The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 3

Tuesday 13 October 1998

Contents

o Computerized gas-pump cheat
Conrad Heiney
o Trojan Horse infests 15,000 Internet chat users
Monty Solomon
o Computer glitch trips up Dow Jones industrial average
Cliff Sojourner
o IE4 and its "magical" features
Chenxi Wang
o Unreliable reception of e-mailed WP documents
Daniel P. B. Smith
o Microsoft web site denies access based upon Windows regional settings
Eric Ulevik
o Risks of installing Microsoft's Media Player
Wade Ripkowski via James Love
o Insidious SQL interpreter bug messes up files
David Tonhofer
o Netscape Netcenter password hint
Dan Pritts
o Radio clock blows daylight savings
Ian Macky
o The risks of "keep it simple" [Martin D Kealey)
o Finland: Fraud with copied banking cards
Kimmo Ketolainen
o Offensive information warfare deemed offensive?
PGN
o Hackers stay a step ahead of China's cyber-police
PGN
o LA 911 outage...backup worked!
Thomas Maufer
o Some good Y2K news: whisky will be on tap for Hogmanay 1999
Declan McCullagh
o Military preparations to mobilize for Y2K
Declan McCullagh
o Void where prohibited by date
Rob Slade
o Info on RISKS (comp.risks)

Computerized gas-pump cheat

"Conrad Heiney" <conrad@universityaccess.com>
Fri, 9 Oct 1998 12:55:06 -0700
Today's *Los Angeles Times* reports that the county district attorney has
filed charges against four men who are alleged to have replaced computer
chips in electronic gas pumps, thus cheating customers of between 7%-25%
of their gasoline.

The url to the full story is
http://www.latimes.com/HOME/NEWS/METRO/t000091711.html

According to the story, the problem was hard to detect partly because
the chips were programmed to generate accurate results in the five- and
ten-gallon amounts used for testing the accuracy of pumps.

The RISK here is twofold: That misplaced trust in digital technology can
lead consumers not to check things like gas pumps, and that it's easier
to fool the regulators with an intelligently programmed cheat.

Conrad Heiney conrad@universityaccess.com Manager, Systems & Development
University Access, Inc. http://www.universityaccess.com

  [Also noted by David Lesher, heard on NPR, and Richard Schroeppel.  PGN]


Trojan Horse infests 15,000 Internet chat users

Monty Solomon <monty@roscom.com>
Fri, 9 Oct 1998 01:22:14 -0400
Due to a Trojan horse on Internet Relay Chat, Back Orifice (see RISKS-19.90)
was apparently made available to up to 15,000 IRC users who transferred
files.  This was discovered by GeoCities when it received thousands of
requests for the nfo.zip file.  [Source: Trojan Horse Infests 15,000
Internet Chat Users, By Andy Patrizio, TechWeb, 8 Oct 1998,
http://www.techweb.com/wire/story/TWB19981008S0019]


Computer glitch trips up Dow Jones industrial average

Cliff Sojourner <cls@cisco.com>
Thu, 08 Oct 1998 12:02:46 -0700
The Dow Jones Industrial Average was erroneous for the first 12 minutes
Thursday morning 8 Oct 1998, resulting from the merger of, with the
resulting Citigroup using Citicorp's ticker symbol, CCI.  The previous
night's closing price of Citicorp (in the $70s) was used instead of the
Citigroup opening price (31.75).  [Source: Computer glitch trips up Dow
Jones industrial average, By Margaret Kane, ZDNet, 8 Oct 1998; PGN
Abstracting]

Cliff Sojourner, Cisco Systems Inc.  cls@cisco.com
(408) 527-7637   170 W. Tasman Drive, SJ CA 95134  bldg H2/cube E2-7
  [Also noted by Doneel Edelson]


IE4 and its "magical" features

Chenxi Wang <cw2e@cs.virginia.edu>
Mon, 12 Oct 1998 10:25:34 -0400
Last week my Windows 95 machine refused to boot, citing a protection error
in the IO unit. My system staff, after laboring over my machine for some
time, told me that it was due to a bug in the IO, and that according to
Microsoft, the only way to fix it was to install IE4! So IE4 was installed,
and sure enough, it fixed whatever problem the machine was having. I was
doing some disk cleaning up this past weekend, and I accidently deleted some
files that appeared to have been installed by the IE installation. Curious
to see if IE still worked, I double clicked on the icon. Guess what
happened? -- It launched my netscape communicator to the URL of the IE
download site! I was incredulous...

