The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 75

Sunday 16 January 2000

Contents

o More on Pentagon satellite data outage
PGN
o Credit-card data used for extortion
Steven M. Bellovin
o British Visa source-code compromised
Frank Markus
o Greek tax information system experiences black-out
Diomidis Spinellis
o Berlin Fire Department with Y2K Problem?
Debora Weber-Wulff
o Kremlin press office Y2K problems
Greg Lastowka via Declan McCullagh
o Re: Y2K99?????
Drew Davis via Mark Brader
o Sidekick98 Y2K bug squashed
Michael Froomkin
o Lookout Outlook!
Bruce Sterling
o Resume system creates "Profile" for you... without permission
Tom Malaher
o Woman ordered to pay back four pence
Alan Barclay
o More on RISKS-20.73
Clive D.W. Feather
o Info on RISKS (comp.risks)

More on Pentagon satellite data outage (RISKS-20.72)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 15 Jan 2000 22:21:16 PST
We noted in RISKS-20.72 that the Pentagon satellite intelligence system was
unable to process data for 2.5 hours after the midnight GMT Y2K rollover.
Apparently the situation was much worse than initially realized.  UPI
reported on 12 Jan 2000 that the problem was actually self-inflicted,
resulting from a misguided supposedly preventive software patch in a
sensitive NRO intelligence program called Talent Keyhole at Fort Belvoir.
For the next few days, there was only a trickle of data from 5 satellites.


Credit-card data used for extortion

"Steven M. Bellovin" <smb@research.att.com>
Mon, 10 Jan 2000 14:31:29 -0500
*The New York Times* today reported an extortion attempt involving credit
card numbers stolen from online merchant CD Universe.  Someone who called
himself "Maxim" and claimed to be Russian said that he had copied 300,000
credit card numbers from their system, and that he would post them on the
Internet unless he was paid $100,000.  The article quoted the chairman of
eUniverse, the company that operates the site, as confirming that Maxim did
indeed have their data.  eUniverse declined to pay the $100,000; Maxim
posted 25,000 card numbers to a Web site.  Several thousand people
downloaded the file before it was yanked.

What's interesting, though, is not that this can occur.  In fact, security
folks have been warning for years about wholesale theft of card numbers.  But
most sites can't or won't do anything about it.  Consider, for example, the
security statement currently posted on the cduniverse.com Web site (I saw
no mention of the incident):

  Security - Is Internet Shopping Safe?

  We have all heard a lot of talk about whether shopping on the internet is
  safe. The main concern of online shoppers is that their credit card
  information will somehow end up in the wrong hands. We use Netscape's
  Secure Commerce Server technology, which encrypts your order information,
  keeping it private and protected. It's a Netscape technology called "SSL"
  (Secure Sockets Layer) and it's used by us and all the other major
  commercial shopping sites, including: The Wall Street Journal, Barnes &
  Noble Books, FTD Flowers, Microsoft, and Netscape itself. It is actually
  safer to transmit your credit card info over the Internet than it is to
  use your credit card around town.

By focusing on transport encryption, they miss the point entirely.  The
real risk is bulk theft, as has happened here.  Consider the following
text from their Web site:

  If you have previously placed an order and want to use the same credit
  card, you can select the "Use previous credit card info" option. You do
  not need to enter your credit card information unless your credit card
  expiration date has passed.

By maintaining this information online, they (and many other Web merchants,
of course) are inviting trouble.

It is tempting to say "use SET", which would provide for digitally-signed
payment authorization.  Unfortunately, SET may send your credit card number
to the merchant anyway.  Many stores use credit card numbers as the database
key for user purchasing patterns; they didn't want to lose the link if SET
ever took off.  But this means that card-number data still exists on the
merchant's site somewhere.

The CD Universe security statement concludes with this note:

  What most people don't realize is that shopping with your credit card is
  actually safer than paying by check. In the event that there is a problem
  with your purchase, the credit card company will remove the purchase from
  your bill and the on-line merchant is not paid. In the event that your
  credit card number is stolen, the credit card companies do not hold you
  responsible for any unauthorized purchases.

