The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 01

Thursday 1 October 1998

Contents

o Computer collapse wipes out British Social Security records
PGN
o Calling All Traffic Lights in Dublin!
Fiachra O Marcaigh
o Y2K "fix" causes Dublin traffic jams
Mich Kabay
o Natural gas plant explosion in Victoria, Australia
Martin Gleeson
o Malaise in Malaysia hits satellite uplink
Mich Kabay
o Bank of Montreal card functions paralyzed by bug
Mark Brader
o Bad power strip knocks out Net service
Andrew Brandt
o "Cyberdeath" raises privacy issue
Scott Peterson
o How to bypass those pesky firewalls
Mark Jackson
o Hacking, Irish-Style
Fiachra O Marcaigh
o Re: X-rated net suit
Rishiyur S. Nikhil
o Re: Sexy risks of searching for MP3
John Mee
Don Byrd
o Y2K risk in Netscape cookies
J Seymour
o Re: "Windows NT Security"
Russ Cooper
Joe Thompson
o Enquiry re: problems at universities
Pete Mellor
o REVIEW: "Decrypted Secrets", F. L. Bauer
Rob Slade
o Info on RISKS (comp.risks)

Computer collapse wipes out British Social Security records

"Peter G. Neumann" <neumann@chiron.csl.sri.com>
Thu, 1 Oct 98 17:12:24 PDT
A major outage of the British Department of Social Security (DSS) national
insurance register computer system (NIRS) has created a turmoil.  Payments
are being made manually without the usual vetting of eligibility.  DSS is
apparently being very coy about the situation, fearing a flurry of false
claims.  This occurred during the cutover to the new system (being developed
by Andersen Consulting under a 170-million-pound project, reportedly the
biggest and most complex information technology project in Europe).  DSS
officials anticipate that NIRS could be down until at least the end of
October, although Andersen folks think they are close to solving the
problem.  Stay tuned.  [Source: An article by David Brindle, Guardian
Weekly, 20 Sep 1998, p. 10, courtesy of David Stringer-Calver; PGN
Abstracting]


Calling All Traffic Lights in Dublin!

"Fiachra O Marcaigh" <fiachra@iol.ie>
Tue, 29 Sep 1998 13:57:32 GMT
Getting into, or out of, Dublin City Centre by car was much more difficult
than usual yesterday (Sept 28th, 1998). The journey that should have taken
me 25 minutes (long after normal rush-hour at 9.30) took over an hour
instead. During rush hour, one motorist reported taking an hour and a half
to cover a mile and a half. In my case the congestion was so severe in the
inner city that I kept expecting to round a corner and find some major
obstruction such as a collapsed building, or two stalled trucks side by
side.

The answer was much simpler - an incomplete "upgrade" had disconnected the
traffic lights at 140 junctions from the Dublin Corporation control
centre. The lights are normally regulated to cater for traffic conditions,
but without communications they were left to get on with the job
themselves. They ran through preprogrammed sequences without allowing for
traffic conditions, or proper synchronisation between them. Gridlock
resulted.

PS: Yesterday's jams were so bad that traffic today was much *lighter* than
usual. Thousands of people must have taken to public transport.

Full story: http://www.irish-times.com/irish-times/paper/1998/0929/fro2.html

  [Also noted by
    Niall Smart <nialls@euristix.ie>,
    Bernard Lyons <bernardl@indigo.ie>.
  See the next item from Mich Kabay, which provides a Y2K link! PGN]


Y2K "fix" causes Dublin traffic jams

Mich Kabay <mkabay@compuserve.com>
Tue, 29 Sep 1998 09:12:43 -0400
Chris Parkin of *The Press Association News* (UK) reported that the Dublin
traffic snarl on 29 Sep 1998 was due to poor quality assurance in a new
version of the software controlling traffic signals, which led to fixed
cycles with no allowance for longer cycles at peak traffic times.  Ironically, the
software was installed to prevent Y2K problems.  [PGN edited]

This case illustrates
* the general danger of introducing new bugs in any "fix" if QA
  procedures are inadequate;
* the specific danger of pushing Y2K fixes into production without
  proper QA;
* the vulnerability of electronically-controlled infrastructure to
  interference.

M. E. Kabay, PhD, CISSP / Director of Education
ICSA, Inc. <http://www.icsainc.net>


Natural gas plant explosion in Victoria, Australia

Martin Gleeson <gleeson@unimelb.edu.au>
Mon, 28 Sep 1998 09:30:59 +1000
Shortly before 1pm on 25 Sep 1998, a series of explosions ripped through the
Number 1 Plant at the Esso gas processing installation at Longford in
eastern Victoria. Two workers were killed and seven injured. Effectively all
residents of the state (~5 million) have been required to turn off their gas
supply and it is not known when services will be restored. It could be days,
weeks or even months.

RISKS? This looks like an all-your-eggs-in-one-basket problem. There are
four plants at the Longford facility, but an incident like this means that
they must all be shut down until the cause of the explosion is
established. A new gas pipeline from a neighbouring state was finished six
weeks ago, but it can only bring enough gas in for hospitals and nursing
homes and to keep the gas pipeline network itself from going completely
belly-up (it is absolutely vital that gas stays in the pipes and no air or
water gets in).  It is expected that industry will be losing upwards of $100
million per day and thousands of workers will be stood down.

Further information can be seen at <http://www.theage.com.au/special/gas/>.

Looks like cold showers for a while. :-(

Martin Gleeson, Webmaster, The University of Melbourne, Australia.
<URL:http://www.unimelb.edu.au/%7Egleeson/>

  [Also noted by
    "Martin, Mike" <mmartin@sbnsw.com.au>, who noted the effects
       on industry and on the spectators of the Australian Football
       League grand final in Melbourne (perhaps linked to Victoria losing
       to South Australia because they did not want cold showers?),
    Toby Stevens <Toby.Stevens@pa-consulting.com>, who noted that
      the crematoriums were shut down, and
    "Peter J. Cherny" <peterc@arquebus.com.au>.
  PGN]


Malaise in Malaysia hits satellite uplink

Mich Kabay <mkabay@compuserve.com>
Mon, 28 Sep 1998 17:15:38 -0400
As most readers will know, there is political unrest in Malaysia because
the government has accused the former finance minister Anwar Ibrahim
(who was also the deputy prime minister) of various unsavory crimes
(which he and his supporters characterize as a smear campaign).

The following detail at the end of an article entitled, "Mahathir cracks
down on protests" by Nick Hopkins in this week's (1998.09.27) _Guardian
Weekly_ (p. 4) caught my eye:

"Diplomatic relations were further strained when broadcasters, including the
BBC, discovered that their reports were being censored by the Malaysian
authorities.  Footage of the clashes between police and protesters demanding
the resignation of Dr Mahathir was blacked out by hackers, who intercepted
transmissions bound for a satellite link."

Jamming itself is hardly new, but if -- and I stress _if_ -- this report
is correct, it represents a rare case of known information warfare
through an attack on communications satellites.

M. E. Kabay, PhD, CISSP / Director of Education
ICSA, Inc. <http://www.icsainc.net>


Bank of Montreal card functions paralyzed by bug

Mark Brader <msb@sq.com>
Wed, 30 Sep 98 05:30:57 EDT
Yesterday morning at 5:30 am, a new software version was loaded on the
computers that control all electronic card transactions at the Bank of
Montreal.  It was intended to upgrade the system to better handle the
upcoming Christmas season.  Instead the result was MasterCard credit
authorizations denied, debit cards denied, and ATMs shut down.

According to today's *Toronto Star*, "bank technicians ... immediately set
up 'war-rooms' -- rethinking pages and pages of computer code, desperately
trying to find a quick solution."  The article is silent on the possibility
of quickly reverting to the previous version.  Anyway, at 1:30 pm the system
"went down hard" and it wasn't until 4:30 that things were working again.

The Bank of Montreal is the third-largest in Canada, and the largest
MasterCard issuer.  The Star article refers to 2,000,000 cardholders,
but isn't clear as to whether this is the total number of them or the
number who actually use their cards in one day -- the figure seems to me
too low for the one and too high for the other.


Bad power strip knocks out Net service

Andrew Brandt <anb@lanminds.com>
Wed, 16 Sep 1998 11:06:55 -0700
What follows is a message sent by the sysadmin at my employer's office. The
company for which I work has a huge number of employees who use their Net
connection daily as part of their job duties.

The risk in this case is obvious. Major network hubs should have proper
electrical power connections (with uninterruptible power supplies) for
their servers and associated network hardware. Kludgy solutions aren't
appropriate for large businesses. I can only assume somebody blew it when
they didn't install the appropriate electrical hookups in their server room,
and tried to cover their error by using power strips.  Replacing the power
strips is only a temporary fix, though I doubt more will be done to correct
the problem.

How many other ISPs use $5-20 power strips on their $10,000+ hubs, routers,
and servers, instead of wiring their offices correctly from the beginning? I
suppose we'll just have to live with this idiocy for a while.

> Last night, two of the power strips feeding power to our network
> equipment in [city name deleted] failed. Power has been restored as
> well as our ability to surf the web and replicate using an ISP.

> The outage began sometime yesterday evening at around 6:45 PM and was
> temporarily fixed.  This morning we noticed another outage which lasted
> for about 20 minutes.  We're waiting to hear from our ISP to know more
> about the second outage.  Our guess is that this morning's brief outage
> was necessary to transfer our equipment to new power strips.  I'll
> confirm with our ISP this later today.


"Cyberdeath" raises privacy issue

Scott Peterson <scottp4@ibm.net>
Fri, 25 Sep 1998 15:24:25 -0700
An article yesterday in my local paper crediting Cox News service relates
the story of a woman who applied for a loan at her bank. However, the credit
check indicated that Social Security said she was dead.

An investigation uncovered that a claims agent at the SSA's Belle Glade FLA
office named Jorge Yong had had a fight with the woman in an internet chat
room and was banned from it. In retaliation, he used a co-worker's terminal
to put a date of death on the woman's record.

Yong resigned and was ordered to pay $700 to the victim and pay a $100 fine
after pleading guilty to one count of falsifying personal data.

This story came out in testimony by acting inspector general James Huse
before the Senate Governmental Affairs Committee as part of an ongoing
investigation of whether private information is safe on government
computers.

Scott Peterson <ScottP4@IBM.NET>


How to bypass those pesky firewalls

Mark Jackson <mjackson@wc.eso.mc.xerox.com>
Tue, 29 Sep 1998 11:30:43 PDT
The United Media website (very popular as it is the home of the
"Dilbert Zone") is advertising "Comic Explorer - the NEW way to read
comics." Turns out (http://www.unitedmedia.com/explorer/index.html)
that it's a free "Java" applet that facilitates browsing their comics
archives - if you have a Pentium running Windows (hence the quotes
around "Java").

But click on "System Requirements" and one finds the following
advisory:

  Firewalls:

  Some companies have firewalls that make it difficult to run Java
  applets with multiple classes. If this is the case, you can make
  some adjustments to use the software with Internet Explorer 4.0.
  Follow these instructions:

  Internet Explorer 4.0: Select Internet Options (Under the view
  menu), and click on the "security tag." Under the Zone pull down
  menu, select "Trusted sites zone." (The security level "Low"
  should be selected.) Click on "Add Sites," then type in
  "http://umweb2.unitedmedia.com" Uncheck "Require server
  verification (https:) for all sites in this zone."

  Click "OK" twice.

Everybody out there who sets firewall security policy comfortable with that?

Mark Jackson - http://www.alumni.caltech.edu/~mjackson


Hacking, Irish-Style

"Fiachra O Marcaigh" <fiachra@iol.ie>
Tue, 29 Sep 1998 13:57:32 GMT
No backdoors or Trojans required for a four-man gang that wanted to
incapacitate the phone-monitored alarms in a rural area in the south of the
country. They busted in the door and took hammers to the exchange equipment,
in an attack that left 500 families without telephone service.

It is ironic that the provision of extra services such as alarm monitoring
by the phone company has made its exchanges a target of attack. Perhaps they
should install a decent alarm system?

Full story: http://www.irish-times.com/irish-times/paper/1998/0929/hom16.html


Re: X-rated net suit (PGN's comment in RISKS-19.97)

"Rishiyur S. Nikhil" <r.s.nikhil@mediaone.net>
Fri, 25 Sep 1998 19:48:15 -0400
> [Combine digital photography with the see-through infrared camera
> technology described in RISKS-19.93 and we get undie-lewded truth?  PGN]

Beware of geeks baring gifs.

Rishiyur S. Nikhil (nikhil@acm.org)


Re: Sexy risks of searching for MP3 (Markowitz, RISKS-19.97)

John Mee <jmee@ns.net>
Sat, 26 Sep 1998 08:33:01 -0700
In RISKS-19.97, "Sidney Markowitz" <sidney@sidney.com> pointed out that a
number of porn sites will add meta tags pointing to rock bands.  In a recent
investigation at my workplace, we (I work in Information Security)
discovered that an alarmingly high number of the sites are using
www.disney.com as either a link or a meta tag so that children will find
these sites when they go out and look for pictures of Mickey and Goofy.
Parents would be well advised to check the global history and cache files of
their browsers to see if this has happened and also have a talk with their
children about things.  My own son, while doing some research on the
U.S. Govt. found out that Whitehouse.com does NOT contain government info
:-)

Moral: Maintain open communication with your children and monitor their Web
usage.


Re: Sexy risks of searching for MP3 (Larry, RISKS-19.97)

Don Byrd <dbyrd@cs.umass.edu>
Mon, 28 Sep 1998 11:48:03 -0400
[...] Actually, the Web-search companies are well aware of unscrupulous
Webmasters trying to manipulate their search systems, and they have been
taking countermeasures for quite a while. See for example the following
discussion, at http://searchenginewatch.com/webmasters/rank.html :

    Meta tags are what many web designers mistakenly assume are the "secret"
    to propelling their web pages to the top of the rankings. HotBot and
    Infoseek do give a slight boost to pages with keywords in their meta tags.
    But Excite doesn't read them at all, and there are plenty of examples
    where pages without meta tags still get highly ranked. They can be part of
    the recipe, but they are not necessarily the secret ingredient.

    Search engines may also penalize pages or exclude them from the index, if
    they detect search engine spamming. An example is when a word is repeated
    hundreds of times on a page in a row, to increase the frequency and propel
    the page higher in the listings. Search engines watch for common spamming
    methods in a variety of ways, not the least by following up on complaints.

I don't know that this description is totally accurate but I'm confident
it's basically correct. And I have seen the ignoring-Meta effect. A while
ago, one of my colleagues built a simple Web search system and used it to
search for "biochemistry" (or some such, I'm not sure any more). One of the
top hits was a university department page which neither used the word
"biochemistry" heavily nor seemed particularly relevant to it; however, it
did repeat the word numerous times in a META tag. But one of the well-known
search services we tried (Alta Vista? Infoseek? I forget) was not fooled at
all.

Don Byrd, Center for Intelligent Information Retrieval (CIIR), Computer Sci.,
University of Mass., Amherst, MA 01003  1-413-545-3147  dbyrd@cs.umass.edu


Y2K risk in Netscape cookies

<jseymour@au1.ibm.com>
Sat, 26 Sep 1998 00:58:13 +1000
How did the following happen?

The Netscape cookies specification (url below) states that the expires
field of the cookie string is formatted as:

     Wdy, DD-Mon-YY HH:MM:SS GMT

A 2 digit year! In a specification from circa 1994-95!! What planet am I
on?!!!

More seriously, how many web applications will stop working around the year
2000 because of differing interpretations of what YY means?

http://developer.netscape.com/docs/manuals/communicator/jsguide4/cookies.htm
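
An added example (not part of the original post, and not Netscape's code) of the "differing interpretations of what YY means" problem: it parses the quoted `Wdy, DD-Mon-YY HH:MM:SS GMT` layout and expands YY under three rules. The rule names are hypothetical; the two pivot rules follow the POSIX `%y` and RFC 6265 conventions, which do not appear on this page, and the cookie values are constructed.

```javascript
// Added example. Expands the two-digit year of a Netscape-style cookie
// "expires" value (Wdy, DD-Mon-YY HH:MM:SS GMT) under three different rules
// and reports whether implementations would agree on the cookie's state.

const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];

// Hypothetical rule names; each maps YY (0-99) to a full year.
const YEAR_RULES = {
  // Naive: every YY belongs to the 1900s.
  fixed1900: (yy) => 1900 + yy,
  // POSIX strptime %y convention: 69-99 -> 19xx, 00-68 -> 20xx.
  posixPivot: (yy) => (yy >= 69 ? 1900 + yy : 2000 + yy),
  // RFC 6265 cookie-date convention: 70-99 -> 19xx, 00-69 -> 20xx.
  rfc6265Pivot: (yy) => (yy >= 70 ? 1900 + yy : 2000 + yy),
};

// Weekday may be abbreviated or spelled out; it is not cross-checked
// against the date, because the date is ambiguous until YY is expanded.
const EXPIRES_RE =
  /^(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)[a-z]*, (\d{2})-([A-Z][a-z]{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}) GMT$/;

// Strict field parse; returns null for anything outside the layout,
// including a four-digit year.
function parseExpires(text) {
  const m = EXPIRES_RE.exec(text);
  if (m === null) return null;
  const month = MONTHS.indexOf(m[2]);
  const [day, yy, hour, minute, second] =
    [m[1], m[3], m[4], m[5], m[6]].map(Number);
  if (month < 0 || day < 1 || day > 31) return null;
  if (hour > 23 || minute > 59 || second > 59) return null;
  return { day, month, yy, hour, minute, second };
}

// Milliseconds since the epoch under one rule, or null if the date does
// not exist in the chosen year (29-Feb-00 exists in 2000 but not in 1900).
function expiryInstant(text, ruleName) {
  const f = parseExpires(text);
  if (f === null) return null;
  const year = YEAR_RULES[ruleName](f.yy);
  const ms = Date.UTC(year, f.month, f.day, f.hour, f.minute, f.second);
  const check = new Date(ms);
  if (check.getUTCMonth() !== f.month || check.getUTCDate() !== f.day) {
    return null;
  }
  return ms;
}

// State of the cookie at time nowMs under every rule.
function verdicts(text, nowMs) {
  const out = {};
  for (const name of Object.keys(YEAR_RULES)) {
    const t = expiryInstant(text, name);
    out[name] = t === null ? "invalid" : (t <= nowMs ? "expired" : "live");
  }
  return out;
}

// True when at least two rules reach different conclusions.
function rulesDisagree(text, nowMs) {
  return new Set(Object.values(verdicts(text, nowMs))).size > 1;
}

// "Now" is the date of this digest issue; the cookie values are constructed.
const NOW = Date.UTC(1998, 9, 1);
const SAMPLES = [
  "Fri, 31-Dec-99 23:59:59 GMT",      // unambiguous under all three rules
  "Saturday, 01-Jan-00 00:00:00 GMT", // 1900 or 2000
  "Tue, 29-Feb-00 12:00:00 GMT",      // leap day exists only in 2000
  "Wed, 01-Jan-69 00:00:00 GMT",      // the two pivot rules split here
];
for (const s of SAMPLES) {
  console.log(s, verdicts(s, NOW), rulesDisagree(s, NOW));
}
```
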


Re: "Windows NT Security" (Frankston, RISKS-19.95)

Russ <Russ.Cooper@rc.on.ca>
Fri, 25 Sep 1998 15:30:57 -0400
First, Bob Frankston mentioned that Windows NT "has been C2 certified,"

Then, John Nolan said it was Windows NT 3.51.

Actually, it was Windows NT 3.5 (Workstation and Server) with Service
Pack 3.

In <http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html> the
NSA state that the highest level NT 3.5/SP3 could meet and satisfy all
criteria is class C2.

- It's correct that the evaluated platforms were not networked.
- Extensive modifications were not made to the system registry (some
were, but considering the size and scope of the registry the mods could
not be called "extensive").
- Like all evaluations, it was done on specific hardware that was also
specifically configured (sans floppy, for example). Compaq Intel and Dec
Alpha configs were evaluated.

See http://www.radium.ncsc.mil/tpep/process/procedures.html if you're
interested in the RAMP process.

MS went the ITSEC route with NT 3.51, and received an E3 assurance level in
the U.K. in 1996 <http://www.itsec.gov.uk/cgi-bin/cplview.pl?docno=27>. From
a marketing perspective, it was a better schpiel (NOS certification rather
than OS), especially since they were already allowed to sell into the
.gov/.mil by virtue of the NSA C2 evaluation on 3.5SP3 (which purchasing
managers seem to gleefully ignore btw). Novell contends it's not a "network"
evaluation
<http://developer.novell.com/research/appnotes/1997/november/02/05.htm>.

NT 4.0 (Workstation and Server) are under ITSEC E3,F-C2 functionality
evaluation with AISEP (DSD Australia)
<http://www.dsd.gov.au/epl/os.html> but have not, as far as I know,
completed it anywhere.

Personally, I think all of this evaluation junk (at this level) is just
that. I feel much better passing an ISS scan or an Axent audit than I do
knowing some pseudo-spooks had a gander at it. IMO, anything below B is
intended to keep responses to RFPs to a minimum and make purchasing somewhat
simpler.

Russ - NTBugtraq moderator
Join the NTBugtraq list, see <http://ntbugtraq.ntadvice.com>


Re: "Windows NT security"

Joe Thompson <joe@orion-com.com>
Fri, 25 Sep 1998 23:48:27 -0400
There was a forum on InfoWorld Electric (http://www.infoworld.com/) about
this about a month or so ago.  The actuality of NT's C2 certification is
dependent on the following:

* One of two or three (I seem to remember two Compaqs and one Digital
system) very specifically detailed hardware configurations must be used.
These do not include any kind of external connectivity (network card,
modem).

* The version of NT that was certified was NT 3.5 with Service Pack 3
applied, and no networking or comm drivers installed.  3.51 is not
certified, nor is 3.5 without SP3.  4.0 has not, to anyone's knowledge,
begun the process of certification, and Microsoft declined to comment.

The forum was started by InfoWorld columnist Nicholas Petreley, who spoke
with a fellow named Ed... I can't recall his last name, but he headed up
Lone Star Systems, the company which developed the testing software that
Microsoft used to gain the seal of approval.  He alleges that Microsoft has
both actively and passively misrepresented the security of NT to, among
others, government agencies, and that Microsoft reneged on promises to
distribute his compliance-testing software.

It was a very interesting forum.  Petreley sent a comprehensive list of
questions to Microsoft and their answer was a blanket "no comment."  Most
of the questions were not even speculative in nature, but were seeking
comment on facts that could easily be verified independently (e.g., details
about Microsoft displays at various trade shows).

Nicholas will be happy to comment I'm sure, and the forum discussion should
still be archived (I'd provide direct addresses and URLs, but my copy of
Netscape is flaky today). -- Joe


Enquiry re: problems at universities

Pete Mellor <pm@csr.city.ac.uk>
Tue, 22 Sep 1998 10:48:43 +0100 (BST)
I am interested in any information regarding software disasters that have
affected administrative systems in universities, such as student records,
registration systems, etc.

These need not be recent. (In fact, my enquiry is prompted by an
acquaintance telling me that several incidents resulting in permanent loss
of student records occurred back in the 1970's, when universities were
either just getting computerised or else upgrading to new mainframes.)

Please reply to me directly, rather than to RISKS. I will post a summary of
any interesting incidents, unless the respondent indicates that the
information is confidential, in which case I will treat it as such.

Many thanks.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422, Fax: +44 (171) 477-8585
E-mail: p.mellor@csr.city.ac.uk

    [For starters, a very cursory search of the RISKS archives
    (for example, ftp://ftp.sri.com/illustrative.ps or pdf) found these
    references to RISKS (R i j) and ACM SIGSOFT Softw.Eng.Notes S (i j)
    (with earlier references to RISKS):
  Computer blunders blamed for $650M student loan losses (S 14 2)
  New Zealand student grants debited instead of credited (S 14 5)
  Brown University senior's account mistakenly given $25,000 (S 12 2)
  Ontario removes privacy controls on students' personal information (R 19 48)
  New computer system duns students for loans not due (S 18 2:9)
  Univ. Central Florida did not cut off student registration (S 12 3)
  On-line class registrations deleted by other students at UBC (S 18 1:19)
  "Computer error" affects hundreds of UK A-level exam results (R 19 40)
  British school examination program gave erroneous grades (S 11 5)
  Computer gives law student wrong exam, passes him, after disk fix (S 12 2)
  16-year-old boy cracks university computer security (S 21 2:20)
  Vandalism disrupts service at Stirling University for days (S 19 4:13)
    PGN]


REVIEW: "Decrypted Secrets", F. L. Bauer

"Rob Slade" <rslade@sprint.ca>
Tue, 29 Sep 1998 10:32:31 -0800
BKDECSEC.RVW   980804

"Decrypted Secrets", F. L. Bauer, 1997, 3-540-60418-9, U$39.95
%A   F. L. Bauer
%C   175 Fifth Ave., New York, NY   10010
%D   1997
%G   3-540-60418-9
%I   Springer-Verlag
%O   U$39.95 212-460-1500 800-777-4643
%P   447 p.
%T   "Decrypted Secrets: Methods and Maxims of Cryptology"

Cryptology is the study of the technologies of taking plain, readable
text, turning it into an incomprehensible mishmash, and then
recovering the initial information.  There are two sides to this
study.  Cryptography is the part that lets you garble something, and
then recover it if you have the key.  Cryptanalysis is usually seen as
the "dark side" of the operation, because it is the attempt to get at
the original meaning when you *don't* have the key.  Most current and
popular works on cryptology actually only speak about cryptography.
For one thing, nobody wants to get into trouble by telling people how
to break encryption.  However, it is also much easier to blithely talk
about key lengths and algorithms and pretend to know what you are
doing if you don't have to understand enough math to try to figure out
how to go about cracking a particular cipher.

Bauer examines both sides, which is an important plus.  If you need to
decide how strong an encryption algorithm or system is, it is
important to know how difficult it might be to break it.

Chapter one looks at Steganography, the science of hiding in plain
sight, or concealing the fact that a message exists at all.  In this
he first demonstrates a wide ranging historical background which is
quite fascinating in its own right.  Basic encryption concepts are
introduced by the same historical background, but move on to a very
dense mathematical discussion of cryptographic characteristics in
chapter two.  Encryption functions are started in chapter three, and
it is delightful to have examples other than Julius Caesar's
substitution code.  Polygraphic substitutions are in chapter four and
the math for advanced substitutions is in chapter five.  Chapter six
introduces transpositions.  Families of alphabets, and rotor
encryptors such as ENIGMA, are reviewed in chapter seven.  Keys are
discussed in chapter eight, ending with a brief look at key
management.  Chapter nine covers the combination of methods resulting
in systems such as DES (Data Encryption Standard).  The basics of
public key encryption are introduced in chapter ten.  The relative
security of encryption is introduced in chapter eleven, leading to
part two.  However, it also ends with a discussion of cryptology and
human rights, concentrating mainly, although not exclusively, on the
US public policy debates.

Part two examines the limits of functions used in cryptography, and
thus the points of attack on encryption systems.  Chapter twelve
calculates complexity, and thus the size of brute force attacks.
Known plaintext attacks are the basis of chapters thirteen to fifteen,
looking first at general patterns, then at probable words, and finally
at frequencies.  Frequency leads to a discussion of invariance in
chapter sixteen.  Chapter seventeen follows with a look at key
periodicity.  Alignment of alphabets is covered in chapter eighteen.
Of course, cryptographic users sometimes make mistakes, and chapter
nineteen reviews the different errors and various ways to take
advantage of them.  Chapter twenty one looks at anagrams as an
effective attack on transposition ciphers.  The concluding chapter
muses on the relative effectiveness of attacks and of cryptanalysis
overall.

Those seriously interested in cryptology will really need to be
serious: brush up on your number theory if you want to use this book
for anything.  On the other hand, Bauer's history and vignettes from
the story of codes and the codebreakers are interesting, amusing, and
accessible to anyone.

copyright Robert M. Slade, 1998   BKDECSEC.RVW   980804