Chenxi Wang  University of Virginia <cw2e@cs.virginia.edu>


Unreliable reception of e-mailed WP documents

"Daniel P. B. Smith" <dpbsmith@world.std.com>
Fri, 9 Oct 1998 09:55:45 -0400 (EDT)
Some unpleasantness occurred in a meeting recently. Person A said that the
reasons he hadn't performed a task was because he was still waiting for
Person B to supply some needed information. Person B said he'd supplied it a
week ago in a specific memo which he'd distributed via e-mail.  Person C
said, "I got it and I'm almost sure I saw A on the distribution list."
Person A said "I got the earlier version where all of those numbers were
blank, but I've never gotten anything that had the numbers." Person B said
"What version where the numbers were blank?" Person E said "You know, the
one you sent out about a week ago.  I never got the one with the numbers
filled in, either."

On comparing notes, it turned out that a single version of the memo had been
e-mailed, and when opened by about half the participants a critical table was
complete and had information visible in all columns, and about half of them
had a column in which all cells were blank.  All recipients of the damaged
version had simply assumed that the blank cells were intentional.

Incidentally, this was a 100%-pure-Microsoft situation, involving no version
of Word more than a year old (no version skew of more than one version) and
involved RTF format which is the format Microsoft specifically designates
for document transfer.  There was no obvious pattern to the problem; the
originator used Word 97 on a PC, and some receivers using Word 98 on a Mac
received it correctly while some receivers using Word 97 on a PC got blank
columns.  We don't know the full story but it is suspected that the set of
fonts installed, the OS version, the screen dimensions and resolution, and
the kind of printer the user is connected to may all play some part in this
crazy equation.

The RISK here is the same as with any other kind of unreliable communication
that is falsely _assumed_ to be reliable.  Notice that, in general, when you
send a word-processing document to someone else, _the sender has no reliable
way to confirm what the receiver will ultimately see and print.  Unless the
user guesses there is something wrong and complains, the problem is likely
to go undetected.  Even when the problem is detected, it is usually hard to
resolve, because nothing in the system logs all the configuration
information that would be needed to resolve it.  Unless the recipient is a
colleague in an adjacent cubicle and is willing to experiment with you in
real time, problems of this kind are likely to remain unsolved.

Daniel P. B. Smith  <dpbsmith@world.std.com>


Microsoft web site denies access based upon Windows regional settings

"Eric Ulevik" <eau@astsun.fujitsu.com.au>
Tue, 6 Oct 1998 18:59:44 +1000
I use home.microsoft.com as my home page under Internet Explorer 4.01 SP1
running on Windows NT 4.0. I have customized the data; I like the
presentation.

Today, I found that I can no longer access my home page. The browser is
redirected to ninemsn.com.au - a local web site put together by Microsoft
and Channel 9 (an Australian TV station). ninemsn tells me that this is "MSN
strategy".

But other PCs in the same office are not redirected. The significant
difference appears to be that the other PCs are set to US date formats.

The risk is that configuring your computer's date format has surprising
consequences.

Eric Ulevik <eau@ozemail.com.au>


Risks of installing Microsoft's Media Player

James Love <love@cptech.org>
Sat, 03 Oct 1998 17:21:44 -0400
James Love, Consumer Project on Technology, P.O.Box 19367, Washington, DC 20036
http://www.cptech.org love@cptech.org  202.387.8030, fax 202.234.5176

 <--begin message from Wade Ripkowski-->

Subject: RE: Sony PC & Windows 98 Licensing
Date: Fri, 2 Oct 1998 14:21:23 -0400
From: "Ripkowski, Wade" <Wade.Ripkowski@psc.BellHowell.com>
To: "'James Love'" <love@cptech.org>

I just hate being abused by Microsoft.  I just encountered a whole new issue
with Microsoft's "new" Media Player that you may be interested in as well.
I installed it and it changed EVERY multi-media association on the machine
to use itself as the player.  The problem here is that the media player I
was using up until then utilized the hardware based MPEG decoder and
subsequently played MPEG video better (no jumping).  MS Media Player also
redirected the CD Audio player to itself.  Again the audio player I used
before was much better.