It is, I believe, accurate, though there may still be $50 liability to the
consumer under U.S. law.  (And they don't say anything about credit card
numbers belonging to non-Americans, even though they list shipping charges
for international destinations.)  But *someone* is going to have to swallow
the fraudulent charges -- and we won't see an overall improvement in
computer security until the *real* injured parties apply appropriate
pressure.

  [The NYT article also noted by Scott Lucero.  PGN]


British Visa source-code compromised

"Frank Markus" <fmarkus@pipeline.com>
Sun, 16 Jan 2000 09:44:26 -0500
According to an article by Jon Ungoed-Thomas and Stan Arnaud in the *Sunday
Times* of London for 16 Jan 2000, British hackers have compromised the
source code for the Visa card system and have sought ransom for it.
Excerpts from the story which I found online under the headline ``Hacker
gang blackmails firms with stolen files'' follow:

  Visa confirmed last week that it had received a ransom demand last month,
  believed to have been for 10M pounds.  "We were hacked into in mid-July
  last year" [despite layers of firewalls], said Russ Yarrow, a company
  spokesman.  It is understood the hackers stole critical source code, and
  threatened to crash the entire system.  Visa's system handles nearly 1
  trillion pounds of business a year from customers holding 800M Visa cards.
  No further incursions were detected.  [PGN-ed]

But this begs the question of what they should have done -- if anything --
after receiving notification that their system had been penetrated.  After
CD Universe's credit-card database was compromised by a hacker/blackmailer,
their system was (apparently) shut down temporarily and its customers
notified (of which I, alas, was one.)  Visa seems to have had no fall back
plan for this crisis except to call in the police and hope for the best.  If
the hackers have not disseminated the code more widely, Visa has been very
lucky and the damage has been controlled.  But how certain can anyone be of
that?  And how certain can they be that there was only one penetration?


Greek tax information system experiences black-out

Diomidis Spinellis <dspin@aegean.gr>
Fri, 14 Jan 2000 13:04:38 +0300
According to the Athens financial newspaper "Naftemporiki" (14 Jan 2000,
p. 7) the Greek tax information system TAXIS has been down since Tuesday
January 11th.  All computerised regional state finance offices (DOY) have
been affected as they are unable to connect to the system's main computer.
I was personally able to verify this at my local state finance office where
tax liability certificates were not issued on Wednesday.  According to
Naftemporiki, the affected services include the provision of tax liability
certificates, the issue of new tax registry numbers (AFM), and the
validation of ledgers and receipts.  Many of these services are needed for
the lawful conduct of business.

According to sources within the ministry (department) of finance, the
system's hard disk was overloaded by the large number of applications that
were running on it.  Another source claims that while data was transferred
from one hard disk to a larger one an error resulted in the loss of all
data.  The disk (referred to in the article as "the system's main memory")
has been sent to the United Kingdom to be repaired and to attempt to recover
the lost data.

Some of the above accounts are contradictory: it is not clear whether the
disk suffered a catastrophic failure, or the problem is a result of a human
error.  In any case, the reported attempt to recover data from the disk in
question suggests that database resiliency, backup and recovery procedures,
and contingency planning were not adequate.  In addition, it appears that a
system whose failure can disrupt business, trade, and everyday life of
millions of citizens (tax liability certificates are needed for many
important transactions) was not designed to withstand centralised failures.

Diomidis Spinellis, University of the Aegean
http://kerkis.math.aegean.gr/~dspin


Berlin Fire Department with Y2K Problem?

Debora Weber-Wulff <weberwu@tfh-berlin.de>
Wed, 12 Jan 2000 12:04:39 +0100
There has been heated debate in the Berlin newspapers about the fire
department's computer problems over New Year's. It seems that just after
midnight the dispatching systems broke, but they broke in an unexpected way:
they told the dispatchers that an alarm had been given to a fire station,
when in reality the fire station did not receive the alarm, and kept playing
cards and wondering why there were no fires this nice New Year's Eve.  [This
is in itself a very hard to avoid security risk.] At one point an
exasperated police car drove to a fire station, which was just around the
corner to ask if they needed an engraved invitation or what?!

