The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 85

Friday 24 March 2000

Contents

o Northwest grounded for 3.5 hours after cable cut
Tim Dixon
o Patriot fails again
Lord Wodehouse
o Iridium insidium
PGN
o Leap-day banking ALERT!
Harlan Rosenthal
o Weather.com leaves visitors in the cold
Jay D. Dyson
o Cybercrime losses double to $10 billion
NewsScan
o Massive credit-card theft exposed
NewsScan
o Hacking credit cards is preposterously easy
Martin Minow
o Laptop Security
Steve Loughran
o Risks of Microsoft Passport
Avi Rubin
o Actor sues eBay for causing identity theft
Jim Griffith
o Re: MIT grade spreadsheet problem
Wm. Randolph Franklin
o There *still* ain't no such thing as a free lunch
Malcolm Pack
o Re: Hackers sued by software-filtering company
Bear Giles
o Re: Internet voting
Adam Shostack
o Report raises online privacy concerns
NewsScan
o TWA includes e-mail others' addresses in bulk mailing
RA Downes
o Re: Overdue Railtrack calls in the Army
Mark Nelson
o Info on RISKS (comp.risks)

Northwest grounded for 3.5 hours after cable cut

Tim Dixon <tdixon.no@spam.fwi.com>
Wed, 22 Mar 2000 19:14:26 GMT
When will people learn?  Computerworld reports that Northwest Airlines had
to cancel about 130 flights during a 3.5-hour outage at their Twin Cities
hub.  It seems a contractor accidentally bored into the cable cluster
containing both main and redundant fibre lines.
  [http://www.computerworld.com/home/print.nsf/CWFlash/000322CBDE]

When will people learn they need to know where their redundancy lies?
Cables run through the same conduit are only partially redundant, as events
like this will happily take out all the cables in a conduit, making the
conduit itself a single point of failure.

  [It sure is a common thread in RISKS!  Thanks to the others of you
  who noted this case also.  PGN]


Patriot fails again

Lord Wodehouse <w0400@ggr.co.uk>
Fri, 24 Mar 2000 16:38:04 +0000
>From the BBC:
http://news.bbc.co.uk/hi/english/world/americas/newsid_689000/689329.stm

Yet again the Patriot missile has hit the news.  Again units on high alert
status for long periods have developed problems.

  Tests have shown that missiles kept constantly on high
  alert have developed problems in receiving a radio
  frequency downlink, which guides the missiles in flight.

  General Kern said the Patriot's manufacturer,
  Raytheon Co., had guaranteed that the missiles would
  work properly if on high alert for a maximum of six
  months.

The full article provides ore details. However the risks are 1) the missile
fails when required to work (seen before in the Gulf War) and 2) people
believe that the missile works, when it may not. The former means it is a
less reliable form of defence and the latter means people might assume they
are safe.

  [Of course checking the Raytheon web site shows nothing about this on the
  top page.  A search of their site does not seem to feature the story
  either.  Another risk here: absence of information.  John]

Global Research Information Systems, Glaxo Wellcome, Gunnels Wood Road,
Stevenage SG1 2NY UK  +44 1438 76 3222 http://ds.dial.pipex.com/lordjohn/


Iridium insidium

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 23 Mar 2000 7:55:01 PST
Jo Le Guen, the Frenchman who is rowing solo across the Pacific, six weeks
into a four-month trip from NZ to Cape Horn in Chile, in hopes of raising
awareness of the plight of our oceans.
  [http://www.wired.com/news/print/0,1294,35077,00.html]

Rune Gjeldnes and Torry Larsen, two Norwegians, are attempting to be the
first known to ski from Russia to Canada over the North Pole.
  [http://dailynews.yahoo.com/h/nm/20000320/tc/iridium_norway_1.html]

What do they have in common?  Both efforts may lose their communications
lifelines when the plug is pulled on the Iridium satellite network at
midnight on 24 Mar 2000, after Iridium LLC failed to be rescued from
bankruptcy.  However, Motorola will attempt to keep the network running in
remote areas "for a limited period of time."  Le Guen gets his weather
forecasts from France, and talks with his doctor.  (He has some alternative
modes of communication, but with practical restrictions.)

