice-repeatedly hacked and one site thrice-repeatedly hacked) are archived
at http://www.intellitech-media.cz/sa/cee-hack-archive and include hacks of
the Czech Army, a bank, a Web chat site (hackers posted list of alleged
software pirates), a search engine site, a magazine for police, ISPs (little
animated e-man sauntered across the screen and pissed on the ISP's logo), a
couple of daily news sites, a press agency (delivered their own news story),
a computer magazine site, UNICEF's site, software vendors' sites, schools,
various ministries and more. Some of the latest hacks have boldly taunted
the Police captain who is solely responsible for catching the hackers. The
latest hack, 16May1998, featured a picture purported to be that of the
police captain... it was indeed the picture of a pleasant and compassionate
looking "sea captain" kind of a guy featured on packages of "Captain Igloo"
frozen fish sticks.

NBISN's 4,775 word story "CzERT lives on," presents plenty of views into
the CzERT members' cyber-personalities and clues as to their identities...
but they remain on the loose and boldly claim to have done a hell of a lot
more than just hack a few publicly visible Web sites. Perhaps the risk of
most interest to foreigners is in doing business in countries like Czechia
and Slovakia where there is plenty of money being spent and made on
computing, networking and communications hardware and software but far too
little money available for crime-fighters. One view is that the USA and
other countries are, in essence, blindly putting technology into the hands
of criminals.

A police major in the capital city of Prague with almost 15 years of
service makes only about US$ 500 per month and the police are way behind,
for the most part, when it comes to technology. Most police I have
interviewed who do have PCs are using 386- or 486-based machines and police
Internet connectivity is very scarce. Many IT companies, whether US,
Canadian, West European, Asian or whatever, come here to make lots of money
but totally ignore developments in crime and law-enforcement. Perhaps it's
about time that they all pitched in and made a big donation to help bring
crime-fighters up to speed.

Steven Slatem, Editor-In-Chief, Networked Business & Information Security
News (NBISN), IntelliTech Media, Inc.  http://www.intellitech-media.cz


Information Warfare in Israel

Epstein Family <jepstein@mail.mnsinc.com>
Wed, 27 May 1998 03:26:09 -0400
The cover story on this week's "Jerusalem Report"
http://www.jreport.virtual.co.il/ (a bi-weekly magazine covering news from
Israel) is titled "www.terror: Can Enemy Hackers Cripple Israel".  The
material is familiar to practitioners in the security field, including
potential threats to infrastructure such as telecommunications, military
systems, power grids, etc.  There's a brief analysis of Israel's neighbors
to wage information warfare against it.

Perhaps the most interesting part of the article to me was what wasn't
there: quotes from well known academics or big-time Israeli security
companies (e.g., Checkpoint).

Unfortunately, the article is not available on the Web.


Re: Review of RISKS comments on Frankston (RISKS-19.73)

<Bob_Frankston@frankston.com>
Thu, 28 May 1998 01:39 -0400
I shouldn't be surprised that the general response has been to tell me
(personally) why things have to be the way they are. I've even been told both
why there are three compasses and also that there are only two.

Of course I know there are very good reasons for the current approaches. But
where is the outrage and dissatisfaction with such a cumbersome and limited
approach to building and, more important, evolving systems? Implicit in many
of the responses is a naive notion that system boundaries are well-defined.

It's as if I was back listening to ATT in the 70's explaining why it
civilization would end if I were allowed to plug my telephone into the phone
network! (Yes, really!)

There are those of us who, in the 70's took the toys such as the Apple ][,
and made them the tools choice for trillion dollar calculations such as the
national budget. From the thread about sextants, the Navy is discovering
that the retail marketplace has become the driver. (Are there sextants in
the cockpits?)

As to the complaints about the limitations of GPS (of which I and the pilots
are well aware), why is there no incentive to address them? Perhaps adding
level indicators and reasonableness checking? They already have
batteries. One can evolve "toys" much more quickly than "commercial"
equipment as long as the linkage with the other systems is arms-length and
there is sufficient mutual suspicion.

It would be great to have the position data available on the in-plane IP
network. Not only would one be able to add equipment (such as terrain maps)
without recertifying the plane, it would allow passengers to use their PCs
to enrich the view from the window.

I'm not sure how to respond to the safety issue. While I do wear my seat
belts during the entire flight it's a non sequitur. Of course I understand
the difference between safety and reliability but it is more than a simple
matter of retreating into semantics and formalisms. Safety is not absolute
"freedom from accidents or losses".

