The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 83

Wednesday 8 March 2000

Contents

o Gallup hacked
PGN
o Aum Shinri Kyo affiliate develops Japanese government software
PGN
o Computer releases prisoner
Bob Church
o Online broker blames outages on software maker
NewsScan
o Boeing loses space station parts
PGN
o Arizona primary is first binding election with Internet voting
Sidney Markowitz
o New Zealand's INCIS Crime Information System
Richard A. O'Keefe
o Risks of Web information on heart attacks
PGN
o Census fiasco
Bob Frankston
o UK ISPs leave themselves open to potential abuse
Pedt Scragg
o Judge sends message to network vandals: "go to jail"
NewsScan
o The scary MSWord residue feature
Avi Rubin
o Re: "Unstable" postal addresses
Peter Corlett
o ADSL snooping
David
o Risks of Leap Years and Dumb Digital Watches, quadrennial posting
Mark Brader
o Leap-day 2000
Chris Kuan
o Leap-day 2000: VCR
Bob Erkamp
o Leap-day 2000: Checkbook magazine
Jeremy Epstein
o Getting Jenni arrested
Keith Schon via sragsdale
o Privacy risks as mid-sized orgs decide that Web access is cool
Daniel P.B. Smith
o Info on RISKS (comp.risks)

Gallup hacked

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 07 Mar 2000 21:31:34 -0800
The Gallup Organization's Internet site was hacked, shortly before today's
primary elections.  The hacked Web page appeared to be the work of John
Vranesevich's AntiOnline, although JV denies it and Gallup also believes
that his identity was spoofed.  Gallup's 65-year historical polling data
remained unchanged -- because their internal site won't be connected until 1
Sep 2000.  But this certainly gives them an incentive to make sure their
internal site is more secure.

  [Source: Vandal alters Gallup Internet site just before primaries, cnn.com,
  7 Mar 2000, courtesy of Dave Stringer-Calvert.  See also
    * On the Net: Gallup's Web site: http://www.gallup.com
    * AntiOnline's Web site: http://www.antionline.com
    * Image of Gallup's hacked site:
      http://www.attrition.org/mirror/attrition/2000/03/05/www.gallup.com/
  I guess the archival history items might be known as "Gallup-agos".
  Studying them tortoise a lot.  PGN]


Aum Shinri Kyo affiliate develops Japanese government software

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 5 Mar 2000 14:15:01 -0500
An affiliate of Aleph, the cult formerly known as Aum Shinri Kyo (known for
its nerve gas attacks in Tokyo subways), has apparently been a subcontractor
on Japanese Defense Agency contracts for the development of a secure
communication network, and is suspected of planting a security trapdoor.
Police notified the Agency the day before operation was scheduled to begin.
The company also developed software for the Construction Ministry, the Posts
and Telecommunications Ministry, the Education Ministry, and NTT (among
others).  This discovery follows on several recent attacks on Japanese
government Web sites, whose attackers were not identified.  [Source:
Doomsday Cult Linked to Government, 29 Feb 2000, courtesy of John Lowry.
http://library.northernlight.com/EB20000229590000030.html?cb=0&dx=1006&sc=0#doc
PGN-ed]


Computer releases prisoner

Bob Church <churchr@oak.cats.ohiou.edu>
Mon, 6 Mar 2000 13:06:21 -0500
The Southeastern Ohio Jail is a recently completed facility to serve four or
five counties in Southeast Ohio.  It was the subject of several news stories
about delayed and poorly done construction.  Executive Director Cochran
publicly accused the contractors of "piddling around" instead of finishing
work.

The following article appeared in the March 5, 2000 issue of the 'The Sunday
Messenger' in Athens, Ohio.

Escaped Inmate Still at Large

  An inmate who escaped from an unsecured door at the Southeastern Ohio Jail
  Wednesday evening remained at large Saturday afternoon.  [descriptions of
  Tharpe, accused of armed robbery of a carry-out and considered dangerous
  ...]  Tharp was able to walk out of the jail when the emergency evacuation
  system failed and unlocked all outside security doors to the jail, Cathy
  Cochran, Executive Director explained.  If the system would have been
  working correctly, a two-minute warning would have occurred before the
  door unlocked and the officer on duty would either give the go-ahead or
  discontinue the command.  Instead the doors were unlocked automatically
  and Tharp walked out.  The alarm company that installed the system was on
  the site Thursday and reviewed with officers a number of possibilities
  that could have occurred.  Regional Jail Captain John Morris said Friday
  "to insure nothing like this incident could ever occur again, we have
  taken all the fuses out of the outer security doors.  Only officers with
  keys will have the availability to unlock the door for exit purposes."

