The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 24

Thursday 15 February 2001

Contents

Calligraphy, computers, and Chinese culture
NewsScan
Lost pet fees cost Toronto $700,000
Perry Bowker
Network Solutions Sells Out -- Domain Info For Sale to Marketers
Lauren Weinstein
Hacker defends his vandalism, blames the victims
NewsScan
AnnaKournikova worm
rcooper
It's the wolf! It's the wolf!
David G. Bell
Osprey crash involved "software fault"
Peter B. Ladkin
Privacy on New Zealand golf Web site
Gavin Treadgold
Risks of outsourcing: you can bank on it!
Cris Pedregal Martin
Microsoft Hotfix undoes previous good
Graham Bell
SiteGuest.com: Unauthorized e-mail address capture whilst browsing
Stewart C. Russell
The very friendly skies of United?
Steve Bellovin
Risks inside my Jan 2001 American Express bill
Thomas Maufer
Domain name mismatch family feud
James Ryan
RISKS of anticipating computer problems
Eric Nickell
Satellite strike blows away DirectTV pirates
Serguei Patchkovskii
Info on RISKS (comp.risks)

Calligraphy, computers, and Chinese culture

<"NewsScan" <newsscan@newsscan.com>>
Thu, 01 Feb 2001 09:42:58 -0700

A current debate among Chinese speakers revolves around anecdotal evidence
that computer word processing is eroding the ability of people to write
traditional characters by hand -- and thus constituting an attack on Chinese
culture.  But the same debate occurred a century ago, when the pen began
replacing the calligraphy brush, which is now used by a tiny segment of the
population and treated as an instrument of artistic expression rather than
normal communication.  Professor Ping Xu of Baruch College predicts that the
computer will replace the pen, just as the pen replaced the brush: "Why
would you still spend so much time on handwriting Chinese characters when
you are eventually going to use computers?  In spite of the opposition
against the pen, why did the pen prevail?  Because the pen is much easier to
use and much easier to carry around.  If the computer can provide an easier
way of learning Chinese characters and all the Chinese language skills,
eventually it will prevail."  (*The New York Times*, 1 Feb 2001
http://partners.nytimes.com/2001/02/01/technology/01LOST.html;
NewsScan Daily, 1 February 2001)


Lost pet fees cost Toronto $700,000

<Perry Bowker <pbowker@attglobal.net>>
Thu, 15 Feb 2001 14:15:44 -0500

  ... the city lost out on nearly $700,000 in pet fees last year because
  nearly half of Toronto's dog and cat owners were never billed. The staffer
  who knew how to run the computerized billing system was laid off. [...]
  only one city employee ever understood the system well enough to debug it
  when problems arose. That person was lost last year [due to downsizing]
  leaving no one to get things going again when the system ran into trouble
  and collapsed.  [Source: *Toronto Globe and Mail*, 15 Feb 2001]

The risks here are obvious, but the Y2K experience has shown that many
organizations are still lucky to have even one person who understands some
of their systems. There were lots of war stories about places where
applications were run religiously because no one knew what they did, or why,
or how - except they seemed to produce something or feed into something else
- much less assess and correct any Y2K risk.

Perry Bowker


Network Solutions Sells Out -- Domain Info For Sale to Marketers

<Lauren Weinstein <privacy@vortex.com>>
Wed, 14 Feb 2001 19:59:31 -0800 (PST)

See PRIVACY Forum Digest V10 #03 for the entire item:
  http://www.vortex.com/privacy/priv.10.03


Hacker defends his vandalism, blames the victims

<"NewsScan" <newsscan@newsscan.com>>
Wed, 14 Feb 2001 08:53:55 -0700

Defending his vandalism as an attempt to do good, a 20-year-old Dutch
student arrested for creating the so-called Anna Kournikova computer virus
that jammed Internet traffic throughout the world justified his action by
saying he "never wanted to harm the people" whose computers he infected. He
claims he intended only to issue them a warning to tighten their Internet
security, and insisted that "after all it's their own fault they got
infected." (AP/*The New York Times*, 14 Feb 2001; NewsScan Daily, 14 Feb 2001
http://partners.nytimes.com/aponline/technology/AP-Tennis-Virus.html;
as usual, copyright material, reprinted in RISKS with permission)


