The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 50

Thursday 12 July 2001

Contents

Microsoft bug causing serious nuclear risk?
Dudi Feuer
Michael D. Levi
John Lowry
Fiji has to relive Y2K?
James Paul
Intruder crashes United Arab Emirates' only ISP
Dave Stringer-Calvert
$480,000,000 for sending 9 parcels
Mark Brader
Uncleared disk space and MSVC
David Winfrey
Berlin Bank shows sensitive information
Debora Weber-Wulff
Power outage means wheel chairs on the go
Ray Todd Stevens
Electoral fraud
Tony Finch
Risks in inept election fraud
knhaw
Yet another e-mail filter effect
Jurjen N.E. Bos
Re: Billboard error message
Ben Morphett
Markus Peuhkuri
REVIEW: "Fundamentals of Network Security", John E. Canavan
Rob Slade
16th Annual Software Engineering Symposium 2001
Carol Biesecker
Info on RISKS (comp.risks)

Microsoft bug causing serious nuclear risk?

<Dudi Feuer <dudi@yucs.org>>
Wed, 11 Jul 2001 12:14:26 -0400 (EDT)

According to an article in *The Washington Post*, the US lent Russia
programs with a bug that loses track of nuclear materials over a period of
time.  The software has been in use for 10 years, and the latest patch did
not create a fix for the issue.  Apparently, the Russians initially
thought the bug was a trojan horse authored by the US.  Then, after
applying several patches, they realized it was an inherent flaw in the
program, and most likely exists in the Los Alamos version as well.

  [Source: *The Washington Post*, 11 Jul 2001, A19
  http://www.washingtonpost.com/wp-dyn/opinion/A44053-2001Jul10.html]


Microsoft bug causing serious nuclear risk?

<Levi_M <Levi_M@bls.gov>>
Thu, 12 Jul 2001 10:43:21 -0400

[...] The article goes on to say that the U.S. was warned of the security
risks but has made no public comment on the matter.  The article also points
out that the U.S. no longer maintains (and indeed has destroyed) backup
paper copies of their inventory: "To reconstruct a reliably accurate
accounting record, the Energy Department may need to inspect all of
America's nuclear materials -- a huge task that could cost more than $1
billion and still might not detect the diversion of some material, should it
have occurred."

Among other obvious risks is -- always look gift horses in the mouth.

Michael D. Levi, Project Manager, Data Dissemination Systems
U.S. Bureau of Labor Statistics  (202) 691-5100


Microsoft bug causing serious nuclear risk?

<"John Lowry" <jlowry@bbn.com>>
Thu, 12 Jul 2001 10:42:50 -0400

  [Re: http://www.washingtonpost.com/wp-dyn/opinion/A44053-2001Jul10.html]

LANL supplies MS software to Russia for nuclear material accounting that
develops data "black-holes" over time.

DoE has apparently abandoned paper trails and so, aside from the ability to
misappropriate nuclear material that has "disappeared" from the database,
there is going to be substantial cost incurred to inventory everything -
even assuming nothing is missing.

What ever happened to assurance testing for critical software ?

Where else is this software being used, and for what?

John


Fiji has to relive Y2K?

<"James Paul" <James.Paul@mail.house.gov>>
Thu, 12 Jul 2001 17:26:55 -0400

A programming error resulted in the deletion of all Fiji Government accounts
for the year 2000 and the postponement of official audits.  There is
reportedly some speculation about a cover-up of "mismanagement or abuse of
taxpayer funds", although the simple solution of a screw-up seems likely.
The information system dates from the mid-1970s.  Presumably the various 52
government ministries and departments can retransmit the relevant data.
[Source: Computer error deletes all Fiji Government accounts, Agence
France-Presse, 11 Jul 2001, from the *Fiji Times*, 12 Jul 2001]


Intruder crashes United Arab Emirates' only ISP

<Dave Stringer-Calvert <dave_sc@csl.sri.com>>
Tue, 03 Jul 2001 18:33:20 -0700

A computer whizzkid has been fined £2,000 ($2,600) for hacking into the
United Arab Emirates' only Internet provider and causing the whole country's
system to crash. Lee Ashurst, 22, originally from Oldham in Greater
Manchester, was convicted of misusing equipment, services or facilities
provided by Emirates Telecommunications Corp Etisalat.  Ashurst, who works
for a construction company in the Gulf, is now facing a compensation claim
of more than £500,000 ($650,000) from Etisalat after the Dubai Court of
First Instance transferred his case to the civil courts.  He was working as
a computer engineer at a Dubai construction firm in May last year (00) when
he began hacking into Etisalat's systems.  According to the Gulf News
newspaper, the court was told the entire United Arab Emirates internet
system crashed on several occasions over a month.

http://63.108.181.201/2001/07/03/eng-wenn/eng-wenn_001056_76_4245186652988.html


$480,000,000 for sending 9 parcels

<msb@vex.net (Mark Brader)>
Thu, 12 Jul 2001 11:16:08 -0400 (EDT)

Edward Rudzki (whose hobby shop in Edmonton, Alberta, Canada, opened in the
mid-1960s) just received a bill from Canada Post for CA$480,000,000 (roughly
US$310,000,000), for transactions supposedly having taken place from 1906 to
1928!  The actual transactions were 9 parcels from a month ago, but the
dates and dollar amounts were wrong.  Canada Post says the problem occurred
when they merged 60 databases into one.  [Source: *Toronto Star*, 12 Jul
2001]

Mark Brader, Toronto


Uncleared disk space and MSVC

<David Winfrey <dlw@patriot.net>>
Thu, 12 Jul 2001 14:20:52 -0400 (EDT)

I have a program called "clrspace" which clears the unused space on my hard
disk. When I use it at work, I set it to fill the space with the company
name and phone number.

Recently I got a new copy of the Microsoft Visual C++ compiler, version 6,
introductory edition.

Today, after compiling a program of the "Hello World" level of complexity
and finding that the resulting program was well over 100 kilobytes, I went
to the DOS prompt and looked at the .EXE file with a hex editor to try to
find out why it was so big.

I was surprised to find "Property of Acme Widgets, 301-555-1212" in the .EXE
file from 0x6000 to 0x14FFF. The compiler had obviously just grabbed a big
chunk of disk space and stuffed it into the file, without bothering to clear
it first.

If that particular chunk of disk had been used for something confidential,
and if this were the production version of the compiler that allows
redistribution of executables (the intro version doesn't, although this
restriction is somehow omitted from the outside of the package), then 60
kilobytes of company plans, source code, spreadsheets, customer lists, or
whatever could have been burned onto CD and shipped to customers around the
world.

Anyone compiling programs with MSVC may want to examine the output closely
for data that shouldn't be there.
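The kind of check the post recommends, written here as an added example (it is not the poster's clrspace tool or anything from Microsoft): a small Python audit that lists long printable-ASCII runs in a built binary with their offsets, flags any run that contains none of the strings the build is expected to carry, and measures how far a known fill pattern repeats back to back. The input is a constructed byte buffer that mimics the situation described (a "Hello World" binary with the poster's fill text stuffed into it); the function names and the reuse of that fill text as a marker are assumptions.

```python
import re

# Constructed marker: the fill text from the post, reused here as a sample
# "never-cleared disk" pattern.  Not taken from any real binary.
FILL = b"Property of Acme Widgets, 301-555-1212"


def find_printable_runs(data: bytes, min_len: int = 16):
    """Return (offset, run) for every run of at least min_len printable ASCII
    bytes: roughly what strings(1) reports, but with offsets so a run can be
    located in the file."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [(m.start(), m.group()) for m in pattern.finditer(data)]


def unexpected_strings(data: bytes, expected, min_len: int = 16):
    """Printable runs that contain none of the strings the build should hold."""
    return [(off, run) for off, run in find_printable_runs(data, min_len)
            if not any(e in run for e in expected)]


def repeated_pattern_span(data: bytes, pattern: bytes):
    """Longest stretch of back-to-back copies of `pattern` as (start, end, copies),
    or None.  A fill pattern repeating for tens of kilobytes is a strong sign that
    raw disk sectors were copied into the file."""
    best = None
    i = data.find(pattern)
    while i != -1:
        j = i
        while data.startswith(pattern, j):
            j += len(pattern)
        copies = (j - i) // len(pattern)
        if best is None or copies > best[2]:
            best = (i, j, copies)
        i = data.find(pattern, j)
    return best


def build_sample_exe() -> bytes:
    """Constructed stand-in for a compiled executable: a header, 256 bytes of
    non-printable 'code', one legitimate string, then 608 bytes of uncleared fill."""
    code = bytes([0x55, 0x8B, 0xEC, 0x90]) * 64        # 'U' followed by three non-printables
    strings = b"Hello, World!\x00" + b"\x00" * 50        # 64-byte string table
    leaked = FILL * 16                                   # 608 bytes that should never be here
    return b"MZ" + code + strings + leaked + b"\x00" * 64


def audit(data: bytes, expected, min_len: int = 8):
    """Summary a build step could act on: unexpected runs plus the largest fill span."""
    return {
        "unexpected": unexpected_strings(data, expected, min_len),
        "fill_span": repeated_pattern_span(data, FILL),
    }


if __name__ == "__main__":
    report = audit(build_sample_exe(), [b"Hello, World!"])
    for off, run in report["unexpected"]:
        print(f"unexpected {len(run):5d} printable bytes at 0x{off:05x}: {run[:40]!r}...")
    if report["fill_span"]:
        start, end, copies = report["fill_span"]
        print(f"fill pattern repeats {copies} times from 0x{start:05x} to 0x{end - 1:05x}")
```

On a real build the expected-string list would be generated from the source tree (literals, resource strings, import names) so that anything else in the output stands out; a fill pattern is only detectable if, as in the post, the free space was deliberately overwritten with a known marker first.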


Berlin Bank shows sensitive information

<Debora Weber-Wulff <weberwu@fhtw-berlin.de>>
Mon, 09 Jul 2001 12:38:37 +0200

On 2 Jul 2001, a reporter for a local newspaper wanted to check his on-line
account with the Berliner Sparkasse. Imagine his surprise to find lots of
interesting data about an account and loans - except that they were not his.
About 50 persons could not access their own accounts; they were presented
with data from other people. The bank assures us that no funds could be
transferred, it was "just" possible to see how much money was in the
accounts and to see the last transactions.

They immediately removed the on-line banking from the net. The official
problem source, according to a spokesperson from the bank, was "strain"
(Ueberlastung) on the systems. The company DefCom Security worked feverishly
to get it back on line by Tuesday, but forgot that they had fooled with the
certificates.  Users were presented with a screen warning them that the
certificate was issued by a company that was classified as not
trustworthy.... Maybe it's time to change banks?

If you read German, you can find more information at

http://www2.tagesspiegel.de/archiv/2001/07/03/ak-in-6611353.html
http://www2.tagesspiegel.de/archiv/2001/07/03/ak-be-447917.html

Prof. Dr. Debora Weber-Wulff
FHTW Berlin, FB 4, Internationale Medieninformatik
Treskowallee 8, 10313 Berlin
Tel: +49-30-5019-2320      Fax: +49-30-5019-2300
weberwu@fhtw-berlin.de     http://www.f4.fhtw-berlin.de/people/weberwu/


Power outage means wheel chairs on the go

<"Ray Todd Stevens" <raytodd@kiva.net>>
Thu, 12 Jul 2001 14:27:54 -0500

I witnessed an interesting failure mode during a recent shopping trip.  This
store had some of the motorized-chair shopping-cart setups for customers who
need them.  They are all lined up against one wall facing out and plugged
into the wall charging.  All was well until the power failed.

When the power failed, all of these units took off and most ran into things
before the staff could stop them, trailing their cords behind them.  I asked
about this.  It seems that there are several apparently glaring design
flaws in these units.

1. The stopped position on the handle is not the default position.  Instead,
   the control is all the way down for forward, all the way up for reverse,
   and halfway in between for neither, meaning that the natural position is
   forward.

2. There is also a foot brake, but it must be pushed to stop.

3. Of course there is a power switch.  But it must be turned on to charge
   the unit.

What you do to charge is plug the unit in, and then turn on the power.  The
fact it is receiving outside power switches it to charge mode and the unit
will not go anywhere.

Now here comes the power failure.  All of these units (about 7) are turned
on, brake off, and in forward.  They seem to assume that no electricity
means that they are now to take off and do so driverless.

Interesting failure mode, and in this time of more and more backup power for
computers, one we should remember.

Ray Todd Stevens, Senior Consultant, Stevens Services  (812) 279-9394
R.R. # 14 Box 1400 Apt 21, Bedford, IN 47421  Raytodd@kiva.net


Electoral fraud

<Tony Finch <dot@dotat.at>>
Thu, 12 Jul 2001 02:00:15 +0100

Following the question "Does the UK have significantly less electoral
fraud than countries which use untraceable ballot papers?" I wrote this,
which (although it is a bit late to be a followup to the discussion
around last year's USA presidential election) might be interesting.

One of the interesting things about the recent general election is that
fraud has been much easier to perpetrate than usual, but without any
kind of extra auditing.

The reason that fraud has been worse is because they have increased the
availability of postal votes. Now, this doesn't inherently imply fraud,
so I will tell you a tale to explain why I think this is the case.

The usual arrangement for an election in the UK is as follows: You have
(at some point in the past) put yourself on the electoral register by
filling in a form that says "I live here and this is my name and I am
entitled to vote", and this means that (amongst the dead tree spam)
you receive a piece of card through the letterbox shortly before an
election which explains where you have to go to vote and what your voter
number is. Now, you might expect (being good RISKS readers and all that)
that this piece of paper is a physical token that entitles you to vote
(and the process of registering entails some kind of behind-the-scenes
checking that this is true), but no. You do not have to take the card
to the polling station: you merely have to turn up and state your name,
the only checking being that you have already put your name on the list.

Now, regardless of how bad that is, it gets worse. In the past, postal votes
were quite hard to get, i.e. (unlike usual votes) some checking
happened. This was because most postal voters were disabled or expatriates
or had some other unusual difficulty that prevented them from getting to the
polling station on the day, so there were few enough of them that checking
their applications was feasible. The unique thing about this year is that
large numbers of farmers and other members of the rural community have not
been able to leave their homes because of the travel restrictions caused by
the Foot And Mouth epidemic.

The procedure for postal votes this year has been: (1) find out
the phone number you need to call to get a postal vote; (2) say to
the person on the other end of the line how many votes you need; (3)
receive the forms through the post; (4) fill them in; (5) sit back and
enjoy an extra-large swing in your constituency. If you think that you
might not have enough votes, feel free to call back again later and
ask for more. [I know someone who tried this out to see if it worked,
and it did, but I don't think he actually used the extra votes.]

The general election this year has been characterised by an unusually
large degree of apathy (59% turn-out, compared to usually 75% or so) but
the aggregate result has been just as conclusive as the 1997 result (71%
turnout): a landslide victory for the Labour party. The per-constituency
change in opinion has made almost no difference to the membership of
the House of Commons. This means that there has been absolutely no
worry about electoral fraud, since it couldn't have made a significant
difference to the overall result.

The interesting thing is that the small turnout is likely to have a greater
long-term effect than any murmurs of procedural irregularities: the
proportional-representation faction have made great mileage from saying that
people are apathetic because they have no control over politics, and they
have no control because they live in a safe constituency, so their
third-party Lib-Dem vote counts for nothing. They have made further headway
because of the Gothenburg summit riots which were perceived to be a
complaint against the unrepresentative ivory towers of the EU politicians.

So, even though the Brits don't want to look like pillocks for criticising
the Americans for their banana republic election, we changed none of
the procedures, had another shambolic election, and breathed a sigh of
relief because it was a cock-up that didn't matter. It remains to be
seen whether those in favour of electoral reform will be able to maintain
their momentum and get a better system working before the next time.


Risks in inept election fraud

<<knhaw@rockwellcollins.com>>
Wed, 27 Jun 2001 09:44:16 -0700

Several news outlets are reporting on the recent "No Contest" plea on June
14th by Christine Gunhus, wife of former U.S. Senator Rod Grams (Republican,
Minnesota) on criminal violations of Minnesota election code.  Here is the
posting from Cluebot.com, which reads suspiciously like a RISKS posting ;)

The wife of a U.S. senator who unsuccessfully ran for re-election in 2000
pleaded "no contest" on Thursday to charges of using a pseudonym to send email
messages that disparaged her husband's Democratic rival.

Minnesota prosecutors charged Christine Gunhus, who married former
Republican senator Rod Grams after working on his campaign, with violating
state criminal laws. Grams' rival, Democratic-Farmer-Labor candidate Mike
Ciresi, had filed a complaint under the Minnesota Fair Campaign Practices
Act.

The risks of using technology you don't completely understand and that could
leak your identity are worth noting:

 * Gunhus is accused of using a Hotmail account (Katie Stevens --
kylomb@hotmail.com) to send the disparaging email messages, which talked
about how Ciresi had represented corporate polluters and anti-union
companies. But Hotmail includes an X-Originating-IP: header that shows the
IP address of the sender -- a problem if you're typing it from the opposing
campaign's computer!

 * Prosecutors say they traced the IP address back to an AT&T WorldNet user
who repeatedly used the "Katie Stevens" Hotmail account by connecting from
Gunhus' home number. (Guess they keep Caller ID logs.) Apparently the person
using the "Katie Stevens" pseudonym was smart at first, sending the mail
from a Kinko's store, but then got sloppy.

 * The email attacks included Microsoft Word attachments, which a Ciresi
aide investigated. The aide found that Word listed the document authors as
Grams staffers including -- you guessed it -- Christine Gunhus.

 * Democratic researchers reported that they found Globally Unique
Identifiers (GUIDs) in the Word documents. The GUID includes the Ethernet
MAC address. Prosecutors last August obtained a search warrant to seize
Gunhus' computer, from which they could extract the MAC address if the
Ethernet card was still the same.

 * Let's not forget the political risk. In an article in the Minneapolis
Star-Tribune on the pseudonymous mail campaign last year, the Grams campaign
offered a remarkably narrow denial. A spokesman hedged: "We didn't put this
together and send it out of the Grams campaign office," leaving open the
question of whether it was sent by a campaign worker from another location.

 * And what about the legal risk to free speech? The Minnesota Civil
Liberties Union reasonably argues that a criminal law that bans sending
pseudonymous messages is unconstitutional. A Supreme Court decision,
McIntyre v. Ohio Elections Commission
(http://www.epic.org/free_speech/mcintyre.html), says that a prohibition on
the distribution of anonymous campaign literature violates the First
Amendment. The state law seems to be ecumenical in its application: A
Republican has used it to attack the Sierra Club
(http://www.fcregister.com/ziegler11_6_00.htm).

Epilogue: Grams managed to derail his Democratic rival's primary bid, and
Ciresi did not win his party's nomination. Even though Grams lost the
general election in the fall, that hasn't halted his political ambitions.
The Washington Times reported on April 13 that Grams is reportedly
considering a challenge in 2002 to U.S. Senator Paul Wellstone, a liberal
Democrat."

Cluebot story (with links):
http://www.cluebot.com/article.pl?sid=01/06/15/0135212&mode=nocomment

Minnesota Public Radio story on original affidavit:
http://news.mpr.org/features/200009/08_radila_grams/index.shtml
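The GUID point in the Cluebot story, shown from the other side as an added example (not the prosecutors' or the researchers' tooling): a Python routine that tells whether a GUID is an RFC 4122 version-1 UUID, and if so decodes the 48-bit node field (formatted as a MAC address), the creation timestamp and the clock sequence, then scans a document for GUIDs whose node is a real hardware address rather than a randomly generated one. It assumes the document GUIDs use the standard version-1 layout (the page says only that the GUID "includes the Ethernet MAC address"); the sample node, timestamp and document text are constructed.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122 version-1 timestamps count 100-ns intervals from the Gregorian reform.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

SAMPLE_NODE = 0x00105A3C7F2E                                   # constructed, not a real device
SAMPLE_CREATED = datetime(2000, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed


def make_v1_guid(created: datetime, node: int, clock_seq: int = 0) -> uuid.UUID:
    """Assemble a version-1 UUID from its parts (used here only to build samples)."""
    ts = ((created - GREGORIAN_EPOCH) // timedelta(microseconds=1)) * 10
    return uuid.UUID(fields=(
        ts & 0xFFFFFFFF,                        # time_low
        (ts >> 32) & 0xFFFF,                    # time_mid
        ((ts >> 48) & 0x0FFF) | (1 << 12),      # time_hi_and_version, version 1
        ((clock_seq >> 8) & 0x3F) | 0x80,       # clock_seq_hi_and_reserved, RFC 4122 variant
        clock_seq & 0xFF,                       # clock_seq_low
        node,                                   # 48-bit node
    ))


def node_is_hardware_address(u: uuid.UUID) -> bool:
    """A node copied from a NIC has the multicast bit (LSB of the first octet)
    clear; RFC 4122 requires a randomly generated node to set it."""
    return (u.node >> 40) & 0x01 == 0


def describe_guid(text: str):
    """For a version-1 GUID return the node (as a MAC), creation time and clock
    sequence; for any other version return None, since no host identity is encoded."""
    u = uuid.UUID(text)
    if u.version != 1:
        return None
    return {
        "node": u.node.to_bytes(6, "big").hex(":"),
        "hardware_node": node_is_hardware_address(u),
        "created": GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10),
        "clock_seq": u.clock_seq,
    }


def scan_for_identifying_guids(text: str):
    """Every GUID in the text whose node looks like a real hardware address."""
    hits = []
    for m in GUID_RE.finditer(text):
        info = describe_guid(m.group())
        if info and info["hardware_node"]:
            hits.append((m.group(), info["node"], info["created"]))
    return hits


def build_sample_document() -> str:
    """Constructed metadata blob standing in for the document properties in the story."""
    hw = make_v1_guid(SAMPLE_CREATED, SAMPLE_NODE, clock_seq=0x1234)
    rnd = make_v1_guid(SAMPLE_CREATED, 0x01AABBCCDDEE)   # random-node flavour of v1
    return (f"Author: sample\nDocID: {{{hw}}}\n"
            f"Revision: {{{rnd}}}\nTemplate: {{{uuid.uuid4()}}}\n")


if __name__ == "__main__":
    for guid, mac, created in scan_for_identifying_guids(build_sample_document()):
        print(f"{guid} embeds hardware address {mac}, generated {created.isoformat()}")
```

The same check run over a document store before publication is the defensive use: any document whose GUIDs carry a hardware node ties the file to a specific machine, and the timestamp field ties it to a moment, which is exactly the correlation described above.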


Yet another e-mail filter effect

<j.bos@interpay.nl>
Wed, 27 Jun 2001 09:47:41 +0200

The IACR (International organisation of Cryptology Research) has someone on
its Board of Directors named Don Beaver.  The direct result of this is that
the recent IACR newsletter (a 34K document full of relevant news on the
cryptologic community) was rejected by our company firewall, because his
name was in there too many times. It also contained other "dirty" words,
such as LaTeX, hardcore, and so on.

Our IT department told me that the message would *not* have been rejected if
it was split in two, since the number of dirty words would have been halved.
X-|

Sigh. I thought cryptology was to prevent us from this kind of misery.

Jurjen N.E. Bos, Risk Management / Information Security Services
Interpay Nederland BV, Postbus 30500, 3503 AH Utrecht  tel. +31 30 283 6815
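The filter behaviour the IT department described, reproduced as an added example (not the firewall product in question, whose rules are not on the page): a word-count rule whose verdict flips when the same mail is sent in two halves, beside a density rule (hits per thousand words) with an allowlist for known names, whose verdict does not depend on how the mail is chunked. The blocklist, thresholds and the sample newsletter text are constructed.

```python
import re

BLOCKLIST = {"beaver", "hardcore", "latex"}   # constructed, after the words named in the post
ALLOWED_PHRASES = ("don beaver",)              # legitimate names/terms the filter must tolerate
COUNT_THRESHOLD = 5                            # absolute-count rule, as the post describes
MAX_HITS_PER_KWORD = 20                        # density rule


def tokens(text: str, allow=()):
    text = text.lower()
    for phrase in allow:                       # drop allowlisted phrases before counting
        text = text.replace(phrase, " ")
    return re.findall(r"[a-z]+", text)


def count_hits(text: str, allow=()):
    words = tokens(text, allow)
    return sum(w in BLOCKLIST for w in words), len(words)


def rejected_by_count(text: str) -> bool:
    """The naive rule: reject once the total number of listed words reaches a threshold."""
    return count_hits(text)[0] >= COUNT_THRESHOLD


def rejected_by_rate(text: str, allow=ALLOWED_PHRASES) -> bool:
    """Density rule: hits per thousand words, so size alone never trips it."""
    hits, n = count_hits(text, allow)
    return n > 0 and hits * 1000 / n > MAX_HITS_PER_KWORD


def split_sensitive(rule, sections) -> bool:
    """True when the verdict on the whole differs from the verdict on its two halves,
    i.e. the rule can be dodged, or tripped, just by re-chunking the mail."""
    whole = rule("".join(sections))
    mid = len(sections) // 2
    parts = ["".join(sections[:mid]), "".join(sections[mid:])]
    return whole != any(rule(p) for p in parts)


def build_newsletter():
    """Six constructed newsletter items, each mentioning the board member once
    inside 132 words of ordinary announcement text."""
    item = "The IACR newsletter announces that Don Beaver will chair the session. "
    filler = ("The program committee welcomes submissions on provable security "
              "and key exchange. ") * 11
    return [item + filler for _ in range(6)]


SPAM = "hardcore latex beaver " * 4           # constructed: dense enough to fail either rule


if __name__ == "__main__":
    news = build_newsletter()
    print("count rule, whole newsletter rejected:", rejected_by_count("".join(news)))
    print("count rule changes when split:", split_sensitive(rejected_by_count, news))
    print("rate rule, whole newsletter rejected:", rejected_by_rate("".join(news)))
    print("rate rule changes when split:", split_sensitive(rejected_by_rate, news))
    print("rate rule on dense junk:", rejected_by_rate(SPAM))
```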


Re: Billboard error message (RISKS-21.45,46,48)

<Ben Morphett <morphett@lucent.com>>
Fri, 08 Jun 2001 10:40:25 +1000

> I was driving on I-405 northbound in southern Los Angeles County when I saw
> a bitmapped billboard on the east side of the road that was displaying a
> Windows error message.

Recently I was on a carnival ride called "The Drop Zone" with my nephews
when I saw a similar Windows error message.

The Drop Zone is rather fun.  They strap you in the ride, you are lifted
to the top of a tower, about 100m from the ground.  There are computer
screens at the top which give you a narrative about how some spacecraft
is going down and the whole crew are going to have to bail out, and then
they drop you.  You experience free fall for a few seconds.  The kids
scream.  You land safely.

The second time we did the ride, we got to the top and Windows had
crashed.  This time it was my turn to scream.  "I *really* hope my life
is not depending on Windows right now!  It's crashed!"

Ben Morphett, Bell Labs Research & Development


Re: Billboard error messages (RISKS-21.45,46,48)

<Markus Peuhkuri <puhuri@tct.hut.fi>>
Tue, 19 Jun 2001 11:46:24 +0300 (EET DST)

> signs that was declaring in foot-high letters "BATTERIES NEED RECHARGING".

That may not be all that stupid if the system has no other way of indicating
problems (a better formulation such as "Malfunction: .." could help).
But if it has some other means to inform the operator, then it is stupid.

> The general risk, of course, is in piping STDERR to STDOUT.  Web
> sites that send complex error dumps to visitors' browsers are doing

There is more risk than just the user being stumped by obscure
messages.  In many cases I've seen, the error message has revealed
quite a lot of the internal workings of the web service.  I remember even
seeing something like

       db_connect(user=db, passwd=pass): failed no connection

The security risks are obvious.

Markus Peuhkuri            ! http://www.iki.fi/puhuri/
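The leak quoted above, with its fix, as an added example (not code from any site mentioned on the page): a handler that returns the raw exception text to the visitor, beside a hardened handler that returns only a generic message with an opaque reference and writes the detail, with password-looking arguments masked, to an internal log keyed by that reference. The failing database call, its message text and the redaction pattern are constructed; `connect_db` is a stand-in, not a real driver.

```python
import re
import uuid


class DatabaseError(Exception):
    pass


def connect_db(user: str, passwd: str):
    """Stand-in for a database client that always fails, with a message shaped
    like the one in the post (constructed, not any real driver's output)."""
    raise DatabaseError(f"db_connect(user={user}, passwd={passwd}): failed no connection")


# Matches "passwd=..." / "password = ..." arguments up to the next separator.
SECRET_ARG = re.compile(r"(passw(?:or)?d\s*=\s*)[^,\s)]+", re.IGNORECASE)


def redact(message: str) -> str:
    """Mask password-looking arguments before a message reaches any log."""
    return SECRET_ARG.sub(r"\1[REDACTED]", message)


def handle_request_leaky(user: str, passwd: str):
    """The anti-pattern: STDERR piped to STDOUT, so the exception text, credentials
    included, goes straight to the visitor."""
    try:
        connect_db(user, passwd)
        return 200, "ok"
    except Exception as exc:
        return 500, f"Internal error: {exc}"


def handle_request_safe(user: str, passwd: str, audit_log: list):
    """Hardened form: the visitor sees a generic message plus a reference; the
    redacted detail goes to an internal log the operator can search by reference."""
    try:
        connect_db(user, passwd)
        return 200, "ok"
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        audit_log.append(f"ref={ref} {type(exc).__name__}: {redact(str(exc))}")
        return 500, f"Internal error. Reference: {ref}"


if __name__ == "__main__":
    print(handle_request_leaky("db", "pass"))
    internal_log = []
    print(handle_request_safe("db", "pass", internal_log))
    print(internal_log)
```

The redaction is a second line of defence for the internal log, not a substitute for the generic response: the visitor-facing message must never be built from exception text at all, because the next error may carry a path, a query or a hostname that no pattern anticipates.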


REVIEW: "Fundamentals of Network Security", John E. Canavan

<Rob Slade <rslade@sprint.ca>>
Mon, 25 Jun 2001 12:18:24 -0800

BKFNNTSC.RVW   20010512

"Fundamentals of Network Security", John E. Canavan, 2001,
1-58053-176-8, U$69.00
%A   John E. Canavan canavan@well.com jcnv@chevron.com
%C   685 Canton St., Norwood, MA   02062
%D   2001
%G   1-58053-176-8
%I   Artech House/Horizon
%O   U$69.00 617-769-9750 fax: 617-769-6334 artech@artech-house.com
%P   319 p.
%T   "Fundamentals of Network Security"

This commonplace guide to security can provide the newcomer with some basic
information.  However, it also contains some rather large gaps, and not a
little misinformation.

Chapter one outlines the usual reasons why we need security, and it also
provides some basic security terms and concepts.  Most of the material is
reasonable, but some is not quite standard.  A number of different threats
are outlined in chapter two.  However, errors are rife in this material,
although most are fairly minor.  Of the fourteen mailing lists it is
suggested readers might find useful, at least three have been dead for over
a year; at least two of those for more than three.  The overview of
cryptology, in chapter three, is at a very high level, with limited
discussion of key management, and almost none dealing with strength and key
length.  Chapter four starts out very badly, by stating that Kerberos uses
both symmetric and asymmetric cryptography.  (It doesn't: despite proposals
for public key extensions, Kerberos itself uses a very elegant system of
purely private key encryption to avoid sending passwords and keys in clear
text at any time.  Such a basic misunderstanding taints everything else in
the chapter.)  World Wide Web encryption is supposed to be the topic of
chapter five.  However, after a very terse outline of SSL (Secure Sockets
Layer) and SHTTP (Secure HyperText Transfer Protocol), and a tiny bit of the
missing discussion of key length, we get pages of screen shots of browser
certificates, which are almost meaningless without the background review.
There is also a tiny overview of Authenticode, with no mention of its flaws.
Chapter six presents something of a grab bag of email related topics,
mentioning encryption systems, spam, identity problems, privacy of employee
email, and even auto-responders.  With the addition of more screen shots a
number of pages are taken up with little information imparted.

Most of chapter seven concentrates on access control and passwords.  The
material is reasonable, if not deep, but could be better organized.  So too
with the suggested policies for network management in chapter eight,
although the author does seem to think that one set of recommendations can
fit all LANs.  Chapter nine's look at network media does not really deal
with security at all, unless you count the somewhat problematic opinions
regarding the relative difficulty of tapping.  There really isn't much
discussion of routers and SNMP (Simple Network Management Protocol) in
chapter ten: it concentrates on a few proprietary products.

Chapter eleven mentions a number of VPN (Virtual Private Network) related
protocols, but gives neither details for assessment nor conceptual
discussions for determining relative usage.  There is a decent overview of
basic firewall terms, with some areas of confusion, in chapter twelve.
Chapter thirteen has a basic outline of biometric concerns, but no details
of the technologies.  The review of security policy development in chapter
fourteen is pedestrian.  Chapter fifteen, entitled "Auditing, Monitoring,
and Intrusion Detection," is oddly confused since the author makes no
distinction between outside audits, and the ongoing auditing of materials
that result from regular monitoring.  There is unimaginative advice on
disaster recovery in chapter sixteen.  "Cookies, Cache, and AutoComplete" is
a strange add-on: yes, there are security risks associated with these
functions, but they are hardly fundamental to network security.

In the introduction, while stating that this book is intended for beginners
to computer security, the author disclaims the title of computer security
expert, and, in fact, asserts that many who do profess ace status may not
have as much right as they maintain.  I can greatly sympathize with this
sentiment.  However, simply by writing a book, Canavan implicitly professes
some mastery of the subject, and the mere abdication of the rank does not
relieve him of the responsibility for his mistakes.  There are a number of
other texts with better coverage, greater readability, superior accuracy,
and less wasted space.

copyright Robert M. Slade, 2001   BKFNNTSC.RVW   20010512
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


16th Annual Software Engineering Symposium 2001

<cb@sei.cmu.edu (Carol Biesecker)>
Thu, 12 Jul 2001 14:07:23 +0000 (UTC)

SEI 16th Annual Software Engineering Symposium 2001
Theme: Acquiring the Strategic Edge
October 15 - 18, 2001
Grand Hyatt at Washington Center
Washington, D.C.
http://www.sei.cmu.edu/symposium/

Contact: Symposium 2001 Conference Coordinator
Phone: 412 / 268-3007
FAX:   412 / 268-5556
E-mail: symposium@sei.cmu.edu