    [The RISKS archives have a bunch of computer-related prison screwups.]


Online broker blames outages on software maker

"NewsScan" <newsscan@newsscan.com>
Fri, 03 Mar 2000 08:56:53 -0700
National Discount Brokers, and online brokerage, says the outages it
experienced recently were the result of "hacker-like" attacks by an unnamed
Web software maker.  The company had originally said its problems "had the
earmarks of a hacker attack."  Apparently, the periodic disruptions were the
result of software incompatibility with products made by the outside company
that resulted in denial-of-service-type outages.  NDB says it's considering
whether to pursue "appropriate judicial relief" through legal action against
the company.  The outages meant that NDB customers had to wait an average of
43.9 seconds to reach its site, twice as slow as the next slowest online
trading site, and prevented 200,000 customers from placing stock orders
online, although they could still relay orders over the phone.
[http://www.techweb.com/wire/story/reuters/REU20000303S0001 Reuters/TechWeb
3 Mar 2000; NewsScan Daily, 3 Mar 2000]


Boeing loses space station parts

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 6 Mar 2000 14:20:52 PST
Two nitrogen and oxygen tanks (worth $750,000) still in their crates (5 feet
on a side) for use by space-station astronauts were apparently accidentally
sent off to the Huntsville dump after being moved outdoors temporarily to
make room inside the Boeing plant.
http://dailynews.yahoo.com/h/ap/20000303/sc/space_station_trash_1.html


Arizona primary is first binding election with Internet voting

"Sidney Markowitz" <sidney@sidney.com>
Tue, 7 Mar 2000 13:09:31 -0600
The Associated Press has a fairly upbeat article about the Arizona
Democratic Primary as the first binding election in the US with votes cast
over the Internet.

  http://www.mercurycenter.com/svtech/news/breaking/ap/docs/288268l.htm

Other mainstream coverage is in Time
  http://www.time.com/time/digital/daily/more/0,2845,0,00.html

The online voting is being conducted by Election.Com
  http://www.election.com/

But the darker side can be found at the Web site of the group that sued to
stop the online election, Voting Integrity Project,
  http://www.voting-integrity.org/
where their case is made more strongly than in the brief summary of the AP
article.

RISKS readers may be interested in the security of the voting process.
According to the elections.com website, each voter receives a PIN via postal
mail that gets them access to the voting web page. A voter also has to
answer "several questions" to confirm their identity. The instructions also
remind the potential voter that "[...] it is a Class 5 felony offense to
knowingly vote at an election when not entitled to do so." That is not the
same as verification of the identity of the person who knows the PIN and
knows the answer to the several personal questions, but then I've never had
to show a photo id when I have gone to a polling place to vote.

VIP's objections appear to have less to do with security and more with the
effects of unequal access by the poor and minorities who are less likely to
have a computer and an Internet connection. Easier voting for one group is
seen to mean more voting power for that group.

Sidney Markowitz <sidney@sidney.com>


New Zealand's INCIS Crime Information System

"Dr Richard A. O'Keefe" <ok@atlas.otago.ac.nz>
Thu, 09 Mar 2000 14:57:20 +1300
The New Zealand Police had 18 databases that were nearing the end of their
useful life in 1990.  They came up with the idea of combining them, plus a
bunch of other stuff, to form the Integrated National Crime Information
System.  The business case was drawn up in 1993, and a contract signed with
IBM in 1994.  Last August, IBM pulled out, with only Increment 1 (of three
Increments) completed.  The project was three years late and running later
all the time.  The money was also blowing out: it was originally expected to
cost NZD 80 million but was up to NZD 134 million when IBM pulled out.  The
government sued and IBM counter-sued, but that is now settled.

The Report of the Justice and Law Reform Committee on the CARD and INCIS
systems can be found at
  http://www.gplegislation.co.nz/incis/incis.html

Since that report was issued last year, we have a new government, which has
promised a fuller enquiry into the INCIS affair, but not the Royal
Commission that many people were expecting.

About NZD 50 million of the cost was for hardware: 3000-odd PCs (although
the amount spent on PCs seems rather higher than I would have expected),
networks, buildings, and an S390 mainframe at about NZD 7.5 million, which
the government now want to sell because it costs NZD 0.5 million/month to
run.  See
  http://www.govt.nz/news/detail.php3?id=400
which has a link to a recent report on Police & Justice IT requirements.

