The RISKS Digest
Volume 20 Issue 57

Wednesday, 15th September 1999

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



o Leaving a field blank wipes out 13.2 billion pounds UK
David Parkinson
o Dumb computers & the instantaneous nature of e-business
David Parkinson
o Smile for the US Secret Service
Monty Solomon
o NOAA predicts early winter
Bill Seurer
o The real story on Centaur/Milstar
Peter B. Ladkin
o If it quacks on 1/1/2000, it must be a Y2K duck
Win Treese
o Food expiry date misreading risks
John Stockton
o Army dumps NT, moves to Mac
Martin Minow
o New Hotmail breach reported
Keith A Rhodes
o New ICQ Trojan
CJNN via Patrick O'Beirne
o Macro viruses and Word'97's built-in macro detector/disabler
Gisle Hannemyr
o Microsoft Installs US Spy Agency with Windows
Andrew D. Fernandes
o Commentary on Back Orifice
Bruce Schneier
o CPSR Conference: The Internet Gold Rush of '99
Susan Evoy
o Info on RISKS (comp.risks)

Leaving a field blank wipes out 13.2 billion pounds UK

David Parkinson <>
Thu, 09 Sep 1999 13:28:42 +0100
from *The Times* (London), 9 Sep 1999

Leave one field blank and....

AN INADVERTENT sell order for Vodafone AirTouch sent shares in the heavily
weighted mobile telecoms group tumbling and wiped nearly 70 points from a
FTSE 100 index that was already reeling from an unexpected UK base rate

A dealer at a US securities house, believed to be Lehman Brothers, entered a
massive sell order for Vodafone at 1.40pm. The order is thought to have been
set without limits, which meant it matched all bids on the order book and
triggered a collapse in the shares from UKP12.29 to UKP10.13.

That sale temporarily wiped UKP13.2 billion from the value of the telecoms
giant, which, due to its 6.4 per cent weighting in the FTSE 100, pushed the
blue chip index 66 points lower.

Dumb computers & the instantaneous nature of e-business

David Parkinson <>
Thu, 09 Sep 1999 13:45:17 +0100
Retail outlet Argos ran an ad that offered 21-inch Sony Nicam TV sets to
Internet customers for 3 pounds instead of 300 pounds.  A spokesman for
Argos said: "The pricing of the TV sets at UKP3 was clearly an error caused
by a computer.  We rectified this mistake and we will be contacting our
customers to apologise for any inconveniences and explain that their orders
cannot be accepted."  (One customer had ordered 1,700 sets.)  [Source: Adam
Fresco, *The Times* (London), 9 Sep 1999; PGN-ed]

Today's (instant?) electronic communication system means you haven't got
long to correct mistakes on your e-commerce web site before the word gets
out.  Also they can be at your door in seconds - even from the other side of
the world.

(I'm sure the neighbourhood store would cotton-on at the first transaction,
and even the most dim-witted store keeper would realise something was wrong
if the shop suddenly filled with people clamouring for the same stock item).


  [Also noted by Russell Middleton.  PGN]

Smile for the US Secret Service

Monty Solomon <>
Tue, 7 Sep 1999 23:31:47 -0400
Smile for the US Secret Service
by Declan McCullagh, Wired News, 7 Sep 1999

A New Hampshire company began planning in 1997 to create a national identity
database for the federal government, newly disclosed documents show.  Image
Data's US$1.5 million contract with the US Secret Service to begin
digitizing existing driver's license and other personal data was widely
reported early this year. But documents unearthed by the Electronic Privacy
Information Center reveal the details and scope of the project.

NOAA predicts early winter

Tue, 7 Sep 1999 09:42:21 -0500
As I ate breakfast this morning I listened to the weather report on the
local NOAA weather radio station.  As I watched hummingbirds feed from our
nectar feeders and squirrels scamper around the yard I was quite surprised
to hear that the temperature was 61 degrees F and the wind chill was 64
degrees below zero.  Time to break out the parkas!

Sometime last year NOAA began to broadcast forecasts, current conditions
reports, and other relatively "fixed" information via a computer generated
voice system.  Either someone entered bad data or whatever computes the wind
chill was broken this morning.  A person reading the current conditions
would probably have caught the error and certainly would not have kept
repeating the bad data.

Bill Seurer, Compiler Development, IBM, Rochester, MN

The real story on Centaur/Milstar (RISKS 20.36, 20.39, 20.49)

"Peter B. Ladkin" <>
Tue, 03 Aug 1999 11:54:50 +0200
*Aviation Week* points out on 26 Jul 1999 (p27) that the Centaur upper-stage
failure was in fact caused by a programming error.  Someone entered a
roll-rate filter constant at one-tenth of its proper value (-0.1992476
rather than -1.992476). Not only that, but the USAF investigation determined
that "officials overlooked information present during the launch process
that a software flaw existed".

Whether or not evidence was present during the launch process, how come such
an error wasn't caught during debugging, inspection, component bench test,
integration test, and all those other things software and system developers
are supposed to do?

  [To my knowledge, this is only the second verified and public example of a
  simple programming error (equivalent to a typo) that I know of in
  aerospace.  The first one was Mariner, and as far as I know that's the
  only one in the RISKS archives.  There has been some discussion on certain
  mailing lists about examples of simple programming errors in critical
  systems. PBL]

Prof. Peter Ladkin Ph.D.
University of Bielefeld, Germany     Mobile: +49 (0)171 755 8838
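As an added example (not from the Aviation Week report or from the post above), here is the kind of cross-check that an inspection or bench-test step could run over loaded constants: compare each one against an independently maintained reference value and name the class of entry error that would explain the difference. The constant name, the reference table and the "as entered" table are constructed for illustration; the two numeric values are the ones quoted in the post.

```python
"""Cross-check loaded numeric constants against a reference list and classify
any discrepancy by the kind of data-entry error that would produce it.
Added example; the constant names and both tables are constructed."""
import math

# Constructed reference table. In practice it is maintained separately from the
# configuration that actually gets loaded, so a typo in one is caught by the other.
REFERENCE_CONSTANTS = {
    "roll_rate_filter_constant": -1.992476,   # value quoted in the RISKS post
    "pitch_gain": 0.75,                       # constructed
}

def classify_discrepancy(loaded, reference, rel_tol=1e-6):
    """Return 'ok', 'sign-flip', 'decimal-shift:<k>' (loaded is 10**k times the
    reference) or 'mismatch' for an unexplained difference."""
    if reference == 0.0:
        return "ok" if loaded == 0.0 else "mismatch"
    if math.isclose(loaded, reference, rel_tol=rel_tol):
        return "ok"
    if math.isclose(loaded, -reference, rel_tol=rel_tol):
        return "sign-flip"
    ratio = loaded / reference
    if ratio > 0:
        k = math.log10(ratio)
        # A misplaced decimal point shows up as a ratio that is an exact power of ten.
        if math.isclose(k, round(k), abs_tol=1e-6) and round(k) != 0:
            return f"decimal-shift:{round(k)}"
    return "mismatch"

def check_constants(loaded, reference=REFERENCE_CONSTANTS):
    """Map every reference constant to its classification. A missing entry is
    reported too, since silently falling back to a default is its own risk."""
    report = {}
    for name, ref in reference.items():
        if name not in loaded:
            report[name] = "missing"
        else:
            report[name] = classify_discrepancy(loaded[name], ref)
    return report

def problems(report):
    """Names of constants whose verdict should block the build or the launch."""
    return sorted(name for name, verdict in report.items() if verdict != "ok")

if __name__ == "__main__":
    # Constructed 'as entered' table reproducing the one-tenth error from the post.
    entered = {"roll_rate_filter_constant": -0.1992476, "pitch_gain": 0.75}
    rep = check_constants(entered)
    print(rep, problems(rep))
```

The point of classifying rather than just flagging is triage: a decimal shift or a sign flip points at a transcription error in the loaded table, whereas an unexplained mismatch may mean the reference list itself is stale.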

If it quacks on 1/1/2000, it must be a Y2K duck

Win Treese <>
Tue, 07 Sep 1999 00:14:29 -0400
I received a notice recently that one of Verisign's root keys expires at the
end of 1999, and users of Netscape browsers (version 4.05 and earlier) need
to get an updated certificate to avoid warnings about expired keys.

This in itself isn't a big problem--we expect certificates to expire,
although it can be rather inconvenient. The problem comes from the timing:
anyone seeing odd behavior (such as an extra dialog box) on or near 1/1/2000
is likely to blame it on a Y2K problem, whether that's appropriate or not.

Apparently this fact has not been lost on Verisign's competitors, at least
according to Verisign's FAQ on the matter, at:

Moral of the story: schedule software dates when nothing else important
is known to be happening.

Win Treese, Open Market, Inc.

Food expiry date misreading risks

Dr John Stockton <>
Fri, 10 Sep 1999 07:48:50 +0100
[This topic is raised in]
There is a little more in my Web page

Subject : Y2K - User Misinterpretation of Food Expiry Dates

Confusion between two digits meaning Year 20## and meaning Year 19## is well
understood; misidentification of ## fields in dates between Y, M, D has been
discussed in Y2K newsgroups; the food trade will understand the date formats
on their products.

However, one problem is perhaps not well-realised: the use of ## fields in
expiry dates on the packaging of foods, together with the circumstances of
domestic food storage, leads to the probability that many of those who
finally use these packaged foods may misunderstand the dating formats.

For example, an item sold in March 2000 may be marked for use by "OCT 01" -
does it have a six- or an eighteen-month life? If it is discovered in the
back of the cupboard on 2000-09-20, should it be eaten soon, or is there a
safe year left?  Many errors can be expected.

Remember that some food travels, some amateur cooks travel, date formats
vary, ...

If the famed cook, Great-Aunt Philomena o'Kerry, on her first trip ever out
of Erin, visits the kitchen of her Great-Niece in Troy, AL, USA, will she be

John Stockton, Surrey, UK.
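As an added example, not part of Dr Stockton's post or his Web page, here is a small Python routine that makes the ambiguity he describes explicit: given a label and the date of sale, it enumerates every plausible reading and says whether an item found on a later date is past any of them. It also covers the all-numeric case his travelling cook would meet (day-month-year, month-day-year and year-month-day field orders), which goes beyond the "OCT 01" example in the post. The five-year maximum shelf life and the sample labels are assumptions.

```python
"""Enumerate the plausible readings of a food 'use by' label and judge an item
found on a given date. Added example; the shelf-life bound and the sample
labels are assumptions, not anything from the post."""
import calendar
from datetime import date, timedelta

MONTHS = {abbr.upper(): i for i, abbr in enumerate(calendar.month_abbr) if abbr}
MAX_SHELF_LIFE = timedelta(days=5 * 365)   # assumption: readings further out are not credible

def _month_end(year, month):
    return date(year, month, calendar.monthrange(year, month)[1])

def _plausible(cand, sold_on):
    return sold_on <= cand <= sold_on + MAX_SHELF_LIFE

def readings_of_month_label(label, sold_on):
    """'OCT 01' sold in March 2000 may mean 1 October 2000 or the end of October 2001.
    Return {reading_name: expiry_date} for each reading that is plausible."""
    mon, num = label.upper().split()
    month, n = MONTHS[mon], int(num)
    out = {}
    # Reading 1: the number is a day; take the first such day on or after the sale.
    for year in (sold_on.year, sold_on.year + 1):
        if 1 <= n <= calendar.monthrange(year, month)[1]:
            cand = date(year, month, n)
            if _plausible(cand, sold_on):
                out["day"] = cand
                break
    # Reading 2: the number is a two-digit year 20##; expiry is the month end.
    cand = _month_end(2000 + n, month)
    if _plausible(cand, sold_on):
        out["year"] = cand
    return out

def readings_of_numeric_label(label, sold_on):
    """'10/01/02'-style labels: try day-month-year, month-day-year and
    year-month-day field orders, with two-digit years meaning 20##."""
    a, b, c = (int(p) for p in label.replace("-", "/").split("/"))
    orders = {"DMY": (c, b, a), "MDY": (c, a, b), "YMD": (a, b, c)}
    out = {}
    for name, (y, m, d) in orders.items():
        try:
            cand = date(2000 + y, m, d)
        except ValueError:       # e.g. month 25: that field order is impossible
            continue
        if _plausible(cand, sold_on):
            out[name] = cand
    return out

def verdict(readings, found_on):
    """'ok' if no plausible reading has passed, 'expired' if all have,
    'ambiguous' if the readings disagree, 'unreadable' if none is plausible."""
    if not readings:
        return "unreadable"
    passed = [d for d in readings.values() if d < found_on]
    if not passed:
        return "ok"
    if len(passed) == len(readings):
        return "expired"
    return "ambiguous"

def judge(label, sold_iso, found_iso):
    """Convenience wrapper over ISO-8601 strings: the readings found and the verdict."""
    sold, found = date.fromisoformat(sold_iso), date.fromisoformat(found_iso)
    reader = readings_of_month_label if label.strip()[0].isalpha() else readings_of_numeric_label
    readings = reader(label, sold)
    return {k: v.isoformat() for k, v in readings.items()}, verdict(readings, found)

if __name__ == "__main__":
    # The post's own scenario: sold March 2000, marked "OCT 01", found 2000-09-20.
    print(judge("OCT 01", "2000-03-15", "2000-09-20"))
    print(judge("OCT 01", "2000-03-15", "2000-11-01"))
```

Run on the post's scenario, both readings are still in the future on 2000-09-20, so the verdict is "ok"; by 1 November 2000 the day reading has passed and the year reading has not, which is exactly the "eat it or keep it" ambiguity the post describes.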

Army dumps NT, moves to Mac

Martin Minow <>
Fri, 10 Sep 1999 08:38:15 -0700
Slashdot reports that the Army got bit once too often by script kiddies and
moved their web servers to Macs running WebStar. The Army press-release is
at: <>

Martin Minow

  [See also Army Bombs NT, Buys Mac, by James Glave, 13 Sep 1999,
  which notes that, subsequent to a wave of breakins to their Website,
  the Army is now using a WebSTAR server and an Apple computer for the
  Army's homepage.  Diversity is of course highly desirable in attempting
  to attain security.  Having nothing but a single system that is flawed
  is clearly a bad idea.  Having different systems that are flawed is also
  a bad idea, so ultimately we need some meaningfully secure servers! PGN]

New Hotmail breach reported

"Keith A Rhodes" <>
Wed, 15 Sep 1999 13:09:12 -0500
Another — albeit potentially less serious — flaw has emerged in
Microsoft's Hotmail service.  This one displays a bogus login screen, and
captures the password.  The flaw was found by Georgi Guninski, a Bulgarian
security consultant.  All it takes is a little JavaScript in an HTML "STYLE"
tag in an e-mail message.  The flaw appears to have many other nasty uses as
well.  According to Guninski, "This is not a browser problem, it is
Hotmail's problem."  [Source: CNN, 14 Sep 1999; PGN-ed]
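Guninski's remark that this is Hotmail's problem rather than the browser's points at where the fix has to live: the webmail server must rewrite a message before the browser ever sees it. The following is an added example, not Hotmail's filter and not Guninski's demonstration: an allow-list sanitizer for HTML mail built on Python's html.parser that drops STYLE and SCRIPT elements together with their contents, strips inline style and on* handler attributes, keeps only URL attributes with an expected scheme, and records what it removed so that suspicious mail can be reviewed. The allow-lists, the scheme list and the sample message are constructed.

```python
"""Allow-list sanitizer for HTML e-mail bodies. Added example; the lists and
the sample message are constructed, not Hotmail's own code."""
import html
from html.parser import HTMLParser

# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}
# Elements whose tag is kept; any other tag is removed but its text is kept.
ALLOWED_ELEMENTS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                    "li", "div", "span", "img", "blockquote"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}      # no style, no on* handlers
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")
VOID_ELEMENTS = {"br", "img"}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []               # sanitized fragments, joined at the end
        self.dropped = []           # audit log of what was removed
        self.skip_depth = 0         # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(f"element:{tag}")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_ELEMENTS:
            self.dropped.append(f"element:{tag}")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:        # catches style and every on* handler
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            if name in ("href", "src"):
                # Remove whitespace and control characters before the scheme check,
                # since browsers tolerate them inside a scheme.
                probe = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
                if not probe.startswith(SAFE_SCHEMES):
                    self.dropped.append(f"attr:{tag}@{name}")
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <br/> needs no closing tag

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_ELEMENTS or tag in VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # re-escape decoded text

    # Comments, doctypes and processing instructions carry nothing a reader needs.
    def handle_comment(self, data):
        self.dropped.append("comment")

    def handle_decl(self, decl):
        self.dropped.append("decl")

    def handle_pi(self, data):
        self.dropped.append("pi")

def sanitize(html_text):
    """Return (clean_html, dropped_log) for one message body."""
    parser = MailSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed message body: a styled sign-in prompt of the shape the article describes.
SAMPLE_MAIL = (
    '<p>Hello <b>reader</b>,</p>'
    '<style>p { color: red }</style>'
    '<p onclick="go()">Please sign in <a href="javascript:void(0)">here</a>.</p>'
    '<a href="https://example.com/">safe link</a> <img src="cid:logo" alt="logo">'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_MAIL)
    print(clean)
    print(dropped)
```

The dropped log is the detection side of the same code: a message whose sanitizer log contains `element:style` or an `on*` attribute next to a sign-in prompt is worth a second look even though the rendered result is now harmless.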

New ICQ Trojan (CJNN51)

"Patrick O'Beirne" <>
Mon, 13 Sep 1999 05:43:12 +0100
>From: CJNN <>
>Subject: CJNN51 — Japan e-biz news
>Date: Mon, 13 Sep 1999 11:25:52 +0900
>* * * * C O M P U T I N G J A P A N --- N E W S N E T * * * *
>A weekly roundup of news and information from Computing Japan
>                   (
>SIGN UP:      Send e-mail to:
>               (no subject or body text is needed)
>LETTERS:      Send e-mail to:
>               (use also for making inquiries)
> [...]
>-> New ICQ Trojan
>A new Trojan horse circulating the Internet disguised as a
>JPEG image is stealing ICQ passwords from users' hard drives
>and taking control of the ICQ accounts.  There are more than
>42m ICQ accounts, but apparently only those with early-
>registered shorter ID lengths are vulnerable.  If this has
>happened to you, you can get your registration
>re-authenticated at  (Source: CJNN extract from
>CNET,, Sep 9, 1999)
>-> Backup Exec fix
>Running Seagate's Backup Exec program may cause errors on
>Microsoft Windows 95, giving the error message: "Bewin32
>reported the start catalog failed - unknown error 0x1."
>You can fix the problem by deleting the catalog files.
>     1) Close Backup Exec.
>     2) Open Windows Explorer.
>     3) Browse to [path]\Seagate\Backup Exec\system\catalogs
>       directory.
>     4) Delete all the files in that directory.
>     5) Attempt to open Backup Exec.
>(Source: CJNN extract from BugNet, Sep 8, 1999)

Patrick O'Beirne B.Sc. M.A. FICS.  Systems Modelling Ltd, Tara Hill, Gorey,
Co. Wexford, IRELAND  +353 (0)55 22294

Macro viruses and Word'97's built-in macro detector/disabler

Gisle Hannemyr <>
15 Sep 1999 13:08:29 +0200
Some recent virus profiles have described Word macro viruses that — it is
claimed — will turn off the macro warning/disabling feature of Word 97.

For example, see the following descriptions of W97M/Cont.A:

and the following, of a (different?) strand called W97M/Thus.A:

If these alerts say what I believe they say, there is great cause for

IMHO, virus protection software cannot be relied on as the _only_ measure
to prevent macro virus activation. There are a number of reasons for this,
but the main reason is that there always elapses some time between emergence
of a new computer virus and when new virus signature files covering the new
virus become available to end users such as myself.

Therefore, I have always relied on the built-in macro warning/disabling
feature of Word'97 as additional protection. If an (unknown) document is
reported by Word to contain macros when opened, I use this built-in feature
to disable all macros before proceeding.  So far, I have believed that this
practice has provided me with full protection against macro virus infection.

If this built-in detection can be circumvented or disabled, then this belief
is clearly false.  Instead, it seems that opening Word documents created by
third parties should be avoided, and one should instead inform all parties
one exchanges documents with that one will only accept documents in a
macro-less format (such as plain text or RTF).

While this may be the sensible approach anyway, it will be a huge task (at
least in my environment) to convince all my colleagues and collaborators
that they should stop using Word's .doc format as a document interchange

- How paranoid should I be  :-) ?
- How technically feasible is it for a macro virus to disable the
  built-in macro detector?
- Has the claim about Word'97's built-in macro detection/disabling
  being flawed in this way been confirmed by other sources than by
  the specific companies(*) that are my sources?

(*) They are all fine companies, but they are _also_ in the business of
 selling virus protection and therefore they also have a clear interest
 in making the public distrust Word'97's built-in measures against the
 macro virus problem.

- gisle hannemyr

Microsoft Installs US Spy Agency with Windows

Wed, 08 Sep 1999 22:20:59 +0000
Research Triangle Park, NC - 31 August 1999 - Between Hotmail hacks and
browser bugs, Microsoft has a dismal track record in computer security.
Most of us accept these minor security flaws and go on with life. But how is
an IT manager to feel when they learn that in every copy of Windows sold,
Microsoft may have installed a 'back door' for the National Security Agency
(NSA - the USA's spy agency) making it orders of magnitude easier for the US
government to access their computers?

While investigating the security subsystems of WindowsNT4, Cryptonym's Chief
Scientist Andrew Fernandes discovered exactly that - a back door for the NSA
in every copy of Win95/98/NT4 and Windows2000. Building on the work of Nicko
van Someren (NCipher), and Adi Shamir (the 'S' in 'RSA'), Andrew was
investigating Microsoft's CryptoAPI architecture for security flaws. Since
the CryptoAPI is the fundamental building block of cryptographic security in
Windows, any flaw in it would open Windows to electronic attack.

Normally, Windows components are stripped of identifying information. If the
computer is calculating

  number_of_hours = 24 * number_of_days

the only thing a human can understand is that the computer is multiplying
a = 24*b.  Without the symbols "number_of_hours" and "number_of_days",
we may have no idea what 'a' and 'b' stand for, or even that they calculate
units of time.

In the CryptoAPI system, it was well known that Windows used special numbers
called cryptographic public keys to verify the integrity of a CryptoAPI
component before using that component's services. In other words,
programmers already knew that Windows performed the calculation

  component_validity = crypto_verify(23479237498234...,crypto_component)

but no-one knew exactly what the cryptographic key "23479237498234..." meant.

Then came WindowsNT4's Service Pack 5. In this service release of software
from Microsoft, the company crucially forgot to remove the symbolic
information identifying the security components. It turns out that there are
really two keys used by Windows; the first belongs to Microsoft, and it
allows them to securely load CryptoAPI services; the second belongs to the
NSA. That means that the NSA can also securely load CryptoAPI services... on
your machine, and without your authorization.

The result is that it is tremendously easier for the NSA to load
unauthorized security services on all copies of Microsoft Windows, and once
these security services are loaded, they can effectively compromise your
entire operating system. For non-American IT managers relying on WinNT to
operate highly secure data centers, this find is worrying. The US government
is currently making it as difficult as possible for "strong" crypto to be
used outside of the US; that they have also installed a cryptographic
back-door in the world's most abundant operating system should send a strong
message to foreign IT managers.

There is good news among the bad, however. It turns out that there is a flaw
in the way the "crypto_verify" function is implemented. Because of the way
the crypto verification occurs, users can easily eliminate or replace the
NSA key from the operating system without modifying any of Microsoft's
original components. Since the NSA key is easily replaced, it means that
non-US companies are free to install "strong" crypto services into Windows,
without Microsoft's or the NSA's approval. Thus the NSA has effectively
removed export control of "strong" crypto from Windows. A demonstration
program that replaces the NSA key can be found on Cryptonym's website.

Cryptonym: Bringing you the Next Generation of Internet Security, using
cryptography, risk management, and public key infrastructure.

Interview Contact:
   Andrew Fernandes <>
   Telephone: +1 919 469 4714  Fax: +1 919 469 8708
Cryptonym Corporation, 1695 Lincolnshire Boulevard, Mississauga, Ontario
Canada  L5E 2T2

Commentary on Back Orifice

Bruce Schneier <>
Thu, 26 Aug 1999 16:39:12 -0500
Back Orifice 2000 [1]

Back Orifice is a free remote administration tool for Microsoft Windows.
It's also one of the coolest hacking tools ever developed.  Originally
released last July, Back Orifice 2000 (BO2K) is the current release of the
software.  It works on Windows 95, Windows 98, and Windows NT.  It is much
better written than the original Back Orifice.  And it's free, and open source.

There are two parts: a client and a server.  The server is installed on the
target machine.  The client, residing on another machine anywhere on the
Internet, can now take control of the server.

This is actually a legitimate requirement.  Perfectly respectable programs,
like pcAnywhere or Microsoft's own Systems Management Server (SMS), do the
same thing.  They allow a network administrator to remotely troubleshoot a
computer.  They allow a remote tech support person to diagnose problems.
They are mandatory in many corporate computing environments.

Remote administration tools also have a dark side.  If the server is
installed on a computer without the knowledge or consent of its owner, the
client can effectively "own" the victim's PC.

Back Orifice's difference is primarily marketing spin.  Since it is not
distributed by a respectable company, it cannot be trusted.  Since it was
written by hackers, it is evil.  Since its malicious uses are talked about
more, its benevolent uses are ignored.  That's wrong; pcAnywhere is just as
much an evil hacking tool as Back Orifice.

Well, not exactly.  Back Orifice was designed by a bunch of hackers with
fun in mind.  Not only can the client perform normal administration
functions on the server's computer — upload and download files, delete
files, run programs, change configurations, take control of the keyboard
and mouse, see whatever is on the server's screen — but it can also do
more subversive things: reboot the computer, display arbitrary dialog
boxes, turn the microphone or camera on and off, capture keystrokes (and
passwords).  And there is an extensible plug-in language for others to
write modules.  (I'm waiting for someone to write a module that
automatically sniffs for, and records, PGP private keys.)

Back Orifice is also designed to hide itself from the server's owner.
Unless the server's owner is knowledgeable (and suspicious), he will never
know that Back Orifice is running on his computer.  (Other remote
administration tools, even SMS, also have stealth modes; Back Orifice is
just better at it.)  Anti-virus software has been updated to detect default
Back Orifice configurations, but that will only solve most of the problem.
Because Back Orifice is configurable, because it can be downloaded in
source form and then recompiled to look different...I doubt that all
variants will ever be discovered.

Okay, so who's to blame here?  The Cult of the Dead Cow wrote and released
Back Orifice.  Surely the world is not a safer place because, as CDC's Sir
Dystic put it: "every 14-year-old who wants to be a hacker will try it."
BO2K's slogan is "show some control," and many will take that imperative
seriously.  Back Orifice will be used by lots of unethical people to do all
sorts of unethical things.  And that's not good.

On the other hand, Back Orifice can't do anything until the server portion
is installed on some victim's computer.  This means that the victim has to
commit a security faux pas before anything else can happen.  Not that this
is very hard: lots of people network their computers to the Internet
without adequate protection.  An attacker can even ask the victim to
install Back Orifice (social engineering might help); the Worm.ExploreZip
worm of this spring did exactly that.  Still, if the victim is sufficiently
vigilant, he can never be attacked by Back Orifice.

But what about Microsoft's computing environment?  One of the reasons Back
Orifice is so nasty is that Microsoft doesn't design its operating systems
to be secure.  It never has.  Any program that runs in Microsoft Windows 95
and 98 can do anything.  In Unix, an attacker would first have to get root
privileges.  Not in Windows.  There's no such thing as limited privileges,
or administrator privileges, or root privileges.  Microsoft assumes that
anyone who can run a program can reformat the hard drive.  This might have
made some sense in the age of isolated desktop computers; after all, if you
could run a program, you were standing in front of the machine.  But on the
Internet, this is absurd.

Windows NT was designed as a secure operating system, more or less.  There
are provisions to make Windows NT a very secure operating system, such as
privilege levels in separate user accounts, file permissions, and kernel
object access control lists.  However, the configuration that makes Windows
NT secure is very very far and distant from the default installed
configuration.  Microsoft admits this.  You have to make 300+ security
checks and modifications to Windows NT to make it secure in its default
configuration [2].  And on top of this, Microsoft assumes that most users
have Administrator access to their desktop machines anyway.  They only
really worry about network security, not host-end security, which is where
they are seriously vulnerable to attacks like Back Orifice 2000.  Windows
NT could be secure, but Microsoft refuses to ship the OS in that condition
(presumably they worry that their spiffy animated fading menu bars may be

Malicious remote administration tools are a major security risk.  What Back
Orifice has done is made mainstream computer users aware of the danger.
Maybe the world would have been safer had they not demonstrated the danger
so graphically, but I am not sure.  There are certainly other similar tools
in the hacker world — one, called BackDoor-G, has recently been discovered
— some developed with much more sinister purposes in mind.  And Microsoft
only responds to security threats if they are demonstrated.  Explain the
threat in an academic paper and Microsoft denies it; release a hacking tool
like Back Orifice, and suddenly they take the vulnerability seriously.

Back Orifice Home Page:


Microsoft's Systems Management Server:


[1]  This essay originally appeared in Crypto-Gram, my monthly newsletter
on computer security and cryptography.  You can subscribe or read back
issues at

[2] Since writing this, I have been asked about the 300+ figure.  I heard it
second hand, so I queried the Usenet newsgroup asking if it was folklore or truth.
The consensus seemed to be that the number was somewhere between 50 and
3000, and 300 wasn't an unreasonable estimate.  A good checklist is
available at

CPSR Conference: The Internet Gold Rush of '99

15 Sep 1999 01:48:31 -0000
Now you can register online at
Early Registration rates end Friday, September 17th.

Computer Professionals for Social Responsibility annual conference

  2-3 October 1999  (9:00 am to 5:30 pm)
  Building 420 (Jordan Hall), Room 40, Stanford University, Stanford, CA

  2 October 1999 (6:00 - 8:00 pm)
  AT&T Patio (outside of Gates Hall), Stanford University, Stanford, CA

FEATURED SPEAKERS include Gray Brechin (Keynote talk on Historical Amnesia
in the Silicon Gold Rush) Eric Raymond, Larry Wall, Brian Behlendorf, Craig
Newmark, Cem Kaner, Barbara Simons, Peter Neumann, Madeline Stanionis, Seth
Fearey, Ben Politzer, Eric Sklar, Pavel Curtis, Scott Hassan, Laura Breedan.

Saturday sessions include

CPSR's prestigious Norbert Wiener Award for Social Responsibility in
Computing Technology is being awarded to the Open Source/Free Software
Movement. This movement profoundly challenges the belief that
market mechanisms are always best-suited for unleashing
technological innovation.  This voluntary and collaborative model for
software development is providing a true alternative to proprietary,
closed software.

CPSR ANNUAL MEETING, SUNDAY, 3 OCTOBER 1999, 9:30am - 2:30pm
Building 420 (Jordan Hall), Room 40, Stanford University, Stanford, CA

Conference Committee Karen Coyle, Paul Czyzewski, Jeff Johnson,
Coralee Whitcomb, Susan Evoy

Complete information at HTTP://WWW.CPSR.ORG/,
registration via

Susan Evoy, Deputy Director  <>  <>
Computer Professionals for Social Responsibility, P.O. Box 717, Palo Alto
CA 94302, Phone: (650) 322-3778, Fax: (650) 322-4748