So I'll fan the flames by asking why flying is safer than driving? The
reason is that the marketplace does demand it. Plane crashes are much worse
PR per capita than car crashes.  So we spare no expense to make planes not
crash.  Those who can't afford it risk their lives driving (see the 27 May
1998 NY Times business section). Have we simply shifted the risk?

Only respond if you are dissatisfied with business as usual. Post no
rationalizations.

Bob Frankston  http://www.mit.edu/~bobf


Backups; hospital power outage in Washington

Richard Cook <ri-cook@uchicago.edu>
Wed, 27 May 1998 06:56:46 -0500
Subsequent to the Galaxy IV outage there have been a number of events of
interest, including the one noted below.

The defenders of complex technology often point to user's failure to provide
adequate backup systems to handle outages. This sort of nonsensical approach
actually blames the consumers of technology for dependence on it --
conveniently ignoring the many incentives to abandon the old ways of doing
things in order to reap the benefits of the new technology. New systems are
typically so expensive that they make sense only if they replace their
predecessors.

But the outage described below makes it clear that even substantial efforts
to provide backups may fail. Systems that are large and complex are
especially difficult to backup effectively. Their shear size and
connectedness makes immediate, automatic, uninterrupted use of backups
difficult or impossible. This is true for power systems, most obviously, but
also for computer devices and communications systems. Often backups don't
work or simply provide such limited service in comparison to the original
that the system collapses.

It is particularly interesting that backup systems end up having complexity
on the scale of the systems they back up. This poses its own problems, as
the backup systems themselves become susceptible to the same sorts of
failure that dog the primary systems. Indeed, this particular failure mode
was unforeseen and involved the connection between the primary and the
backup system -- making both unusable.

Of particular note in the episode described below is the public relations
effort that ends up claiming that nothing of substance happened. The claim
that "There was no one hurt and no one in jeopardy." Such a claim is, of
course, nonsense. The jeopardy was immense and the fact that no one died in
a way directly attributable to the outage is not evidence that there was no
hazard. This ability to recast failure as a neutral event without
significance is remarkable, especially in light of organizational
willingness to look for "human error" in practitioners as the source of
catastrophic failure.

It is also interesting that this episode demonstrates the powerful adaptive
abilities of people in the face of brittle, unwieldy technological
failure. People were the key to recovery. The fact that the event described
took place at a time when weather conditions were good, when other hospitals
were available to take patients, and when the phone system worked was both
fortuitous and essential. One can easily imagine other circumstances that
would have made recovery much more difficult.

rec'd from Redrose@aa.net:
>Here in Washington State, the power went out in Renton and when their
>back-up system didn't come back up they evacuated the whole Valley Medical
>Center to 8 other hospitals and finished some surgery by flashlight.
>[See the *Seattle Times*, 29 Apr 1998 and 1 May 1998, abstracted for RISKS.]


Galaxy IV: multiple system single point of failure

<Frederick Roeber>
Tue, 26 May 1998 15:09:55 -0700
An as-yet unmentioned Galaxy IV problem: this ABC news article
http://www.abcnews.com/sections/tech/DailyNews/satellite980519.html
notes Galaxy IV was a single point of failure for a system and its "backup":

  "When our [radio] feed went down, we paged the manager of our
  24-hour classical music program, but he of course never got it."

Frederick Roeber


Galaxy IV: Going around your elbow

Steve Holzworth <sch@unx.sas.com>
Tue, 26 May 1998 22:35:22 -0400
With the recent hoopla surrounding the Galaxy IV "crisis", all of the local
TV stations in the Research Triangle area of NC were lamenting their loss of
weather data, which was apparently distributed via this satellite.  As with
many TV markets, the weather forecast is THE item driving the ratings wars
for the evening news time slot.

During a newscast about Galaxy IV et al, one of the local stations happened
to mention that the provider for the data was actually located about 100
meters from the TV station, however, they were still re-aiming their dish to
pick up a feed from another bird, yielding a 34K-mile roundtrip to travel an
effective 100 meters...

