The RISKS Digest
Volume 20 Issue 43

Friday, 4th June 1999

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

A THAAD Day in Black Rock
PGN
Ghost bridge
Meine van der Meulen
Y2K Test Knocks Out Fiji's Telecommunications
Doneel Edelson
Hackers take down FBI and Senate Internet sites ...
Keith A Rhodes
Crackers do for gov't what critical infrastructure report couldn't
John Gilmore
Errors in the Cox report on Chinese nuclear spying
PGN
Hoax takes down country's phone networks
Lloyd Wood
Symbols silently slip south: it's not Greek to pdf
Bryan O'Sullivan
John Denver and interfaces
Lindsay Marshall
Smart Identity Card to debut in Malaysia
Anonymous
Late-night movie viewing and computerized ticket sales
Steve Fenwick
Senator Hatch - Trademark
Alan Barclay
BUGTRAQ may be banned in Australia
Peter Jeremy via Seth David Schoen
Re: Microsoft "fixes" the MS Office ... vulnerability
David Mediavilla
We don't care, we don't have to, we're the phone company!
John Pettitt
Firewall risks
Robert David Graham
Re: Allaire defects are nobody's fault?
Adam Shostack
A Problem with Biometrics
Andrew J Klossner
Re: Biometric risks
Ron Ruble
California will sell confidential wage data
PGN
Privacy Digests
PGN
Info on RISKS (comp.risks)

A THAAD Day in Black Rock

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 26 May 99 11:22:54 PDT

The Pentagon halted a test of the Theater High-Altitude Area Defense (THAAD)
missile-defense system, when a Hera target rocket malfunctioned.  THAAD is
under scrutiny after seven consecutive failed tests.  [Source: Reuters item,
26 May 1999, seen in the *San Francisco Chronicle*.]

  [Maybe this renewed attempt to develop the Star Wars technology should be
  left to George Lucas, who seems to do it much better.  Perhaps animating
  the system without ever building it would be the most cost-effective
  strategy.  PGN]


Ghost bridge

Meine van der Meulen <M.van.der.Meulen@simtech.nl>
Wed, 2 Jun 1999 16:32:10 +0200

Kropswolde, Monday. The bridge on the Meerweg in the village Kropswolde
manifested itself as a ghost bridge during the weekend. A car driver was
trapped when he passed the bridge and both barriers suddenly closed. The
police managed to rescue the man. Just after this rescue action, the bridge
suddenly opened and closed without apparent reason. The village closed the
bridge.  [Source: *Algemeen Dagblad*, 1 Jun 1999]

M.J.P. van der Meulen <meine.van.der.meulen@simtech.nl>


Y2K Test Knocks Out Fiji's Telecommunications

"Edelson, Doneel" <doneeledelson@aciins.com>
Wed, 26 May 1999 13:13:43 -0400

Fiji's telecommunications services were completely shut down for several
hours on 24 May 1999 when a Y2K test by Telecom Fiji Ltd. caused the entire
system to crash.  [See http://www.tfl.com.fj/.  Source: Yahoo Asia News -
Technology, Newsbytes item by Adam Creed, Post-Newsweek Business
Information, Inc., 24 May 1999: PGN-ed.]


Hackers take down FBI and Senate Internet sites ...

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Fri, 28 May 1999 13:13:37 -0500

Both FBI and Senate Web sites were attacked on 27 May 1999, evidently in
retaliation for the FBI's harassment of certain hacker groups — including
one that apparently cracked the White House site earlier this month (for
which Eric Burns (Zyklon) was indicted).  Both sites were removed from
service, although only the Senate site was penetrated and altered.  [Source:
Associated Press item by Ted Bridis, 28 May 1999; PGN-ed.]

  [The Department of Interior and a Govt facility at Idaho Falls
  were also hit on 31 May 1999.  Other attacks were reported
  subsequently.  PGN]


Crackers do for gov't what critical infrastructure report couldn't

John Gilmore <gnu@toad.com>
Thu, 03 Jun 1999 19:05:50 -0700

"There's a government-wide effort to make sure that our computer systems
remain secure," White House Press Secretary Joe Lockhart said in a briefing.

        http://www.zdnet.com/zdnn/stories/news/0,4586,2268574,00.html

As usual, the computer underground is doing a service to the country by
making it clear just how shallow the government's understanding of computer
security is.  They are quite curiously refraining from damaging anything in
their intrusions but the egos of the bureaucracies involved.  As usual, the
first response of the Feds is to threaten dire punishment for the
messengers.  But they are being prodded into actually attempting to keep
serious attackers out, a novel idea somewhat overdue for consideration.

Perhaps this is heresy, but has the computer underground considered
demonstrating that it can break into electrical power distribution
computers, and the phone network, so those will get secured too?

John


Errors in the Cox report on Chinese nuclear spying

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 4 Jun 1999 16:35:12 PDT

An article by James Oberg on the ABC News Science website documents
many misstatements in the Cox report.

http://www.abcnews.go.com/sections/science/DailyNews/oberg990602.html


Hoax takes down country's phone networks

Lloyd Wood <L.Wood@surrey.ac.uk>
Tue, 11 May 1999 00:16:27 +0100 (BST)

http://news.bbc.co.uk/hi/english/world/middle_east/newsid_340000/340104.stm

Article claiming:

1. Lebanese radio station broadcasts hoax claiming cellular networks
   are affected by Chernobyl virus (the current popular student excuse
   for tardy word-processed reports, if my experience is at all typical).

2. Lebanese immediately stop using popular cellular networks,
   and switch to landline networks to warn each other of anticipated
   cellular problems. (Israel's also known for its heavy cellular use.)

3. Landline networks are promptly overloaded due to normally-large
   and now-displaced cellular use and warnings of problems. The radio
   broadcast has prompted a flash crowd and service outages result.

4. Conspiracy theorists suspect underlying motives in finger-pointing
   wake, while ignoring the risks of behaving rationally when armed
   with false information and not having meme countermeasures in place.

Handling and selectively discarding the majority of calls from flash crowds
caused by e.g. television phone-ins is trivial; it's arranged in advance (if
the media people know their jobs...) and you know where the flash calls are
going. But how do you effectively deal with a many-to-many surge like this?

Dimensioning telco switch capacity for expected use doesn't lead to graceful
degradation under heavy load, but hey, that's Erlang for you.

Legacy local loop is the real constraint/problem; degrading the quality of
digitised voice traffic in the plesiochronous backbone and restoring at the
other end to increase capacity is a trivial codec application, and just a
minor step up from silence suppression.

I think this is something like the sinister inverse of the oft-cited
disaster scenario, where network damage is suffered and any remaining
functional cellular and landline capacity would be immediately overwhelmed
by people trying to locate loved ones. The callers are behaving rationally
and selfishly; the networks can't cope effectively. I'd say 'tragedy of the
commons' if it wasn't for the fact you pay for phone service.

This is far more impressive than that "if someone tells you to dial #91,
don't" meme, which got through multiple countries to users of all types of
mobile networks recently. But the "withdraw money from banks for Y2K to
avoid the financial crash the withdrawals contribute to" and the "don't
purchase Iridium handsets because Iridium are in trouble" memes may yet have
far more impressive results as self-fulfilling prophecies.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>
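
The "that's Erlang for you" remark above can be made concrete.  The following
is an added illustration, not part of Lloyd Wood's post: an Erlang B
calculator that dimensions a trunk group for a 1% grade of service at an
assumed busy-hour load and then shows what happens to blocking when a flash
crowd multiplies the offered load.  The load figures are constructed for the
example and are not measurements from any Lebanese or other network.

```python
"""Erlang B blocking for a fixed trunk group under a flash-crowd surge."""


def erlang_b(offered_erlangs: float, trunks: int) -> float:
    """Probability that a new call finds all `trunks` busy (Erlang B).

    Uses the numerically stable recurrence
        B(0) = 1
        B(n) = A*B(n-1) / (n + A*B(n-1))
    instead of evaluating factorials directly.
    """
    if offered_erlangs < 0 or trunks < 0:
        raise ValueError("offered load and trunk count must be non-negative")
    b = 1.0
    for n in range(1, trunks + 1):
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b


def trunks_for_grade(offered_erlangs: float, target_blocking: float) -> int:
    """Smallest trunk count whose Erlang B blocking is <= target_blocking."""
    n = 0
    while erlang_b(offered_erlangs, n) > target_blocking:
        n += 1
    return n


def surge_table(baseline_erlangs: float, trunks: int, multipliers) -> list:
    """Blocking on the same trunk group as offered load is scaled up."""
    return [(m, erlang_b(baseline_erlangs * m, trunks)) for m in multipliers]


if __name__ == "__main__":
    BASELINE = 100.0                        # assumed busy-hour load, Erlangs
    N = trunks_for_grade(BASELINE, 0.01)    # dimensioned for 1% blocking
    print(f"{N} trunks carry {BASELINE:.0f} E at <= 1% blocking")
    # Displaced cellular callers plus warning calls: the same trunks, more load.
    for mult, blocking in surge_table(BASELINE, N, [1.0, 1.5, 2.0, 3.0, 5.0]):
        print(f"load x{mult:<4} blocking {blocking:6.1%}")
```

Blocking is near zero at the design load and climbs steeply once the offered
load passes the trunk count: the group can never carry more than N Erlangs,
so at three times the design load well over half of all attempts fail.  That
cliff is the "no graceful degradation" the post describes.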


Symbols silently slip south: it's not Greek to pdf

"Bryan O'Sullivan" <bos@serpentine.com>
Wed, 2 Jun 1999 20:00:07 -0700 (PDT)

In the course of some exploratory work I am doing, I recently
downloaded a technical paper in Adobe's Portable Document Format:

  http://research.microsoft.com/copyright/accept.asp?path=http://research.microsoft.com/~hoppe/siggraph96pm.pdf&pub=acm

After a brief perusal of the abstract using Adobe's free Acrobat Reader for
Linux, I decided that the paper was interesting enough to print out, and
squirreled the hardcopy away for later perusal.

When I went to read the paper today, I was a little surprised to find that
it had not reproduced very well.  In particular, much of the mathematical
notation in the paper was garbled or missing; Greek characters and curly
braces were notable by their absence.  All of this information was
represented correctly on-screen by Acrobat Reader; it was silently mangled
when I printed the document out.

Worried, I did a little more experimentation.  The free gv viewer had no
trouble displaying the paper on my screen (but I didn't try printing it
out).  The free xpdf viewer dropped most of the mathematical notation, but
the author at least documented this shortcoming (relating to embedded
fonts).

As I am not near a printer at the moment, I am going through my hardcopy of
the paper with a pen, adding the missing characters.  Most disturbingly of
all, as I began to make these corrections, I found that the mathematical
symbol for inequality (an "equals" symbol with a slash through it) was
misrendered on paper as that for equality.

The RISK seems clear - technical papers presented for downloading in PDF can
be arbitrarily garbled by viewers in ways that may be difficult to spot.
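
The missing Greek letters and braces are the symptom of a font that travels
with the file on screen but not to the printer, which is why the xpdf author
documents the problem in terms of embedded fonts.  What follows is an added
check, not something from Bryan O'Sullivan's post and not applied to the
Microsoft paper he cites: a small scanner that walks the uncompressed objects
of a PDF, finds every /Type /Font object and reports which ones lack a
/FontFile, /FontFile2 or /FontFile3 stream in their descriptor, i.e. which
ones every viewer and printer will have to substitute from its own font set.
The sample PDF fragment is constructed for the example.

```python
"""Report PDF fonts that are not embedded and so depend on the viewer."""
import re
import sys

# Constructed sample: one subsetted TrueType font carried in the file, a
# Symbol font that merely names a descriptor without a font program, and a
# bare Helvetica with no descriptor at all.  Not a complete PDF; only the
# object syntax matters for the scan.
SAMPLE_PDF = b"""%PDF-1.3
1 0 obj << /Type /Font /Subtype /TrueType /BaseFont /ABCDEF+TimesNewRoman /FontDescriptor 2 0 R >> endobj
2 0 obj << /Type /FontDescriptor /FontName /ABCDEF+TimesNewRoman /FontFile2 3 0 R >> endobj
3 0 obj << /Length 4 >> stream
abcd
endstream endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Symbol /FontDescriptor 5 0 R >> endobj
5 0 obj << /Type /FontDescriptor /FontName /Symbol /Flags 4 >> endobj
6 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
FONTFILE_RE = re.compile(rb"/FontFile[23]?\b")


def parse_objects(data: bytes) -> dict:
    """Map object number -> raw body for each uncompressed 'n g obj ... endobj'."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def font_embedding(data: bytes) -> dict:
    """Return {base_font_name: embedded?} for every /Type /Font object.

    A font counts as embedded when its descriptor carries a /FontFile,
    /FontFile2 or /FontFile3 stream, or when it is a Type3 font (glyphs are
    inline drawing procedures).  Anything else is supplied by the viewer.
    """
    objects = parse_objects(data)
    result = {}
    for body in objects.values():
        if not re.search(rb"/Type\s*/Font\b", body):
            continue
        name_m = re.search(rb"/BaseFont\s*/([^\s/>\[\]]+)", body)
        name = name_m.group(1).decode("latin-1") if name_m else "<unnamed>"
        if re.search(rb"/Subtype\s*/Type3\b", body):
            result[name] = True
            continue
        desc_m = re.search(rb"/FontDescriptor\s+(\d+)\s+\d+\s+R", body)
        embedded = False
        if desc_m:
            descriptor = objects.get(int(desc_m.group(1)), b"")
            embedded = FONTFILE_RE.search(descriptor) is not None
        result[name] = embedded
    return result


def missing_fonts(data: bytes) -> list:
    """Names of fonts the file does not carry, sorted for stable output."""
    return sorted(n for n, emb in font_embedding(data).items() if not emb)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for name, emb in font_embedding(data).items():
        print(f"{'embedded' if emb else 'MISSING '}  {name}")
```

Two caveats.  PDF 1.5 and later may pack font dictionaries into compressed
object streams, which this byte-level scan cannot see; the `pdffonts` tool
from xpdf/poppler decodes those and prints an "emb" column with the same
information.  And "not embedded" means substitution, not necessarily
garbling: the damage the post describes happens when the substitute lacks
the glyphs (or maps them differently), which is exactly the case for Symbol
and other non-text fonts.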


John Denver and interfaces

<Lindsay.Marshall@newcastle.ac.uk>
Tue, 1 Jun 1999 13:55:50 +0100 (GMT)

<http://www.asktog.com/columns/027InterfacesThatKill.html> describes
how John Denver was killed because of a modified interface in the plane
he was flying.

  http://catless.ncl.ac.uk/Lindsay

    [The builder had changed the designer's plans, placing the fuel-tank
    selector controls rather weirdly over the pilot's shoulder, unlabelled,
    with up for off, down for the right tank, and to the right for the left
    tank.  There are more curiosities in the NTSB report, at www.ntsb.gov.
    PGN]


Smart Identity Card to debut in Malaysia

<[Identity anonymized]>
Tue, 1 Jun 1999 09:29:15 +0100 (BST)

Malaysia's compulsory National Registration Identity Card (NRIC), required
for doing anything official or semi-official (such as banking, buying a car,
etc) is to become SMART and include financial and health data, driving and
travel rights and criminal offences in addition to the residence address and
thumbprints on the current laminated paper version.

The thumbprint, currently underused, is set to become the standard
computerised ID biometric used by government agencies.

The new NRIC may also become the national payment system.

NRIC numbers are issued at birth (on the birth certificate) but the card
itself is issued at the age of 12, and must thereafter be carried at all
times.

I have no information about the private company that has won the contract to
supply the new smart cards.  Nor have I heard of any public scrutiny
mechanism to ensure that the technology does not contain flaws that will
enable this data to fall into the wrong hands.

  [Source: article by Philip Golingai, Your smart IC Card with personal data
  of holder expected out in August next year, The Star, 1 Jun 1999.]


Late-night movie viewing and computerized ticket sales

Steve Fenwick <scf@w0x0f.com>
Thu, 20 May 1999 19:43:20 -0700

If you're an after-midnight movie-goer, check your tickets!

I bought tickets last weekend for "Phantom Menace", dated Wednesday, May
19th, 12:15AM. Bright RISKS readers can guess what's coming next...

The theatre's computer apparently does not recognize midnight as the break
between two days, it uses the normal box office opening time (11AM) as the
break. So their 12:15AM 5/19 show was really on 5/20 at 12:15AM.

Oops.

So I wound up seeing the show on 5/18 (according to their computer), a full
day before the movie officially opened. Take *that*, Darth Vader!

Steve Fenwick <scf@w0x0f.com> http://www.w0x0f.com

  [Star Warps?  PGN]


Senator Hatch - Trademark

Alan Barclay <gorilla@elaine.drink.com>
Thu, 27 May 1999 12:55:40 -0400

ABC News apparently thinks that Senator Orrin Hatch has registered
his name as a trademark, in
http://www.abcnews.go.com/sections/tech/DailyNews/netbombs990525.html

  "The amendment, sponsored by Sens. Orrin Hatch [*R*] of
  Utah and Dianne Feinstein (D) of California, does not make
  it illegal to simply provide the information, However."

Here "[*R*]" designates the \256 code that prints as the circle-R
registered-trademark symbol.  Obviously we're seeing some sort of
translation between (R) and the circle-R, even though in this case the
(R) is the correct text. An old story of over-enthusiastic substitution.

  [By the time I checked it out the next day, it had been fixed.  PGN]


BUGTRAQ may be banned in Australia

Peter Jeremy <peter.jeremy@AUSS2.ALCATEL.COM.AU>
Thu, 27 May 1999 08:21:26 +1000
To: BUGTRAQ@netspace.org

  [Forwarded to RISKS by Seth David Schoen <schoen@loyalty.org>.  PGN]

This message is intended as a call-to-arms for BUGTRAQ subscribers as
well as a warning to subscribers in other countries.

Yesterday, the Australian Senate (Upper House of the Federal Government)
passed legislation to censor the Internet (I don't have a URL for the final
legislation at present).  This legislation mandates the censorship of
Internet content (which includes mailing lists) as if it was a film.  All
Australian ISPs are required to filter overseas content that would be rated X
or RC under the Australian classification guidelines (see
http://www.oflc.gov.au/PDFs/Film%20&%20Video%20Guidelines.pdf).

The RC (Refused Classification) category states:

"The Classification Code sets out the criteria for refusing to classify
 a film or video. The criteria fall into three categories. These include
 films that: ...  promote, incite or instruct in matters of crime or
 violence."

and later

"Films and videos will be refused classification: or if they contain:
 ...  detailed instruction in: matters of crime or violence,"

BUGTRAQ is a full-disclosure list and regularly contains detailed
descriptions of how to break into computers.  Breaking into computers is
a crime in Australia.  It is therefore possible that BUGTRAQ could be
classified "RC" and hence banned in Australia.

Refer to http://www.efa.org.au/ for further information.

Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5982

----- End forwarded message -----

Seth David Schoen <schoen@loyalty.org>
http://ishmael.geecs.org/~sigma/  (personal)  http://www.loyalty.org/  (CAF)

  [Ah, yes, and Linux source code contains some dirty words.  PGN]


Re: Microsoft "fixes" the MS Office ... vulnerability (R 20 42)

Mediavilla David <davidme.Forum@BigFootNOSPAM.com>
Thu, 27 May 1999 14:59:53 +0200

After reading RISKS 20.42, a combination of risks came to my mind. Paul
Walker mentioned the Microsoft plan to sign Office 2000 macros.  In "German
government criticizes own style in Word documents", Debora Weber-Wulff
mentions that Office automatically fills author and organization information
from the current machine.

I am not sure if this means Microsoft may have enabled that every macro that
came to my system without signing, say an Office 97 virus that I
inadvertently loaded, will come out as signed by me. Then, everybody who
trusts me will become infected (and I will be blamed).

I asked Paul Walker (the original poster to RISKS). According to the MS
document, with security settings as 'high' unsigned macros are silently
disabled. Set to 'low', Office 2000 will silently run them. Set to 'medium',
Office 2000 will ask the user.

<PAUL WALKER>
Reading the document further does not explicitly state what happens to the
macro when it is opened under low security settings.  It would appear that
the macro will run, but it will not be signed.  Signing a macro appears to
be something that you have to do yourself.

It would appear that this won't be a danger, but...

Can you have an untrusted vb code make a function call that would sign the
macro?  In current versions of word, almost every menu function (maybe all,
I have not checked) can be done through the vb macros.  Until I get a copy
of the software in my hands, I won't be able to confirm this...
</PAUL WALKER>

  David Mediavilla Ezquibela    <davidme.forum@bigfootNOSPAM.com>
  [ES/EN/EO/EU] (Lan)
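
The question in the exchange above turns on one distinction: the author and
organisation fields Office fills in are metadata, while a macro signature is
a value computed over the macro body under the signer's key.  The following
is an added example, not Microsoft's code and not a description of how
Office 2000 stores its signatures; it models the three security levels as
the MS document is quoted, with an HMAC-SHA256 tag standing in for the
certificate-based signature (an assumption made so that it runs with the
standard library only).  Whether untrusted VBA can reach a signing function
inside Office, as Paul Walker wonders, is not something this model settles.

```python
"""Macro trust decision: signature over the macro body vs. author metadata."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Signers this machine trusts and the key each signs under.  Constructed
# for the example; a real deployment would hold certificates instead.
TRUSTED_SIGNERS = {"me": b"example-secret-key-for-me"}


@dataclass
class Document:
    author_metadata: str           # autofilled from the machine's user info
    macro: bytes                   # the VBA body as stored in the file
    signer: Optional[str] = None   # claimed signer, if any
    signature: Optional[bytes] = None


def sign_macro(doc: Document, signer: str, key: bytes) -> Document:
    """Attach a tag bound to the macro body.  Producing it needs the
    signer's key, which neither the author field nor code running inside
    the document possesses."""
    tag = hmac.new(key, doc.macro, hashlib.sha256).digest()
    return Document(doc.author_metadata, doc.macro, signer, tag)


def signature_valid(doc: Document) -> bool:
    """True only if a trusted signer's key reproduces the tag over this
    exact macro body.  The author metadata is deliberately ignored."""
    if doc.signer is None or doc.signature is None:
        return False
    key = TRUSTED_SIGNERS.get(doc.signer)
    if key is None:
        return False
    expected = hmac.new(key, doc.macro, hashlib.sha256).digest()
    return hmac.compare_digest(expected, doc.signature)


def decide(doc: Document, level: str) -> str:
    """The three levels as quoted in the post: 'high' silently disables
    unsigned macros, 'medium' asks the user, 'low' runs them."""
    if level not in ("high", "medium", "low"):
        raise ValueError(f"unknown security level {level!r}")
    if level == "low" or signature_valid(doc):
        return "run"
    return "block" if level == "high" else "prompt"


if __name__ == "__main__":
    # An infected document whose author field the machine filled in with
    # my name.  Constructed sample; no signature is present.
    virus = Document("me", b"Sub AutoOpen(): Spread(): End Sub")
    print("virus, high  :", decide(virus, "high"))      # block
    print("virus, medium:", decide(virus, "medium"))    # prompt
    print("virus, low   :", decide(virus, "low"))       # run

    mine = sign_macro(Document("me", b"Sub Report(): Build(): End Sub"),
                      "me", TRUSTED_SIGNERS["me"])
    print("signed, high :", decide(mine, "high"))       # run

    # A signed document edited after signing: the tag no longer matches.
    edited = Document(mine.author_metadata, mine.macro + b"' extra",
                      mine.signer, mine.signature)
    print("edited, high :", decide(edited, "high"))     # block
```

The point of the model is the `signature_valid` path: a virus that arrives
unsigned stays unsigned no matter whose name the metadata carries, and a
signed macro that is modified afterwards stops verifying.  The residual risk
the exchange identifies is different, namely anything on the machine that
can invoke signing with the user's own key.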


We don't care, we don't have to, we're the phone company!

John Pettitt <jpp@cloudview.com>
Tue, 25 May 1999 16:47:14 -0700

I recently made a couple of trips to the UK on business and not wishing to
spend the entire US GDP on phone bills (UK hotel phones should be avoided
at all costs) I used my MCI card to call home and check e-mail.

When I got back my MCI bill was full of "operator assisted" calls from the
UK to the US (billed at more than $2 per min).  I called MCI and after they
dialed the number and confirmed that it was indeed a modem and that no their
operators could not speak V.90 I got a credit for $200 or so.

My next MCI bill was for $4000+ - with exactly the same problem (in this
case close to $3000 in over billing).  This time they would not issue a
credit (they can't tell me why - I'm not allowed to talk to the people who
decide these things).

There are a whole bunch of risks here:

1) Systems that are wrongly configured and overbill even when used
   according to the instructions (and still do it a month after first
   reported)

2) Customer service systems that prevent customers from talking
   to decisionmakers.

3) No exception system to allow issues to be escalated.

I'm reminded of the well-known phrase "We don't care, we don't have to, we're
the phone company".

John Pettitt (ex MCI customer, about to hand the whole mess to the lawyers)


Allaire firewall RISKS

"Robert David Graham" <rob-risks@netice.com>
Tue, 1 Jun 1999 19:49:15 -0700

In the past couple months, hundreds (if not thousands) of web sites using
Allaire's ColdFusion have been hacked (their web pages have been defaced).
When interviewed by the press, one site administrator said, "We are
installing a firewall so that this won't happen again".

However, firewalls do not protect against this particular hack.

Explanation: Firewall technology is based on "port filters". The average web
server has many ports open for a variety of reasons, but needs only port 80
in order to serve web pages. However, ColdFusion runs as part of the web
server reachable at port 80. QED, placing a firewall in front of a web server
provides no protection against the ColdFusion hack.

Firewalls do not "prevent" hacks, as most people believe. They simply reduce
RISKS by reducing the number of ports or IP addresses that may be exposed
inadvertently on the Internet. The remaining ports (such as e-mail, web, and
FTP servers) can often be hacked.

In practice, firewalls probably increase RISKS overall. Consider a study of
Berlin taxi drivers who were given anti-lock brakes: the taxi drivers
started driving more aggressively, and had more accidents. Therefore, the
study concluded that anti-lock actually INCREASES RISKS. What is really
going on is that firewalls/ABS only decrease RISKS if behavior is left
unchanged, but the added security encourages RISKy behavior.

The ColdFusion bug was not really Allaire's fault — the bug was in a sample
script that Allaire recommends be removed from a production web server.
Almost every web-site creation package like ColdFusion has the same problem,
including Microsoft's ASP scripting, FrontPage web hosting, and sample CGI
programs. Administrators feel safe behind firewalls and do not diligently
check their web servers for these problems. For the most part, crackers who
intend to deface web pages or steal credit card information from web servers
do not care about firewalls that might protect the target servers.

Robert Graham
http://www.networkice.com/advice


Re: Allaire defects are nobody's fault? (Graham, RISKS-20.43)

Adam Shostack <adam@homeport.org>
Thu, 3 Jun 1999 12:31:20 -0400

Robert David Graham wrote:
| The ColdFusion bug was not really Allaire's fault — the bug was in a
| sample script that Allaire recommends be removed from a production web
| server. Almost every web-site creation package like ColdFusion has the
| same problem, including Microsoft's ASP scripting, FrontPage web
| hosting, and sample CGI programs. Administrators feel safe behind

I'm sorry, but that's not the case.  The ColdFusion bug was Allaire's fault.
They wrote and shipped crap sample code that has security flaws in it.  That
code has probably been modified into other vulnerable programs.  There are a
reasonably large number of secure programming FAQs available; Matt Bishop
has one, there's one in Garfinkel and Spafford, there's one I wrote.

I've seen academic references in 1976 or so that programs that don't
validate their input are vulnerable to attack.  To absolve a company of
blame for shipping bogus code is wrong.  They screwed up.  They got lots of
people in trouble.  They wasted lots of people's time.

If you don't have time to do the sample code right, don't ship it.  It's been
a long time since a problem like this was found in Apache; NCSA had a slew,
and the web folks learned.  You can read the history of it in the bugtraq
archives.
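
Both posts above can be shown in one piece of code: Robert Graham's point
that a port filter sees only the destination port and therefore passes an
attack on port 80 exactly as it passes a legitimate page request, and Adam
Shostack's point that the real defect is a sample script that does not
validate its input.  This is an added example.  The "open a file named in
the query string" handler is hypothetical, modelled on the class of
sample-script bug the posts describe and not on Allaire's actual code; the
file store, web root and request lines are constructed for the example.

```python
"""A port filter beside a sample-script file handler, vulnerable and fixed."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Stand-in for the server's disk: absolute path -> contents.  Constructed.
FILES = {
    "/www/examples/readme.txt": b"Sample application. Remove before deployment.\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}
SAMPLE_ROOT = "/www/examples"   # assumed location of the shipped samples


def firewall_allows(dst_port: int, open_ports=(80,)) -> bool:
    """All a port filter sees: the destination port, nothing about the URL."""
    return dst_port in open_ports


def query_params(request_line: str) -> dict:
    """Pull the query string out of 'GET /path?x=y HTTP/1.0'."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("only GET is modelled here")
    return parse_qs(urlsplit(target).query)


def vulnerable_open(params: dict) -> bytes:
    """The sample-script bug: trusts the file name straight from the client,
    so '..' segments walk out of SAMPLE_ROOT."""
    name = params["file"][0]
    path = posixpath.normpath(posixpath.join(SAMPLE_ROOT, name))
    if path not in FILES:
        raise FileNotFoundError(path)
    return FILES[path]


def hardened_open(params: dict) -> bytes:
    """Same feature with input validation: one plain file name with no
    separators or leading dot, and the resolved path must still sit under
    SAMPLE_ROOT after normalisation (belt and braces)."""
    name = params.get("file", [""])[0]
    if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]*", name):
        raise ValueError("file name rejected")
    path = posixpath.normpath(posixpath.join(SAMPLE_ROOT, name))
    if posixpath.commonpath([SAMPLE_ROOT, path]) != SAMPLE_ROOT:
        raise ValueError("path escapes the sample directory")
    if path not in FILES:
        raise FileNotFoundError(path)
    return FILES[path]


def serve(request_line: str, handler, dst_port: int = 80) -> tuple:
    """(status, body) for one request once the port filter has had its say.
    Status 0 means the packet never reached the web server."""
    if not firewall_allows(dst_port):
        return 0, b""
    try:
        return 200, handler(query_params(request_line))
    except ValueError:
        return 400, b""
    except FileNotFoundError:
        return 404, b""


if __name__ == "__main__":
    benign = "GET /examples/openfile?file=readme.txt HTTP/1.0"
    attack = "GET /examples/openfile?file=../../etc/passwd HTTP/1.0"
    for req in (benign, attack):
        print(req)
        print("  firewall  :", "pass" if firewall_allows(80) else "drop")
        print("  vulnerable:", serve(req, vulnerable_open))
        print("  hardened  :", serve(req, hardened_open))
```

Run it and the firewall line reads "pass" for both requests, which is
Graham's point; the vulnerable handler then hands back the password file
while the hardened one answers 400, which is Shostack's.  Note that
`parse_qs` decodes percent-encoding before the handler sees the name, so the
validation runs on the decoded value rather than on what appeared on the
wire; validating the encoded form instead is a common way to get this wrong.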


A Problem with Biometrics

Andrew J Klossner <andrew@pogo.WV.TEK.COM>
Thu, 27 May 1999 13:37:07 -0700

Unlike account numbers and PINs, biometrics suffer from the Universal
Identifier problem.  I can use a different account number and password at
each of several institutions, and can change them at need.  Switching to
iris scan would have me use the same immutable password everywhere.

This will also lead to unwanted pooling of data by commercial and
government interests.  Dig out any article on the evils of the
U.S. Social Security Number as identifier and change "SSN" to "iris
scan" throughout.

  -=- Andrew Klossner (andrew@pogo.wv.tek.com)


Re: Biometric risks

Ron Ruble <raffles1@worldnet.att.net>
Mon, 24 May 1999 05:33:33 -0400

In RISKS-20.41, Dan Wallach and Paul Lewis Gittins both mentioned risks
involving lack of an alternative to biometric identification.  They
identified the risk of not servicing visually impaired individuals whose
irises can't be scanned.

In the US, failure to provide a fallback method of identification may well
place the owners of the system at legal risk.

Not having a fallback may well be considered a violation of the Americans
With Disabilities Act. The ADA does not spell out specific rules or
requirements, but does make the statement that 'reasonable accommodation'
must be made for all persons with disabilities. It would be up to the jury
to decide whether having a card and PIN as a fallback for the biometric
system was reasonable.

Some might argue that many visually impaired people would go to the human
tellers anyway, and during banking hours, this may be an acceptable
accommodation. But it does not provide the 24-hour availability of the ATM.

In addition, the manufacturers of the devices may be at risk if they
install or recommend installing the devices without fallback options.

I seem to recall that several European nations have similar laws that
require similar accommodations for the disabled. I hope some of the
Europeans who frequent this forum will comment on that.

Ron Ruble, Raffles Software Development, Inc.


California will sell confidential wage data

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 4 Jun 1999 16:33:19 PDT

California will begin selling confidential wage data of 14 million of its
residents to private information companies, car dealers and creditors
wanting to check an individual's annual income.  [...]  No data would be
shared without the written permission of the individual, state officials
said.  However, private companies that are deemed qualified to access the
data would operate on an honor system and would not be required to show
proof of each individual's written permission before accessing the
information.  [Do you believe this one?  See nandotimes, 3 Jun 1999,
http://www.nandotimes.com/noframes/story/0,2107,55865-89293-634754-0,00.html]


Privacy Digests

<RISKS moderator>
17 Apr 1997

Periodically I remind you of TWO useful digests related to privacy, both of
which are siphoning off some of the material that would otherwise appear in
RISKS, but which should be read by those of you vitally interested in
privacy problems.  RISKS will continue to carry general discussions in which
risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein.  It includes a digest (which
  he moderates quite selectively), archive, and other features, such as
  PRIVACY Forum Radio interviews.  It is somewhat akin to RISKS; it spans
  the full range of both technological and nontechnological privacy-related
  issues (with an emphasis on the former).  For information regarding the
  PRIVACY Forum, please send the exact line:
     information privacy
  as the BODY of a message to "privacy-request@vortex.com"; you will receive
  a response from an automated listserv system.  To submit contributions,
  send to "privacy@vortex.com".

  PRIVACY Forum materials, including archive access/searching, additional
  information, and all other facets, are available on the Web via:
     http://www.vortex.com

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
  run by Leonard P. Levine.  It is gatewayed to the USENET newsgroup
  comp.society.privacy.  It is a relatively open (i.e., less tightly moderated)
  forum, and was established to provide a forum for discussion on the
  effect of technology on privacy.  All too often technology is way ahead of
  the law and society as it presents us with new devices and applications.
  Technology can enhance and detract from privacy.  Submissions should go to
  comp-privacy@uwm.edu and administrative requests to
  comp-privacy-request@uwm.edu.

There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places.  If you are very
short of time and can scan only one, you might want to try the former.  If
you are interested in ongoing discussions, try the latter.  Otherwise, it
may well be appropriate for you to read both, depending on the strength of
your interests and time available.  PGN