  [Thanks to Mark Brader and George Mannes for the source material.]


Leap-day banking ALERT!

Harlan Rosenthal <H.Rosenthal@Dialogic.com>
Wed, 22 Mar 2000 09:37:17 -0500
This came from one of my staff. - harlan

> Check the bank statements carefully this month!!!
> My bank missed a posting made 29 Feb 2000.
>
> I was about to panic when I checked with the company to be paid - they did
> have the payment, received 29 Feb.  My bank account statement went from 28
> Feb to 1 Mar, the payment wasn't shown, and it looks like the amount was
> not accounted for.


Weather.com leaves visitors in the cold

"Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov>
Mon, 20 Mar 2000 08:09:52 -0800 (PST)
The risk here?  Total reliance on a website.  Fortunately, my reality check
(an open window) gave me the 0day info on the genuine weather conditions.

This morning, I was told by my sweetie to go look at http://www.weather.com/
to see what the daily forecast is.  You can only imagine my surprise when I
saw this week's forecast for ZIP code 91109!

    http://www.weather.com/weather/us/zips/91109.html

    TODAY   Windy       hi 18F
                lo 7F
    TUE Partly cloudy   hi 19F
                lo 9F
    WED Partly Cloudy   hi 21F
                lo 9F
    THU Partly Cloudy   hi 22F
                lo 9F
    FRI Mostly Cloudy   hi 22F
                lo 9F
    SAT Showers     hi 19F  *
                lo 8F
    SUN Partly Cloudy   hi 22F
                lo 46F

    * I'd like to know how we're going to have "showers" when it's
      19 degrees F, too.

Now either I'm re-acclimated to Iowa-like weather very darn quick, or the
database is mixed up between Celsius and Fahrenheit.  This parka of mine is
just too darn warm, I tell ya!

Thanks go to my sweetie for mentioning this to me this morning, otherwise
I'd have froze to death!  ;)


Cybercrime losses double to $10 billion

"NewsScan" <newsscan@newsscan.com>
Wed, 22 Mar 2000 08:25:15 -0700
Financial losses attributed to malicious hacking, online corporate espionage
and other computer crimes probably doubled last year, according to a survey
by the Computer Security Institute.  The survey covered 643 major
corporations and public agencies that estimated their computer crime losses
at $266 million in 1999.  Based on that number, CSI estimates that total
losses attributable to computer crime are around $10 billion annually,
mostly from financial fraud and proprietary information theft.  However,
only one company in four surveyed reported the crimes in 1999, down 32% from
1998.  Suspected reasons for the decline are fear of bad publicity and
distrust of the FBI.  Based on the survey responses, 59% of the companies
said the computer attacks initiated from the Internet, while 38% said they
initiated from internal company computers.  [*Los Angeles Times*, 22 Mar
2000, http://www.latimes.com/business/20000322/t000027053.html, NewsScan
Daily, 22 Mar 2000]


Massive credit-card theft exposed

"NewsScan" <newsscan@newsscan.com>
Fri, 17 Mar 2000 09:43:17 -0700
In Jan 1999, a computer vandal stole information on 485,000 credit cards
from an e-commerce site and then secretly stored them in a database on a
U.S. government agency's Web site.  Although the theft was discovered in
March 1999 when a government administrator noticed that "a lot of the memory
(on the Web site) was chewed up for no reason, so he checked and found the
file (containing the stolen data)," many of the credit cards remain in use
today because credit-card companies and card-issuing credit unions decided
that it would be too much trouble to shut down the accounts and issue new
numbers, according to an unnamed source.  There is no evidence that the any
of the cards have been used to commit fraud, and Secret Service spokesman
Jim Macken says investigations point to an Eastern European perpetrator.
It's unclear why the data was deposited on a government Web site, although
Macken suggests that it may be the online equivalent of thumbing one's nose
at U.S. authorities. [MSNBC 17 Mar 2000 http://www.msnbc.com/news/382561.asp
NewsScan Daily, 17 Mar 2000]


Hacking credit cards is preposterously easy

"Minow, Martin" <martin.minow@thinklinkinc.com>
Fri, 24 Mar 2000 08:39:16 -0800
The Register <http://www.theregister.co.uk/000324-000017.html> reports that
is is "preposterously easy" to hack many sites that collect credit card
information.

