The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 56

Friday 3 September 1999

Contents

o Online gambling software flaw
Matthew Schmid
o Test page for dangerous ActiveX controls
Richard M. Smith
o Intuit strikes again
Gary Cattarin
o Danish UPS
Finn Jensen in rec.humor.funny
o Tandy bug?
Lindsay Marshall
o E*Trade and the Dow Jones
Theodore Y. Ts'o
o U.S. top-secret messages go astray
Andrew Johnson
o UPenn bug report
Rebecca Mercuri
o Local company stung by Y2K bug
Doneel Edelson
o Smart Card Forum annual meeting
Donna Farmer
o Info on RISKS (comp.risks)

Online gambling software flaw

"Matthew Schmid" <mschmid@rstcorp.com>
Fri, 3 Sep 1999 05:26:02 -0700 (PDT)
Regardless of its quasi-legal status, online gambling presents an entire
raft of risks.  Key questions include: Will your personal information be
handled securely (for example, will the credit card number you're paying
with be stolen or the fact that you're gambling at all be leaked)?  What if
the gaming site is hacked?  Could you be playing against cheating insiders
or players acting in collusion?  Are the games implemented correctly and
fairly?  Is the software secure?  In response to the last question, we have
demonstrated that the answer is no.

The Software Security Group at Reliable Software Technologies
(www.rstcorp.com) has discovered a serious flaw in the implementation of
Texas Hold 'em Poker that is distributed by ASF Software, Inc.
(www.asfgames.com).  We have exploited this flaw in the lab.  Our exploit
allows a player (us) to calculate the exact deck being used for each hand in
real time.  That means a player using our exploit knows the cards in every
opponent's hand as well as the cards that will make up the flop (cards
placed face up on the table after rounds of betting).  We can win every
time.  A malicious attacker could use our exploit to bilk innocent players
of actual money without ever being caught.  ASF Software has been notified
of the flaw.

Currently we know of three online casinos (www.planetpoker.com,
www.purepoker.com, and www.deltacasino.com) that appear to use ASF
Software's implementation of Texas Hold 'em Poker.  All three Websites allow
players to compete for real money.  There is also a demo casino
(www.casinococo.com) that allows players to gamble with play money.  We have
only used our exploit against the demo casino.

The flaw exists in the card shuffling algorithm used to generate each deck.
Ironically, the code was publicly displayed at www.planetpoker.com/ppfaq.htm
with the idea of showing how fair the game is to interested players (the
page has since been taken down).  In the code, a call to randomize() is
included to produce a random deck before each deck is generated.  The
implementation, built with Delphi 4 (a Pascal IDE), seeds the random number
generator with the number of milliseconds since midnight according to the
system clock. That means the output of the random number generator is easily
predicted.  A predictable "random number generator" is a very serious
security problem.

There are a number of other problems in the implementation that could lead
to complete security compromise.  We have only exploited the easiest one at
this time.

The broad take-home message from this work is simple: when software
misbehaves, bad things can happen.  Our mission in the Software Security
Group is to stamp out insecure code before it is placed in service.  Members
of the group involved with the Gambling exploit are: Brad Arkin, Frank Hill,
Scott Marks, Matt Schmid, and TJ Walls.  The Software Security Group is led
by Dr.Gary McGraw.

Matt Schmid, Reliable Software Technologies  <mschmid@rstcorp.com>


Test page for dangerous ActiveX controls

"Richard M. Smith" <smiths@tiac.net>
Sun, 29 Aug 1999 14:04:32 -0400
There are a number of outstanding problems with ActiveX controls that are
awaiting patches from Microsoft.  I've put together a test page which will
determine which dangerous ActiveX controls are installed on a system.  Here
is the URL:

    http://www.tiac.net/users/smiths/acctroj/axcheck.htm

I think the best solution for right now is to turn off ActiveX in IE4 and
IE5.

The "bad guys" can use these controls to do all sorts of nasty stuff in Web
pages, HTML E-mail messages, and even newsgroup messages.  Affected products
are Internet Explorer, Outlook, Outlook Express, and Eudora.

Note: the test page requires IE4 or IE5.  Netscape users are safe because
Navigator does not support ActiveX controls.

Richard


Intuit strikes again

"Gary Cattarin" <gcattari@nortelnetworks.com>
Wed, 1 Sep 1999 20:54:13 -0700
Intuit blows it again.  Should we be surprised?

Go to:  http://privacy.intuit.com/  Read all the high and mighty "We're so
careful about your privacy it hurts" crap.