AnnaKournikova worm

<rcooper <rcooper@jamesconeyisland.com>>
Wed, 14 Feb 2001 09:34:20 -0600

  (from Esa-l, via Mark Luntzel)

Well, we have survived the AnnaKournilova worm, but unfortunately this worm
is directly responsible for our fax machine blowing up.  Apparently numerous
employees at our company is in our Attorney's address book.  Apparently the
law firm got hit pretty hard.  Funny thing is, instead it being emailed to
the recepients they were faxed.  Got a pile of about 250 pages where the
worm itself was faxed to numerous people at our office.  The fax machine
just couldn't handle it and blew up.  Being we thought this was quite funny,
I wanted to share it with the list.  John, we need a sanitizer for fax
machines now :-)


It's the wolf! It's the wolf!

<dbell@zhochaka.demon.co.uk ("David G. Bell")>
Wed, 31 Jan 2001 21:23:14 +0000 (GMT)

It is now commonplace for commercial sites to operate through several
different versions of the same name, often by the use of different TLDs.  In
some cases, this may be cause of the distinct function of certain parts of
their system, as with the recommended use of the .net TLD.  In other cases,
it is an attempt to make it easy for customers, and harder for competitors.

After rather more than half a year of Real Soon Now promises, a new
agricultural web site has opened for business, under the name of
Globalfarmers.  And they have as their main domain globalfarmers.com while
also running globalfarmers.co.uk, as they are based in Scotland.

Naturally, they have a system of registration and logins and SSL.  However,
if you connect by the www.globalfarmers.co.uk address, the Verisign
certificate presented in the establishment of the secure connection is for
www.globalfarmers.com, which triggers a spate of warning messages.

Combine that with the 40-bit encryption, and I'm just paranoid enough to
give up on trying to register.

I know of other sites with multiple names, and secure connections, and this
is the first time I've ever seen the wrong certificate presented.
Globalfarmers seem to have made some mistakes, but I'm also wondering just
what it all means.  The error messages are rather uninformative.  There
seems to be an assumption that I already know about how these security
systems work.  Meanwhile, the naive user is always being told to check the
padlock symbol displayed by the browser, and not how to respond to such
error messages.

There's a whole slew of risks here, including the problem of false positives
(aka crying wolf), and what such things do to the reputation of a dot-com.

David G. Bell -- Farmer, SF Fan, Filker, and Punslinger.


Osprey crash involved "software fault"

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Fri, 02 Feb 2001 21:27:21 +0100

The investigation into the V-22 Osprey tilt-rotor crash on 11 Dec 2000 on
approach to New River, North Carolina, about 7 miles away from the airfield,
is almost completed. Lt. Gen. Fred McCorkle, who oversees Marine aviation,
said the causes were a combination of hydraulics and software failure.

The V-22 has two engines, one at each end of its wing, turning large
propellors that are much larger than normal propellors but much smaller than
helicopter rotors. It has a helicopter mode for landing and takeoff, in
which the engine nacelles are vertical and the rotors operate in "helicopter
mode", and for cruise flight, the nacelles rotate horizontally so that the
rotors operate as giant propellors.

The aircraft has recently completed its operational evaluation. During the
evaluation, one aircraft crashed in Arizona on approach to landing, killing
19 marines. This was put down to "vortex ring state" or "power settling" of
one of the two rotors, a condition in which a descending helicopter rotor
encounters its own downwash and is unable to produce required lift. This
happened with just one of the two rotors of the aircraft, which flipped
inverted since the other rotor was still producing adequate lift, and there
was no altitude available to recover.

The opeval was not question-free, and some irregularities in maintenance
records have recently come to light and are being investigated. The latest
crash is believed to be unconnected to any maintenance irregularities.