You'd think they could've just dragged a cable over there... :-)

Steve Holzworth, Senior Systems Developer, SAS Institute - Open Systems R&D
VMS/MAC/UNIX  Cary, N.C.  sch@unx.sas.com


Navigation and Accuracy

<pierson@gone.ENET.dec.com>
Fri, 29 May 98 12:37:01 EDT
>In the meantime, the US Naval Academy has announced that middies will no
>longer have to learn to navigate by sextant [...]

Or, perhaps, faith in the INS and Sundry Other navaids available.
I believe there are still backup satnavs, independent of GPS...

Dave Pierson, Digital Equipment Corporation, 334 South St, Shrewsbury, Mass
USA  pierson@gone.enet.dec.com


PanAmSat correction to correction

Dave Weingart <dweingart@chi.com>
Wed, 27 May 1998 09:08:24 -0400
As borne out by subsequent research, and having been pointed out to me by a
great many people, PanAmSat *does*, in fact, own the Galaxy IV satellite.
They, in turn, are owned by Hughes, who is owned by GM

Dave Weingart, AccuStaff Inc.  dweingart@chi.com  phone: 516-682-1470


Re: Navy turns to off-the-shelf PCs to power ships (RISKS-19.76)

"Ray Todd Stevens" <raytodd@tima.com>
Mon, 25 May 1998 14:01:20 +0000
Sounds to me as if it won't be long until the US no longer is a viable naval
power. ;-) Security and Windows NT Server are most definitely inverse
concepts.  At least it is more secure than it is reliable.  One of the worst
things that Microsoft does is networking.  Of course the only thing they do
well is marketing.

Ray Todd Stevens, Senior Consultant, Stevens Services
R.R. # 14 Box 1400, Bedford, IN 47421, (812) 279-9394  Raytodd@tima.com


Re: Navy turns to off-the-shelf PCs to power ships (RISKS-19.76)

Joel Upchurch <upchurch@bellsouth.net>
Sat, 30 May 1998 17:48:25 GMT
Chiaki Ishikawa wrote:

> I shudder to think that Win95 is used to control
> real-time embedded systems and such...

Actually Microsoft is making a big push for Windows CE in embedded systems
and it's only a matter of time before it appears in some military
systems. When you consider that Microsoft development systems for Windows CE
are a lot cheaper than the competition and there are a lot of programmers
out there that already know Visual C++, I wouldn't be surprised if Microsoft
owns a big chunk of the RTOS market in short order.


Information Survivability Workshop 1998 Call for Participation

John Knight <jck@cs.virginia.edu>
Thu, 28 May 1998 17:52:26 -0400 (EDT)
    "Protecting Critical Infrastructures and Critical Applications"
    Wyndham Safari Resort, Orlando, Florida USA, 28-30 October 1998
 Organized by CERT* Coordination Center, Software Engineering Institute
               Sponsored by the IEEE Computer Society

        Program Chair: John C. Knight, University of Virginia
    General Chair: Howard F. Lipson, Software Engineering Institute

Information survivability (IS) has become a new area of concern for many
industrial and government organizations, and is an active area of interest
to those in the research community. IS is more than security, more than
safety, and more than fault tolerance. It is a combination of quality
attributes that assures that even if significant portions of a system are
damaged by an attack, accident, or failure, the mission of the network,
software, or service will continue. The systems that are the primary focus
of concern are highly distributed, networked systems that support critical
infrastructures and critical applications.

At the first Information Survivability Workshop (ISW'97), some of the
fundamental issues associated with IS were clarified and several research
areas that have the potential to make significant contributions to this
field of study were identified. The second Information Survivability
Workshop (ISW'98) will focus on the domain-specific survivability
requirements and characteristics of up to four different critical
infrastructure and critical application areas (e.g., banking,
transportation, electric power, and telecommunications). The primary goal of
the workshop is to foster cooperation and collaboration between domain
experts and the survivability research community to improve the
survivability of critical, real-world systems. Another important goal is to
continue to identify and highlight new survivability research ideas that can
contribute to the protection of critical infrastructures and critical
applications.

[4-page-max position papers due electronically by 15 Jul 1998.  Contact John
Knight for details.]  For further information: Please send any questions or
comments about the workshop to "isw-98@cert.org".  Additional information
will be posted periodically in the workshop home page:
                http://www.cert.org/research/isw98.html

John C. Knight, Dept of Computer Science, Univ. of Virginia, Thornton Hall,
Charlottesville, VA 22903, 1-804-982-2216 knight@virginia.edu FAX 804-982-2214

Please report problems with the web pages to the maintainer

Top