At the bottom, find a link that reads, "If you would like to review or
change your contact preferences, please click here."  Enter your last name
and ZIP code.  No, wait, enter ANYONE'S last name and ZIP code who you think
might use any Intuit product.  It's not hard to think of someone who might.
Of course, you are taken - without any verification whatsoever - right to
that individual's privacy profile, where you can determine your friend's,
neighbor's, enemy's, or mother's choice of receiving junk snail mail,
e-mail, and/or phone solicitations from Intuit, or whether Intuit may spread
their information across the globe (only to "vigorously screened companies"
of course!!!).  You can even change their e-mail - so perhaps you can use
someone else's profile to create SPAM into your favorite enemy's inbox!
(Oh, if Dick Nixon were still alive...)

Risk?  Privacy statements and policies mean nothing if the company maintains
no control over the information required to implement them.  Weak attempts
at "privacy control" allow easy abuse and further multiply the problem.

So go ahead!  Protect your neighbor from junk mail.  I did.  (He'd thank me
for it if he ever knew I could do that.)

Gary Cattarin - cattarin@ma.ultranot.com
(Humans will guess the real address - e-mail address-grabbing scanners will
not!)


Danish UPS

Finn Jensen <f_jensen@mail.tele.dk>
Tue, 31 Aug 1999 19:30:00 PDT
  [Courtesy of Aram Khalili, Jim Griffith, and Julian Thomas]

To good to be true, but it is.  From the Tele Danmark (ISP) homepage,
translated from Danish.

>This morning, Tele Denmark Internet was out of order, because the power
>supply failed. It meant that customer couldn't connect to the Internet.
>
>The problem occu[r]red at 7:45, when a truck drove into the cabinet that
>supplies Tele Denmark Internet with power. The truck was delivering a new
>uninterruptible power supply, and therefore the old UPS had been disconnected.
>At 9:00 the power returned and the different system began to reestablish, and
>everything is expected to return to normal again by 10:30. Tele Denmark
>Internet regrets the disturbance to its customers.

[http://www.opasia.dk/online/tele_danmark/index.html, English here cleaned up
    a bit for humor's sake - ed.]


Tandy bug?

<Lindsay.Marshall@newcastle.ac.uk>
Fri, 3 Sep 1999 14:09:52 +0100 (GMT)
The following story was recently forwarded to the EGR mailing list. I
wonder if anyone knows anything more about it?  L.

2) William Slattery shares the following personal experience. All you
reporters out there might take special note.

   Y2K is here!

   I got a check in the mail last week from Tandy Corporation:
   $891.24. A nice chunk of change that there is no way in the world
   they could owe me.

   Here is what I think happened. Because of my odd habit of paying
   off most of my bills to the nearest ten dollars OVER what I
   actually owe (it makes the math easier when I balance my
   checkbook), I had a small credit on my Radio Shack credit card.
   Their computer looked at the end of the billing period, which
   fell after the infamous 9/9/99, and said Wowza!, this guy has had
   a five dollar credit on our books since January 1 of 1900. Since
   company policy is to pay off credits on inactive accounts, I'm
   going to calculate the interest and cut this guy a check.

   So here we are. I phoned Tandy headquarters (817-415-3011) and
   talked with the person in charge of this sort of thing, Lisa
   Mapes. I told her there was no way Radio Shack could owe me 900
   bucks because I hadn't spent that much money in their stores in
   my whole life. I told her I thought they had a Y2K problem. She
   laughed at me. It was not a good laugh. It was the "you're so
   ridiculous it's hilarious" kind of laugh. Ms. Mapes told me to go
   ahead and cash the check. Radio Shack really owes me this money,
   she says, even though they are completely unable to explain WHY
   they owe me the dough.

   I told reporters at The New York Times and National Public Radio
   that all their stories warning about Y2K were finally starting to
   pay off. I figured that after years of running Chicken Little
   stories -- the sky is gonna fall! the sky is gonna fall! -- it
   would make a good little story when the first chunks of sky
   actually started landing on people's heads. Apparently not. They
   seem profoundly uninterested.

   To a mind as comprehensive as yours, I am sure the potential for
   gaining fabulous wealth is immediately apparent. The key to
   getting rich off Y2K is to open numerous small accounts under
   assumed names, lodge small credits in them, and wait for the
   checks to roll in. If I'd thought of it sooner -- and could get
   rid of this pesky conscience -- I'd be a rich man today.


E*Trade and the Dow Jones

"Theodore Y. Ts'o" <tytso@mit.edu>
Thu, 2 Sep 1999 16:33:57 -0400
After suffering through the E*Trade / Red Hat fiasco, where each time I
talked to a human being, I was really impressed, but each time I had to deal
with the web page software I was less than impressed, I suppose I shouldn't
be surprised about much from E*Trade's web page.