  One computer enthusiast well known to The Register, who goes by the alias
  'Ksoze' (as in Kayser [Kaiser?] Soze), shows particular contempt for the
  security of the popular CGI log-in forms which enable consumers to enter
  their credit details when making a purchase on line. These Perl scripts
  are ripe for exploitation -- the real low-hanging fruit of the IP jungle.

  ... It's all too easy: "Just hit 'update account' and you get
  the form as filled in by customers," he says.

  ``**** are thieves, OK, but they're morons too. They supply a CGI to their
  customers named ccbill-local.cgi by default. Site administrators need that
  CGI to add users, update accounts, and so on; but **** supplies the CGI
  chmod-ed as world-readable, in a world-readable directory! Aren't they
  totally lame?''

Transcribed (with the CGI vendor name removed) by
Martin Minow, minow@pobox.com

  [Credit-card fraud worldwide is reportedly just under $1 billon a year,
  at about .7 percent of gross, but that represents only about 2% of banking
  losses.  Private communication.  PGN]


Laptop Security

"Steve Loughran" <slo2@iseran.com>
Fri, 24 Mar 2000 14:03:25 -0000
The BBC on line news, 24/March/00 covers an embarrassing laptop theft
     http://news.bbc.co.uk/hi/english/uk/newsid_688000/688814.stm

  MI5 laptop snatched
  Special Branch detectives are searching for a computer containing
  sensitive information on Northern Ireland after it was stolen from an MI5
  agent.  The 2,000-pound laptop was snatched as the agent stopped to help a
  passer-by at Paddington Underground station in central London.  Its data
  was encrypted and security officials are thought to be confident it could
  not be accessed.

The article continues with some opinions on how there is no such thing as a
``completely safe encryption system'', and the implications of the loss.

One must hope that the ``hibernate'' partition and swap file of the notebook
is also suitably encrypted, and that in the unlikely event that they are
using Windows 2000's encrypting file system, that all the files have
innocuous names.

As a recent Microsoft knowledge base article describes:
http://support.microsoft.com/support/kb/articles/Q248/7/23.ASP , their
encrypting file system only encrypts the contents of files, not the file
names.  Whereas an encrypted file ``secret plan to subvert the
government.html'' would not be readable, the fact that you had a secret plan
would be widely known...

    -Steve


Risks of Microsoft Passport

Avi Rubin <rubin@research.att.com>
Tue, 21 Mar 2000 14:33:05 GMT
Dave Kormann and I took a look at Microsoft's Passport protocol and
examined the risks. Our full paper is available at

  http://cs.nyu.edu/rubin/passport.html

Here is the abstract:

Passport is a protocol that enables users to sign onto many different
merchants' web pages by authenticating themselves only once to a common
server. This is important because users tend to pick poor (guessable) user
names and passwords and to repeat them at different sites.  Passport is
notable as it is being very widely deployed by Microsoft.  At the time of
this writing, Passport boasts 40 million consumers and more than 400
authentications per second on average. We examine the Passport single signon
protocol, and identify several risks and attacks.  We discuss a flaw that we
discovered in the interaction of Passport and Netscape browsers that leaves
a user logged in while informing him that he has successfully logged
out. Finally, we suggest several areas of improvement.

Avi


Actor sues eBay for causing identity theft

Jim Griffith <griffith@netcom.com>
Tue, 21 Mar 2000 14:17:58 -0800 (PST)
Jerry Orbach ("Law and Order", _DIRTY DANCING_, _FX_, and many others) is
suing eBay for allegedly allowing a user to auction two of his old acting
contracts.  Reportedly, the scanned images of the contracts showed his
Social Security number, which allegedly resulted in credit card fraud.

http://www.cnn.com/2000/SHOWBIZ/News/03/21/showbuzz/#story2


Re: MIT grade spreadsheet problem (Lutton, RISKS-20.84)

Wm. Randolph Franklin <wrf+risk@mab.ecse.rpi.edu>
Tue, 21 Mar 2000 17:38:49 -0500
That sort of problem is a constant worry to large-course coordinators, who
have to assemble grades submitted by various graders into one database,
while adding and deleting students from the classlist.  As students are
added, formulae must be copied, relatively, and summation ranges must be
extended.  One wrong mouse click can invisibly drag a cell somewhere else.