Regular readers of comp.risks will find no real surprises in the report,
including the fact that there are worries about data quality in the main Law
Enforcement System data base (fields are not being used for their intended
purposes, and the Courts don't bother filling some of the fields in anyway).

Quick summary:
 - ambitious project (there wasn't anything like it available)
 - customer demanded major architectural changes part way through
 - requirements took a long time to discover
 - customer kept asking for new features
 - management problems (top level customer people who didn't get on,
   rapid project management turnover at IBM)

Mind you, it helped bring down the New Right government, so it's an ill wind
as they say...


Risks of Web information on heart attacks

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 08 Mar 2000 13:21:23 PST
The following letter appears on the Rochester General Hospital Web site
[http://www.viahealth.org/via_news/99_news/99_august_news/heartattack.htm]

  Important Notice Regarding the article
  "How to Survive a Heart Attack When Alone."

  Hundreds of people around the country have been receiving an e-mail chain
  letter entitled "How to Survive a Heart Attack When Alone." This article
  recommends a procedure to survive a heart attack in which the victim is
  advised to repeatedly cough at regular intervals until help arrives.  The
  source of information for this article was attributed to ViaHealth
  Rochester General Hospital. This article is being propagated on the
  Internet as individuals send it to friends and acquaintances - and then
  those recipients of the memo send it to their friends and acquaintances,
  and so on.  We can find no record this was produced by Rochester General
  Hospital.  Furthermore, the medical information listed in the article can
  not be verified by the medical literature.  Please help us combat the
  proliferation of this misinformation. We ask that you please send this
  e-mail to anyone who sent you the article, and please ask them to do the
  same.

  Sincerely, John Turner,
  Director of Public Relations ViaHealth Rochester General Hospital

    [This is of course not a unique case.  I include it here simply
    as one more reminder of the risks of unauthenticated e-mail.
    Incidentally, speaking of e-mail, the ever-vigilant French have
    now rejected the use of the term "e-mail" (and many other terms)
    as further incursions of American/English into francais.  It is not
    clear whether the fact that "email" is a perfectly good old French
    word (relating to enameling) had anything to do with the matter.
    (New RISKS readers in the past four years might want to look at
    my lead note in RISKS-17.95.)  PGN]


Census fiasco

"Bob Frankston" <rmf2gOther@bobf.Frankston.com>
Wed, 8 Mar 2000 11:36:35 -0500
Apparently all the informational mailings about the 2000 census [US] put an
extra digit before hour numbers so that 23 Main St can become 123 Main St.
Apparently the solution is to tell the postal workers to ignore the first
digit.

Sounds reasonable except that this is the 2000 census and the real address
is in the barcode not the printed version. Seems similar to the assumption
that the Post Office made in changing some zip codes in 021 to 024 -- the
number is now a database key, not a physical delivery route.

So I looked a little further and saw
http://www.census.gov/Press-Release/www/2000/cb00cn21.html which said that the barcodes are, in fact, correct. So it is just a minor
labeling error at the end point.

The real risk in news reports passing on factoids without understanding the
underlying issues and thus giving a misleading report. Alas, this is the
norm. The good news [NPI - No Pun Intended] is that they are not the sole
gatekeepers of information even though the newspapers still don't provide
links to their sources even if the source is a standard press release.

Of course, there's the whole issue of this being the last paper-based census
but that is beyond the scope of riskoids.

Bob Frankston  http://www.Frankston.com


UK ISPs leave themselves open to potential abuse

Pedt Scragg <pedt@signpost-design.co.uk>
Tue, 7 Mar 2000 17:41:46 +0000
A number of the new 'free' UK ISPs have left themselves open to potential
abuse with certain e-mail/website addresses being available for the general
public that should perhaps be not available.

I happen to be sysadmin@network-operations.freeserve.co.uk and also
network_operations@tesco.net amongst others - all via the signup page on
their web sites and I get web sites to match the name.

Risks: I could put up a web site detailing non existent problems or post to
newsgroups using these addresses and they may well be believed as being from
someone who works at the relevant NOC. Joe Public might well believe a site
at http://www.network-operations.freeserve.co.uk or at
http://www.network_operations.tesco.net as being legitimate sites for the
ISP if found on a Search Engine.

