The RISKS Digest
Volume 20 Issue 20

Wednesday, 10th February 1999

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Spanish bank buys lots of shares because of Euro problems
David Mediavilla
E-Trade computers crash again — and again
Edupage
Copier quota exceeded
Philip Koopman
Risks of Furbies: NSA was right!
Pete Mellor
State of the states in Y2K readiness
Edupage
The NT Blue Screen of Death
Bruce Wampler
The risks of "standard" software?
Rob Slade
You are still in France
Adam Shostack
It gets weirder every day...
Fred Cohen
The risks of shopping at Amazon
Ross Anderson
Re: Risks of successful security software
Pete Mellor
Re: Government computer withholds benefits ...
Pete Mellor
FMICS4 call for papers
Diego Latella
REVIEW: "Mercury Rising", Douglas Pearson Ryne
Rob Slade
Info on RISKS (comp.risks)

Spanish bank buys lots of shares because of Euro problems

David Mediavilla <davidme.news@usa.net>
Tue, 9 Feb 1999 12:20:21 +0100
According to the Spanish journal "El Pais", 5 Feb 1999 (quoting "Levante"),
the Spanish bank Bancaja bought 1000 million pesetas (> 6 million euros) in
shares of the Telepizza fast-food company, following a request for 1000
shares by a customer.  It was a human error. The bank system was expected to
detect transactions over 25 million pesetas but on the 4th of January, after
switching to Euro-ready programs, this check was not enabled. The difference
between the quantities bought and sold to the customer was held by the
bank. Fortunately the value of the stock rose 30%.

David Mediavilla Ezquibela


E-Trade computers crash again — and again

Edupage Editors <edupage@franklin.oit.unc.edu>
Sun, 07 Feb 1999 10:28:30 -0500
The computer system of online security firm E-Trade crashed on Friday for
the third consecutive day.  "It was just a software glitch.  I think we were
all frustrated by it," says an E-Trade executive.  Industry analyst James
Mark of Deutsche Bank is essentially sympathetic: "It's sort of a black eye
for them. They've been claiming that their architecture is superior. But
it's the application on a large scale.  As soon as E-Trade's volumes started
spiking up, they had the same problems as others."  Marks adds: "If you call
a broker, he may be on the phone or away from his desk or on vacation.
There are all sorts of times you can't get through and once you put an order
through there's no guarantee on terms.  Here you have a customer base that
is paying 5 percent to 10 percent of what it was paying for service in the
full-commission environment and it's demanding service above what was
available in the full-service environment. And they feel it's their right."
(*The Washington Post*, 6 Feb 1999; Edupage, 7 February 1999)


Copier quota exceeded

Philip Koopman <koopman@cmu.edu>
Wed, 10 Feb 1999 20:11:47 GMT
We recently suffered temporary loss of copier privileges for my graduate
course because we went over our quota.  It seems the machine says we made
4,294,967,026 copies in the last two weeks, and the caretakers accepted it
as a correct number because it came from a computerized accounting system (a
familiar RISK).  They asked, with a straight face, what in the world we had
been copying.

I tried pointing out that this is suspiciously close to 2**32 and that it is
far more likely the number -272 printed with an unsigned print format, but
that argument didn't do me any good.  I didn't waste time trying to do the
page/minute calculation vs. elapsed wall time for them...  So I think the
fix is we'll reset the counter to zero and hope it doesn't happen again.
And no, I have no idea how we got a negative number to start with.

Phil Koopman — koopman@cmu.edu — http://www.ece.cmu.edu/~koopman
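
An added example (not part of the original posting): a C sketch of the sanity check the post describes, reinterpreting the reported count as a signed 32-bit value and comparing it with what the copier could physically produce. The 100 pages/minute rate, the 14-day window, and all function names are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Reinterpret a 32-bit counter reading as a signed two's-complement value. */
static int32_t as_signed32(uint32_t reading)
{
    int32_t s;
    memcpy(&s, &reading, sizeof s);   /* well-defined bit reinterpretation */
    return s;
}

/* Upper bound on copies if the machine ran flat out for the whole period. */
static uint64_t max_possible_copies(unsigned pages_per_minute, unsigned days)
{
    return (uint64_t)pages_per_minute * 60u * 24u * days;
}

enum verdict {
    READING_PLAUSIBLE,         /* within what the hardware could produce */
    READING_WRAPPED_NEGATIVE,  /* impossible, and negative when read as signed */
    READING_IMPOSSIBLE         /* impossible for some other reason */
};

/* Check a reading against the physical ceiling before anyone is billed for it. */
static enum verdict classify_reading(uint32_t reading,
                                     unsigned pages_per_minute, unsigned days)
{
    if ((uint64_t)reading <= max_possible_copies(pages_per_minute, days))
        return READING_PLAUSIBLE;
    if (as_signed32(reading) < 0)
        return READING_WRAPPED_NEGATIVE;
    return READING_IMPOSSIBLE;
}

/* Reproduce the suspected defect: a signed counter shown with an unsigned format. */
static void format_like_report(int32_t counter, char *buf, size_t n)
{
    snprintf(buf, n, "%" PRIu32, (uint32_t)counter);
}

int main(void)
{
    /* Figure quoted in the post; 4,294,967,026 is 2^32 - 270. */
    const uint32_t reported = 4294967026u;
    /* Assumed copier speed and accounting window (not from the post). */
    const unsigned ppm = 100, days = 14;
    char buf[16];

    format_like_report(as_signed32(reported), buf, sizeof buf);
    printf("reported as unsigned: %s\n", buf);
    printf("read as signed:       %" PRId32 "\n", as_signed32(reported));
    printf("physical ceiling:     %" PRIu64 "\n", max_possible_copies(ppm, days));
    printf("verdict:              %d\n", classify_reading(reported, ppm, days));
    return 0;
}
```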


Risks of Furbies: NSA was right! (RISKS-20.14 and .16)

Pete Mellor <pm@csr.city.ac.uk>
Wed, 10 Feb 1999 13:38:58 GMT
A friend of mine (Malcolm) related an alarming tale this lunchtime.
He was helping a friend by driving her daughter to school. As they
pulled up at the school gates, she took a Furby out of her bag.

"You'd better not take that to school." said Malcolm. "Leave it in
the car." As he explained over lunch: "The worst decision I ever made.
The 

State of the states in Y2K readiness

Edupage Editors <edupage@franklin.oit.unc.edu>
Tue, 02 Feb 1999 15:05:09 -0500
A recent survey by the General Accounting Office shows only a third of the
421 computer systems used by the states to manage seven welfare programs are
Y2K-compliant, with Medicaid the lowest at 16%.  Systems that deal with
child-care and child-welfare are about 50% compliant.  An ongoing survey of
state readiness conducted by the National Association of State Information
Resource Executives (NASIRE) indicates that a narrow majority have completed
repairs on more than half their critical systems and expect to finish the
rest in the next few months.  But the rest of the states are way behind,
with Alaska in last place with only 15% of its computer systems repaired.
"For a state, if you're not ready, you're out of the game," says Steve
Kolodney, director of Washington state's information services and chairman
of NASIRE's year 2000 committee.  It's estimated that states will spend
close to $3.5 billion in bringing their computer systems to compliance, more
than half of the amount spent by the federal government to do the same.
(*Los Angeles Times*, 1 Feb 1999; Edupage, 2 February 1999)


The NT Blue Screen of Death

Bruce Wampler <bruce@objectcentral.com>
Wed, 10 Feb 1999 13:05:29 -0700
Submitted without any additional comment needed, taken from
the MSDN Flash, Volume 3, Number 3, February 8, 1999 e-newsletter:

MSDN Flash Tips

MSDN Online Members-we have a new Tip for you each week at
http://msdn.microsoft.com/

19) FORCE NT TO REBOOT AFTER A CRASH
From Exploring Windows NT

If you spend any time administering Windows NT, you're far too familiar with
the Blue Screen of Death (BSOD) which displays the cause of the crash and
gives some information about the state of the system when it crashed. The
BSOD will sit on the screen until someone reboots the system, which could be
very bad for a system that should be running 24 hours a day, like an
Exchange server. You can force NT to automatically reboot after a crash by
setting the value of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CrashControl\AutoReboot to 1.
Once you've changed this value, NT will reboot after writing the crash log
file.

Bruce E. Wampler, Ph.D.  bruce@objectcentral.com http://www.objectcentral.com


The risks of "standard" software?

Rob Slade <rslade@sprint.ca>
Wed, 10 Feb 1999 13:31:58 -0800
I use the term "standard" here so as not to get into any arguments about
"monopoly."

Most of the people in my wife's office use Microsoft Word as a word
processor.  (Not terribly surprising, I grant you.)  They also use a number
of other programs, some of them specialty programs for vertical markets.
The office has, up to now, standardized on 1 1/2" labels for most things,
since almost all of the programs used had a setting for that format.  Most
of the labels have been printed by database programs, and not through the
word processor.

Thus it was, that, until very recently, nobody realized that the new upgrade
to Word (the entire office upgraded to Office 97 in May) did not have a
setting for 1 1/2" labels, at least not "built in."  And, having had some
stock on hand for most of this year, it came as a shock when they recently
submitted an order for 1 1/2" labels, and were told that the size was not
available.  At least, not in the generic house brand that they are used to
ordering.  Special label sizes can be ordered from a premium manufacturer
like Avery, but are not available as house brands from any of the three main
distributors that the office deals with.

When pressed, representatives for the companies all had the same story.
Nobody uses that size anymore, because Word doesn't use it.  Therefore it is
no longer a standard size, and no longer a standard stock item.

rslade@vcn.bc.ca  rslade@sprint.ca  robertslade@usa.net  p1@canada.com


You are still in France

Adam Shostack <adam@netect.com>
Fri, 5 Feb 1999 12:02:52 -0500
In RISKS-20.17, John Young reports on the French liberalization of crypto
laws.  Short-timers will remember the "You are now in France" attack
mentioned in RISKS-19.74.  I am unable to find a patch for Windows that
addresses this change, which means that people continue to be vulnerable
because of a law now repealed.  The risk, at a high level, is building
vulnerabilities into software because of a law.  The problems will survive
long after the law is replaced.


It gets weirder every day...

Fred Cohen <fc@all.net>
Tue, 2 Feb 1999 18:18:44 -0800 (PST)
On two fronts... [relating to separate items from Fred in RISKS-20.19]

The error message from Windows was because the file named "sensitive
countries" was read protected on the remote file server.  The error message
was simply confusing because it didn't identify that as a file name, but
rather as the reason it stopped.  The country it failed to process was indeed
a 'sensitive' country (according to US policy today) so it took some time to
figure out what really went wrong.

The PGP 'Trojan' is now being called a virus by folks who I believe wrote it
(although they claim that they are not the authors, the set of things they
know seems to suggest their authorship).  They feel that it is illegal for
those on the Internet to flood them with files and that they are going to
suffer from denial of service.  They brag that they have already gotten two
sites that filled their FTP server with filenames shut off the Internet by
ISPs and they threaten to get more shut off because they believe it is
illegal to download files into their public write-only access area.  They
also assert that writing a virus is legal and that possessing unauthorized
access control devices is legal...  law enforcement seems to disagree.

My response has been rather less than generous.  I have indicated that
they could demonstrate their sincerity by:

    1) disabling the remote ftp service for user anonymous with the
    password specified in the (now declared) virus.

    2) Notifying all sites that have in the past and will in the
    future try to download to that address that they have the virus
    and provide instructions for mitigating the harm.

    3) Providing all of the information required to track down the
    person who is receiving the information uploaded to that server
    and cooperating with local law enforcement to have them arrested.

To date, their (two of them so far) response has been less than
positive, but I hope to convince them to do what they can to mitigate
the harmful effects of this executable code regardless of their
involvement.

Naturally, I also saw the DTK audit records of an attempted anonymous
login against the ftp server port on one of the machines that somebody
used to send a message to the named site at a time corresponding roughly
to the time they sent the first e-mail on the subject.

Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
  [Fred's long disclaimer separating his two roles is omitted, as usual.  PGN]


The risks of shopping at Amazon

Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Tue, 09 Feb 1999 10:15:12 +0000
Today I tried to order a book from Amazon. Their server asked for a
credit-card number and I duly filled out the form. At the bottom it demanded
a password. According to Amazon, this means that `you won't need to give us
your credit-card number again unless you enter a new shipping address'. I
tried to enter the order without a password but it was refused.

What is the risk? Well, merchant retention of credit card numbers is a well
known vulnerability; card numbers are much more likely to be stolen from
merchant servers than while in transit on the net. Forcing customers to
choose a password adds four extra risks.  Firstly, the customer may choose a
bad password; secondly, if he doesn't, he will probably write it down
somewhere; thirdly, it will be kept on Amazon's system somewhere; and
fourthly, it is likely to cause problems for people who have a dispute with
their bank. I have acted as an expert witness in a number of court cases of
disputed cash machine transactions, and the bank usually says `you must have
written the PIN down somewhere'. If everyone who shops at Amazon must choose
a password which discloses their credit card details, then banks might turn
away all complaints from people who've ever shopped there.

There's another problem, which neatly highlights the tension between the USA
and Europe over data protection law.  The Amazon server also refused my
order when I refused to give them a telephone number. This isn't necessary
for the transaction, so compelling disclosure is dubious under European law.

So I tried ordering from amazon.co.uk, which ought to abide by our local
laws. This server also insisted on a password and a phone number, and even
on a town in the address form (despite the fact that I live in the
countryside). It also didn't turn on SSL for the credit card capture form,
so the card number was sent in clear. This is bad news, as we Brits don't
have the benefit of US consumer protections: if my credit card number is
stolen and abused, my bank will likely charge me the whole lot, and it's not
clear what evidence I will have that it was Amazon's fault.

So amazon.co.uk appears to be in breach of the Data Protection Act of
1984. I therefore went to the Data Protection Registrar's Website at
<http://www.dpr.gov.uk/> and did a register search:

> Search terms: name=amazon and other=amazon.com
>
> No documents have been found that contain the above search terms.
> Please return to the form to begin a new search.

This looks highly illegal: under the Act, part 2, sections 5(1) and
5(5) compel everyone in the UK who holds personal data to
register. (See <http://www.hmso.gov.uk/acts/acts1984/1984035.htm>.)

I have e-mailed the Registrar, and will be interested to see what happens.

For several years now, the media have been hailing Amazon as the miracle of
the age, the model that all net based businesses - indeed all businesses
everywhere - should follow. I find that rather worrying.

Ross Anderson, Cambridge University
ross dot anderson at cl dot cam dot ac dot uk


Re: Risks of successful security software (RISKS-20.19)

Pete Mellor <pm@csr.city.ac.uk>
Tue, 2 Feb 1999 11:38:40 GMT
Nick Brown <Nick.BROWN@coe.fr> reported on the "hacker's revenge" story from
the Daily Torygraph. There were one or two other interesting details, and
the story as it appeared is a bit misleading.

At first glance, a reader might imagine that it was the "Access Denied"
system that had been broken, which I think is not the case.

The challenge to the hackers to break their super firewall system was
actually issued by the manufacturer, Gen Technology. Paul Smith (age 29) was
described as *a* creator of Access Denied, not *the* creator. This implies
that he was one member of the development team, and makes me wonder why he
was personally singled out for retribution.

Gen Technology claim that over a period of several weeks, 240,000 attacks
were made, but none breached the firewall. (How do they know the number of
attacks, I wonder?) Apparently, the defensive features of Access Denied
include checking a "user profile" and serial number on any computer seeking
access, as well as the usual user name and password.

The vengeful hacker telephoned Mr. Smith, and said that he was part of a
team of hackers (interesting in itself), and that he had been humiliated in
front of his friends by being unable to fulfil his boast that he would get
through the firewall in five minutes. There are fascinating clues to hacker
psychology here. He was described by Mr. Smith as having a "British
voice". (Why is that so newsworthy, I wonder? Maybe to make it clear to
foreigners that our crooks are just as clever as your crooks? :-)

Since, presumably, Paul Smith's personal credit records were not kept on the
office machines at Gen Technology, the hacker must have attacked the records
held by a central credit rating agency. This has alarming implications. If
Paul Smith's credit rating can be falsified, then anybody could suffer the
same fate. (It is probably not surprising that these agencies are sloppy
about security, but it would seem that Paul Smith would have a prima facie
case against them for negligence.)

Apparently, the hacker also described on the 'phone exactly what he was
going to do. (In which case, why did Mr. Smith not alert the credit rating
agency?) What the hacker apparently did was to insert six false "default
notices" (as would result from persistent failure to keep up repayments on a
credit card or loan, when you are deemed to have breached the terms of the
contract) and one "County Court judgement" (an order to pay, made by a civil
court in favour of a mortgage company when instalments are seriously in
arrears, or of a local government authority when the defendant has not paid
Council Tax).  In the British system, the County Court judgement is the real
killer when it comes to obtaining future credit.

(If the hacker would care to contact me in confidence, I might like a few
things taken *off* my credit record! :-)

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422  p.mellor@csr.city.ac.uk


Re: Government computer withholds benefits ... (R-20.19)

Pete Mellor <pm@csr.city.ac.uk>
Mon, 8 Feb 1999 11:16:50 GMT
The "Money Box" programme on BBC Radio 4 on Sat Jan 30 carried an item about
problems with a UK government computer system which have led to underpayment
of widows' pensions and other benefits.

The computer system involved is the new NIRS 2 system installed by the UK
Government Department of Social Security (DSS), at a total cost of 140
million pounds sterling, which was said to be the largest civilian system in
Europe.

The system was originally scheduled for completion in February 1997.  The
contractors now expect the remaining subsystems to be installed in March of
this year. Problems have apparently been caused by "software bugs", although
it was not clear from the programme to what extent software faults, as
opposed to late and incomplete delivery, are responsible for the trouble.

NIRS 2 holds records of National Insurance (NI) contributions.  (For non-UK
readers, this is a form of tax, normally deducted at source along with
income tax, but shown as a separate deduction on salary advice slips. NI
contributes to the government fund used to pay state pensions, unemployment
benefit and sickness benefit.)

It appears that it has not been possible to input complete and up-to-date
records of all National Insurance contributions, on which the amounts of
certain benefits are calculated. This has forced benefits to be calculated
by "guesswork" for more than one million claimants.  One effect has been
that women entitled to widow's benefit have been underpaid. Among those
affected are 160,000 new pensioners, whose underpayment is 1.30 pounds per
week *on average*, with some losing up to 100 pounds per week, for periods
of up to two years.

The problems with NIRS 2 have also meant that the government has failed to
pay a total of one billion pounds into private and occupational pension
schemes.

There are a lot of angry widows beating on the doors of the Department of
Social Security. So far, they have not received an awful lot of help.  A
short time ago, the Liberal Democrat MP David Rendell drew attention to the
scandal by a question in Parliament. Steven Timms, Minister of State for
Social Security, said in interview on the programme that, from the 6th
January of this year, all *new* claimants would be paid correctly. He stated
that the NI contribution records would be up-to-date by the end of March,
and that existing beneficiaries whose total underpayment exceeded 100
pounds, and whose payment due for lost interest exceeded 10 pounds, would
automatically be reimbursed by lump sum payments for both underpaid benefits
and interest.

This seems to be a continuation of the problem which surfaced in the middle
of 1998, to which the DSS was reluctant to admit in case it led to a spate
of fraudulent claims for unemployment benefit (since the payment offices
could not check the bona fide of any claimant by going on-line to the
system).

The government has set up a task force to deal with enquiries:-

  NI Benefit Task Force, Benefits Agency Department ST, Quarry House,
  Quarry Hill, Leeds LS2 7AU

Sources for the above are the Money Box programme itself (followed up by a
'phone call to Radio 4 enquiries), and their fact sheet. Anyone who requires
further details should send a SAE to:-

  Fact Sheet Week 5, Money Box, Room 6239, BBC Television Centre,
  Wood Lane, Shepherds Bush, London W12 7RJ

Apparently, reports from current affairs programmes such as Money Box are
not held on the BBC's Website, due to lack of staff to input them.  However,
a report also appeared in The Times on 26th January.

The National Audit Office report on National Insurance Fund Account 1997/98
is available on: www.open.gov.uk/nao

The fact sheet quotes two addresses and 'phone numbers (available on
request) from where hard copies of the NAO report may be ordered.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422  p.mellor@csr.city.ac.uk


FMICS4 call for papers

Diego Latella <d.latella@cnuce.cnr.it>
Mon, 8 Feb 1999 14:36:22 +0100 (MET)
                                ERCIM
       Working Group on Formal Methods for Industrial Critical Systems
 4th International Workshop on Formal Methods for Industrial Critical Systems
                    Trento, Italy, July 11-12 1999

http://www.cnuce.pi.cnr.it/cnuweb/research/resgroups/conc-meth/FMICS/WS/Trento99/workshop.html
Submission date 30 Mar 1999.  Satellite meeting of FLoC'99
(http://www.cs.bell-labs.com/cm/cs/what/floc99/).

S. Gnesi, CNR-IEI, Via S. Maria 46, I56126 Pisa - ITALY phone: +39 050 593489


REVIEW: "Mercury Rising", Douglas Pearson Ryne

Rob Slade <rslade@sprint.ca>
Fri, 5 Feb 1999 08:42:14 -0800
BKMERRIS.RVW   981113

"Mercury Rising", Douglas Pearson Ryne, 1998, 038002945
%A   Douglas Pearson Ryne
%C   1350 Avenue of the Americas, New York, NY 10019
%D   1998
%G   038002945
%I   Avon Books/The Hearst Corporation
%O   +1-800-238-0658
%T   "Mercury Rising"

Well, the other day I read "Mercury Rising."  That's right, read, not
watched.  Actually, the movie was based on a book originally published as
"Simple Simon," and, of course, the book was re-issued in conjunction with
the movie release.

The book is about an autistic boy who, in the idiot savant way that
sometimes comes with autism, is able to crack mathematically encrypted
messages simply by looking at them.  Unlikely?  True.  But I wouldn't want
to bet against the abilities of organic computers.  They can do some amazing
things.

No, I'll stick to the computer and encryption stuff I know.  It's
hairy enough.

(By the way, I was amused to find out that Bruce Willis is Black.)

Let's start with the satellite.  Now, this is a KH designation satellite, so
no wonder it needs a crypto upgrade.  Except, hold on a minute.  The
description of what it does doesn't have anything to do with spying or
intelligence gathering.  This is a plain, old, ordinary comsat, picking up
messages and relaying them.  It doesn't need encryption capability any more
than a piece of copper wire needs encryption: it just passes bits.  The bits
might be encrypted at source and decrypted at the destination, but that
doesn't matter to the bits.  In fact, if the message *isn't* encrypted at
source, there is no point in encrypting it en route.

But just suppose we do need encryption.  OK, we'll send up the upgrade.
Ready the command mode for reprogr...  What?  You're sending up a black box
on the shuttle?  And not just a tape, or anything: this is a module that is
going to have to be swapped out for the box that is there?

Well, let's leave the satellite for the moment, shall we?  Right, we have
this new, super duper encryption algorithm.  (Seems to be an awful lot like
DES, what with S boxes and all.  Hmmm.  Seems to be even more like someone's
misunderstood version of triple DES, but we'll let that pass.)  (Has one
heck of a key length, though.  Wouldn't be very effective on short messages.
Sorry, OK, back to the review.)  Everybody is to use it.  NSA, diplomatic
corps, CIA, FBI, everybody.  Same algorithm.  Same crypto gear.  Same key.
Ummm, excuse me?  (Good thing it's a long key, I guess.  No, wait, that
doesn't make any more sense...)

Right, let's move on to hackers.  Now, of course, everyone who is any good
at using computers is unhygienic.  Or crippled.  Or both.  (This also
applies to mathematicians, apparently.)  And, of course, any evil hacker is
completely undetectable as he slides down the T-1s of the nation, slipping
into computers that have no connection to outside networks at all.
Especially one who is working for the government because he got caught doing
this.

OK, I've believed enough impossible things before breakfast.  If we have to
get into white hat/black hat Illuminati, both groups completely occult, my
brain is going to start to hurt.

copyright Robert M. Slade, 1998   BKMERRIS.RVW   981113
rslade@vcn.bc.ca  rslade@sprint.ca  robertslade@usa.net  p1@canada.com
Find virus, book info http://victoria.tc.ca/techrev/rms.htm