One obvious check, which was not made, is to sample a few students, and
check for reasonableness.  An after-the-fact check is to give the students
complete info about the inputs and outputs for their individual grades.
However, that's not so easy.  At times, I've used nested shell scripts to
e-mail each student.  At other times, I've created a separate AFS directory
for each student, permitted to only that person.

One deep reason for the problem is as follows.  It's hard to destroy or
mutilate info on paper.  It's easy to delete info from a computer file.
This sort of user interface and metaphor problem is one of the areas in
which Computer Science has not advanced in decades.

Does anyone remember the Florida contractor who used Lotus to prepare a bid,
which was too small since his summation range was too small?  He won the
bid, then sued Lotus, leading to a cover story in (I think) Business Week.

Wm. Randolph Franklin       wrf+risk@mab.ecse.rpi.edu (PGP available)
http://www.ecse.rpi.edu/Homepages/wrf/

  [WRF is undoubtedly referring to the SYMPHONY case:
    Lawsuit vs Lotus' Symphony dropped (omitted General Costs
    proposal section)(ACM Softw.Eng.Notes 11, 5, RISKS section,
    pp.11-12, October 1986, and SEN 12 1, January 1987.  PGN]


There *still* ain't no such thing as a free lunch

Malcolm Pack <mpack@email.com>
Sun, 19 Mar 2000 08:05:19 +0000
On 14 Mar 2000, Stephen King's latest Novella, published only as an
Electronic Book, was made available "free of charge" by Barnes and Noble on
the company's web site.  Thanks to recent upheavals in the UK Telco/ISP
marketplace, for once this truly was a "free" offer, since I would be able
to download the book without incurring metered telephone call charges.

The book was available in three formats:

o RocketBook
  Only for owners of a NuvoMedia's physical Rocket Book device.
  Those of us in possession of the eBook software were SOL.

o GlassBook
  A new (to me) format that required the download of a
  free-of-charge reader that includes Adobe PDF technology,

o Adobe PDF
  To be sent by e-mail.

Having discovered that the Rocket edition was not available to me, I
requested an e-mail copy (for which I am still waiting) and decided to
download the free GlassBook version with its free viewer.

I won't go into the length of time it took to connect to clearly- overloaded
servers at bn.com and glassbook.com.  Needless to say, I was not permitted
to get the book until I had finished downloading the 7MB reader, which I
eventually managed to do, and installing it.

The reader installed, and asked me to reboot my Windoze NT4 SP6a PC to
enable it, which I did.  The PC restarted, got to the "blue startup screen",
restarted itself, got to the "blue startup screen", restarted itself, got to
the "blue startup screen", restarted itself, got to the "blue startup
screen", restarted itself...

Two hours, and much detective work later (thanks to my being able to
dual-boot into SuSE Linux and see my NT partition outside its crippled OS
host), the culprits turned out to be a SYS and a VXD (tpkd.*) that the
software had installed.  Both were "InterLok(R)" files created by "PACE
Anti-piracy, Inc".  My PC had been crippled by anti-piracy measures applied
to a "free" software product I'd installed to read a "free" book.  It is
entirely feasible that others were locked out of their systems for good by
this software.

Epilogue

Fortunately, some things in life *are* free (if one owns the right
Advertisement-blocking software ^-^), so I was able to use dialpad.com to
telephone the US-based support desk for Glassbook using my PC as a
telephone. After a 30 minute hold, I was put through to a technician, and
explained the problem.  While sympathetic, the response boiled down to "This
is Beta software.  I'll log the report for action."

I've heard nothing since, and I still haven't got a copy of the book.

Malcolm Pack <mpack@email.com>


Re: Hackers sued by software-filtering company (RISKS-20.84)

Bear Giles <bear@coyotesong.com>
Mon, 20 Mar 2000 09:25:32 -0700 (MST)
There is *far* more going on here than meets the eyes.  Those programmers
are involved in the Peacefire anti-censorship group
(http://www.peacefire.org).  The site has had detailed instructions for
getting around censorware software for months, without any legal action from
the companies.

