The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 74

Sunday 9 January 2000

Contents

o Y2K multiple billings
PGN
o 100 years overdue
PGN
o Sprint PCS network problems on 1 Jan 2000
Chenxi Wang
o MKS Toolkit Y2K glitch
Ray McCormack
o Y2K archives
Lindsay Marshall
Keith Rhodes
o Pete de Jaeger bit by Y2K
Debora Weber-Wulff
o Northwest Airlines may have leaked credit-card numbers
Jeremy Epstein
o Risks of assuming a friendly radio environment
Fernando C Pereira
o Re: Just found my first Y2K bug!
Dana Carpender
o NTSB website has Y2K test data mixed in with real data
John Clarke
o Bogus message in live service for Quicken
Stephen Page
o Re: Microsoft MSIE Y2K Insanity: The last word?
Andrew D. Fernandes
o Teenage computer vandal sentenced to year in jail
NewsScan
o What has changed
Bertrand Meyer
o Network Associates WebShield -- Mail Content Alert
N/A
o SSH: an ineffectual "feel-good" security measure
William Colburn
o Jail for possessing a debugger? More on DVD encryption cracked
Hamie Marson
o CFP: Workshop on Security and Privacy in E-Commerce
Anup K. Ghosh
o Info on RISKS (comp.risks)

Y2K multiple billings

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 8 Jan 2000 12:20:13 PST
The approximately 100,000 merchants using CyberCash's IC Verify transaction
software were given the opportunity to install a free upgrade for Y2K, but
some of the merchants apparently did not get the fixes.  Those who did not
do so are apparently rebilling each customer transaction in the new year
once each day until the fix is installed.  Visa and Mastercard have
installed software that attempts to catch the multiple transactions,
but you'd better check your statements anyway.


100 years overdue

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 7 Jan 2000 16:43:45 PST
In one of many reports of off-by-one-hundred Y2K effects, a few dozen
Florida truckers received bills saying they were 100 years late in payments.
Some people received bills for 100 years' back interest.  There were even
reports of people whose bank accounts temporarily showed 100 years'
accumulated interest.  No surprises there to long-time RISKS readers.

Asymmetrically, we have also had a few reports of people being credited with
100 years' worth of interest, although these seem rather specious if you are
getting interest from 1900 to 1999, rather than from 1999 to 1900.


Sprint PCS network problems on January 1st

Chenxi Wang <cw2e@cs.virginia.edu>
Fri, 7 Jan 2000 17:41:35 -0500 (EST)
I spent the new year in Manhattan and yes, I was in Times Square new year's
eve.  After the ball dropped, I started calling friends to wish them a happy
new year, and I was not able to make a single call on my Sprint PCS phone
despite the very strong PCS signal I got. What made it worse was I could not
receive any calls or voice mail during the day on the 1st and my outgoing
calls (including calls to check voice mail) were switched to digital roaming
calls despite the fact that Manhattan was in Sprint's service area. The
problem lasted all day on the 1st, and into parts of the morning on the 2nd.

A later conversation with a Sprint service representative revealed that
Sprint's network was jammed in several metropolitan areas including New York
City during the 1st, and they were routing some of their traffic through
Bell Atlantic or AT&T's network, which explained the mysterious roaming
calls.

Chenxi


MKS Toolkit Y2K glitch

Ray McCormack <raymccormack@home.com>
Sun, 02 Jan 2000 09:34:40 +0000
MKS Toolkit Scheduler (Version 6.1) seems to have a problem with the Y2K
date rollover.  The application runs fine and must work off the system
clock, which also appears to be fine.  The "Next Event" status, however,
shows that the next backup is on June 9, 2005 even though it performs
daily backups properly.

