The RISKS Digest
Volume 20 Issue 30

Friday, 16th April 1999

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Fake web page causes 20% stock surge and then retreat
Avi Rubin
Glitch causes 4 billion euro overdraft
Monty Solomon
Raytheon probes e-mail moles
Keith A Rhodes
Security is still a human problem
Jeremy Epstein
Y10K: not just for April Fools
Tom Swiss
The Risk of 1 Apr
David Frank
RISKS April Foolery, Melissa, security, and frequencies of RISKS
GPS setup error affects dredging in California
W.T. Shymanski
Potential RADHAZ
Paul Walczak
Space character in number causes silent Excel miscalculation
Ben Bederson
Security Hole in Java 2
Gary McGraw
Re: Vancouver Hospital
Doneel Edelson
Microsoft reschedules Memorial Day
Benjamin B. Bederson
Risk of not backing up PGP Key Ring files
Herman D. Knoble
Responses to Melissa
Chuck Karish
Risks of "Melissa passed this way"
Charles Arthur
Melissa and poor security model of Word Macros
Scott M Keir
Mainframe virus
Henry Schaffer
Millennialism in the Western Hemisphere
Richard Landes
Info on RISKS (comp.risks)

Fake web page causes 20% stock surge and then retreat

Avi Rubin <>
Thu, 8 Apr 1999 19:38:42 GMT
There is a story in *The New York Times* 8 Apr 1999 about a web spoof that
cost people serious money.  Apparently, somebody set up a Web page that
looked exactly like a commercial financial Web site.  The claim was made
that PairGain Technologies (PAIR) was set for a takeover.  On this
speculation, the price shot up 20% the same day.  Once the hoax was proven,
the stock came back down, but presumably not all the people who bought high
got out on time.

While such an event is unfortunate, there is a taste of "I told you so" to
see that one of the dangers we've been preaching about for so long actually
caused loss of revenue.  I believe this is the first of many such swindles
to come.

Avi Rubin

  [Also noted by Jim Reisert.  A PairGain employee, Gary Dale Hoke, was
  subsequently arrested at home in Raleigh NC, despite ``an effort to
  access the Internet anonymously'', according to the *San Francisco
  Chronicle*, B1, 16 Apr 1999.  PGN]

Glitch causes 4 billion euro overdraft

Monty Solomon <>
Tue, 13 Apr 1999 01:16:57 -0400
Glitch causes 4 billion euro overdraft (IDG, 12 Apr 1999)
by Mary Lisbeth D'Amico

Although the January switch to the single European currency was smooth at
most European banks, a prominent German discount bank and its customers this
week were acutely aware that not all possible euro-caused glitches have been
found.  Customers of Bank 24, a discount bank owned by Deutsche Bank AG,
were astonished [on 6 Apr 1999?] to find that their securities accounts
appeared to be overdrawn to the tune of 4 billion euro ($4.32 billion). An
oversight connected to the change to the euro was responsible for the error,
affecting 55,000 customers.

Raytheon probes e-mail moles

"Keith A Rhodes" <>
Mon, 05 Apr 1999 15:35:31 -0500
Yahoo! subpoenaed to identify messagers; Raytheon execs resign

At least two Raytheon employees have resigned in the wake of proprietary
messages appearing on Yahoo message boards.  Raytheon is accusing 21
employees, and has subpoenaed Yahoo! to identify the senders of
anonymous e-mail.  [Source: CNNfn, 5 Apr 1999, PGN-ed]

Security is still a human problem

"Epstein, Jeremy" <>
Mon, 12 Apr 1999 14:32:47 -0700
Just in case you thought that security problems were solved by computers,
we're reminded yet again that it all comes down to trusted people doing the
right thing.  I wonder if John Deutch got a copy of the Melissa virus,
potentially sending classified files to his closest friends?

  A routine check of former CIA Director John Deutch's home turned up
  31 files classified secret on his personal computer after he had
  stepped down and was retained as a consultant.  No prosecution is
  planned, because the violations were not deemed criminal.  [PGN-ed
  from various sources, mostly Associated Press, 11 Apr 1999]

Y10K: not just for April Fools

Tom Swiss <>
Sat, 3 Apr 1999 21:09:06 -0500
So maybe I'm an April Fool, but it seems to me that the Y10K issue is worth
a little serious thought.

There are areas of human endeavor in which 8000 years is not an extreme time
span. At present, we deal with these long time spans only in modeling things
like geological and cosmological events. But it is not unreasonable that
within the next century, we may begin to build very high technology systems
with mission durations of thousands of years - for example, a system to
contain radioactive wastes, or a probe to another star system.

Y2K issues have raised our consciousness about timer overflows, but it's
quite possible that this may fade in succeeding generations. There's no
reason not to start setting standards now.

     Perhaps all time counters should be bignums?

== Tom Swiss/ ==

The Risk of 1 Apr (Re: Computer crash creates nonpersons in Zurich)

"David Frank" <>
Wed, 07 Apr 1999 23:12:00 +0200
I'm hardly the first to point this out, but there is a certain risk in
a) abstracting too much and
b) doing this on 2 April and
c) doing it with articles on such risk-worthy topics   ;-)

Why? This story makes perfect sense to any Risk-Reader but it's an April
Fool's joke. (I myself expected them, but this one is hardly detectable.)
The *Tages-Anzeiger* story goes on telling people to go to the townhall and
register themselves to avoid losing their citizenship.

Anyway: you should have backup tapes!

David Frank, Dietlikonerstr. 14, CH-8304 Wallisellen, Switzerland
+41 (0)1 830 6506,

  [Unfortunately, not all of the 1 Apr material is on hand in time.]

RISKS April Foolery, Melissa, security, and frequencies of RISKS

"Peter G. Neumann" <>
Fri, 16 Apr 1999 10:16:08 PST
Regarding the plethora of foolacious items in RISKS-20.26-29, RISKS has a
general policy of NOT explicitly identifying foolish material around 1 Apr
each year.  You are all on your own, and expected to read discriminatingly.
Besides, sometimes the most ridiculous sounding risks are quite real.

I received a few pieces of e-mail questioning the validity of one particular
item or another, which suggests to me that some of you must have taken many
of the other items as genuine!  This is somewhat surprising, but will not
alter our policy in future years.  An unexpected exception to this policy
was Lauren Weinstein's Inside Risks column on the risks of teleportation in
the April 1999 issue of the Communications of the ACM.  Although neither he
nor I wanted any explicit April Foolish disclaimers on the column, our CACM
editor decided to add an explicit warning — perhaps fearing that some of
you were ready to try this technology anyway.  For those of you who are not
CACM subscribers, Lauren's column is on my Web site, Start with and click on "Inside Risks".

Also on my Web site ( is my
testimony for yesterday's hearing of the House Science Committee
subcommittee on technology, in which I consider Melissa as the tip of a very
large iceberg — the abysmal state of computer and communication security.
My testimony, plus that of Keith Rhodes and others, will also be at — click on committee hearings,
then subcommittees, and find the 15 Apr hearing, supposedly by the end of
the House working day EDT.

Incidentally, newer readers sometimes ask why RISKS comes out so
irregularly.  The answer of course is that I run it in odd moments, whenever
I can.  If you ever think you missed an issue or think that your
subscription might have been dropped, please check the various RISKS Web
sites and mirrors for the latest issue.  (Even when I prune the list
militantly from previous invalid addresses, I sometimes receive as many as
300 bounces on the next issue.  I gather that USENET loses an issue now and
then as well.)

GPS setup error affects dredging in California

"W.T. Shymanski" <>
Sat, 03 Apr 1999 17:04:39 -0500
The 22 Feb 1999 "Engineering News Record" in an item titled "Dredge
spoil misplaced due to alleged GPS programming error" reports that 600,000
cubic yards of dredged spoil were dumped almost half a mile from an approved
site, off the coast of Orange County, California, due to an error in keying
in co-ordinates into a GPS receiver.

A new GPS unit had been installed on a tug, and apparently the operator
keyed in the co-ordinates in base 60 (degrees, minutes, seconds) instead of
in base 100 (degrees, minutes, decimal fraction of a minute) that the new
GPS used.  The error was detected when the crew of the tug noticed another
tug and barge dumping spoil in the approved site.

Misinterpretation of the display units of measurement is a fairly common
problem in user interface design and is probably responsible for no end of
wasted paper, misprogrammed VCRs, and in at least one case (the 767 "Gimli
Glider" incident) a serious threat to air safety.

W. T. Shymanski <>
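As an added illustration (not part of the original report), the following Python computes how far a position moves when digits meant as degrees/minutes/seconds are keyed into a receiver expecting degrees/decimal-minutes, and shows a parser that accepts a coordinate only when its notation makes the format explicit. The coordinate values are constructed; with 59 seconds the latitude offset works out to about 0.45 statute miles, the same order as the displacement in the report.

```python
import re

NM_PER_DEGREE = 60.0            # one minute of latitude is one nautical mile
STATUTE_MILES_PER_NM = 1.15078


def dms_to_decimal(deg, minutes, seconds):
    """Degrees, minutes, seconds: the 'base 60' form the operator used."""
    return deg + minutes / 60 + seconds / 3600


def ddm_to_decimal(deg, minutes):
    """Degrees and decimal minutes: the form the new receiver expected."""
    return deg + minutes / 60


def misread_dms_as_ddm(deg, minutes, seconds):
    """Value the receiver stores when D M S digits go into a D M.mm field:
    the seconds digits land after the decimal point as hundredths of a minute."""
    return ddm_to_decimal(deg, minutes + seconds / 100)


def position_error_nm(deg, minutes, seconds):
    """Latitude offset (nautical miles) between the intended DMS position
    and the one the receiver actually navigates to."""
    intended = dms_to_decimal(deg, minutes, seconds)
    stored = misread_dms_as_ddm(deg, minutes, seconds)
    return abs(intended - stored) * NM_PER_DEGREE


# Explicit notation: 33°35'30" is DMS, 33°35.30' is DDM.  Bare digit groups
# such as "33 35 30" are deliberately not accepted.
DMS_RE = re.compile(r'''^\s*(\d{1,3})°\s*(\d{1,2})'\s*(\d{1,2}(?:\.\d+)?)"\s*$''')
DDM_RE = re.compile(r'''^\s*(\d{1,3})°\s*(\d{1,2}(?:\.\d+)?)'\s*$''')


def parse_coordinate(text):
    """Return decimal degrees, raising ValueError when the format is ambiguous
    or a minutes/seconds field is out of range."""
    m = DMS_RE.match(text)
    if m:
        d, mi, s = (float(x) for x in m.groups())
        if mi >= 60 or s >= 60:
            raise ValueError(f"minutes/seconds out of range: {text!r}")
        return dms_to_decimal(d, mi, s)
    m = DDM_RE.match(text)
    if m:
        d, mi = (float(x) for x in m.groups())
        if mi >= 60:
            raise ValueError(f"minutes out of range: {text!r}")
        return ddm_to_decimal(d, mi)
    raise ValueError(f"ambiguous or malformed coordinate: {text!r}")


def is_unambiguous(text):
    """True if parse_coordinate accepts the text."""
    try:
        parse_coordinate(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed entry: 33 degrees 35 minutes, with varying seconds keyed in.
    for sec in (0, 15, 30, 45, 59):
        err_nm = position_error_nm(33, 35, sec)
        print(f"{sec:2d}\" keyed as .{sec:02d}' -> off by "
              f"{err_nm:.3f} nm ({err_nm * STATUTE_MILES_PER_NM:.2f} statute mi)")
    print(parse_coordinate('33°35\'30"'), parse_coordinate("33°35.30'"))
```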

Potential RADHAZ

Thu, 8 Apr 1999 13:42:06 -0400
[From an anonymous source]

I have worked with the PRC-138 for over 5 years now.  I was teaching some
Korean soldiers how to operate it with a wire antenna hanging out the window.
Well, this is not the most optimum antenna, and it proved not to be, by my
being able to watch smoke start curling off my finger tips while operating
the radio.  The manual on this radio states that the radio must be grounded,
and the 20 watt manpack set comes with a strap and small ground rod.  The
PRC-104 has this same problem if you build a poor antenna that the radio
cannot match to.  It probably stands the same that 125 watt systems in
vehicles need to be grounded also.

 Subject:      [SIGNET] AN/PRC-138 Potential RADHAZ

1. Testing of the AN/PRC-138 HF radio by the Canadian Military has revealed
a non-ionizing radiation hazard.

2. This message is posted to inform you and to find out if any similar
incidents have occurred with radios with US forces.  Also, if this condition
is known, what are we doing about it to prevent this hazard?

3. The Canadian PM for the 138's received reports from users in Bosnia that
electrical shocks were received from the AN/PRC-138 in a man-pack
configuration and when used as a temporary communications system in a
vehicle.  It had also been reported that electrical shocks were being
experienced by users of the 138 when installed in a vehicle mounted 125 Watt
Power amplifier system in the Canadian ILTIS (jeep-type) vehicle.

4. The investigation revealed the AN/PRC-138 radio produced electrical
shock/RF burn hazards when configured as a man-pack or installed as in the
ILTIS in the 125 Watt configuration.  A man-pack operator would feel
electrical sensations from any conductive part on the radio front-panel and
uninsulated screw on the handset during transmission.  The investigation
also revealed that the sensations were worst when humidity conditions were
dry.  In the ILTIS, the RF burn sensation was not limited to the radio
equipment but also any other uninsulated and ungrounded conductors such as a
watch bracelet.  The electrical sensations created by the contact current
could also cause a knee-jerk reaction which in itself could cause an

5. The man-pack tests utilized the radio at 20 Watts over several
frequencies with both the whip antenna, model number AT271A/PRC (NSN
5985014248333) and the dipole antenna, model 1903AD (NSN 5985013567620).  A
safe distance of 0.75 metres from the whip and 1.5 metres from the dipole
transmitting antennae was measured.  In order to eliminate any potential
confusion when antennae are exchanged, a safe distance of 1.5 metres should
be observed for both antennae.

6. Personnel requiring more information or a copy of the complete test
results should send their requests to the undersigned.

 Major RK (Kevin) Ferguson
 Canadian Forces Liaison Officer - Signals
 714 Signal Towers
 Fort Gordon, GA  30905-5680

 Phone:        Comm    (706) 791-4163
       DSN     780-4163
 Fax:  Comm    (706) 791-7829
       DSN     780-7829

Space character in number causes silent Excel miscalculation

"Ben Bederson" <>
Thu, 15 Apr 1999 17:50:14 -0400
Error of US$19,130!

I have found Microsoft Excel to be very good at mixing different data types
without having the user specify those types.  However, the fact that the
types are not specified explicitly poses a risk. I recently had a budget
submitted and approved that turned out to add up to US$19,130 over what the
grand total said it did.  The problem was that the $19,130 item was actually
listed as "19, 130".  The space character was barely distinguishable on the
screen (partially because of the use of a proportionally-spaced font and the
fact that the space was directly after a comma).  It was only when I printed
the spreadsheet later on that I noticed it (after the budget was approved).

Normally, this error stands out because Excel by default left-justifies text
and right-justifies numbers.  However, I had specifically right-justified
the column in question earlier. The issue here is that the "19, 130" was
interpreted by Excel as text rather than as a number.  Since Excel doesn't
generate warnings when adding text, but rather interprets it as 0, I had no
notification of the problem.

This is an instance of a general risk in the trade-off that often comes with
making interactive systems usable in that many mundane tasks are automated
(such as type specification), and warnings are eliminated resulting in the
user not knowing how things are interpreted.

Prof. Ben Bederson, Computer Science Department, HCIL, University of Maryland
College Park, MD 20742 1-301-405-2764

Security Hole in Java 2

Gary McGraw <>
Mon, 5 Apr 1999 08:57:43 -0400 (EDT)
Karsten Sohr <> at the University of Marburg
in Germany has discovered a very serious security flaw in several current
versions of the Java Virtual Machine, including Sun's JDK 1.1 and Java 2
(a.k.a. JDK 1.2), and Netscape's Navigator 4.x.  (Microsoft's latest JVM is
not vulnerable to this attack.)  The flaw allows an attacker to create a
booby-trapped Web page, so that when a victim views the page, the attacker
seizes control of the victim's machine and can do whatever he wants,
including reading and deleting files, and snooping on any data and
activities on the victim's machine.

The flaw is in the "byte code verifier" component of the JVM.  Under some
circumstances the verifier fails to check all of the code that is loaded
into the JVM.  Exploiting the flaw allows the attacker to run code that has
not been verified.  This code can set up a type confusion attack (see our
book "Securing Java" for details), which leads to a full-blown security
breach.

We have verified that the flaw exists and is serious.  Attack code (in both
applet and application form) has been developed in the lab to exploit the
flaw.  Sun and Netscape have been notified about the flaw and they are
working on a fix.

What?! RISKS in mobile code?  We're happy to alert you to yet another lesson
regarding the classic tradeoff between security and functionality.

Dr. Gary McGraw, Reliable Software Technologies
Prof. Edward W. Felten, Secure Internet Programming Lab,
Dept. of Computer Science, Princeton University

  [Reportedly fixed in 1.2.1.  PGN]

Vancouver Hospital (Re: RISKS-20.23)

"Edelson, Doneel" <>
Thu, 18 Mar 1999 12:07:39 -0500
I spoke with Mr. Lee on the phone and he said that he stands by his story.
He also said that some of the specific wording in the Risks Digest summary
of the story was significantly different from his actual story.
He also requested that the Risks Digest not carry any more material from his
column.  To that end I plan to no longer forward his column to you.

Here is my statement on the matter. I am CC:ing the hospital, and plan to
send them a copy of the actual posting from Risks when it is published.
   [Sorry for the delay.  I've been away too much.  PGN]

In RISKS-20.23, I noted a report from Leonard Lee's Glitches of the week,
Newsbytes News Network, 24 Feb 1999, concerning
problems in the Vancouver Hospital computer system that resulted in errors
in patient medical records. In response, I received the following
communication from Murray T. Martin, President & CEO of Vancouver Hospital:
"As you are in error, we write to ask you to remove the postings, to
apologize to VHHSC, and to initiate steps to advise those who may have
accessed the information.  Vancouver Hospital and Health Sciences Centre
takes very seriously these defamatory statements, and has advised the
software vendor of our concerns.  We reserve the right to take legal action
on the alarming and libelous statements.

In particular, your statement as fact that the software and process errors
had the effect of "significantly delaying treatments and discharges, and
increasing costs" is incorrect and defamatory.  There is no evidence to our
knowledge of any of these effects, and ask that if you have such evidence,
you provide it to us."

I apologize to Vancouver hospital for any harm that this has caused.

Microsoft reschedules Memorial Day

"Benjamin B. Bederson" <>
Thu, 8 Apr 1999 09:59:10 -0400
Microsoft Outlook 98 has scheduled Memorial Day for May 24, 1999 instead of
May 31, 1999.  I thought this kind of power was reserved for the Federal
Government!  According to my Microsoft contact, this feature is included in
Office 2000 as well - and so apparently there is not much quality assurance
in the data that Outlook comes with.

This is actually a fairly serious problem for those of us that rely on
Outlook.  I managed to schedule a visitor coming from another Country to
give a talk on what turns out to be Memorial Day.  If the plane tickets the
visitor bought are non-refundable, we could have some trouble.  I'm sure
that the Microsoft licensing agreement absolves them from responsibility for
this kind of error.  So, the risk is, make sure you trust your data.

Prof. Ben Bederson, Computer Science Department, University of Maryland,
College Park, MD 20742  1-301-405-2764

Risk of not backing up PGP Key Ring files

Herman D. Knoble <>
Wed, 07 Apr 1999 14:04:35 -0400
A professor and psychologist at Penn State kept state mandated records for
each client in a separate Word file. He obtained PGP 5.0 for Windows 95 and
set up a Username and Passphrase. He then used PGP to encrypt each client
file. He backed up the encrypted client files and after reassuring himself
that he could recover any encrypted file, he erased the plain text files.

Then his fixed disk crashed. He installed a new fixed disk and installed PGP
5.0 again, and attempted to re-establish what he called "the key" by using
the same Username and Passphrase.  He had never backed up the key ring file
(secring.skr) thinking that he could re-create what he thought was "the PGP
key". Needless to say his 150 or so encrypted client records are not
decipherable. Thus, for all practical purposes, that data is lost and the
encrypted files may as well be erased.

Moral: When encrypting any data, find out how to and what to back up for
BOTH the data and key(s).  Then secure each of these backed up media,
probably under lock and key, with a copy not in the same building as the
computer. At least periodically verify that backed up data can be decrypted
successfully on an independent computer.

Herman D. Knoble, Penn State Center for Academic Computing, University Park,
PA  16802-2101  +1 (814) 865-0818
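As an added illustration (not part of the post, and not PGP's actual file format or algorithms), this Python models the property behind the loss: the secret key is random and lives only in the key ring file, and the passphrase merely unwraps it, so reinstalling and re-entering the same Username and Passphrase yields a different key. It also includes the periodic restore check the moral recommends. The passphrase, record and toy cipher are constructed stand-ins.

```python
import hashlib
import hmac
import json
import secrets


def derive_kek(passphrase, salt):
    """Passphrase -> 32-byte key-encryption key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def create_keyring(passphrase):
    """Generate a fresh random secret key and return the key ring record
    (the secring.skr equivalent) that wraps it under the passphrase.
    Every call yields a different secret, even for the same passphrase."""
    secret = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    wrapped = xor_bytes(secret, derive_kek(passphrase, salt))
    tag = hmac.new(secret, b"keyring-check", "sha256").hexdigest()
    return {"salt": salt.hex(), "wrapped": wrapped.hex(), "check": tag}


def unlock_keyring(keyring, passphrase):
    """Recover the secret key from a key ring record; raise on wrong passphrase."""
    kek = derive_kek(passphrase, bytes.fromhex(keyring["salt"]))
    secret = xor_bytes(bytes.fromhex(keyring["wrapped"]), kek)
    tag = hmac.new(secret, b"keyring-check", "sha256").hexdigest()
    if not hmac.compare_digest(tag, keyring["check"]):
        raise ValueError("wrong passphrase or corrupted key ring")
    return secret


def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for PGP's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += xor_bytes(data[i:i + 32], block)
    return bytes(out)


def encrypt_record(secret, plaintext):
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(secret, nonce, plaintext)


def decrypt_record(secret, blob):
    return keystream_xor(secret, blob[:16], blob[16:])


def verify_backup(keyring_backup, passphrase, encrypted_record, expected_plaintext):
    """The periodic check the moral recommends: prove that the backed-up key
    ring plus passphrase still decrypt a known record."""
    try:
        secret = unlock_keyring(keyring_backup, passphrase)
    except ValueError:
        return False
    return decrypt_record(secret, encrypted_record) == expected_plaintext


def scenario():
    """Replay the post: encrypt, lose the disk, then recover with and without
    a copy of the key ring file."""
    passphrase = "correct horse"                      # constructed
    ring = create_keyring(passphrase)
    record = b"client 0042: session notes (constructed)"
    blob = encrypt_record(unlock_keyring(ring, passphrase), record)
    backup = json.loads(json.dumps(ring))             # copy kept off-machine
    reinstalled = create_keyring(passphrase)          # new disk, same passphrase
    return {"with_backup": verify_backup(backup, passphrase, blob, record),
            "without_backup": verify_backup(reinstalled, passphrase, blob, record)}


if __name__ == "__main__":
    print(scenario())
```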

Responses to Melissa

Chuck Karish <>
Mon, 05 Apr 1999 01:24:07 -0700
This evening I watched an item on the Melissa virus on a cable TV technology
newsmagazine show.  The reporters talked to someone at a company that
monitors Internet performance, who attributed two days during which
performance was degraded by 20% to 23% to many downloads of virus checking
tools and information about the virus.

Then they asked people from a virus-checking software company how to defend
against such viruses.  They said "Always run a virus checker, and update
your database frequently".

This struck me as being incomplete.  Why does virus defense have to be
reactive?  I'd heard that Microsoft has a free downloadable Word viewer that
wouldn't have the macro security hole.  So, off to the Microsoft Web site.

The prominently-displayed short note there on Melissa wasn't much different
from what the virus-checker guys said on TV.  "Turn off macros, use a virus
checker, update it frequently."  No mention of what to do if your machine
has already been infected (so that turning off macros might not be
possible), no mention of a macro-ignorant doc viewer.

I found the download index that showed the Word document viewer.
Unfortunately I couldn't download it, because my browser (IE4.0) reported a
programming error in the download page.

So, I settled for downloading a white paper on security features in Office
2000.  This was a Word document packaged in a self-extracting executable
program.  Not the ideal format to inspire confidence in this reader!  The
paper (o2ksec.exe) does contain useful information, including the registry
settings to disable VBA macros or add-ins, and suggestions for locking
critical sections of the registry without interfering unduly with user
activities.  Any guesses as to how many sysadmins and self-admins will
follow those instructions?

Doesn't anybody get it?

    Chuck Karish    (650) 329-8655

Risks of "Melissa passed this way"

"Charles Arthur, The Independent" <>
Thu, 8 Apr 1999 15:36:57 +0100
Big financial institutions were quick to put in place automated safeguards
against the Melissa virus. Which didn't explain why one coworker received an
e-mail on Tuesday, eight days after the affair hit most UK sites, headed
"Important message from GWUser". It came from GWUser, who (the address
showed) was based at a UK "Big Four" high street bank. In fact, it was

The mail itself though did not contain the dreaded document, nor any
document; instead there was a message from the Bank's virus-checking
software saying it had removed the document. The address list, meanwhile,
showed 25 addresses - some inside, some outside the Bank (such as

However, almost simultaneous with this message came another one, by
automaton, from the Bank's security systems. "You have been infected by the
Melissa virus", it said (I'm busking a little - the colleague has since
deleted them). This message had been sent out to all the recipients on the
same list. The implication of the message was that it couldn't identify the
source of the message it was complaining about as being inside its walls,
and was blaming us for sending it, rather than warning us.

Even so, two clear risks:
1) doubling the load on mail systems by having two messages, even though
   the virus-checker did do its work and killed it (thus saving further
2) confusing the hell out of recipients who aren't savvy enough to follow
   what had happened - which included the original colleague here.

We however have reason not to worry about this. We run Macs, use an old
version of Word without macros but with forward compatibility, and use Lotus
Notes rather than Exchange or OExpress. Virus writers have not expanded to
fill that particular niche, if they ever can/will.


Melissa and poor security model of Word Macros (Waide, RISKS-20.26)

Scott M Keir <>
Tue, 6 Apr 1999 18:46:50 +0100 (BST)
> 4 Microsoft praised for having GUIDs in documents.

I certainly hope that 4) is followed by:

5 Microsoft is condemned for developing a language with a poor security

That Melissa can disable security-related menu commands and alter the
'security' features of the macro language interpreter shows what a poor
security model the language has.  Perhaps this was acceptable when the macro
language was used for simple templates in documents, but with the emergence
of macro viruses and the expansion of the language to fairly effectively
control the machine, this is not acceptable any more.

Cross-platform languages such as Tcl and JavaScript have some security model
which attempts to reduce the ability of code to damage your system in some
way (e.g. Tcl's Safe-Tcl security model is now fairly advanced, and allows
users to run scripts in 'Safe Mode' preventing scripts from accessing
sensitive parts of the machine).

That any 'security' in Word macros can appear to be overridden by macros is
a poor show on Microsoft's part.  They need to fix this, and soon.

Scott Keir |

  [Incidentally, there is confusion among the various news reports of
  Melissa as to exactly when and how the GUID entered into the
  identification of the perpetrator.  Can anyone who really knows
  enlighten us?  PGN]

Mainframe virus (Kabay, re: RISKS-20.29)

Fri, 9 Apr 1999 21:27:19 -0400 (EDT)
The Christmas Tree "virus" affected VM systems some 10+ years ago.  (IIRC
it really affected PROFS.)  I think it is reasonably comparable to Melissa.

>  Microsoft engineers decided to dispense with a security kernel ...

If a computer has an integrated word processor in its mail software, then it
very well might not take supervisor privileges for a word processor macro to
send mail.  I think this was the source of the PROFS vulnerability.

--henry schaffer

Millennialism in the Western Hemisphere

Richard Landes <>
Wed, 7 Apr 1999 13:09:48 -0400

The Center for Millennial Studies at Boston University in conjunction
with the American Studies Department at Brandeis University announce the
upcoming conference sponsored by the Lilly Endowment Foundation, Boston
University, and Brandeis University.

November 7-9, 1999

An interdisciplinary inquiry examining the wide range of millennial
movements in the Americas: their origins, traditions, interpretations and
consequences, both religious and secular from the perspective of elite,
popular, or counter-culture.  Papers on the historiography of millennialism
in the Americas will also be considered for presentation.

DEADLINE For Abstracts Is JULY 1, 1999 [presentations 20 minutes in length]

Beth Forrest, Center for Millennial Studies at Boston University
704 Commonwealth Ave., Suite 205, Boston, MA 02215

  [Richard and his CMS colleagues at Boston University are looking at the
  BIGGER PICTURE of Millennialism!  PGN]