But for some odd reason Symantec (I-Gear) threatened legal action only after
Peacefire cracked their encrypted blacklist and determined that 76% of the
sites in a quick sample (the first 50 .edu sites) were erroneously blocked.

Likewise Mattel (CyberPatrol) sued only after Peacefire cracked their
encrypted blacklist and published the results.

To a critical mind, several questions scream out:

 - why are the blacklists encrypted?  Is this to block access by
   competitors, or is it really to prevent parents and libraries from
   performing their own quality checks?  (If it's an anticompetitive
   measure, why are the companies treating it as a "hackers, kids and
   porn" case?)

 - how would knowing that a site is on the blacklist permit a kid
   to access the blocked site?  How many kids have the technical
   knowledge to edit the blacklist... and how hard would it be to
   check an MD5 checksum every so often?  (Since the blocking software
   only works when the computer is on the 'net, it is trivial to
   automatically download the checksum every Nth request.  If they
   don't match, download a new copy of the blacklist.)

 - why would the legitimately blocked sites have a problem with this?
   AFAIK most legitimate porn sites are more than willing to cooperate
   with censorware companies because it reduces their legal exposure -
   they can demonstrate a good-faith effort to prevent access by minors.
   The only sites that have a beef with this issue are ones that are
   blocked due to judgement calls, e.g., the pro-censorware Christian
   group that was was shocked to discover itself on a blacklist because
   of its firm, principled stand against homosexuals and heathens.

Further complicating the issue is the apparent attempts to invoke the DMCA
(essentially criminalizing political debate if one party uses even trivial
encryption of key evidence; it brings to mind the 80's fad of putting a
lawyer into every meeting so the company could claim lawyer-client
confidentiality) and the pending UCITA legislation (which would explicitly
criminalize badmouthing software).  And we must never forget the absurdity
of a U.S. judge telling a Swedish ISP that it can't host material for two
Canadian residents - do all courts have worldwide jurisdiction in the
prenatal millennium?

I strongly recommend anyone interested in this topic review the Censorware
Project's report on an analysis of the logs of all Utah schools and
libraries. (http://censorware.org/reports/utah/) This report has been widely
misquoted as proving that censorware works.  The 0.0006% (or "1-in-6
million," as was allegedly misquoted at one point in the Bush-McCain
slugfest) error rate is a total fiction; any sane analysis shows that about
1-in-20 blocked sites are blocked in error in practice.

*** Late update: according to Slashdot
(http://slashdot.org/article.pl?sid=00/03/20/0845236) Mattel (CyberPatrol)
has not only sent mass mailings to all mirrors of the the critical webpages,
they have allegedly added these mirror sites (and the author's homepages) to
their blacklist *under all categories.* Slashdot also reports that Declan
McCullagh, respected journalist for _Wired_ who has never hosted the essay
in question has also received legal threats.

This means there is an excellent chance that this issue of comp.risks will
be unavailable to school children nationwide due to its shocking content of
nudity, explicit sexual depictions, violence, drug use, satanic acts,
gambling activities, etc.

The RISKS created by an "informed public debate" on the merits of
censorware, where the library patrons are quietly "protected" from
legitimate criticisms of one side of the debate should be obvious to
everyone.  This is *not* an example pulled out of thin air -- another recent
Slashdot discussion covered the Holland, Mich. debate on whether to mandate
this type of censorware in their libraries.  One can only shudder in
anticipation of the glorious day when nobody is even aware of this problem
as DMCA and UCITA ensure that no software, anywhere, ever has any
publishable defects of any kind.

On the bright side, this one petulant act may be enough to raise serious
constitutional issues of whether it will *ever* be legal for a government to
mandate the use of censorware on publicly access systems.  If this nonsense
is allowed to stand, we might as well appoint the CEO of Mattel Lord High
Emperor because he(?) will have demonstrated the ability to stifle the free
political debate that lies at the heart of our democracy.

(The preceding political screed was brought to you by the Drug-Running Child
Pornography Terrorists of America.)