Ray McCormack, Solutions Consultant, McCormack Consulting
13215-C8 SE Mill Plain blvd. PMB 242 Vancouver, WA  98684 1-360-241-3092


Y2K archives

<Lindsay.Marshall@newcastle.ac.uk>
Wed, 5 Jan 2000 11:31:35 +0000 (GMT)
I'm sure you'll know about this, but just in case:

http://y2kmistakes.com

has a wonderful archive of screenshots of Y2K affected sites.

   http://catless.ncl.ac.uk/Lindsay


Y2K archives

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Wed, 05 Jan 2000 09:03:42 -0500
Some amusing, generally harmless, Y2K snafus can be seen at the following URL.
Look under "affected sites" in the upper left-hand corner.

http://kwikware.com/y2kmistakes/


Pete de Jaeger bit by Y2K

Debora Weber-Wulff <weberwu@tfh-berlin.de>
Thu, 6 Jan 2000 10:43:23 +0100
Sorry, I can't help this:
On http://www.year2000.com/y2kbugbytes.html
We have the following headline on Jan. 6, 2000:

Year 2000 Bug Bytes
Updated January 5, 1900 at 23:21 (UTC)

Pete de Jaeger has a nice article on "Why no Chaos?" at
http://www.year2000.com/y2kchaos.html, however.

Prof. Dr. Debora Weber-Wulff, Technische Fachhochschule Berlin
13353 Berlin, Germany weberwu@tfh-berlin.de http://www.tfh-berlin.de/~weberwu/


Northwest Airlines may have leaked credit-card numbers

Jeremy Epstein <jepstein@monumental.com>
Fri, 7 Jan 2000 16:26:03 -0500 (EST)
I saw the following AP item on InfoBeat, a clipping service, but have not
yet located it anywhere else.  In particular, I have not located this
information on NorthWest's web page.

Northwest Airlines is alerting customers who recently made purchases on its
Frequent Flier Web site that their credit-card numbers and personal
information were unprotected because of a programming glitch.  The problem
arose when a computer programmer doing maintenance on the site put the
system back on line, but forgot to restore the security system.  [PGN-ed]

Users have come to expect encrypted traffic, and frequently don't check
the icon.  Guess we need to be more careful!


Risks of assuming a friendly radio environment

Fernando C Pereira <pereira@research.att.com>
Fri, 07 Jan 2000 21:53:01 -0500
According to a BBC News story dated Jan 6, 2000
<http://news.bbc.co.uk/hi/english/sci/tech/newsid_592000/592972.stm>, pirate
broadcasters have learned how to use the Radio Data System (RDS) to force
car radios that implement the standard to stay tuned to the pirates'
broadcasts while within range of their transmitters. A radio with RDS active
will switch temporarily to any station that broadcasts the appropriate
embedded digital signal. This is intended to allow reception of brief
traffic announcements, but the pirates repeatedly send the signal in their
broadcasts to keep such radios tuned to them.  The problem can be avoided by
switching off the RDS feature on a radio, but then of course one loses
legitimate traffic information.

I only have the slightest acquaintance with RDS so I cannot evaluate the
accuracy of the story, but the RDS standards document "SPB 490 Universal
Encoder Communication Protocol (UECP)" obtainable from
<http://www.rds.org.uk/rds98/mainpublications.htm> does not mention
security at all.

Fernando Pereira

  [Also noted by Aydin Edguer and Russ E. Cage.  PGN]


Re: Just found my first Y2K bug!

Dana Carpender <dcarpend@kiva.net>
Wed, 05 Jan 2000 17:31:04 -0500
Newsgroups: alt.fan.cecil-adams

  [Forwarded to RISKS by msb@vex.net (Mark Brader)]

radio2@bigfoot.commm wrote:

> I was just in my friendly neighborhood health food store. Got into a brief
> discussion with the guy behind the counter, about Y2K.  He pointed out a
> box of Barbara's Cereal, which carried an expiration date of July 1900!
> Guess it's been sitting on the shelf, there at Flanagan's, for a mighty
> long time ...
> -- Geno

I win.  Ages ago I realized that my driver's license says it expired in 1000.
Boy, what's the penalty for driving on a millennium-overdue license?