To make a long story short.  I opted to "uninstall" it think my system would
be put back the way it was.  Boy was I wrong.  It uninstalled itself and
changed all the multi-media associations to use Microsoft ActiveMovie!  Now
I am left with a system in which I must reinstall the Audio/Video
applications I want in order to use them, and to top it off, my RealAudio
player no longer works either!  I spoke with a friend of mine this morning
and he ran into the exact same problem I did, although he has a Gateway
machine.

I think this is somewhat along the lines of the "browser battle".  It looks
as if Microsoft knows they lost the battle, but if they cant own that, then
they will own the multi-media portion of the machine.  They advertise
"forget all the plug-ins, all media, one player".  So I should have read the
literal meaning -- my mistake.  And they are dumping this product free to
everyone on the internet.  This will surely hurt Real, Inc., and possibly
other similar companies.

I am not opposed to one vendor writing all the software for the PC I use, if
that software works properly and at an acceptable performance level.  If one
vender wants all the business, fine, make software that earns it on merit,
not on price / availability!!!   [...]

 <--end message from Wade Ripkowski-->


Insidious SQL interpreter bug messes up files

<David_Tonhofer@ept.lu>
Tue, 13 Oct 1998 12:08:56 +0200
Recently, the informatics department  of our company found out - quite by
accident - that the SQL interpreter on our midrange server (made by a
well-known manufacturer) exhibited an interesting bug - in interactive and
dynamic/compiled-in SQL queries.

An UPDATE query with an assignment of a constant value to a numeric field
'a' set 'a' field to '0' in case of a simultaneous assignment with any
field
on the right-hand side of that assignment and a 'WHERE'-condition, like so:

  UPDATE table SET a = 10, b = b+b WHERE c > 10

resulted in 'a' having value 0 for all c > 10, whereas

  UPDATE table SET a = 10.0, b = b+b WHERE c > 10

succeeded. Yuck!

With a bug like this, your company database might slowly turn belly-up
without anyone noticing.

Anyway, after the manufacturer's help-desk had analyzed the problem, we
applied patch SF47057 and everything was well ever after (we hope).

Risk: Do not forget to apply your patches. Also, the system your are
building on or upgrading to might be flakier than you thought.

-- DaTo



Netscape Netcenter password hint

Dan Pritts <danno@us.itd.umich.edu>
Mon, 12 Oct 1998 16:02:36 -0400
My Netscape is part of Netscape Netcenter, the service that Netscape is
pushing as its entry to the Net portal business.  My Netscape has, like
most such services, a new account sign-up form.

This form is available via a 320+char URL which i have omitted for the
sake of buggy mailers, and via the red "personalize" button in the
upper left corner of http://my.netscape.com/ (presumably only if you
aren't already a member).

On this (non-encrypted) page, next to a field labeled "Enter a password
hint:", you're given the following explanation of a password hint:

    If you forget your password, Netcenter will present you this
    password hint to help jog your memory. Example hint:"same password
    as my bank acct.".

The risks are obvious.

Amusingly, my initial attempt to send this report to Netscape failed;
the "Feedback" link at the top of the same page is broken.

danno  dan pritts


Radio clock blows daylight savings

Ian Macky <imacky@us.oracle.com>
Thu, 8 Oct 98 16:21:25 PDT
For the first time in many years I foolishly purchased a new high-tech
consumer product: a clock with built-in radio receiver which listens to
broadcast time standard and keeps synchronized.  It's been accurate to the
second since I turned it on... until last week, when one morning it was
exactly one hour early.  It ended daylight savings time too soon!

Naturally, you can't force this clock in any way.  You can't set the time,
or change whether it honors daylight savings.  You're at the mercy of a
distant radio transmitter.