Pedt Scragg  Signpost Web Design, Wrecsam, North Wales
http://signpost-design.co.uk/


Judge sends message to network vandals: "go to jail"

"NewsScan" <newsscan@newsscan.com>
Mon, 06 Mar 2000 07:59:23 -0700
Federal judge Irma Gonzalez has imposed an 18-month prison sentence on a
27-year-old man who as leader of a 12-member ring of network vandals broke
into the computer systems of a number of major U.S. phone companies. In
passing the sentence, the judge said: "This is a crime which is becoming
more and more prevalent in our society. There has to be a message sent to
this community that people like you, who commit this type of crime, will be
punished." [AP/*San Jose Mercury News*, 5 Mar 2000; NewsScan Daily, 6 March
2000]


The scary MSWord residue feature

Avi Rubin <rubin@research.att.com>
Wed, 1 Mar 2000 21:16:53 GMT
I recently received a legal document as part of a personal negotiation that
I am doing. The document was e-mailed to me in MSWord format.  As I was
showing it to my lawyer (who happens to be my wife), we decided to put our
thoughts inline using the track changes feature of word. After selecting
Tools, and Track Changes, we clicked on "Highlight changes in document" and
voila, suddenly a whole bunch of red appeared on the screen. We looked at it
closely and realized that everything in red represented changes in the
document that my counterpart's lawyer had written. We got a good look at the
previous version of the contract, as well as a bunch of comments and
justifications that the lawyer wrote to his client. It was an eye opening
experience.

It appears that instead of selecting "Accept all changes" before sending it
to me, the other party to the contract simply turned off the highlighting to
the track changes feature.

This is obviously a case of an unsophisticated person misusing a feature.
However, it is very dangerous. Lawyers send word documents around all the
time, and many of them do not really understand all the features that they
use, nor should they have to. I imagine that I was not the first person to
see some behind the scenes conversation in an important word document, that
I was never intended to see.


Re: "Unstable" postal addresses (Re: Dellinger, RISKS-20.82)

Peter Corlett <abuse@cabal.org.uk>
Sun, 05 Mar 2000 15:18:47 +0000
The UK Post Office exacerbates this somewhat by providing a database that
will cleanse and correct addresses. This works by taking the house number
and the post code, and generating an address in the preferred format for the
Post Office. For example, the house number "234" and the post code "SW6 9XY"
(that I've just plucked out of the air) might produce the address:

234 Random Street
Fulham
London SW6 9XY

This is quite a good scheme as it goes, since many companies seem to use it
as an extra form of validation. If I phone a company who want my address,
I'll be asked for my post code - which gives the street name and a range of
house numbers - and will then be asked for my full address which they will
cross-check on the screen. If it doesn't match, they know there's an error,
and I'm asked to repeat it.

This is a great tool that stops misaddressing. Unless you're in a property
that has been split into flats and has not been coded by the Post Office.
For example, suppose 234 Random Street has been split into flats, and that I
live in flat number 1. The proper address that I give out would thus be:

Flat 1
234 Random Street
Fulham
London SW6 9XY

Mail is successfully delivered to me at such an address. Unfortunately, some
companies tend to lose the "Flat 1" because their database only has fields
for "street address", "local area" and "post town", or try to use the 1 in
the database, instead of 234. If you're lucky, 1 SW6 9XY is invalid, and it
gets flagged. If not, your mail's going to go astray, being sent over a
hundred doors down the road.

Other problems involve trying to bodge the "Flat 1" into the "street
address" field of the database, since the database designer was a bit
short-sighted. You will now see things put there as "Flat 1, 234 Random
Street", or sometimes "1 234 Random Street". You'd better hope the postman's
on the ball and there aren't a thousand houses on the street.

The Risk here is that some databases use aren't able to handle
sub-addressing or free-form addresses, yet the designers still thought that
their database would know somebody's address is what they claim it is. Time
for a PO Box, I guess, let's see how they cope with that.


ADSL snooping

David <da0g+@andrew.cmu.edu>
Fri, 25 Feb 2000 11:01:41 -0500
On my ADSL system, with tcpdump, I've noticed traffic between two other
machines.  The traffic was not going through my system.  But I was free to
observe it, and snoop on the telnet sessions.

This was not normal.  Bell Atlantic does not usually do this.  (They have
been informed, and will presumably take steps to correct this matter.)

However, it drives home the point that ADSL is *NOT* a substitute for decent
security (ssh, kerberized services, etc).


Risks of Leap Years and Dumb Digital Watches, quadrennial posting

Mark Brader <msb@vex.net>
Tue, 29 Feb 2000 13:32:05 -0500 (EST)
All right now, how many people reading this...
 -> saw a previous version of this message in Risks 6.34, 13.21, or 17.81,
 -> have watches that need to be set back a day because, unlike the smarter
    kind of digital watch, they went directly from 28 Feb to 1 Mar,
 -> and *hadn't realized it yet*?

