The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 05

Weds 20 September 2000

Contents

Qualcomm CEO's laptop vanishes, containing corporate secrets (NewsScan, David Lesher)
Computers shut down aircraft engines in flight (Mike Beims)
Russian troops block power shutoff (Doneel Edelson)
OPEC site hacked (Mike Hogsett)
Navy carrier to run Win 2000 (Mike Ellims)
Re: Windows NT/2000 palm sync (Avi Rubin)
Re: Identity theft (Carl Ellison)
Re: D.01: Off by x100 (Terry Carroll)
Re: New Pentium III chip recalled: typo (Gideon Yuval)
Risks of using HTML Mail and HTTP proxy "censorware" together (Dan Birchall)
Concorde crash report (Peter Kaiser)
Computerized air-conditioning risks (Pere Camps)
``Netspionage'' is the real security threat on the Net (NewsScan)
Hackers offered $10,000 bait (NewsScan)
A subtle fencepost error in real life (Andrew Koenig)
New credit-card solution? (Joshua M Bieber)
Reconstructing Privacy - Conference Announcement (Gene N Haldeman)
Info on RISKS (comp.risks)

Qualcomm CEO's laptop vanishes, containing corporate secrets

<"NewsScan" <newsscan@newsscan.com>>
Mon, 18 Sep 2000 06:55:57 -0700

After addressing a national business journalists' meeting in Irvine,
California, Qualcomm chief executive Irvin Jacobs found that someone had
stolen his laptop computer, which he left on the floor of a hotel conference
room. The thief acquired not only an IBM Thinkpad but also the Qualcomm
secrets it contains, because Jacobs had just finished telling the audience
that the slide-show presentation he was giving with his laptop contained
proprietary information that could be valuable to foreign
governments. People in the area "included registrants, exhibitors and guests
at our conference, hotel staff and perhaps others.'' Qualcomm, a leader in
the wireless industry, is the world's leading developer of a technology
known as CDMA, which makes high-speed Internet access available on wireless
devices. (Reuters/*San Jose Mercury News*, 18 Sep 2000
http://www.sjmercury.com/svtech/news/breaking/ap/docs/412258l.htm;
NewsScan Daily, 18 September 2000)

  NewsScan Daily is underwritten by Arthur Andersen and IEEE Computer
  Society, world-class organizations making significant and sustained
  contributions to the effective management and appropriate use of
  information technology. NSD is written by John Gehl and Suzanne Douglas,
  editors@NewsScan.com.  [NewsScan items are reproduced here with the
  very gracious permission of Gehl and Douglas.  Further reuse should
  respect their copyrights.  PGN]


Qualcomm CEO's laptop vanishes, containing corporate secrets

<David Lesher <wb8foz@nrk.com>>
Mon, 18 Sep 2000 22:36:02 -0400 (EDT)

This was bound to happen, if not then & there and to him, then to another
CEO-type. It will again. It's a clear message that folks of all levels need
to practice safe-computing by using real encryption on all data files.

It's also a message to crypto companies. Create real tools for this task,
ones that even C[E,F,T]O's can grok how to use {1}. A recent USENIX study
reported that a large percentage of users failed to use PGP correctly.

{1: Getting them to follow practices is the 2nd half of the problem; as the
Deutch case demonstrates....}

wb8foz@nrk.com  [v].(301) 56-LINUX


Computers shut down aircraft engines in flight

<Mike Beims <mbeims@mail-fair.ivv.nasa.gov>>
Mon, 18 Sep 2000 15:57:01 -0400

The Aerospace Online newsletter reports that some Full Authority Digital
Engine Control (FADEC) units have performed uncommanded shutdowns of an
aircraft's engine in flight.  This led to the United States' Federal
Aviation Administration issuing an Airworthiness Directive (AD) requiring
that no more than one engine per airplane may use the suspect FADECs.

The root cause of the FADEC computer malfunction is a power transistor, and
the AD lists the FADEC units affected by their serial numbers.

From http://www.aerospaceonline.com:

2) AD released on Allison AE 3007A/C series turbofan engines

FAA adopted a final rule applicable to Allison Engine Company AE 3007A and
AE 3007C series turbofan engines that requires inspection before further
flight to determine that no more than one engine with a suspect FADEC is
installed on the same airplane. The rule was prompted by reports of
uncommanded in-flight shutdowns of engines caused by a potential hardware
failure mode in some AE 3007 series FADECs. The rule is effective 22 Sep
2000.

The AD text (.pdf) is available from Aerospace Online's Download Library:
http://www.aerospaceonline.com/read/nl20000912/213768

Mike Beims <Mike.A.Beims@ivv.nasa.gov>


Russian troops block power shutoff

<Doneel Edelson <doneel.edelson@eulergroup.com>>
Tue, 12 Sep 2000 15:53:29 -0400

A Russian strategic missile base had its power shut off as a result of a
year-long accumulated nonpayment of bills totalling about $683,000.  As a
result, troops took over the utility's switching station and restored power.
Earlier shutdowns affected hospitals, an air-traffic control center, coal
mines, a city sewage plant, and in 1995 a nuclear submarine at an Arctic sub
base.  [Source: Associated Press article by Vladimir Isachenkov, 12 Sep
2000, PGN-ed]


OPEC site hacked

<Mike Hogsett <hogsett@blob.csl.sri.com>>
Wed, 13 Sep 2000 11:08:41 -0700

Someone identified as "fluxnyne" cracked into the OPEC Web site, posting
this message: "I think I speak for everyone out there (the entire planet)
when I say to you guys to get your collective a**es in gear with the crude
price.  We really need to focus on the poverty-stricken countries, who don't
even have enough money for aspirin, let alone exorbi[t]ant prices for
heating oil.  I think the lives of children are paramount to your profits."
[http://dailynews.yahoo.com/h/nm/20000913/od/website_dc_1.html, PGN-ed
with ** filtering]


Navy carrier to run Win 2000

<Mike Ellims <mike.ellims@pitechnology.com>>
Wed, 20 Sep 2000 09:27:47 +0100

Apparently the new Navy aircraft carrier is to use Windows or some
derivative for at least some of its mission-critical applications.

"This is a new area for us," said Keith Hodson, a Microsoft Government
spokesman. "Windows-based products have not traditionally been associated
with Defense Department-specific mission-critical applications."

The Web site with the press release:
  http://www.gcn.com/vol19_no27/dod/2868-1.html

As they say, who do you want to shoot today?

Mike Ellims, Pi Technology  mike.ellims@pitechnology.com
www.pitechnology.com   +44 (0)1223 441 434


Re: Windows NT/2000 palm sync (Rubin, RISKS-21.04)

<Avi Rubin <rubin@research.att.com>>
Mon, 18 Sep 2000 19:59:26 -0400

Some people have pointed out that a virgin palm pilot would cause a pop-up
window asking for the user name, so for the attack that I mentioned to work,
you would have to know the username on the pilot of the person you were
attacking, and set that name in the new palm. It was also pointed out that
the palm databases can be backed up, in which case obviously data wouldn't
be lost. There may have been a few other problems with the hypothetical
attacks I mentioned. However, the main risk remains - that locking a Windows
machine with the alt-ctrl-del option does not prevent the palm from syncing,
and you can imagine ways in which this can be abused in addition to the
ones I mentioned in the original post.

Perhaps disabling the serial port would be a bit draconian. Then what about
the Ethernet port? What if someone wants to receive a fax while they are
away, but lock the computer? Where do you draw the line between locking the
computer and turning it off? These are difficult questions.  I believe the
sync issue when the computer is locked is a user interface problem, and yet,
everyone that I tell about being able to sync the pilot after locking
Windows 2000 is surprised. Locking the computer is a useful feature, but it
needs to be done in such a way that the user has an intuitive sense of what
is locked and what isn't. I don't have the solution.

Avi Rubin  http://avirubin.com/


Re: Identity theft (PGN, RISKS-21.04)

<"Carl Ellison" <cme@acm.org>>
17 Sep 2000 19:16:23 -0700

I used to try to keep my SSN private -- then I realized that that's blaming
the victim (me).  It's not the SSN holder's fault that stores and other
institutions use improper means for authenticating people.  It's the store's
fault.

Any information held by a credit bureau is public.  So is any information
held by any government agency, if I'm to believe the spam I get
occasionally.

So, that information is not acceptable for authentication -- even in person,
but especially online.  It's not merely unacceptable when dealing with the
credit bureau.  The credit bureau poisons the information for everyone.

Now -- how do we get consumer protection laws that make it clear that a
consumer is not liable for any debts incurred by someone claiming to be
him/her unless there is irrefutable authentication during registration
(e.g., videotape of the consumer signing up for the service)?  This means
killing all issuing of credit online, by mail, by phone, etc.

Maybe I'd stop getting all those credit-card applications in the mail....

[This opens a technical challenge: how can we authenticate anyone, if we rule
out information that an attacker can get?]

 - Carl

  [This topic has recurred in RISKS for many years, but the people who
  should be learning this lesson are not listening (or lessoning -- although
  they may be lessening).  Thus, your moderator not at all immoderately
  includes Carl's contribution.  PGN]


Re: D.01: Off by x100 (Blakley, RISKS-21.04)

<Terry Carroll <carroll@tjc.com>>
Mon, 11 Sep 2000 15:41:20 -0700 (PDT)

> I notice that both SmartMoney.com's "Map of the Market" and CNNfn's
> intraday chart have gotten confused by decimalization of stock prices.
> If you check out a decimalized stock (like Gateway (GTW), for example)
> at either of these sites ... you'll see that both sites think that
> Gateway's per-share valuation today (8/28) is $6655.00, instead of
> $66.55.

This is not (to the best of my knowledge) a decimalization issue, but for an
interesting computer error related to stock price, check out the quote for
Ford Motor Company (ticker symbol F) on Yahoo.

The data includes a spurious split of Ford stock on August 3, 2000: a
"-44:-24" split (or, on some screens, such as the historical data referred
to below, a "1748:1000" split).  However, there was no split on that date:
instead, there was a stock drop due to the Firestone tire problems.

You can see this most clearly by viewing a stock chart at
<http://finance.yahoo.com/q?s=F&d=3mm>.  Yahoo shows Ford as jumping from
around $26.50 (pseudo-split-adjusted) to around $29 (a 9% increase) on
August 3.  In reality, it dropped like a stone, from around $47 *down* to
around $29 (a 45% DECREASE).  Yahoo is split-adjusting for this
non-existent split.

The problem is also visible in the historical charts page, e.g., on
<http://chart.yahoo.com/d?s=f>.

I suspect that there's some program somewhere that treats such a
precipitous overnight stock price drop as a potential split, although why
it's not referred to a human for verification, and why it settles on such
odd ratios eludes me.

I reported the error to Yahoo a couple weeks ago.  They said that they'd
notify their data provider (CSI Data), who would verify and correct, and
that sometime in the future, the displays at Yahoo would again be
correct.  It's still not correct.

In the meantime, I hope that no Yahoo users are trying to rely on moving
averages or other historical bases to try to figure out a good time to
trade in Ford.

Terry Carroll, Santa Clara, CA  carroll@tjc.com


Re: New Pentium III chip recalled: typo (RISKS-21.04)

<Gideon Yuval <gideony@microsoft.com>>
Tue, 12 Sep 2000 15:02:15 -0700

> Intel is recalling its 1.3 gigahertz Pentium III chip

I think it was 1.13GHz, not 1.3


Risks of using HTML Mail and HTTP proxy "censorware" together

<Dan Birchall <djb0x7736fb0b@scream.org>>
20 Sep 2000 01:56:30 GMT

Summary: Unseen things in HTML mail may trigger HTTP censorware.

First, the data points:

1. Many workplaces, including mine, have HTML-"enabled" mail software
   on the desktop.

2. Many workplaces (though not as many), including mine, make use of
   HTTP proxy "censorware" to catch employees trying to access "bad"
   sites (porn, hate sites, hacking sites, etc).

3. Those sites, like many others, tend to use 1x1 GIFs for spacing
   and the like.

4. Users who read HTML mail rarely view the source.

Now, the risk:

It is extremely trivial to concoct an HTML mail message containing IMG SRC
calls to (near-)invisible 1x1 images, or other more damning images scaled to
1x1, from any number of "banned" sites.

If such a message is received and opened by someone with an HTML mail
reader, they will probably generate HTTP requests to those sites, which
would be blocked/logged by proxy censorware.

Thus, a prankster, BOFH, or anyone bent on malice can pull off a "joe job"
by sending e-mail to such a recipient.  The e-mail might appear to be
totally innocent based on its content, or might even be disguised as spam,
with forged headers and other junk.

It doesn't matter, really, as long as the recipient's mailreader generates
the HTTP requests for those files.  Enough entries in the censorware log
over a period of time, and someone's bound to start asking questions.

Of course, the HTTP requests are for individual files, not pages.  But if
the proxy is _blocking_ requests to "banned" sites (ours is), no pages could
be accessed anyway, so all log entries would be of an individual-file
nature.  These are just blocked requests for images, rather than blocked
requests for HTML files.

(As a side note, if someone were ideologically opposed to the use of
censorware, sending this sort of message to a large number of users behind
such a proxy, including those parties charged with administering the proxy,
would seem to be a fitting form of protest.)

Dan Birchall - Palolo Valley, Honolulu HI - http://dan.scream.org
Post your reviews; get paid: http://epinions.scream.org/join.html
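
A check a mail gateway or someone reviewing the proxy log could run against a received message, as an added example that is not part of the original post: it lists the hosts an HTML mail reader would contact for images declared at 1x1 or smaller, so blocked-request log entries can be matched to mail that was merely opened. The sample message, the `.example` host names and the function names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; all hosts use the reserved .example TLD.
SAMPLE_MESSAGE = """\
From: someone@sender.example
To: reader@corp.example
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Notes as discussed.</p>
<img src="http://banned-site.example/spacer.gif" width="1" height="1">
<img src="http://other-banned.example/photo.jpg" width=1 height=1>
<img src="http://intranet.corp.example/logo.png" width="120" height="40">
<img src="cid:part1.logo" width="1" height="1">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag as a dict."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _tiny(value):
    """True if a width/height attribute asks for 0 or 1 pixel."""
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    return text.isdigit() and int(text) <= 1


def remote_images(raw_message, trusted_hosts=()):
    """Describe each <img> in the HTML parts that would cause an HTTP(S) fetch.

    Only width/height attributes are inspected; CSS-based sizing is not.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            url = urlsplit(img.get("src", "").strip())
            if url.scheme not in ("http", "https"):
                continue  # cid:, data: and relative references reach no proxy
            host = (url.hostname or "").lower()
            findings.append({
                "host": host,
                "url": url.geturl(),
                "hidden": _tiny(img.get("width", "")) and _tiny(img.get("height", "")),
                "trusted": host in trusted_hosts,
            })
    return findings


def hosts_to_review(raw_message, trusted_hosts=()):
    """Hosts contacted only for near-invisible images, excluding trusted ones."""
    return sorted({f["host"] for f in remote_images(raw_message, trusted_hosts)
                   if f["hidden"] and not f["trusted"]})


if __name__ == "__main__":
    for host in hosts_to_review(SAMPLE_MESSAGE):
        print("near-invisible remote image from", host)
```
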


Concorde crash report

<Peter Kaiser <kaiser@acm.org>>
Tue, 12 Sep 2000 21:52:01 +0200

The Bureau Enquêtes-Accidents (BEA; Office of Accident Investigation) has
issued a preliminary report on the Concorde crash of 25 Jul 2000.  It may be
worth mentioning a couple of things here.

One is that the crew apparently never knew what was wrong, because there was
no means of sensing the actual problem: the catastrophic rupture of a fuel
tank caused by the explosion of a tire, with massive ignition of the leaking
fuel.  The Concorde's engines are instrumented to detect fire, but the tanks
are not; nor is there any means of detecting the rupture of a tank nor of
extinguishing a tank fire.  And the pilots couldn't see to the rear.  So all
the sensors were no use at all, and the flight was doomed before it left the
ground.  Undoubtedly the passengers on the left side of the plane could see
the flames and the disintegration of the left wing.

There's a parallel here to the instrumentation of computer systems in
places, and at levels, that make it possible to diagnose problems before
they result in catastrophe.

The aircraft carried three types of recorders.  The cockpit voice recorder
had external damage, but its thermal protection worked and its tape was
recovered intact.  The flight data recorder (FDR) didn't entirely protect
its tape from fire, and the report states that its

  ... recording was of moderate quality, which led to a certain number
  of losses of synchronization of the signal....  It was decided to
  search in parallel for better-quality information.

They turned to the quick-access recorder (QAR, in French literally
"maintenance recorder"), which is not required equipment:

  The QAR is an unprotected recorder.  It contains a copy of the FDR's data
  on magneto-optical disk, and is used by Air France to analyze flights.
  The method of writing on this disk uses three buffer memories whose role
  is to store data sent by the Flight Data Acquisition Unit (FDAU) until the
  conditions of vibration detected by an accelerometer within the QAR are
  favorable to write on the disk.  These are volatile memories which must be
  supplied with current to preserve the information they contain....

  The QAR's box was crushed and the magneto-optical disk deformed.  The card
  holding the memories, visible through the half-torn-off cover, seemed to
  be in good condition.  Thus it was decided to concentrate work on this
  card.  Two of the three memories had been torn off at the impact.  The
  third was still in place and powered.

No one had ever before tried to recover one of these memory units live from
a damaged recorder, but after some experimentation on other units, by
attaching the third memory to a parallel power supply they managed to move
it intact and operational to a working card.

  The contents of the third memory ... could be read and a copy of the disk
  was sent to the BEA [where] it became clear that the data from this flight
  were to be found on the only one of the three memories that had remained
  powered.  Because of the technology used, the quality of the recording was
  excellent and displayed no desynchronization.  Thus it was unnecessary to
  try to read the magneto-optical disk, nor to proceed with new work to
  acquire a [usable] signal from the FDR's tape.

So the flight data recorder didn't survive the crash unharmed, but a perfect
recording was recovered from the volatile digital medium within an
unprotected, vibration-sensitive, optional recorder.

The preliminary report, "Accident survenu le 25 juillet 2000 au lieu-dit La
Patte d'Oie de Gonesse (95) au Concorde immatriculé F-BTSC exploité par Air
France", is BEA document f-sc000725p, available from BEA's Web Site (only in
French).  All quotations above are my translations, for whose quality I beg
your forbearance.


Computerized air-conditioning risks

<Pere Camps <pere@pere.net>>
Tue, 19 Sep 2000 19:45:05 +0100 (BST)

We just moved offices this Monday to a brand new building and we found out,
the hard way, that the air-conditioning machines were working much too well:
we were freezing.

This surprised most of us, as the new AC system was run by a PC and it had a
very user-friendly interface. It looked very robust.

However, I, being a long-time RISKS follower, knew that having a PC for
controlling your AC wasn't necessarily A Good Thing (TM).

After some "debugging", we found out that the control software was buggy. We
reported this to the appropriate vendor, which confirmed the bug with us and
told us that it would soon be fixed.

In the meantime, we have to work with gloves and the coat on...

  [Added note: The bug with the PC software was so huge (it looks like it
  only happens with our setup - the vendor claims it is the first time it
  has happened), that what we have is the AC units running continuously, no
  matter what the thermostat tells the control unit.

  Good thinking that our department (MIS Support & Internet) was the only
  one that stayed behind and will move in three weeks' time. We know that it
  is not good to be beta testers of v1.0 "hardware and software" (i.e.,
  building).]


``Netspionage'' is the real security threat on the Net

<"NewsScan" <newsscan@newsscan.com>>
Tue, 12 Sep 2000 10:58:35 -0700

Teenage hackers who deface government sites or steal credit-card numbers
attract a lot of attention, but experts say the real problem of cybercrime
is corporate-sponsored proprietary information theft committed by
professionals who rarely get caught. According to the American Society for
Industrial Security, Fortune 1000 companies sustained losses of more than
$45 billion last year from thefts of proprietary information, and a survey
by the Computer Security Institute indicates over half of 600 companies
polled said they suspected their competitors were a likely source of
cyberattack. "Your competitors no longer have to be across town, or even
across the country; they're in other countries that have different laws and
business ethics," says Richard Power, who conducts the annual CSI survey.
"Culpability is much less. There is a lawless frontier in terms of theft of
trade secrets." Experts agree that while juvenile hackers often leave
calling cards enabling them to be traced, professional information thieves
are almost impossible to catch. What's even more frustrating is that many
firms never know their systems have been breached. "It's difficult for
people to see the theft of information," says the owner of a security firm.
"Information is the only asset that can be copied or stolen but nothing can
appear to be missing. You can still have the information... but have lost
the value of that information." (MSNBC, 11 Sep 2000
http://www.msnbc.com/news/457161.asp; NewsScan Daily, 12 September 2000)


Hackers offered $10,000 bait

<"NewsScan" <newsscan@newsscan.com>>
Wed, 13 Sep 2000 08:18:25 -0700

The Secure Digital Music Initiative, a forum of 175 companies in the music,
electronics, information technology and telecommunications industries
dedicated to developing a secure framework for the digital distribution of
music, is offering a reward of up to $10,000 to the first person to crack
its codes. In an open letter to the "alternative" press, SDMI executive
director Leonardo Chiariglione challenged hackers to "show off your skills,
make some money, and help shape the future of the online digital music
economy." SDMI has about 10 different proposals for "watermarking"
technology that could be embedded in a digital music file. Portable music
players complying with the SDMI standard would only work if the watermark --
an inaudible signal -- is present. SDMI has also issued the challenge to the
technology departments at the University of California at San Diego, MIT,
Virginia Tech and Stanford University. "The proposed technologies must pass
several stringent tests: they must be inaudible, robust and run efficiently
on various platforms, including PCs... So here's the invitation: Attack the
proposed technologies. Crack them. By successfully breaking the SDMI
protected content, you will play a role in determining what technology SDMI
will adopt," said Chiariglione. (*Financial Times*, 13 Sep 2000
http://news.ft.com/news/industries/media; NewsScan Daily, 13 September 2000)


A subtle fencepost error in real life

<Andrew Koenig <ark@research.att.com>>
Wed, 20 Sep 2000 15:15:49 -0400 (EDT)

I recently got email from amazon.com offering me a $50 discount on any order
of $100 or more from ashford.com.  As it happens, my wife's wristwatch
needed repair, and I decided that for $50 I wouldn't mind buying her another
watch if I could find one I thought she would like.

I found such a watch, for exactly $100.  When I tried to order it, the
ashford.com website wouldn't accept my promotional-offer code.  More
precisely, it accepted it but didn't indicate any discount.

So I called them on the phone.  The (very pleasant) sales rep said that he
could place the order for me.  When he tried, though, he also found that
their system wouldn't accept the promotional code.

He then told me that he would go ahead and place the order anyway, and once
it was in their system, he would make sure that I was charged the right
price.  It might take a day or two, but he would make it right.  I told him
to go ahead.

They let you track existing orders on their website.  Later that day, the
order was there, showing a price of $100.00.  The next day, it still showed
$100.00.  The following day, it showed $50.01.

If you've read this far, I trust that you can figure out what must
have happened.

Andrew Koenig, ark@research.att.com, http://www.research.att.com/info/ark

  [I can only assume that the resourceful sales rep added $0.01 to
  the price, in order to cater to a system that was implemented to
  offer the discount only for orders strictly greater than $100,
  rather than the $100 or more promised in the promotional email.  ARK]


New credit-card solution?

<"Joshua M Bieber (852-5436)" <jbieber@vnet.ibm.com>>
Tue, 12 Sep 00 09:47:43 EDT

Safer online shopping with disposable credit cards

American Express will launch a disposable credit-card service in the US next
month, designed to answer the worldwide worry of online shopping.  The
system, Private Payments, enables cardholders to access a random one-use
only credit-card number with an expiry date on the AmEx website, to be used
in making one online purchase.  In the event that the number is illegally
accessed during a transaction, it cannot be re-used by a hacker.  Visa and
Mastercard are also looking at similar ideas.

*The Independent Monday Review*, P9, *The Mirror*, P18

  [Not comforting! JMB]


Reconstructing Privacy - Conference Announcement

<Gene N Haldeman <geneh@cpsr.org>>
Sat, 16 Sep 2000 19:08:48 -0400

CPSR will hold its Annual Meeting for 2000, "Drawing the Blinds:
Reconstructing Privacy in the Information Age", October 14 & 15 on the
campus of the University of Pennsylvania in Philadelphia.  Marc Rotenberg
of EPIC will be receiving our Norbert Wiener award, and Dave Farber will be
keynoting.  More info and registration is at
http://www.cpsr.org/conferences/annmtg00/.

Gene N Haldeman <cpsr@gene-haldeman.com>  Mid-Atlantic Regional Director,
Computer Professionals for Social Responsibility