Helicopters have two means of controlling the pitch of the rotor blades,
that govern the movement of the aircraft, called collective and cyclic
pitch. They also have a power control, and these three together form the
flight control system of a helicopter. Collective and cyclic pitch controls
on the Osprey are hydraulic, as on most helicopters, as is the system
controlling the angle of the engine nacelles (and thus transition between
forward and "helicopter" flight positions). The No. 1 hydraulic system
failed on the Osprey at the moment the pilot started converting from
forward-flight to helicopter mode. The nacelles had covered 10% of their
travel, and the pilot immediately commanded the rotors back to forward
mode. The aircraft crashed anyhow.

Here is how Aviation Week's Robert Wall described what then happened
(Aviation Week, "V-22 Support Fades Amind Accidents, Accusations, Probes",
pp28-9, Aviation Week and Space Technology, January 29, 2001).  "The V-22 is
equipped with a triple-redundant hydraulic system and a mechanism that is
supposed to be able to compensate for hydraulics problems in on line within
0.3 sec. Hydraulic levels are monitored by the flight control computers that
monitor system pressure, reservoir fluid levels and changes in those
levels. If an anomaly is detected, a combination of local switching
isolation valve [sic] and remote switching valve are supposed to reroute
hydraulics fluid from other systems, in this case the second and third, to
compensate for the loss in the primary system. But that emergency system
failed because of a software problem [...]" Apparently, the Marines are not
yet giving out details of the software problem.

It is worth noting that the V-22 hydraulics was designed to operate at 5,000
psi instead of the "normal" 2,000-3,000 psi, because it allowed use of
smaller and lighter components. But it was the single largest failure item
during 804.5 hours of operational testing.

It is important to note, as the Marines have pointed out, that the
reliability of the hydraulics systems themselves have nothing fundamental to
do with the tiltrotor technology, but were simply a design choice. It is
important also to note that the "software problem" occurred in the operation
of a failure-mitigation mechanism, which is only activated during failure of
a primary aircraft system.  The original failure appears to have been purely
mechanical.  But it is well-known that it is difficult to assure the
reliable functioning of systems that are activated only during rare
failures.

Another report appears in Flight International, 20 January-5 February,
2001, p24, "USMC fights for Osprey's future", by Paul Lewis.

Peter Ladkin

  [Also noted by Mike Beims, who added that the risks of an incompletely
  tested backup system are a recurring theme in this forum.  PGN]
     [A subsequent article by James Dao appeared in *The New York Times*,
     13 Feb 2001, and quotes the Marine Corps on the forthcoming report.  PGN]


Privacy on New Zealand golf Web site

<"Gavin Treadgold" <gav@rediguana.co.nz>>
Wed, 31 Jan 2001 14:47:30 +1300

Recently the New Zealand Golf Association moved over to a newer and some
would say fairer handicapping system. One feature of this system is the
handicapping web site ( http://www.golf.co.nz ). This site is currently down
for maintainence.

On this site, golf club handicappers can enter golf scores for members,
which are then consolidated into a national database. On this site you can
log in and review your most recent rounds (date and location are given). You
can also search for any other golfer in New Zealand and view their history.

Cards are generally visible on the site within 2-3 days of the card being
handed in.

This site has a lot of benefits for golfers in New Zealand.

1. Being able to monitor people you play with to ensure they are handing
good cards in and are not 'farming' their handicaps.

2. Ensuring that out of town visitors to tournaments supply their correct
handicaps.

3. Providing club, regional, and national rankings of golfers.

There are however a few recently discovered risks - hence the site being
taken down and redeveloped.

1. Every user's login id consists of a three-digit club code, ie mine is 371
- Russley Golf Club, and a four-digit club member id. This gives every
registered golfer in New Zealand a unique seven digit identifying id. There
was initally no password to login, hence someone could guess seven digit
numbers, or collect them as the member numbers are printed out on the
handicapping lists at the golf clubs. You are able to record your email
address, and create a list of friends. This information could have been
farmed by a spider/crawler. FIX? Use more than just a unique identifer that
is easily guessed.