Dana W. Carpender  http://www.holdthetoast.com
Author, How I Gave Up My Low Fat Diet -- And Lost Forty Pounds!

  [In case you wondered, YES, it showed 1000 as a 4-digit year.
  She lives in Indiana.  MSB]


NTSB website has Y2K test data mixed in with real data

"John Clarke" <jclarke@nortelnetworks.com>
Tue, 4 Jan 2000 11:05:42 -0600
The National Transportation Safety Board maintains a database of all
aviation incidents in the US, and provides web access to capsule
descriptions of various accidents.  These are available by month
(http://www.ntsb.gov/aviation/months.htm), so I suspected that there might
be some issues with the display or breakdown of the data once we rolled into
2000.  The website seems to be working correctly, however, with the
exception of a strange entry in January 2000.  The accident location
(normally City,State) shows "TESTVILLE" and the link is
http://www.ntsb.gov/aviation/DCA/99A999.htm (note the 99A999.htm is normally
an incident number).  The link itself fails to be retrieved, so I assume the
test data has been removed from part of the database.

I'm sure we'll see many similar manifestations of Y2K testing in the coming
weeks and months.

John Clarke

P.S.  Apologies to the citizens of TESTVILLE if it really does exist and a
plane crashed there this month.


Bogus message in live service for Quicken

Stephen Page <mcaa87@dial.pipex.com>
Sun, 02 Jan 2000 19:26:16 +0000
Intuit, who make Quicken (a popular personal and small business financial
management application), provide an online service to update share prices,
currency rates, etc.

Recently users connecting to Intuit's UK server have been automatically
offered an application upgrade with the following message:

"There is an upgrade available to updated [sic] your current version of
Quicken 2000.  Would you like to download the update now ? Don't be afraid,
it is just a test : My name is Nour".  Clicking on "Tell me more" gives the
message "This version has some improvements in all the area [sic]".

This raises two issues:

1.  Either test code has leaked into live service or their site has been
hacked.  In either case, it is a serious security breach for software which
is trusted (e.g., a Trojan horse could create access to users' personal
financial data).

2.  Intuit has a policy of sell-cheap / charge-lots-for-support which means
that there is no way to find out what has happened without waiting for the
New Year holiday period to be over, then paying $1/minute.  How nice: the
opportunity to pay to get information about their operational failures :-)

This is a major breach of trust and it is to be hoped that Intuit will take
it seriously.  Perhaps a public apology via RISKS?


Re: Microsoft MSIE Y2K Insanity: The last word?

"Andrew D. Fernandes" <andrew@cryptonym.com>
Wed, 05 Jan 2000 15:11:36 -0500
I guess I'd only say that if a web developer wanted to use dates in
JavaScript, they would:

1) have to do a lot of nit-picky detective work, reading documentation from
Netscape, Microsoft, and the ECMA, to discover the "correct" way to display
the year,

2) end up with a script that still wouldn't work on most people's browsers,
and,

3) learn that they shouldn't have bothered anyway, since some standards
group will no doubt later change the "standard" yet again in a way that
breaks all previously written scripts.

Yeesh. All this pain, sweat, and confusion just to display a bloody date on
a bloody web browser. Small wonder that software reliability issues are
gaining attention in the new century...