The systems also logged fire engines as being somewhere in use when they
were actually sitting in the fire house, and thus tried to alarm fire
engines that were further away from the fire.

There has been lots of finger-pointing. The systems were "Y2K-secure"
because they were tested for this 2 weeks ago. [Gosh, I didn't realize that
someone had found out how to prove by test that software functions properly!
-dww] The chief fire fighter had to be called in at about 1.30 am to figure
out what to do, eventually falling back on very old equipment: people, paper
and pencil.

The blame has been put on the massive number of calls to the fire department
during the night, which had overloaded the system. Maybe I ought to invest
in a second fire extinguisher...

Some on-line articles:
http://www.BerlinOnline.de/wissen/berliner_zeitung/archiv/2000/0103/lokales/0064/index.html
http://www.tagesspiegel.de/archiv/2000/01/04/ak-be-kr-13983.html
http://www.tagesspiegel.de/archiv/2000/01/06/ak-be-st-24269.html

Interesting too the article in August 1999
http://www.tagesspiegel.de/archiv/1999/08/05/ak-be-st-23279.html
where an official says that the fire department is just spreading panic by
saying that they will be having problems on New Year's Eve...

Prof. Dr. Debora Weber-Wulff, Technische Fachhochschule Berlin
weberwu@tfh-berlin.de, http://www.tfh-berlin.de/~weberwu/


Kremlin press office Y2K problems (via Declan McCullagh)

Greg Lastowka <greglas@yahoo.com>
Fri, 14 Jan 2000 06:28:09 -0800 (PST)
The Kremlin press office's computer communication system was victimized by
Y2K, blocking their ability to send e-mail.  Reportedly, they will have the
problem fixed by ``the end of the month''.  [Source: Agence France Presse,
13 Jan 2000]

Greg Lastowka, University of Virginia Law School  lastowka@virginia.edu
http://hobbes.itc.virginia.edu/~fgl2q/home.html


Re: Y2K99?????

<Drew Davis via Mark Brader>
Fri, 14 Jan 2000 23:07:02 GMT
Newsgroups: alt.fan.cecil-adams

"Wulfdog" <johnw@icok.net> excerpt:

>I turned on a 286 PC in my office today.  I looked at the date and it said
>Jan 05 2000.  Previously I had ran the date forward on my new HP and it went
>to 2099 and rolled back to 1980.  I quickly ran the 286 date up and to my
>surprise it went to 2099 and rolled back to 1980.   I wonder what those
>little diskettes with the Y2K test were actually checking for,  the size of
>your wallet/checking account?  My other question is.  Will any of us
>remember to tell the New Millennium babies that they are the ones who will
>see the "REAL Y2K bug"?

Hey, I've got a Y2K issue.   My fax driver/app "Delrina WinFax Lite 3.0 Fax
Administrator" can't recognize years 00 to 09 as the send date.   I have to
go and change the send date to 99 or before.   Neat.

-Drew


Sidekick98 Y2K bug squashed

"Michael Froomkin - U.Miami School of Law" <froomkin@law.miami.edu>
Tue, 11 Jan 2000 11:51:03 -0500 (EST)
Having assured everyone that Sidekick98 was Y2K OK, Starfish software's
calendar/scheduler product developed a bug last week in which attempts to
view your daily appointments produced a complaint of "Invalid file to
complete this action! mast:wk".  Some users also reported troubles with
past "to-do" items not done failing to appear on the current day's list.

Starfish have released <A HREF =
"ftp://ftp.starfish.com/pub/sk98/sk98patch.exe">a patch</A> that certainly
fixes the first problem and may fix the second too (I didn't have it so I
cannot report on this).

Although there is a Sidekick99, many users refuse to "upgrade" because the
feature set in '99 is a feeble subset of the more powerful '98.

No word from the company on what was missing from their testing procedure.

A. Michael Froomkin, U. Miami School of Law, P.O. Box 248087, Coral Gables,
FL 33124 USA  +1 (305) 284-4285   http://www.law.tm   froomkin@law.tm


Lookout Outlook!