Bear Giles <bgiles@coyotesong.com>

P.S., some people are already calling for a Barbie-Q to protest this.  I am
seriously torn between the attraction of torching a little Mattel
CEO-in-drag effigy on the steps of the state capitol (and passing out flyers
explaining the situation to passing legislators) and the horrid fact that
that means Mattel would get even one thin dime from me.

  [Does Barbie have a Mattelephone?  PGN]


Re: Internet voting (RISKS-20.83-84)

Adam Shostack <adam@zeroknowledge.com>
Sun, 19 Mar 2000 12:53:10 -0500
Regarding the question Steve Wildstrom poses in Risks 20.84, "Once you are
authenticated on line, how do you cast a secret ballot?"

One answer lies in a set of technologies called minimal disclosure
credentials.  These were invented by David Chaum, and substantially enhanced
by Stefan Brands.  The core of it is, you authenticate to some server, and
are granted a single-use credential which can not be linked to your
authentication.  The inability to link back to the authentication is
provided by a technique called blinding, where the client takes a set of
actions to prevent the server from knowing what it is signing.  This
technique forms the basis for anonymous electronic cash, and can be used to
create a 'coin' whose value is 'one vote.'  The state can allow each voter
to withdraw one coin, and ensure that each vote is 'paid for' with one valid
coin, thus assuring one person, one ballot, per election.  (This proposal
has a number of flaws, but is useful as a straw man if you understand
electronic cash.)

Schneier's Applied Cryptography, chapter 6, has a long list of electronic
voting protocols and systems which are intended to address these types of
questions.

Adam

  [Wait until you see Bruce's next book, forthcoming, which takes a less
  sanguine view of good crypto protocols in the presence of flawed
  implementations or weak system embeddings.

  Incidentally, Lauren Weinstein called to my attention an article on
  Arizona's experience with Internet voting that is of interest here:
      http://www.washingtonpost.com/wp-dyn/politics/A37369-2000Mar18.html
  PGN]


Report raises online privacy concerns

"NewsScan" <newsscan@newsscan.com>
Thu, 09 Mar 2000 09:57:08 -0700
A new Justice Department report, titled "The Electronic Frontier: The
Challenge of Unlawful Conduct on the Internet," has put privacy activists on
alert: "What the report amounts to is a law enforcement Internet wish list
of ways in which they can strip away privacy and free-speech protections in
order to get at what they claim is this criminal element online," says an
ACLU spokeswoman. The most controversial part of the report is a passage
that terms anonymous e-mail a "thorny issue": "Given the complexity of this
issue, balancing the need for accountability with the need for anonymity may
be one of the greatest policy challenges in the years ahead." A White House
deputy press secretary attempted to reassure ACLU officials, saying the
administration understands the importance of privacy, including the positive
role anonymity can play in reporting crimes and war atrocities.  [*The
Washington Post*, 9 Mar 2000,
http://www.washingtonpost.com/wp-srv/business/feed/a39970-2000mar9.htm;
NewsScan Daily, 9 Mar 2000]


TWA includes e-mail others' addresses in bulk mailing

<main@radsoft.net>
Wed, 22 Mar 2000 05:37:51 +0000
  [TWA accidentally disclosed e-mail addresses of 80% their customers,
  albeit in alphabetically ordered batches.  Spammers's delight?
  Advertiser's boon?  Violation of their privacy policy?  PGN]

Again, mice prove to be erratic creatures:

http://news.cnet.com/news/0-1007-200-1580221.html?tag=st.ne.ron.lthd.1007-200-1580221

It would seem a standard "Are you really really sure?" would be in order
here so that the mice don't take the day.

-R

Radsoft Laboratories  http://www.radsoft.net


Re: Overdue Railtrack calls in the Army (Martin, RISKS-20.84)

"Mark Nelson" <mnelson@fnx.com>
Wed, 22 Mar 2000 11:58:35 -0500
> An earlier article explains that the cost overrun from 2.2 billion to 5.8
> billion (that's UK pounds and UK billions)

  [We have been around this one before in RISKS.  For quite a few years,
  UK billions and and US billions have been unofficially the same,
  irrespective of whether OFFICIALLY the UK billion might still be
  a million million.  I had inteded to take out Ursula's unofficially
  gratuitous parenthetical.  PGN]

Please report problems with the web pages to the maintainer

Top