KISS!  I should have known better.  It's too bad noone is manufacturing any
of Harrison's old designs (has everyone read "Longitude"?).

--ian


The risks of "keep it simple" [Re: Cohen, RISKS-20.02)

Martin D Kealey <martin@kurahaupo.gen.nz>
Mon, 05 Oct 1998 12:40:46 +1300
Sometimes simplicity can be deceptive; once again an example of making a
simple stand-alone system in the present, without considering how it
shifts complexity into other systems, either now or in the future.

Fred Cohen wrote:
> Rule 2: You can sign up or off the list in the same way as you
> make submissions to the list.

With respect, I'd like to suggest this isn't such a good idea.

> Because we are fully moderated, it all goes to the same place anyway.

In short, this is a non-sequitur, and irrelevant from the list subscribers'
point of view...

It is always possible to start with multiple addresses aliased together;
it's a lot harder to start with one address and later get everyone out there
to stop using it for everything, especially as most of the people you would
want to stop will be people you've never heard from before (new subscribers)
and therefore won't have had the chance to tell them that it's changed.
It's very difficult to un-make an omelet.

At some point in the future you may wish to revise your configuration; there
are many reasons why it might need to be changed, but, for example, you may
wish to have multiple moderators, while keeping list management under the
control of a smaller group (even just one person).  When that happens, it
will be a lot easier to maintain the list with separate addresses for the
separate functions.

As a secondary effect, not publishing such a standard address indirectly
impacts on other mailing lists -- which necessarily may have separate
addresses for some or all of submissions, subscriptions, administration,
anonymizing, accounting and transport -- by not discouraging people from
sending requests to the submissions addresses.

Not everyone running a mailing list has the time or dedication to
hand-moderate everything, so I'd rather not encourage newcomers to make
random broadcasts; "please add me to your list" gets to be quite an
irritation to subscribers who are quite unable to do anything about it,
while the list maintainer won't even see such a request unless they read (or
moderate) the list.

-Martin


Finland: Fraud with copied banking cards

Kimmo Ketolainen +358 40 55555 08 <kk@sci.fi>
Thu, 8 Oct 1998 07:47:27 +0300 (EET DST)
Someone apparently succeeded last Saturday in the old trick of copying
banking cards' magnetic stripes and reading then the PIN codes from the
keypad over the shoulder. What makes this scam spectacular is that the
artist(s) had attached an additional "small black" card reader on top of the
opening of the real reader in the cash dispenser.

They managed emptying some 60 accounts worth roughly 180 000 FIM (36 600
USD). In all, 500 customers have to renew their cards after using that
particular cash dispenser on Aleksanterinkatu in Helsinki during the
evening. No one has been arrested yet.

The three largest banks started to issue banking cards with a chip on top
last year, but all cards still come with a magnetic stripe as well. Using
a banking card in the chip card slot instead of the other one would have
prevented this type of attack.

Kimmo Ketolainen, Finland <kk@sci.fi> <iki.fi/kk> +358 40 55555 08
  [GREAT address: sci.fi!  PGN]


Offensive information warfare deemed offensive?

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 13 Oct 1998 7:12:13 PDT
``Hackers calling themselves the Electronic Disruption Theater allege the
Pentagon used illegal offensive information warfare techniques -- a charge
DoD officials deny -- to thwart the group's recent computer attack.  At
issue is whether in fighting back against the hackers, the Pentagon crossed
the line into so-called offensive information warfare, and perhaps violated
US laws that prohibit anyone from covertly accessing another's computer.
The issue of computer crimes, however, is highly controversial because US
legislation has not kept up with the capabilities of computer technology.''

This arose after a 9 Sep 1998 attack against DefenseLink, DoD's primary
public information Internet site.  The Pentagon apparently created Java
applet (``Hostile Applet'') that shut down targeted browsers of hackers
contributing to the collaborative attack.  [Source: Hackers take offense at
Pentagon defense; Experts Say DoD response treads fine legal line, *Defense
News*, By George L. Seffers, 7 Oct 1998; PGN Very Stark Abstracting]


Hackers stay a step ahead of China's cyber-police

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 13 Oct 98 5:52:01 PDT
Computer crime is increasing in China, with more than 100 cases in the past
two years, one involving theft of $1.2M.  As a result, China is ratcheting
up its Internet police and surveillance capabilities.  Previous efforts have
concerned pornography and undesirable political messages.  Penetrations are
now illegal, subject to up to five-year sentences.  [Source: *People's
Daily*, via Reuters News Service, 12 Oct 1998; PGN Abstracting]



LA 911 outage...backup worked!