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 15 Jan 2000 18:13:09 PST
>From: Bruce Sterling <bruces@well.com>
>Subject: Viridian Note 00124: Viridian Movement Officially

Viridian Curia Member Laura Stinson points out that people unwise enough to
use "Microsoft Outlook" cannot read the entire "Manifesto of January 3,
2000."  That's because one line of the text happens to begin with the word
"begin," followed by two spaces.  When Microsoft Outlook sees this, it
interprets everything that follows as an attachment.

I'll bet you didn't know that you could blind Microsoft Outlook readers
merely by placing the innocuous term "begin" in a text, thus giving a
preferential advantage to readers who spurn Microsoft products. Now you know
this.  I hope you don't put your newfound powers to any sinister use.


Resume system creates "Profile" for you... without permission

Tom Malaher <risks@netstart.com>
Thu, 13 Jan 2000 17:07:57 -0700
I got the following e-mail out of the blue today:

> We have added your resume to our Resume Database.  We have received your
> resume in response to an ad; or your resume was available in the resume
> database of an employment site to which we subscribe.

  [...description of Metro Information Services elided...]

> If you are interested in a position with Metro, please use the following
> URL to verify/update your e-Profile on Metro's Resume Database.  The URL
> below will connect you to a private area of Metro's website containing
> only your information.  The information you provide us is not publicly
> available on the Internet. Metro does not sell, trade, or publicly
> distribute any personal information we receive from any source.

> When updating your e-Profile, do not click the <Submit> button until after
> you have completed updating your resume information.  Once the <Submit>
> button is clicked, you will no longer have access to your e-Profile.
> After you have submitted changes to your e-Profile, if your expertise
> matches an open position, a recruiter may contact you about the
> opportunity.
>
> http://metroweb.MetroIs.com/eProfile/

Woman ordered to pay back four pence

Alan Barclay <gorilla@elaine.drink.com>
Tue, 11 Jan 2000 11:07:43 -0500
http://news.bbc.co.uk/hi/english/uk/scotland/newsid_598000/598625.stm

The BBC is reporting of the problems Mrs Pringle George is having after
receiving benefits in June & July last year, after being injured in a car
accident.  In November, she was contacted by the Credit Recovery Group of
the Benefits Agency, who informered her that she was accidentally overpaid
for one week of benefit Pounds 43.16, however when she wrote a cheque to
repay the overpayment, the cheque was for the amount 43.12, an underpayment
of 4 pence.

Mrs George said she was shocked when she received a letter at the weekend
informing her of the debt and telling her that legal action was being
considered.

A spokesman for the Benefits Agency said he was unable to discuss individual
cases but explained that if the agency received a cheque for the wrong
amount the computer automatically produced a generalised letter."The
computer cannot differentiate between 4p and 400 pounds," he said.

Two questions come to mind, first why was there a five month gap between the
overpayment and the first attempt to reclaim payment, and secondly why can't
the computer differentiate? It would seem simple to write off small amounts,
and indeed most billings systems do this.


More on RISKS-20.73

"Clive D.W. Feather" <clive@demon.net>
Mon, 10 Jan 2000 08:32:11 +0000
All following up to 20.73:

(1) Robert Rathbone <rr@dragonheart.net> writes:
> It would be like performing a check to see if there were more than 60
> seconds in a minute.

There can be 61 seconds in a minute.  It's called a "leap second".

(2) Andrew M Greene <agreene@pageflexinc.com> talks about *The New York
Times* changing its numbering.  Does this mean that numbers are going to be
duplicated for the next year or two, or will all references to issues since
1898 be suddenly invalid ?

(3) "John J. Francini" <francini@progress.com> writes:
> The UNIX98 standard changed the localtime() function so that the year
> value is redefined to be the "year in the current century"

This is the second time I've seen this claim recently.  As far as I know it
is false, since such a change would be incompatible with existing practice
and also with the ISO C Standard.  Can someone provide a URL for the UNIX98
definition?

Clive D.W. Feather <clive@demon.net>   +44 20 8371 1138
Internet Expert, Demon Internet   http://www.davros.org

Please report problems with the web pages to the maintainer

Top