2. A golfer's record displays recent rounds and their home course. The link
can then be made between someone being on holiday and handing in out-of-town
cards. Joe Smith lives in the South Island, but has been handing in cards in
the North Island for a few days now. Hmm, I'll use the Telecom White Pages
( http://www.whitepages.co.nz ) to find his address and phone number... say
no more. FIX? Delay the display of any out-of-region cards for x days.

3. And another goody related to the second point. Employers and employees
can keep an eye on each other to see how much golf they are playing, and if
they are calling in sick and then having a game of golf! Ha! I'll bet this
is the real reason the site has been taken down - all the executives
complained that their sub-ordinates could see how much golf they really were
playing. FIX? Nah, this one is too much fun to take away :)

It will be interesting to see what sorts of fixes they have made once the
site comes back online. Most people I have talked to about the site are
supportive of it, with a couple of minor modifications to reduce some of the
above risks.

=== Press Articles
Golf: Website pulled after privacy concerns
http://www.stuff.co.nz/inl/index/0,1008,588486a1823,FF.html

Golfers chipping back over page
http://www.stuff.co.nz/inl/index/0,1008,593772a1601,FF.html

I can see the sub-par PGN jokes now... :)

Gavin Treadgold, Red Iguana Ltd


Risks of outsourcing: you can bank on it!

<Cris Pedregal Martin <cris@cs.umass.edu>>
Mon, 5 Feb 2001 12:47:50 -0500

Summary: I left one bank because of their incompetence, and the new bank
gave me an ATM card with my name and password, but linked to someone else's
account.  The RISK is embracing business models without regard to their
technological implications, outsourcing in this case.

Banks are a well-established source of RISKS-lore, but my recent experiences
are starting to convert me into a believer in the existence of RISKS-karma.
After many hours spread over months of unpaid consulting to my formerly
small regional bank, trying to get them to (a) refund the double debit for a
safe rental and (b) record that I had paid at least once, so I could
actually access my safe, I decided to take my business elsewhere, and opened
an account in my local (still) small bank.  It does not take a RISKS reader
to do this cautiously, so I waited for new checks and the automatic deposit
to switch over before trying to use my new account... my very first ATM
operation was a balance request, which yielded an amount well below the
expected.  Went to the brick'n'mortar office, where a check of their
computers showed the correct balance.  Although I was relieved I wouldn't
have to fight to get my money back, I knew things were bad because there was
obviously (at least) two different, not mirrored, databases at play here.  I
had to demonstrate the problem at their own ATM there, several times, before
they'd start investigating, and after a good 30 minutes of consultations
they admitted that yes, the card was linked to someone else's account, then
had the gall to sternly ask me whether I had taken any money out, and then
took another 20 minutes to "push through" the change, with some muted
apology from the lowest-level employee involved.

Turns out that they outsource the printing of ATM cards, and they outsource
the running of their ATM machines, presumably to two different companies,
and evidently they move information from their own database to these other
organizations... in a very RISKy manner.

The RISK here is familiar: embracing a business practice without
understanding its technical underpinnings. The current management fads of
outsourcing everything assume (implicitly!) well-defined and well-executed
interfaces. In this sense, I am much luckier than PGN and other Californians
who are experiencing a large scale version of the same with their supply (or
lack thereof) of electricity.

Cris Pedregal Martin - Computer Science, UMass - http://www.cs.umass.edu/~cris/


Microsoft Hotfix undoes previous good

<BELLG@allianz.com.au>
Thu, 1 Feb 2001 10:05:37 +1000

Good system administrators apply Hotfix packs to their systems promptly, to
ensure known vulnerabilities are closed as soon as possible. Of course it is
also wise to test the Hotfix to ensure it does not create new problems (and
we all do that, of course).  But who tests to see if it reintroduces
problems/vulnerabilities removed by previous fixes?