Thomas Maufer <tmaufer@acm.org>
Mon, 12 Oct 1998 13:37:44 -0700
Wow, a backup system that actually worked.  Of course, if the 911 sytem had
had more than one source of electrical power, the backup might never have
needed to be activated.  Tom

<http://dailynews.yahoo.com/headlines/local/state/california/>

>L.A.'s 911 Goes Out For 17 Hours - (LOS ANGELES) -- Los Angeles police
>are pleased their 911 backup system works...following a 17-hour
>breakdown in the 911 system.  Not a single emergency call was lost
>during the switch-over.  The emergency system was knocked out during a
>fire in an underground storage area at City Hall on Saturday afternoon,
>when water from the sprinklers seeped into the electrical system below.
>Authorities shut down power to the system, and the backup system kicked
>in...re-routing all calls to either individual police stations or the
>California Highway Patrol.  The fire began in some unstable, illegal
>fireworks being kept for an investigation.


Some good Y2K news: whisky will be on tap for Hogmanay 1999

Declan McCullagh <declan@well.com>
Fri, 25 Sep 1998 06:13:45 -0700 (PDT)
http://www.scotsman.com/interactive/it16nips980923.1.html

   Distiller is 100% millennium proof
   Whisky drinkers should be assured of their tipple being on tap for
   Hogmanay 1999, says Alan Crawford

Whisky tipplers can rest easy after the announcement last week that a
technological crisis that had threatened to halt the flow of Scotch has been
narrowly averted. Burn Stewart Distillers, whose brands include Tobermory
Single Malt and Wallace Liqueur, has declared that its computer systems will
be millennium compliant by the end of the year.

Although the whisky industry is steeped in tradition, it relies heavily on
computers to control many aspects of production and marketing. Burn Stewart
alone sells about 18 million bottles a year to 500 major customers. Failure
to deal with the millennium bug - which threatens global computer meltdown
due to an inability to recognise the date change from 1999 to 2000 - could
result in widespread disruption of the distilling, bottling and marketing
processes.  [...]

POLITECH -- the moderated mailing list of politics and technology To
subscribe: send a message to majordomo@vorlon.mit.edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/


Military preparations to mobilize for Y2K

Declan McCullagh <declan@well.com>
Sat, 10 Oct 1998 14:30:52 -0700 (PDT)
[Declan notes that the Wisconsin National Guard is preparing to mobilize
for Y2K http://www.jsonline.com/news/1007y2k.asp, as are Toronto-area army
reservists, considering stockpiling food and generators.  2000 cyberglitch
the major concern for Canadian forces, By Patrick Cain]


Void where prohibited by date

Rob Slade <rslade@sprint.ca>
Wed, 7 Oct 1998 14:48:02 -0800
Yesterday my wife brought home a copy of a letter that her organization had
received from their insurance broker.  As could be expected, this document,
produced by the Insurance Bureau of Canada, warns that insurance is probably
not going to pay out if something happens that is related to a Y2K bug.
(They use more words to say it, of course.)

The pamphlet warns about a number of things that should be checked, and
could be used to generate a reasonable list of items to be confirmed.
Unfortunately, how you might go about checking them isn't covered.  (There
is one sidebar on checking the BIOS clock for a PC.)

However, that wasn't all that came in the mail yesterday.  There was a
catalogue from a company that sells promotional material related
specifically to anniversaries.  With it was a covering letter congratulating
them on their tenth year in business, coming up this spring.

The institution my wife works for was founded in 1889.

rslade@vcn.bc.ca     rslade@sprint.ca     slade@freenet.victoria.bc.ca
virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html

Please report problems with the web pages to the maintainer

Top