Andrew D. Fernandes <mailto:andrew@cryptonym.com>, Cryptonym Corporation
<http://www.cryptonym.com>  Telephone +1 919 469 4714


Teenage computer vandal sentenced to year in jail

"NewsScan" <newsscan@newsscan.com>
Wed, 22 Dec 1999 07:31:37 -0700
Described by his lawyer as "a disturbed young man" suffering from
depression, 19-year-old Jay Satiro of New Rochelle, NY, has been sentenced
to one year in jail for cracking into America Online computers and causing
an estimated $50,000 in damages. Satiro had been an AOL technical support
volunteer and had used knowledge obtained from his job to break into the
company's systems and replace AOL programs with his own. [AP/*USA Today*,
21 Dec 1999, http://www.usatoday.com/life/cyber/tech/ctg955.htm;
NewsScan Daily, 22 Dec 1999, reproduced with permission]


What has changed

<Bertrand_Meyer@eiffel.com>
Thu, 30 Dec 99 13:57:45 PST
Call me naive, but I can't help marvel, risks or not, at what is going on.
Here I am, on the penultimate day of the millennium (OK, I know, that will
be next year, but what's wrong with celebrating twice?), listening through
minuscule speakers on my computer to a broadcast of perfect sound quality
from a site half-way around the world.  It's playing something I know, but I
can't just recall what it is.  So I catch four Italian words on the fly and
type "senza perdere un momento", not forgetting the quotes, into AltaVista.
A second later, and perhaps fifteen seconds after I first asked myself the
question "what is this?", I have the answer, thanks to someone at Stanford
who keeps the full text of Donizetti's "Don Pasquale" on his Web pages.

Just a few years ago none of this would have been possible.  I wouldn't have
had a clue where to begin my search.  Even a trip to the UCSB library would
have been unlikely to help.

The prospects of using computers for advancement of human knowledge are all
around us; they are staggering.  Let's remember this as we continue (as well
we should) worrying about the associated risks.

Bertrand Meyer, Interactive Software Engineering/Monash University
http://eiffel.com, http://tools-conferences.com


Network Associates WebShield -- Mail Content Alert

<[irrelevant]>
Tue Jan 04 04:17:31 2000
Network Associates WebShield SMTP V4.5 Beta 2 on prometheus2 intercepted a
mail from <owner-risks@csl.sri.com> which caused the Content Filter HTTP to
be triggered.

  [Lots of RISKS issues lately have been blocked.  Perhaps Y2K is now
  considered to be a dirty word.  In some other cases RISKS copies were
  rejected because they were too long.  Apparently some temporary Y2K virus
  filters believe that if mail is longer than 10K, it might contain a virus
  or Trojan horse. The assumption that viruses are bigger than 10K seems
  specious.  PGN]


SSH: an ineffectual "feel-good" security measure

"Schlake ( William Colburn )" <schlake@nmt.edu>
Mon, 20 Dec 1999 00:34:14 -0700
When I first read the report of RST breaking the Netscape algorithm I was
caught up in the moment.  Netscape should have known better than to do
something so foolish!  Then I read the next comp.risks and I felt like a
fool.  There is a great risk in pretending to have security when you really
have none.

I think many people believe that ssh protects them from wrong-doers, and
that nothing bad can happen to them if they use ssh.  The authors of the
Internet Auditing Project(1) have a good story to tell about ssh, as do the
people who run the web site for rootshell.org(2).  Some sys-admins here at
work are rabid about ssh.  They have disabled telnet and rlogin for
"security" reasons, and naively believe that ssh is somehow more secure.

Ssh protects the data stream between two secure machines.  Anyone sitting
between the two machines can't tell what is going on in the ssh stream
because of the encryption.  The risk to the user is assuming that either end
is secure.

Where I work, the important servers don't run telnet or rlogin, because
those protocols are "insecure".  The servers only run ssh.  Our network is
switched.  In order to sniff packets an attacker either needs to be in the
machine room with a cable plugged into the switch, or they need to be on
either of the two machines that the traffic is going between AND they need
to be root.  If they are root on either machine, then they can:
  a) read the unencrypted TTY instead of the encrypted stream
  b) read the local secret keys and decode the stream on the fly
  c) replace ssh with a Trojan
  d) trace the program and extract the unencrypted data from the write()s
  e) many more things I can't think of right now

If no one has compromised my system, then it is safe to use telnet to log in
between machines.  If someone has compromised my system however, I might as
well use telnet since I can't trust ssh anymore.  If no one has compromised
my system, and I need to log in over an untrusted network, and I have a
secure machine to log in from, then ssh is the perfect tool.