It looks like we all should start full security regression testing of Hotfix
packs, following the release of the recent Microsoft Security Bulleitin
MS01-005 , which includes the following statement:

  "An error in the production of the catalog files for English language
  Windows 2000 Post Service Pack 1 hotfixes made available through December
  18, 2000 could, under very unlikely circumstances, cause Windows File
  Protection to remove a valid hotfix from a system. The removal of a hotfix
  could cause a customer's system to revert to a version of a Windows 2000
  module that contained a security vulnerability."

Graham Bell, Allianz Australia


SiteGuest.com: Unauthorized e-mail address capture whilst browsing

<"Stewart C. Russell" <stewart@ref.collins.co.uk>>
Tue, 13 Feb 2001 11:27:15 +0000

I was looking at an estate agent's (realtor's) website when I noticed the
status line on my browser saying "Contacting <mailserver>" then "Message
Sent". I looked through the site's HTML code and there was a little piece of
JavaScript which appeared to send an e-mail message to the site's owner with
no intervention from me. This service is provided by
http://www.siteguest.com/, who describe it as "Caller ID for your web site".

Sure enough, in the next few days I started to get a number of e-mails from
this realtor promising the best deals on houses. I'd prefer to choose who
gets my e-mail address, and the behaviour of this particular individual has
pretty much guaranteed no business from me.

The risk? The usual JavaScript and security warnings should be on, and that
combining web and mail functions in one program is not always a good idea.

Stewart C. Russell Senior Analyst, Dictionary Division, HarperCollins
Publishers, Glasgow, Scotland  stewart@ref.collins.co.uk


The very friendly skies of United?

<Steve Bellovin <smb@research.att.com>>
Thu, 15 Feb 2001 09:30:51 -0500

According to the *Wall Street Journal*, 15 Feb 2001, the United Airlines Web
site had a problem a few weeks ago: it was quoting preposterously low fares.
For about an hour, some international fares were "zeroed out", and customers
were being quote a price that included only taxes and fees.  United is
declining to honor the tickets purchased during this time, saying that
customers should have known that a price of less than $30 for a round trip
from San Francisco to Paris wasn't reasonable.

Steve Bellovin, http://www.research.att.com/~smb


Risks inside my Jan 2001 American Express bill

<Thomas Maufer <tmaufer@acm.org>>
Thu, 1 Feb 2001 01:34:22 -0800

The items on my American Express Bill are listed in chronological order,
oldest first.

Beginning with items dated 1/1/2001, items dated from the future began to
appear.  For instance, the next several items were dated 1-Feb-2001,
1-Apr-2001, 1-Jun-2001, 1-Aug-2001, and 1-Sep-2001.  It seems that they must
have started interpreting the date as the month, and vice versa.  The actual
dates on the receipts corresponding to those items were 2-Jan-2001,
4-Jan-2001, 6-Jan-2001, 8-Jan-2001, and 9-Jan-2001.

I understand the mistake that they made (but I can't fathom the reason that
dates were corrupted), but I'm wondering what they'd say if I insisted that
those charges be deferred until I actually *make* them, as I haven't
actually made them yet.

Thomas Maufer


Domain name mismatch family feud

<James.Ryan@telemedianetworks.com>
Wed, 31 Jan 2001 15:46:36 +1300

A humorous story on similar domain names...

I own "yourmailinglist.com" and was recently afforded front-row seats to a
family feud of mind-boggling proportions.  It seems someone with a large
extended family had sent out a personal newsletter updating all his
relatives on his current state of affairs, the kids are fine, Mary's in
College, Joe has a new job, etc. etc.  Well, one of the recipients took
great offence to receiving such an impersonal form of communications.  He
blasted the entire list with a scathing sarcastic attack on the original
sender who he accused of "spamming" his relatives instead of sending each
one a personal update.

In order to make himself "anonymous" he changed his reply-to address to
"someone@yourmailinglist.com".  Practically everyone on the list came back
with their own scathing responses about how they were quite happy to receive
the newsletter about Mike and his kids, and shouldn't he be ashamed of
himself for his insensitivity, etc.  Of course, all these replies ended up
in my mailbox...

