The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 22

Friday 26 January 2001

Contents

Software crash hits Canadian grocery chain
Aaron PooF Matthews
Aircraft had near-miss in Finland
Michael Walsh
UK Trials of GPS controlled car speeds
Steve Loughran
Theft of vehicle leads to robbery at home
D. Joseph Creighton
Bank robber nabbed by GPS
Roger H. Goun
B of A Visa Y2K glitch?
Ethan McKinney
Risks of shortcuts in user interfaces
Austin Donnelly
Cross-site scripting still a threat
Michael Sims
HotMail blocking users from e-mailing Peacefire
Bennett Haselton
Network vandal attacks Microsoft sites
NewsScan
Hacker indicted for network vandalism
NewsScan
Sex-offender Web sites are insecure
Monty Solomon
Remote disabling of satellite TV receiver smart cards
Jeremy Epstein
Shoppers seize unauthorized discounts at Macys.com
Monty Solomon
Re: Palm Pilot Security
Mitch James via Dave Stringer-Calvert
Clone phones with help from AT&T
Nikita Borisov
Re: Chinook
Lloyd Wood
Ken Garlington
Expanding on an urban legend
Danny Burstein
Re: "Security holes protect your equipment from theft"
Daniel P. B. Smith
Re: Risks of mail auto-reply
Jerrold Leichter
Hotmail declines to accept new users with reserved words in last names
Robert Rossa
ACM1 Message for RISKS Subscribers
Lillian Israel
Info on RISKS (comp.risks)

Software crash hits Canadian grocery chain

<Aaron PooF Matthews>
Thu, 25 Jan 2001 20:54:01 -0500

http://cbc.ca/cgi-bin/view?/news/2001/01/25/sobeys010125

Sobeys (Canada's second largest grocery mega chain) had a computer systems
outage that lasted over a five day period.  The result of the outage is that
they will miss their projected profits.

  [CBC reported that Sobeys will take an after-tax charge of Canadian
  $49.9 million because it had to scrap its SAP software system.
  Dan Haggerty also noted this item.  PGN]


Aircraft had near-miss in Finland

<Walsh Michael <michael.walsh@wmdata.fi>>
Mon, 15 Jan 2001 16:52:05 +0200

Last week's Finnish papers were full of the continuing story of how a
Russian Aeroflot plane leaving Helsinki Vantaa airport came within 450 feet
of a Finnair charter flight returning from Malaga.  (This happened in
November 2000, but was just reported.)  Apparently the Russian plane kept
disappearing (and coming back) from the radar screen in the tower.

In the following days the plot thickened.

* Helsinki Vantaa has had, since March 2000, a new modern French radar system.

* Aeroflot planes have (since then) often displayed this fault.

* Conclusion (Finnish spokesperson - day one) the problem is with the Russian
planes.

* Day two Aeroflot came back with the comment that their planes were flying
to many other Western European destinations and Helsinki/Finland was the
only airport that had reported this problem.

* Day three the Finnish reply was that the planes Aeroflot was using on the
Helsinki run were old and Russian (undertone - rubbish), whereas Aeroflot used
better planes in the rest of Western Europe.

Somewhere in the midst of this we had statements from the Finnish side that
passengers were not at risk.  Oh yes?

Given the Finnish/Russian history, we're not likely to have this thing
cleared up any day soon.

I tend to **wildly guess** that as the only thing that has changed is the
(French) radar system (we've had old rubbishy Russian planes on this route
for years), someone should be looking at that a bit more closely.  Maybe it
assumes newer planes than those Aeroflot use.

Anyway, the Risk: Should I choose my Finnair charter flight on the basis of
whether a Russian plane is due to land or take off at roughly the same time,
and how do I cater for the inevitable delayed flights on either side?

Mike Walsh, Helsinki <mnw@bigfoot.com>

  [I suppose if there had been an Irish controller in the tower,
  the blame would have fallen on a Mickey Finn.  PGN]


UK Trials of GPS controlled car speeds

<"Steve Loughran" <slo2@iseran.com>>
Fri, 19 Jan 2001 20:33:33 -0800

From the Guardian, Saturday Jan 20, an update on the proposal for GPS speed
control of vehicles, where the car determines its maximum speed from an in
vehicle database of speeds of roads.
http://www.guardianunlimited.co.uk/uk_news/story/0,3604,425344,00.html

  The government has commissioned a trial of speed limiters in cars, which
  could lead to computer-controlled overrides as a standard fitting within
  five years.  Twenty trial vehicles will be fitted with a system which has
  won praise on a prototype Ford Escort driven over thousands of rigidly
  monitored miles in the past three years.

  The tests, which prevented the car from topping 30mph, 40mph and other
  limits, were "highly reliable" according to the Institute of Transport
  Studies at Leeds University, which has won funding for the expanded trials
  from the Department of Transport, Environment and the Regions.

  "We've had two dozen people driving along a 40 mile route, including the
  A1M motorway," said Oliver Carsten, head of the project, which has also been
  demonstrated on the north circular road in London.

  The system uses a computerised navigator linked to the car's electronic
  controls and a positioning satellite. Areas with speed restrictions are
  fed into the system to trigger action as soon as a limit is breached.

Just think how much fun you'll be able to have by a UK motorway in five
years' time from jamming the GPS signals. Or how much a 'chipped' database or
speed limiter will be worth. A more rigorous trial would be to place the
speed limited vehicles in the hands of well known violators of the speed
laws to see how much effort it takes to disable -- the UK home secretary
himself, for example.

Steve Loughran

  [Home, Secretary, and don't spare the tires.  PGN]


Theft of vehicle leads to robbery at home

<"D. Joseph Creighton" <djc@cc.UManitoba.CA>>
Thu, 11 Jan 2001 11:03:09 -0600

A laptop computer with sensitive files on high-level drug investigations
was stolen from an RCMP officer's house on New Year's Eve.  Apparently,
the officer's van was first stolen while he was attending a hockey game.
The thieves discovered his address from the vehicle registration and drove
to his home where they made off with thousands of dollars in personal
property and the computer.  [Source: *Winnipeg Free Press*, 11 Jan 2001]

The risks in keeping such sensitive information at home, presumably not
protected with any sort of encryption, are obvious.  But I never realized
that home address information on registration papers was a risk until now.

D. Joseph Creighton [ESTP] | Programmer Analyst, Database Technologies, IST
Joe_Creighton@UManitoba.CA | University of Manitoba  Winnipeg, MB, Canada,


Bank robber nabbed by GPS

<"Roger H. Goun" <roger@bcah.com>>
Wed, 17 Jan 2001 20:34:49 -0500

Together with his loot, a Vancouver bank robber jumped into a taxi that was
equipped with satellite tracking technology.  At the request of the police,
the taxi company was able to track the cab by GPS, and the police
apprehended the robber a few blocks away.  [PGN-ed from a
Reuters item <http://news.excite.com/news/r/010116/10/odd-taxi-dc>]

Roger H. Goun, Senior Staff Kennel Boy, Brentwood Country Animal Hospital, P.C.
Exeter, New Hampshire, USA


B of A Visa Y2K glitch?

<Ethan McKinney <e.mckinney@attglobal.net>>
Thu, 18 Jan 2001 11:32:26 -0800

I had a Visa card through Bank of America which I canceled last January
(2000). Imagine my surprise when a bill arrived in the mail yesterday!
Fortunately, it was for $0.00, but I was concerned that B of A might have
somehow reactivated my account. When I called their customer service number,
the rep was not at all surprised by my situation. "It's a computer
error. Just ignore it," she said.

Sadly, I don't have any firm proof, but I suspect this was a slow-acting
Y2K glitch. If they're still using two-digit years, they might have set
up the system to read "00" as "100." Noting that it's the year 01 and my
card isn't going to be cancelled until 100, the computer decided to send
me a bill.

Ethan McKinney, 1750 E. Appleton St. #4, Long Beach, CA  90802


Risks of shortcuts in user interfaces

<Austin Donnelly <Austin.Donnelly@cl.cam.ac.uk>>
Sat, 20 Jan 2001 13:21:11 +0000

You know how bank ATMs have those little buttons down the side of the screen
to select from an on-screen menu?  Mostly, they're useful: they allow only
the valid options to be presented to the user, and keep the number of
different buttons required down to a minimum.  But ATMs also have a variety
of other buttons on the keypad (usually including "OK" and "Cancel") and
this split screen/keypad user interface can lead to problems.

For example, today I met a young lady who was quite distressed because she
thought the ATM had "eaten" her card.  The problem was that the on-screen
menu was laid out as follows:

Push here for other services --> [::]
    Press Cancel if finished     [::]

The poor lady was pushing the bottom (non-active) screen button, rather than
reading the instructions to press a separate key.  The screen layout here is
not terribly helpful, since it suggests that the bottom button might do
something.

But the real risk is that if you provide shortcuts to perform common tasks,
then users won't learn how to do things that aren't available from a
shortcut.

Austin


Cross-site scripting still a threat

<Michael Sims <jellicle@inch.com>>
Tue, 23 Jan 2001 14:51:14 -0500

News.com (CNET) unveiled today a fresh new look to their site.  The two
major innovations appear to be:

a) huge, garish advertisements
b) cross-site scripting vulnerabilities

The new site accepts URL variables - user input - for page titles and
headlines in the pages. This allows users with a moderate degree of savvy to
"write your own CNET headlines", or write your own javascript to be executed
from CNET's pages.

You can publicize URLs like this:

http://news.cnet.com/news/topic/0-1003-249-0.html?title=CNET%20Editors%20Agree:%20Slashdot%20is%20a%20better%20news%20site%20than%20News.com&topic=slashdot

or this:

http://news.cnet.com/news/topic/0-1003-249-0.html?title=Breaking%20News:%20Bill%20Gates%20Commits%20Suicide%20at%20Age%2042%20-%20Survived%20by%20three%20ugly%20children%20and%20wife<script>javascript:alert('Javascript%20is%20executed%20-Your%20Site%20is%20Vulnerable')</script>&topic=Microsoft

Javascript executed on the site can grab a user's cookie information or
perform other nefarious tricks; since CNET has a substantial e-commerce
section (auctions, shopping, jobs, etc.) this seems rather dangerous. But
for a news site, "write your own headlines" could be even more damaging.

This problem was widely publicized in the spring and summer of last year
(and frankly, should have been well known to Web developers long before
that).  In fact, CNET has several stories about the issue in their archives.
It is apparent, however, that if web developers don't learn from others'
mistakes, they are doomed to repeat them.

CNET was notified six hours before this e-mail was sent to RISKS; they have
not replied at this time or taken any corrective action.

Michael Sims - slashdot.org editor - michael @ slashdot.org
               Your Rights Online  - http://slashdot.org/yro
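The sink Michael Sims describes, as an added example that is not part of his post or of CNET's code: a page that splices the `title` query parameter into its HTML, beside the same page with output encoding. The rendering functions and the `escapeHtml` helper are assumptions of the example; the payload URL is the second one quoted above, shortened to the part that matters.

```javascript
// Added example, not CNET's code: a reflected-XSS sink of the kind described
// above, beside an output-encoded version. Assumption: the page builds its
// <title> and its headline from the `title` query parameter.

// The second URL quoted in the post, shortened to the payload that matters.
const PAYLOAD_URL =
  'http://news.cnet.com/news/topic/0-1003-249-0.html' +
  '?title=Breaking%20News<script>javascript:alert(\'Javascript%20is%20executed\')</script>' +
  '&topic=Microsoft';

// What the server sees: the URL parser percent-decodes the parameter, so
// "<script>" and the quotes arrive as literal characters.
function titleParam(pageUrl) {
  return new URL(pageUrl).searchParams.get('title') || 'News.com';
}

// Vulnerable: user input concatenated straight into the document. The copy
// inside <title> is RCDATA and does not run script on its own, but the copy
// in the <h1> is parsed as markup, so the injected <script> executes.
function renderVulnerable(pageUrl) {
  const title = titleParam(pageUrl);
  return `<html><head><title>${title}</title></head>` +
         `<body><h1>${title}</h1></body></html>`;
}

// Hardened: encode the five characters that can change HTML parsing context,
// at the point where the value is written into HTML text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(pageUrl) {
  const title = escapeHtml(titleParam(pageUrl));
  return `<html><head><title>${title}</title></head>` +
         `<body><h1>${title}</h1></body></html>`;
}

// Crude check used below: does the output contain an unescaped <script start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable page reflects <script>:', containsScriptTag(renderVulnerable(PAYLOAD_URL)));
console.log('hardened page reflects <script>:  ', containsScriptTag(renderHardened(PAYLOAD_URL)));
```

Note that percent-encoding in the URL is no defence: the server decodes it before the value reaches the template, which is why the encoding has to happen on output, for the context the value is written into.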


HotMail blocking users from e-mailing Peacefire

<Bennett Haselton <bennett@peacefire.org>>
18 Jan 2001 21:41:22 -0500

  [sent to journalists on Peacefire's press contacts list;
  RISKS saw it in a forwarding of a message from Monty Solomon]

We recently discovered that for the last five months, HotMail has been
blocking their users from sending e-mail to peacefire.org addresses.  If you
tried to send mail to a peacefire.org address from HotMail, you'd get a fake
error message a day later saying that there was a problem on the recipient's
end -- when it was really HotMail blocking the message from being delivered.

HotMail is part of the same boycott that AboveNet was part of, when AboveNet
was blocking their downstream users from accessing our Web site.  After our
ISP owner complained, HotMail stopped blocking their users from e-mailing us
and other Media3 customers.

HotMail is still, however, blocking their users from e-mailing other sites
on their "boycott list".  I've talked to several of our members who are
using HotMail, and most of them are furious that HotMail would be censoring
their outgoing mail without telling them.

Again, the irony is that HotMail didn't single us out for anything, we just
happened to be in the same IP address block as other sites that were the
original target of the boycott (e.g. ListSorcerer.com).  When our ISP,
Media3, didn't kick them off, the boycott organizers expanded the "boycott
list" to include hundreds of unrelated sites also hosted by Media3.

Several HotMail members that I talked to have said they would be willing
to talk to the press about HotMail blocking their outgoing mail.  Many of
them said they never would have signed up with HotMail if they knew their
mail would be blocked, and some have even said that they're going to
switch to another mail service.  (Especially since HotMail is *still*
blocking outgoing mail -- it was just our IP address block that they
exempted from the list.)

	-Bennett

bennett@peacefire.org     http://www.peacefire.org
(425) 649 9024

  [Incidentally, for the mailing of RISKS-21.21, bigfoot.com blocked
  the mailing to every subscriber there, because of the number of
  subscribers exceeding some spam limit.  Too bad.  Perhaps they won't
  get this message either, letting them know what happened, although we
  are trying a different mail configuration for this issue!  PGN]


Network vandal attacks Microsoft sites

<"NewsScan" <newsscan@newsscan.com>>
Fri, 26 Jan 2001 08:21:59 -0700

Just a day after Microsoft's Web sites were down for an extended period of
time because of the "human error" of a technician, they were victimized by
the "human malice" of a network vandal who subjected them to a "denial of
service" attack that flooded them with bogus communications, causing them to
gridlock and reject legitimate communications from their customers. The
company has called in the FBI for assistance. Computer security expert Abe
Singer of the San Diego Supercomputer Center said that part of Microsoft's
vulnerability to attack was due to the fact that its four domain-name
servers are linked in a single network. "They had all their eggs in one
basket and basically someone knocked down the basket." (*The Washington
Post*, 26 Jan 2001; NewsScan Daily, 26 Jan 2001
http://washingtonpost.com/wp-dyn/articles/A47581-2001Jan25.html)
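The condition Abe Singer describes, as an added check that is not part of the NewsScan item: given a zone's authoritative name servers and their addresses, test whether they all sit in one network. The server names and addresses are constructed, and the /24 prefix is a stand-in for "the same network"; a real audit would also compare ASNs and hosting sites, since four servers in different /24s of one data centre are still one basket.

```javascript
// Added example, not from the article: flag a zone whose name servers all
// fall into the same network. Constructed data; /24 is an assumed proxy for
// "same network" and a real audit would also compare ASNs and sites.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Network prefix of `ip` as an unsigned 32-bit integer, e.g. bits=24 -> a.b.c.0
function prefix(ip, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) >>> 0;
}

// nameservers: [{ name, addrs: [ipv4, ...] }]
// singleBasket is true when fewer than `minDistinct` distinct prefixes are
// seen across every address of every server.
function assessNsDiversity(nameservers, bits = 24, minDistinct = 2) {
  const nets = new Set();
  for (const ns of nameservers) {
    for (const ip of ns.addrs) nets.add(prefix(ip, bits));
  }
  return {
    servers: nameservers.length,
    distinctNetworks: nets.size,
    singleBasket: nets.size < minDistinct,
  };
}

// Constructed: four servers, one network (the shape the article describes).
const CONSTRUCTED_SINGLE_BASKET = [
  { name: 'dns1.example.test', addrs: ['192.0.2.10'] },
  { name: 'dns2.example.test', addrs: ['192.0.2.11'] },
  { name: 'dns3.example.test', addrs: ['192.0.2.12'] },
  { name: 'dns4.example.test', addrs: ['192.0.2.13'] },
];

// Constructed: three servers spread over three networks.
const CONSTRUCTED_DIVERSE = [
  { name: 'dns1.example.test', addrs: ['192.0.2.10'] },
  { name: 'dns2.example.test', addrs: ['198.51.100.20'] },
  { name: 'dns3.example.test', addrs: ['203.0.113.30'] },
];

console.log('single basket:', assessNsDiversity(CONSTRUCTED_SINGLE_BASKET));
console.log('diverse      :', assessNsDiversity(CONSTRUCTED_DIVERSE));
```

The count of name servers on its own says nothing; four NS records that resolve into one routed prefix fail together when that prefix is flooded or misconfigured, which is the point of the "eggs in one basket" remark.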


Hacker indicted for network vandalism

<"NewsScan" <newsscan@newsscan.com>>
Fri, 26 Jan 2001 08:21:59 -0700

Twenty-one-year-old Jerome Heckenkamp has been indicted by federal
prosecutors for allegedly hacking into computers at eBay, Exodus, Juniper,
eTrade, Lycos, and Cygnus and causing a total of more than $900,000 in
damage, in events that took place in 1999 while he was a student at the
University of Wisconsin.  He has pleaded innocent of all charges and says
the break-ins were done by someone else using his computer. (AP/*San Jose
Mercury News*, 25 Jan 2001; NewsScan Daily, 26 Jan 2001
http://www.mercurycenter.com/svtech/news/breaking/ap/docs/786396l.htm)


Sex-offender Web sites are insecure

<Monty Solomon <monty@roscom.com>>
Fri, 12 Jan 2001 23:08:58 -0500

Nine state online sex-offender registries have had inadequate computer
security and easily could have been hacked, an MSNBC.com investigation has
found.  And in two states, more general criminal records databases also were
found to be insecure.  The flaws put Web site data at risk and raised the
possibility that a computer intruder could add or remove people from the
online versions of the databases.

http://www.msnbc.com/news/514284.asp


Remote disabling of satellite TV receiver smart cards

<"Jeremy Epstein" <jepstein@webmethods.com>>
Fri, 26 Jan 2001 14:01:03 -0500

DirecTV has the capability to remotely reprogram the smart cards used to
access their service, and also to reprogram the set-top box.  To make a long
story short, they were able to trick hackers into accepting updates to the
smart cards a few bytes at a time.  Once a complete update was installed on
the smart cards, they sent out a command that caused all counterfeit cards
to go into an infinite loop, thus rendering them useless.

A commercial use of information warfare?  Very interesting article at
http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D143
(sorry for the long URL).

Jeremy

  [Reminder: As usual, no guarantee as to the future validity of URLs.  PGN]


Shoppers seize unauthorized discounts at Macys.com

<Monty Solomon <monty@roscom.com>>
Tue, 23 Jan 2001 00:13:26 -0500

Macys.com was victimized by its own 50% discount coupon code that was
inadvertently posted at FatWallet.com.  The extent of the resulting spending
spree was not divulged.  "Although mistakes of this kind do happen in the
offline world, the speed at which e-commerce moves can make a small glitch
turn into a thousand-dollar error."  (Note earlier problems involving
staples.com and amazon.com.)  [Source: Greg Sandoval, CNET News.com, 22 Jan
2001 URL: http://news.cnet.com/news/0-1007-200-4564219.html; PGN-ed]


Mitch James: Re: Palm Pilot Security

<Dave Stringer-Calvert <dave_sc@csl.sri.com>>
Thu, 25 Jan 2001 16:12:30 -0800

PDAs considered insecure...  now there's a surprise.

Date:         Thu, 25 Jan 2001 15:37:10 -0800
From: Mitch James <mitchj@AVANADE.COM>
Subject:      Re: Palm Pilot Security
To: PEN-TEST@SECURITYFOCUS.COM

The headline is "@stake, a US-based security consultant, has written a piece
of software code that can zap passwords off targeted Palm Pilots through
taking advantage of the PDA's hotsync function. Hotsync is used to transfer
data between the user's PC and a Palm Pilot."

The link to the article is here

http://www.vnunet.com/News/1116644

Mitch James


Clone phones with help from AT&T

<Nikita Borisov <nikitab@espresso.CS.Berkeley.EDU>>
Mon, 15 Jan 2001 17:51:19 -0800

I have cell service with AT&T Wireless Services in the Bay Area, and I
recently purchased a new phone from them.  Along with the phone, I received
a 1-800 number to activate my new phone.  When I called it, I reached an
automated service, which asked me for:

  1. My phone number
  2. My 5-digit zip code
  3. The ESN (equipment serial number) of my new phone.

After this, the friendly recording informed me that my account information
had been updated, and the new phone should be active in half an hour.  It
then offered me the chance to change the ESN for any other phones.  Not
being in the cloning business, I declined.  My new phone started working,
just as they promised.

The RISKS? Given the small number of possible zip codes in, say, the 415
area code, it shouldn't take long trying zip codes and phone numbers
within the AT&TWS exchanges at random before you get one right.  Or
surprise your friends or business partners by taking over their cell
phone service and answering their incoming phone calls!

- Nikita

  [Note added later in response to a comment from PGN:]

I actually received some further information from AT&T.  In response to my
concerns, they stated:

1) They have detection software that looks for sudden geographic
   migration (their example was a shift from Berkeley to Sunnyvale within a
   span of 10 minutes).
2) They promise that I won't be billed for an illegally changed ESN.
3) The incidence of such fraud is small enough for them not to take
   additional precautions.

I'm still a little worried about the possibility of a directed attack, i.e.,
someone who knows me stealing my cell phone # to find out who calls me.  But
there are probably other ways to do this, if you're resourceful enough...

- Nikita


Re: Chinook (Phil, RISKS-21.19)

<Lloyd Wood <l.wood@eim.surrey.ac.uk>>
Tue, 16 Jan 2001 15:55:04 +0000 (GMT)

> ... putting all your eggs in one basket - flying such a concentration of
> critical expertise in a single aircraft was reckless

The UK electrical engineering establishment (that is, regular Institution of
Electrical Engineer magazine articles, local talks, and sundry university
lecturers in their dotage) will tell you in detail about the tragic life of
Alan Dower Blumlein, an electronics wizard, audio engineer par excellence,
and all-round Good Egg, who sadly died with most of his
almost-as-talented-yet-seemingly-nameless colleagues when a research plane
jolly they were all taking together over England for a bit of a lark came
something of a cropper during The Big One (World War II).

Oh, the loss to electrical engineering! Oh, the loss to the war effort! Oh,
the many retrospective articles on Blumlein's short and tragic life! Oh, the
generations of bored undergraduates! Oh, what might have been!

Half a century on, nothing has changed.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>


Re: Chinook (Beims, RISKS-21.20)

<"Ken Garlington" <kennieg@flash.net>>
Mon, 15 Jan 2001 08:31:31 -0600

Mike Beims suggests that "Data for whether or not there was a FADEC failure
should have been available in the non-volatile memory built into the FADEC."
This assumes that the FADEC memory survived the crash essentially
intact. From my experience, NVMs in flight systems of this type are not
crash-rated to the extent of a "real" crash recorder, and can fail in a
crash.


Expanding on an urban legend, re: QP -> UL? (Brader, RISKS-21.21)

<danny burstein <dannyb@panix.com>>
Thu, 25 Jan 2001 20:31:04 -0500 (EST)

(Note that I've replaced all entries that had a USA dollar sign with the
word "usads".  The reason will be obvious in a bit.)

[discussion of how the legend of 2,400 dollar phone calls came about]
> If you ever see a spam claiming (usads) 242,425/minute, just remember
> you saw it  here first."

Note that last line, with the "242,425/minute" comment. The original
postings in comp.dcom.telecom, as well as the repost in comp.risks, used
the graphical representation of a USA dollar sign.

Which, naturally, would get misread by some software so as to prepend yet
another "24" to the figure.


Re: "Security holes protect your equipment from theft"

<"Daniel P. B. Smith" <dpbsmith@world.std.com>>
Thu, 25 Jan 2001 18:46:05 -0500

RISKS of technical terms with multiple meanings...

Asante, http://www.asante.com/product/index.html, says proudly that their
routers feature "security holes."  This is their term for physical holes in
the housing of their device, which facilitate the attachment of a steel
cable so that the device can be physically secured against theft.

Daniel P. B. Smith <dpbsmith@world.std.com>
"Lifetime forwarding" address: dpbsmith@alum.mit.edu


Re: Risks of mail auto-reply (RISKS-21.16)

<Jerrold Leichter <jerrold.leichter@smarts.com>>
Sun, 21 Jan 2001 15:38:18 -0500 (EST)

In RISKS-21.16, Dan Birchall writes about the exposure of possibly-sensitive
data - where someone works, when they'll be away, who else works with them -
in e-mail automatic responses.

The more things change, the more they stay the same.  Seven or eight years
ago, when some variant of the old "vacation" program - which implemented
such messages on Unix systems - became widely used, there were a bunch of
flames on the old Unix-Haters mailing list about the deluge of junk
"vacation" messages sent to mailing lists.  I humorously suggested at the time
that the appropriate way to get across the message that this wasn't the kind
of thing everyone in the world wanted to - much less *should* - see would be
to create a new Usenet group, alt.houses.nobody-home, to which such messages
could be gatewayed.  For even greater effect, any readily available
information (from phone books and such) could be added.

These days, of course, the Internet is *much* larger, and it's *much* easier
to go from a name to an address and from an address to such information as
how likely there are to be valuables in homes in the area.

It continues to astound me that people blindly let thousands of absolute
strangers know not only that they will be away, but often for exactly how
long - and often even where they will be.  These same people probably are
careful to have their mail picked up, their newspaper deliveries stopped,
and lights on timers going off and on around their houses, all so that they
don't look empty!

Jerry


Hotmail declines to accept new users with reserved words in last names

<"Robert Rossa" <rossa@csm.astate.edu>>
Thu, 25 Jan 2001 14:12:28 -0600

For example, if your name is Billingsley, you get an error message when you
try to sign up.  The objectionable word seems to be "Billing".  Removing one
'l' lets you sign up.
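The false positive Robert Rossa reports is the classic substring-blocklist failure, illustrated here as an added example that is not Hotmail's code: the naive check that rejects any surname containing a reserved word, a whole-word check that no longer trips on "Billingsley", and the exact-match check on the login name, which is the field a reserved word like "billing" is meant to protect. The reserved-word list is a constructed stand-in for whatever Hotmail actually used.

```javascript
// Added example, not Hotmail's code: three ways to apply a reserved-word list
// to sign-up data. The list itself is constructed for the example.

const RESERVED = ['billing', 'admin', 'support', 'postmaster'];

// Naive: a surname that merely contains a reserved word is rejected.
// "Billingsley" matches "billing"; dropping one 'l' ("Bilingsley") does not.
function reservedSubstring(surname) {
  const lower = surname.toLowerCase();
  return RESERVED.find((w) => lower.includes(w)) || null;
}

// Whole-word: the reserved word must not be embedded in other letters or
// digits. "Billingsley" passes, but the real surname "Billing" still fails.
// (RESERVED holds plain words, so no regex escaping is needed here.)
function reservedWholeWord(surname) {
  const lower = surname.toLowerCase();
  return RESERVED.find((w) => new RegExp(`(^|[^a-z0-9])${w}([^a-z0-9]|$)`).test(lower)) || null;
}

// Scoped: reserved words exist to keep mailbox names such as billing@ out of
// user hands, so compare the requested login name exactly and leave the
// surname field alone.
function reservedLoginName(loginName) {
  const lower = loginName.toLowerCase();
  return RESERVED.includes(lower) ? lower : null;
}

for (const name of ['Billingsley', 'Bilingsley', 'Billing']) {
  console.log(name, '-> substring:', reservedSubstring(name), ' whole word:', reservedWholeWord(name));
}
console.log('login "billing" ->', reservedLoginName('billing'));
```

Tightening the match reduces false positives, but the durable fix is to apply the list to the field it protects and compare exactly; a blocklist run over free-text fields will keep finding "billing" in "Billingsley" and "admin" in "Badminton".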


ACM1 Message for RISKS Subscribers

<Lillian Israel <israel@hq.acm.org>>
Fri, 26 Jan 2001 09:54:39 -0500

ACM examines the future of information technology (IT) and the
potential impact of IT on science and society at "ACM1: Beyond
Cyberspace," a special Conference (March 12-14, 2001) and
Exposition (March 10-13), held at the San Jose Convention
Center. Register at: http://www.acm.org/acm1.

Speakers include: Steve Ballmer (Microsoft), David Baltimore
(California Institute of Technology); Rodney A. Brooks (MIT AI Lab);
Bill Buxton (Alias/Wavefront); Vint Cerf (WorldCom); Rita Colwell
(NSF); Sylvia Earle (National Geographic Society); Shirley Ann
Jackson (RPI); Dean Kamen (DEKA and FIRST); Alan Kay (Disney
Imagineering); Ray Kurzweil (Kurzweil Technologies, Inc.); Marcia
McNutt (Monterey Bay Aquarium Research Inst.); Martin Schuurmans
(Philips Center for Industrial Technology); and Neil de Grasse Tyson
(Hayden Planetarium), with Bob Metcalfe as Master of Ceremonies.

The FREE "hands-on" Exposition, a "field day for the mind," geared
for families and kids, will showcase the latest R&D software & hardware
from 70+ companies, universities, and research/educational institutions.
ACM1 also features a FREE Educators Day (March 10th) that will
address broad educational initiatives and provide educators with proven
strategies for engaging girls and minorities in technology-based education.
For ACM1 educational offerings: http://www.acm.org/acm1/educators.