Where am I going to find a secure machine outside my network?  I bet there
are lots of secure machines all over the place, but I will never know which
ones they are.  If security is really important to me, I will never log in
to any computer from any other computer I don't own (and hence trust)
myself.  That means that if I need to log in to work when I am off site,
I need to have my own laptop that I keep powered down, encased in
cement, buried in a vault, and guarded by an army (and even then, can I
really be sure it is secure?).

Last week I spent an entire day at work wondering how to protect my mail
server from all the trouble that is expected from people trying to hide
under the veil of Y2K.  I took ssh out of the inetd.conf, and told everyone
that they have to log in on console from now on.

(1): http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
(2): http://www.rootshell.org/mailinglist-archive/rs-25


Jail for possessing a debugger? More on DVD encryption cracked (20.66)

Hamie <hmarson@ibm.net>
Fri, 17 Dec 1999 08:29:03 +0000
"Daniel A. Graifer" <dgraifer@cais.com> makes an interesting point that a
debugger & a screwdriver may be analogous when comparing intent to commit a
crime.  But I believe that the menace behind the law & the practice of
encrypting region coded disks is far more insidious...

It's not about stopping casual, or even determined piracy. They can encrypt
& degrade all they like to try & foil copying. But at the end of the day, a
picture has to appear on a screen somewhere for someone to see it. There is
no way they can stop a determined person or corporation from taking a copy
of that unless they own & control everything in between.

Their attempt to push this law through is more akin to denying you access to
a screwdriver to fix your own lock in case it breaks, or because you don't
like the colour of the door... Why shouldn't I have the means to play a
legally bought DVD on my laptop using Linux? Why should I have to pay money
(If it were possible) to some faceless company who may perhaps come out with
a DVD player, that may create a player for my favourite OS, on my favourite
hardware?


CFP: Workshop on Security and Privacy in E-Commerce

"Anup K. Ghosh" <anup.ghosh@computer.org>
Wed, 5 Jan 2000 09:26:56 -0500
The First Workshop on Security and Privacy in E-Commerce
Athens, Greece, 4 Nov 2000  http://www.rstcorp.com/conferences/wspec00/

held in conjunction with the ACM Conference on Computer and Communications
Security, http://www.ccs2000.org

Preliminary Call for Papers

The First Workshop on Security and Privacy in E-Commerce seeks to bring
together practitioners and researchers to address the real-world security
and privacy concerns in e-commerce. We are seeking contributions on topics
in security and privacy that will enable the e-commerce systems of tomorrow
to be developed more securely and robustly without compromising individual
privacy rights. The workshop will focus on group discussion and
collaboration in identifying the important problems and potential solutions
in this important topic area.  Proceedings from the workshop will be
published and distributed to attendees. Highest quality papers will be
published in a book and widely distributed after the workshop. We are
seeking research papers, business case studies, or system designs that
address security and privacy concerns in any of the following
non-exclusive topic areas:

        - anonymizing e-commerce/Web transactions
        - component-based software in e-commerce
        - database access control
        - denial of service attacks and countermeasures
        - detecting anomalous database transactions
        - detection and recovery from Internet-based attacks
        - e-commerce protocols
        - e-commerce systems
        - Internet client risks
        - malicious software or Trojan functionality
        - mobile agents in e-commerce
        - novel attacks and countermeasures
        - privacy negotiation/bartering
        - privacy risks with cookies/tokens/identifiers
        - software analysis and certification.

Submissions will be accepted for regular research papers, case studies, and
panel proposals.  Abstract submission deadline: May 1, 2000.

See http://www.rstcorp.com/conferences/wspec00/ for complete Call for Papers.

Anup K. Ghosh, Ph.D., Program Chair