I got my revenge, though.  I simply "educated" all of those irate relatives
in how to read an e-mail header, and soon they were blasting "Mr. Anonymous"
at his proper address.  The risk?  If you're crazy enough to insult your
whole extended family, be smart enough to know how to really cover your
tracks...


RISKS of anticipating computer problems

<Eric Nickell <nickell@parc.xerox.com>>
Thu, 8 Feb 2001 10:48:47 PST

My credit union, Xerox Federal Credit Union recently changed its website.
In the process, I lost access to my account information via the web for 2
weeks, somewhat troublesome since I have items that are charged to the
account automatically and I've come to rely on web access to be able to view
and transfer money between savings and checking to cover those charges.  The
changeover has been a comedy of errors, but in the end, customer service
informs me that the problems were entirely my fault. Hmph.

First change I noticed was that I could no longer type in my 7-digit
PIN.  I had originally been issued a 4-digit PIN, but feeling that this
was insecure, I changed it.  My estimates are that since XFCU gives 3
tries to get the PIN right, limiting the PIN to 4 numeric digits gives
them a .3% chance of guessing the right PIN, given an account number.
With a customer base of 70,000 members and account numbers of only six
digits, how long do you think it would take a hacker to break into, oh,
.3%*70,000=210 accounts, eh?

In trying to get into my account with the 7-digit PIN, I used up my 3
tries. A customer service rep re-opened the account, but this led me to a
debug page, so I assumed that I still didn't have the right PIN. Had to end
up having the PIN mailed to my home address.

One week later, the mailed PIN arrived, I can see that it's a truncated form
of my old 7-digit PIN, and we try again.  Now, we land in a barf page.  It's
the sort of message a programmer puts up to flag system errors.

From the XFCU home, I click on the "contact" link to send them email.  (It's
right next to their "Most Useful Credit Union Web Site" award icon. How
ironic.)  The email comes back 24 hours later due to delivery problems.
(The customer assures me that they have received no email complaining about
this problem.)

When I call customer service, they're able to track down the problem in a
few hours. Turns out in my correspondence with XFCU, they have always listed
my account as "0369045" (not the actual number).  I have always fastidiously
typed in the leading zero.  Why?  The reason I typed in the leading zero was
a defense against the possibility that some stupid computer programmer would
not treat "0369045" and "369045" and that believing the one received or
printed communication was to be preferred.  I was both right and wrong.

So, in the end, it was all my fault. Customer service informs me that they
did not need to notify of the PIN change, because they initially issued
4-digit PINS, and though the previous web access let members change to a
longer PIN, THEY HAD NEVER given us permission to use a longer PIN.
Further, I was the one at fault for typing in the leading zero.  How stupid
of me.

The RISKS here are obvious: Besides grumps about lowered security and
truncating my PIN without bothering to inform me, there are two:

* The RISK of causing a breakdown in service by anticipating one.

* Second, a more traditional RISK: Knowing that there was one problem in the
  changeover (the truncated PIN), I lost sight of the fact that there might
  have been two (that I no longer allowed to type in the leading zero).

Eric Nickell, Xerox PARC


Satellite strike blows away DirectTV pirates

<Serguei Patchkovskii <patchkov@ucalgary.ca>>
Tue, 30 Jan 2001 17:07:53 -0700

: PGN-ed (How long will it be until the next-iteration hack occurs?)]

Not long at all. According to a very informative report in The Register
(http://www.theregister.co.uk/content/6/16377.html), the DirectTV attack was
directed at the old, and easily hacked, "H"-type smartcards, which were
discontinued in 1999. The currently shipped cards, "HU"-type, are apparently
somewhat more difficult to hack - but hacked versions are nonetheless
already available, and were not affected by the attack.  Neither were
emulation-based systems, where a PC with the appropriate hardware connector
impersonates a hacked smart card. Given that, according to The Register's
sources, such hacks are not illegal in Canada, it won't take a lot of time
before the new hacked cards become widespread.  In fact, the DirectTV stike
may even provide the pirates with a healthy cash infusion from all those
people seeking to replace their now-defunct H-type cards.

Serge.P

Please report problems with the web pages to the maintainer