But imagine my amusement when I looked at E*Trade's main web page, which
according to its Market Watch, as of 9/2/1999, at 2:49pm the Dow Jones
Industrial Average was $1.00, down $10936.88.  Somehow, I have a little bit
of trouble believing that.  Either that, or that stock market bubble that
Greenspan keeps worrying about was far more real than anyone ever believed!:-)

(Given that the Nasdaq has only dropped 21.5 points today, I'm assuming the
DJIA didn't really lose over ten thousand points.)

Obviously, E*Trade's software doesn't have any "that can't *possibly* be
right" checks, so when it somehow got the bogus data about the value of the
DJIA, the software very happily calculated that if the index is currently
worth one dollar, then it must have dropped $10,936.88 since yesterday.

Fortunately, it's pretty obvious that the DJIA on the Market Watch web page
couldn't possibly be right, but this brings up some obvious questions that
should be familiar to all Risks readers: what if some other dumb computer
program which was rigged to do program trading decided this meant it should
dump all of its holdings in a hurry?  (Or buy lots of stocks since obviously
everything is cheap.)  What if the numbers on E*Trade's Market Watch were
off by some significant amount, but not in a way which made it immediately
obvious that it was in space?  Could a human being be taken in by its a
likely-looking-but-wrong DJIA, and mistakingly make some trades based an
incorrect market index?

                        - Ted

P.S.  I've saved a copy of the gif image displayed by E*Trade's Market
Watch, for those who'd like to see this for themselves.  It can be found
at:
    http://web.mit.edu/tytso/www/etrade-djia.gif


U.S. top-secret messages go astray

"Andrew Johnson (A.J.)" <johnsy@clear.net.nz>
Fri, 3 Sep 1999 18:30:53 +1200
A common risk inherent in all of our communication technology is...well,
once again, human error.  Next week New Zealand hosts the APEC conference in
Auckland, being attended by a substantial number of world leaders, including
President Clinton from the U.S.

So imagine if Saji Phillips, a chicken farmer from Auckland, had been one of
those people who holds a grudge: He was accidentally faxed the security
arrangements for the U.S. Embassy and U.S. Delegation, including Mr Clinton,
today N.Z. time (3 September 1999).

See Newsroom.co.nz : http://www.newsroom.co.nz/story.asp?s=5469

  [Another story says this had happened repeatedly.]

The Risk here is very clear... imagine how much that information would be
worth to the right person!  Not that anyone would think that free trade is a
bad thing, of course. *ahem*...

Andrew Johnson <johnsy@clear.net.nz> http://critique.net.nz/aj/mania/


UPenn bug report

Rebecca Mercuri <mercuri@gradient.cis.upenn.edu>
Wed, 1 Sep 1999 17:51:43 -0400 (EDT)
Here's the report on what happened to cut Penn entirely off from the
Internet.  R.Mercuri

Date:         Tue, 31 Aug 1999 20:11:25 -0400
Reply-To: Network Administration <netadmin@ISC.UPENN.EDU>
From: Network Administration <netadmin@ISC.UPENN.EDU>
Subject:      ****EXTERNAL CONNECTIVITY RESTORED****
Comments: To: pennnet-announce@isc.upenn.edu
To: UUGP@LISTS.UPENN.EDU

Date:                   Tuesday August 31, 1999
Time:                   2:20pm - 7:30pm
Duration:               5 hours
Buildings Affected:     Entire Campus
Services Affected:      Internet Connectivity
Description:            At 2:20 this afternoon, the University's
  Internet connectivity was disrupted due to a problem with a Bell Atlantic
  high-speed line. By 7:30 this evening, Bell Atlantic had taken steps to
  restore our link to UUNet. There may be a brief interruption to our service
  in the next 24-48 hours while Bell Atlantic makes permanent repairs.

netadmin@isc.upenn.edu


Local company stung by Y2K bug

"Edelson, Doneel" <doneeledelson@aciins.com>
Fri, 3 Sep 1999 12:18:36 -0400
Y2K glitches happen to even the most computer savvy folks.  Wayne Moule,
president of Northwest Metrology, a company that calibrates electronic test
equipment for federal agencies and major corporations, is a case in point.
Moule sees the damage every day and still is counting losses - $80,000 and
growing - because software he owns fell victim to a year 2000 problem. ...
[Source: Marc Benjamin, *The Bakersfield Californian*, 24 August 1999;
PGN-ed]


Smart Card Forum annual meeting

"Donna Farmer" <dfarmer@smartcardforum.org>
Sun, 29 Aug 1999 17:40:30 -0400
Who: Leading privacy and Internet commerce technologists
What: Smart Card Summit '99: Privacy & Security in the New Millennium
When: September 22-23, 1999
Where: JW Marriott Hotel in downtown Washington, DC
Web-information: http://www.smartcardforum.org or call (202) 530-5306.

Please report problems with the web pages to the maintainer

Top