Mark Brader, Toronto, msb@vex.net


Leap-day 2000

"Chris Kuan" <mrgazpacho@hotmail.com>
Wed, 01 Mar 2000 12:50:15 PST
My father's digital Casio wristwatch changed from Feb 29 to 30 Feb this year.


Leap-day 2000: VCR

Bob Erkamp <erkamp@arc.ab.ca>
Wed, 01 Mar 2000 09:17:39 -0700
I have a Sony SLV-940HF VCR with a nice feature that get's the date and time
over cable from any channel that broadcasts it (I think it's PBS). I had
programmed some shows to be recorded for Feb. 29/2000 and just happened to
notice that the VCR wasn't recording when it should be. I checked my
programming and the entries were there but the VCR wasn't taping? I then
checked the date and time and it said it was Monday, February 28! The only
way I could get me VCR to record anything yesterday was to switch to manual
date and time. I am not sure which channel was broadcasting the incorrect
time but I suspect others may have run into this?

Bob Erkamp, Alberta Research Council, 250 Karl Clark Road, Edmonton, Alberta
T6N 1E4 CANADA  1-780-450-5181   http://www.arc.ab.ca/individuals/erkamp/


Leap-day 2000: Checkbook magazine

Jeremy Epstein <jepstein@monumental.com>
Wed, 1 Mar 2000 14:04:53 -0500 (EST)
I'm sure there are lots of these.  Among them, Washington Checkbook magazine
(a consumer magazine) seems to have sent out erroneous subscription renewals
to some/all of their subscribers yesterday (February 29th).  They sent out
an apology e-mail, which is how I found out.


Getting Jenni arrested

<sragsdale@my-deja.com>
Thu, 02 Mar 2000 18:21:05 GMT
  [My friend Keith Schon <schon@supplybase.com> told me this story about
  Valentine's day, and I offered to post it to comp.risks for him.]

I decided to send my girlfriend flowers for Valentine's Day, and I ordered
them through the 1-800-Flowers website.  Where the field says "enter card
message" I typed "If I was there I would get myself a great big kiss from
you."  When the flowers arrived (3 days from the target date), the message
on the card had been truncated by a few crucial words.  The new mangled
message left off my name and ominously said "If I was there I would get
myself."  One of her co-workers was sufficiently disturbed and called
university security, who detained and questioned my girlfriend for most of
the morning about stalkers, bomb-threats, etc.  Basically I paid to have my
girlfriend arrested.

I sent e-mail to their customer service department through the same website.
They advertised a response within 12 hours.  4 days later, I got a form
letter offering a partial discount, which showed no sign of their actually
having read my e-mail.

The RISK seems to be "be careful when you automate."  If you're going to
rush the results out to customers before a human being checks them, at least
make good on your customer service.  I'll never use these guys again via web
or phone, and I have a feeling they made a lot of their other V-Day
customers feel the same way.


Privacy risks as mid-sized orgs decide that Web access is cool

"Daniel P. B. Smith" <dpbsmith@world.std.com>
Wed, 8 Mar 2000 13:43:38 -0500 (EST)
I belong to the singing organization SPEBSQSA (Society for the
Preservation and Encouragement of Barber Shop Quartet Singing in America),
a nonprofit organization with about thirty thousand members and an
increasingly sophisticated Web operation.

Recently I received an unsolicited e-mail announcement of their "members
only" area.  The e-mail, which of course wasn't secured in any way,
included a password for access to the account which happened to be a
single, correctly spelled English word six letters long.  On accessing the
account I find that any member is, among other things, able to obtain the
chapter roster of any chapter, complete with names, addresses, home,
work and fax phone numbers and e-mail address of every member in the
chapter.  (The chapters have to be accessed by their code number, but the
code numbers are sequential and readily available in SPEBSQSA
publications).  At very roughly 1000 chapters and 30 members per chapter,
it would be very feasible for a 'bot, or even a moderately patient human,
to obtain the complete membership list for the entire organization.

There's no terribly sensitive information here, and of course there is the
disclaimer: "The information contained on this site is confidential and
may only be used for official SPEBSQSA business by authorized Society
members.  Unauthorized use of this site or the data it contains is
strictly prohibited," which would presumably allow egregious abusers to be
successfully sued.  Still, this is AWFULLY sloppy.

The necessary expertise to make information available on a Web site is
propagating an awful lot faster than the expertise needed to keep it
secure.  And the customary practice seems to be "_first,_ let the cat out
of the bag; _then_ inform you that there's a cat and a bag."

Daniel P. B. Smith <dpbsmith@world.std.com>

Please report problems with the web pages to the maintainer

Top