The RISKS Digest
Volume 21 Issue 51

Monday, 16th July 2001

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

CD-eating fungus amongus
Gary Stock
The computer is taking over the train
Hanan Cohen
Trains Ain't Planes, it's plain to see
Daniel P Dern
Eli Lilly e-mail snafu reveals identities of Prozac users
Jeremy Epstein
Allan Noordvyk
Brownouts take out computers in Livermore
Fred Cohen
Phoenix BIOS phones home?
Merlyn Kline
Hacked caller ID?
Alexandre Pechtchanski
Anatomy of an Internet scam
NewsScan
Who watches the watchdog?
Gary Barnes
Autoresponder goes haywire
Joshua M Bieber
Auto-banner ads
Mark Richards
Microsoft pulls controversial Smart-Tag feature
NewsScan
Yearly siren test ...
Marco Frissen
4 to 6 *million* votes uncounted in 2000 election
PGN
US Voting Systems Standards - available for public comment
Thom Wysong
Re: Electoral fraud
David Hedley
Lindsay Marshall
Re: WashingtonPost.com real estate database
Tramm Hudson
Re: Uncleared disk space and MSVC
John Sullivan
Peter da Silva
Re: The risks of clueless marketing
Toby Riddell
10th USENIX Security Symposium
Tiffany Peoples
Info on RISKS (comp.risks)

CD-eating fungus amongus

<Gary Stock <gstock@nexcerpt.com>>
Tue, 19 Jun 2001 13:22:22 -0400

From Electronic Telegraph:

   http://www.telegraph.co.uk/et?ac=004299402432522&rtmo=k7bZ7bYp&atmo=rrrrrrrq&pg=/et/01/6/18/wfung18.html

Scientist finds fungus that eats through compact discs
By Robert Uhlig, Technology Correspondent

FIRST there was the computer virus. Now scientists have found a fungus
that eats compact discs.

Victor Cardenes, of Spain's leading scientific research body, stumbled
across the microscopic creature two years ago, while visiting Belize.
Friends complained that in the hot and sticky Central American climate,
a CD had stopped working and had developed an odd discoloration that
left parts of it virtually transparent.

Dr Cardenes and colleagues at the Superior Council for Scientific
Research in Madrid discovered a fungus was steadily eating through the
supposedly indestructible disc. The fungus had burrowed into the CD from
the outer edge, then devoured the thin aluminium layer and some of the
data-storing polycarbonate resin.

Dr Cardenes said: "It completely destroys the aluminium. It leaves
nothing behind." Biologists at the council had never seen this fungus,
but concluded that it belonged to a common genus called geotrichum.

Philips, the Dutch electronics company that invented the compact disc,
said it believed the Belize case was probably a freak incident caused by
extreme weather conditions.

Gary Stock  UnBlinking  gstock@unblinking.com  http://unblinking.com/


The computer is taking over the train

<Hanan Cohen <hanan_cohen@yahoo.com>>
Thu, 12 Jul 2001 08:50:58 +0200

Overhead on the MUNI this morning: "Hang on, please. The computer is
taking over the train." A feeling of dread rippled through the train.
"Finally," we all thought, "the war with the machines is beginning."

http://www.kottke.org/notes/0107.html#010711

Hanan Cohen - http://www.info.org.il


Trains Ain't Planes, it's plain to see

<Daniel P Dern <ddern@world.std.com>>
Wed, 20 Jun 2001 10:19:12 -0400 (EDT)

Usually, I do my work-related travel between Boston and New York by
plane, but I've been meaning to try train again, especially Amtrak's
allegedly-faster Acela.

So I call the company travel office to make reservations.  (I already
know which trains -- whatever the rail equivalent of "flights" is --
I want.)  An e-mail confirmation shows up a few minutes later, with a URL
pointing to an itinerary.

The itinerary showed the correct train numbers and arrival times.  No
departure times.

And had me going between (something like, IIRC) Aptco Test, Texas and
someplace in Arkansas.

I called the travel group back; they called Amtrak.  My reservation's
correct, but when the Amtrak system passed info to the next system, it tried
to parse City Codes as Airport Codes.

More obvious than the "metric vs. English" glitch, but still shows that just
because two programs _can_ talk to each other doesn't mean they've agreed on
what they're saying...  Fortunately, if I get on a southbound train from
Boston (traveling at n miles an hour accompanied by a parrot with a balloon
tied to one foot) it'll be hard to miss arriving in New York.

Daniel Dern, Executive Editor, Byte.com <ddern@world.std.com>


Eli Lilly e-mail snafu reveals identities of Prozac users

<"Jeremy Epstein" <jepstein@webmethods.com>>
Thu, 5 Jul 2001 18:31:50 -0400

Eli Lilly sent an announcement that it was discontinuing a mailing list,
using CC instead of BCC.  Some of the more than 600 recipients were unhappy
about having their e-mail addresses and Prozac use disclosed, because the
purpose of the list was to send out reminders to fill prescriptions for the
anti-depressant drug.  According to a *ComputerWorld* article, "Eli Lilly is
preparing a code audit review and 'working on a program that would block all
outbound e-mails with more than one address.'"  The American Civil Liberties
Union (ACLU) has asked the Federal Trade Commission (FTC) to investigate.

A little bit of anonymity is a good thing, even if it's not totally
anonymous (e.g., a Hotmail account).


Eli Lilly e-mail snafu reveals identities of Prozac users

<Allan Noordvyk <anoordvyk@alitech.com>>
Thu, 5 Jul 2001 12:56:29 -0700

This kind of error is made frequently by new users of e-mail software, but
it is interesting (but perhaps not surprising) to see that corporations
running large mailing lists occasionally make the same error.  In either
case, it's usually merely an annoyance, or a strategic embarrassment (i.e.,
effectively giving away your customer list to your competitors).  However,
in this case the desire of the patients to keep their medical condition
private adds another more serious layer to the risk.

Allan Noordvyk


Brownouts taking out computers in Livermore

<Fred Cohen <fc@all.net>>
Thu, 12 Jul 2001 16:27:52 -0700 (PDT)

On 11 Jul 2001, the power levels in Livermore, CA dropped to voltages so low
that air conditioners and computers could no longer operate.  Computers and
air conditioning units went off and on moment by moment -- some lighting
systems ended up burnt out, and those without UPSs on their computers had
significant data corruption.  It is especially noteworthy that this area was
NOT on the areas scheduled for blackouts.

It turned out to be a set of changes they were making in the infrastructure
-- half of our house became out of power, the other half still worked.  We
went to motor generator for the down half till we determined what was up,
then switched over to a cross feed from the rest of the house.  When power
came back we switched back - thank you UPSs and motor generators...

Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
Fred Cohen - Practitioner in Residence - The University of New Haven


Phoenix BIOS phones home?

<"Merlyn Kline" <merlyn@zynet.net>>
Wed, 20 Jun 2001 10:04:48 +0100

From slashdot: http://slashdot.org/yro/01/06/19/2039216.shtml

Myrv writes: "There is an interesting thread over at DSL Reports discussing
Phoenix Technologies new BIOS. This BIOS contains the PhoenixNet Internet
Launch System. ILS resides safely within ROM and is activated the first time
a user launches a PhoenixNet-enabled PC with a Windows 98 Operating
System. When the PhoenixNet ILS detects an Internet connection, it makes
contact with the PhoenixNet server and delivers user-selectable
services. These services are delivered to the user as hotlinks on the
desktop and in the web browser or, as applications that PhoenixNet
automatically packages, downloads and installs. It's 3 a.m., do you know who
your motherboard's talking to????"

Merlyn Kline = merlyn@zynet.net


Hacked caller ID?

<Alexandre Pechtchanski <pechtca@rockefeller.edu>>
Fri, 13 Jul 2001 15:53:49 -0400

I've recently discovered an incoming number in my caller ID list that looks
suspiciously like a hack.  The number is listed as 212-555-1212, which is a
long-distance directory assistance for New York, NY and, AFAIK, cannot be an
originating number.  I called Verizon Communications, which serves both my
home code 201 and New York's 212, and their service representative confirmed
that the call could not have originated from this number, but refused to
speculate on why I would see it on my caller ID.  I wonder how long it will
take for exploits of such a hole in telecommunication infrastructure to
invalidate law enforcement evidence as in, say, RISKS-21.50 article by
<knhaw@rockwellcollins.com> on Risks in inept election fraud, which mentions
that
 > * Prosecutors say they traced the IP address back to an AT&T
 >WorldNet user who repeatedly used the "Katie Stevens" Hotmail
 >account by connecting from Gunhus' home number. (Guess they keep
 >Caller ID logs.)

Alexandre Pechtchanski, Systems Manager, RUH, NY


Anatomy of an Internet scam

<"NewsScan" <newsscan@newsscan.com>>
Tue, 03 Jul 2001 09:54:11 -0700

Federal investigators have charged 53-year-old mid-westerner Donald A.
English with perpetrating an Internet-based "Ponzi" scheme that bilked tens
of thousands of small investors out of $50 million. In a Ponzi scheme, early
investors are paid phony "profits" from the money taken from other investors
who follow them, after hearing about the huge, fast profits.  Since no money
is really being earned, the pyramid eventually collapses, when the supply of
new investors diminishes. Many of the investors in English's operation,
which was called EE-Biz Ventures, were people who are elderly or sick. One
of them wrote: "I need at the least a full refund of the $3,000 spent if you
do not intend to pay anyone back.  Remember, I have cancer and am unable to
work for the next six months."  [*The New York Times*, 3 Jul 2001,
http://partners.nytimes.com/2001/07/03/business/03PONZ.html; NewsScan Daily,
3 July 2001]


Who watches the watchdog?

<Gary Barnes <gkb@bofh.org.uk>>
Fri, 22 Jun 2001 08:37:25 +0100

Thousands of consumers' credit card details were leaked by a "flaw" on a
(UK) Consumers' Association website, according to the BBC:
  http://news.bbc.co.uk/hi/english/business/newsid_1401000/1401648.stm

The consumers affected were people who had bought tax calculation software
from the Consumers' Association.

The ironic thing is that as a watchdog organisation for consumers, the
Consumers' Association is responsible for administering the Which? Web
Trader scheme which aims to make online shopping "easy and safe".

The Which? Web Trader Code of Practice at:

http://whichwebtrader.which.net/webtrader/code_of_practice.html

says of sites displaying the Which? Web Trader logo:

"You must have an effective security policy that you review regularly.

 Your policy must include the following:

 - you must ensure that your web site is secure so that consumers' personal
 information and transactions remain confidential and cannot be interfered
 with"

This incident will do more than most to make consumers aware of the RISKS of
shopping on the Net, given the current level of security of Web traders'
sites.

Gaz  gkb@bofh.org.uk (Gary "Wolf" Barnes)


Autoresponder goes haywire

<"Joshua M Bieber (852-5436)" <jbieber@vnet.ibm.com>>
Fri, 13 Jul 01 09:50:36 EDT

I had a strange experience with one of the mailing lists that I
subscribed to a week ago.  I am sure that this was mentioned in the past, if so
perhaps it is time for a reminder...

Basically what happened was that one of the subscribers to the mailing list
decided to get a new e-mail address, and as a courtesy to those who still
use the old e-mail address, set up an autoresponder on the old e-mail
address that sends the following message: (you know what got changed to
protect who)

>  From: guilty.oldaddy.com
>  To:   you.youraddy.com
>  Subject: Re: current discussion topic
>
>  Hello,
>  My new e-mail address is guilty.newaddy.com
>  Guilty Person

Ok, so what happened? Well, someone decided to post a message to the mailing
list which promptly sent a copy to all subscribers.  The autoresponder
picked it up and posted the above message to the sender which happened to be
the mailing list.  The mailing list then sent a copy of the autoresponder's
e-mail to all subscribers including the sender.  The autoresponder then sent
another e-mail to remind the mailing list of the new address.  Ad infinitum.

I was surprised to see 15 such entries in my mailbox when I checked my
e-mail before logging off that Sunday night.  When I realized that this is
what happened, I immediately notified via ICQ the owner of that mailing list
who happened to be on-line and she was able to put a stop to it immediately.
It isn't clear to me at this point whether she actually stopped it or the
guilty person logged on at that time and put a stop to it.  By the time it
stopped, a total of 46 notifications were sent.  This took up 100MB of my
allotted 4000MB mailbox space at malaspina.com. So if this hadn't been
stopped in time, a lot of mailboxes would have been full.

So what went wrong?  For starters:

1) Guilty Person forgot to change all mailing list subscriptions or
   more specifically, this particular one.
2) The autoresponder wasn't configured to send exactly one e-mail to
   any given user (or maximum of one per day).
3) The mailing list in question didn't have a mechanism that would
   recognize duplicate message body being sent over and over again
   and reject duplicate submissions.

I notified the mailing list site with a copy of the offending e-mail
explaining what happened and asked them to do what they can to prevent this
from happening again.  The mailing list owner deleted the duplicate entries
from the archives and Guilty Person apologized.
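
The guards missing in points 2 and 3 above, as an added example that is not part of the original post or of any mailing-list software. The class names, sample messages and addresses are constructed for illustration; the checks rely on the standard Auto-Submitted, Precedence and List-Id header fields.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr

ONE_DAY = 24 * 60 * 60

# Constructed sample messages (addresses are placeholders).
LIST_COPY = """\
From: discussion@list.example
To: guilty@oldaddy.example
Subject: current discussion topic
List-Id: <discussion.list.example>
Precedence: list

Original post from a subscriber.
"""
# Same list copy, but from list software that sets no list headers.
BARE_LIST_COPY = LIST_COPY.replace(
    "List-Id: <discussion.list.example>\nPrecedence: list\n", "")
NOTICE = """\
From: guilty@oldaddy.example
To: discussion@list.example
Subject: Re: current discussion topic

Hello,
My new e-mail address is guilty@newaddy.example
"""
# The same notice sent by a responder that labels its output as automatic.
AUTOREPLY = NOTICE.replace("Subject:", "Auto-Submitted: auto-replied\nSubject:")

def parse(raw):
    return message_from_string(raw)

def is_automated(msg):
    """True for mail that is itself machine-generated or bulk."""
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return True
    return msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk")

class AutoResponder:
    """Point 2: at most one auto-reply per sender per interval."""
    def __init__(self, interval=ONE_DAY):
        self.interval = interval
        self.last_reply = {}          # sender address -> time of last reply

    def should_reply(self, msg, now):
        if is_automated(msg) or msg.get("List-Id") is not None:
            return False              # never answer list or robot traffic
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender:
            return False
        last = self.last_reply.get(sender)
        if last is not None and now - last < self.interval:
            return False              # already told this sender recently
        self.last_reply[sender] = now
        return True

class ListDedup:
    """Point 3: the list refuses automated posts and repeated bodies."""
    def __init__(self):
        self.seen = set()

    def accept(self, msg):
        if is_automated(msg):
            return False
        # Normalise whitespace and case so trivial variations still match.
        body = " ".join(msg.get_payload().split()).lower()
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest in self.seen:
            return False
        self.seen.add(digest)
        return True
```

Either guard alone breaks the loop: with only the rate limit, the list receives one notice per day instead of one per round trip; with only the duplicate check, the second identical notice is never redistributed.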


Auto-banner ads

<"Mark Richards" <mark.richards@massmicro.com>>
Thu, 12 Jul 2001 21:40:06 -0400

As reported in last week's NTK digest (http://www.ntk.net), auto-generated
banner ads (particularly when appearing in news pages) can generate
significant embarrassment.

NTK illustrates it at http://www.ntk.net/2001/07/06/dohburn.gif
however they are not certain as to its authenticity.

At any rate, having a banner ad titled "Burn baby, burn" (a reference to
a CD ROM burner) above a story titled, "One toddler dead, another
critical after house fire", certainly brings home the point.

With mindless automation, the embarrassment possibilities are infinite.


Microsoft pulls controversial Smart-Tag feature (Re: RISKS-21.46)

<"NewsScan" <newsscan@newsscan.com>>
Thu, 28 Jun 2001 09:18:41 -0700

Bowing to a wave of criticism, Microsoft says it will kill plans to include
a Smart Tag feature in its forthcoming Windows XP operating system.  The
feature would have allowed Internet Explorer to turn any word on any Web
site into a link to Microsoft's own sites and services, or to a site of
Microsoft's choosing. The company continues to defend Smart Tags in
principle, and plans to work toward including it in a future version of
Windows or Internet Explorer, but group VP Jim Allchin said the decision was
made to remove the Smart Tags because "we got way more feedback than we ever
expected." Although many people view the public reaction against Smart Tags
as excessive, Wall Street Journal columnist Walter Mossberg says,
"...Microsoft's dominant Internet Explorer browser is like a television set,
or a digital printing press, for the Web. Its function is to render --
accurately and neutrally -- all Web pages that follow standard
programming... Microsoft has a perfect right to produce and sell its own Web
content with its own points of view. But it is just plain wrong for the
company to use the browser to seize editorial control and to steal readers
from other sites." [*Wall Street Journal*, 28 Jun 2001
http://interactive.wsj.com/archive/retrieve.cgi?id=SB993679289461737795.djm
(sub req'd); NewsScan Daily, 28 June 2001]


Yearly siren test ...

<marco.frissen@philips.com>
Thu, 7 Jun 2001 13:39:58 +0200

On 6 June 2001, 12:00, 12:05 and 12:10 were targeted for the siren test in
the Netherlands. The sirens are used to warn people if a catastrophe has
happened (remember Enschede, fireworks factory), or war has started.  In the
past, when sirens were still mechanical, these tests occurred once every
month (first Monday of the month).  Now, everything is computerised, and
'they' have decided to test only once a year.  Well, after the test this
time, a lot of sirens did not work at all, or some started too late.  In
Limburg, a province in the south, 6 sirens refused to work, due to a software
glitch.  In Groningen, in the North, also. Other areas were also 'silent'.

Because the new sirens have high-tone 'woops', the sound doesn't travel
nearly as far as the old sirens. If one fails, there's little chance of
hearing another for people living close to the 'silent' siren.  The Risk?
Only your life...

Marco Frissen    CryptoWorks


4 to 6 *million* votes uncounted in 2000 election

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 16 Jul 2001 14:05:13 PDT

One person, one vote?  NO.  And Florida was not the worst state.  According
to the Caltech/MIT study, Illinois, South Carolina, Idaho, Wyoming, and
Georgia had even higher rates of uncounted ballots.  In all, up to 2 million
ballots were discarded because of faulty/aged equipment or poorly designed
ballots; up to 3 million due to registration foul-ups; up to another million
or so because of polling-place screwups; and an unknown number of absentee
ballots discarded.
  http://www.cnn.com/2001/ALLPOLITICS/07/16/voting.problems/index.html

And the 15 Jul 2001 issue of *The New York Times* had several articles
documenting widespread irregularities in the counting of absentee ballots in
Florida.


US Voting Systems Standards - available for public comment

<Thom Wysong <wysong@technodemocracy.org>>
Mon, 02 Jul 2001 22:35:36 -0400

The US Federal Election Commission (FEC) has made available for public
comment an updated version of their Voting Systems Standards (VSS). The
original US VSS were published in 1990. They have gone un-revised until
now. The draft for the updated "Volume 1: Voting System Performance
Standards" is currently available. The draft for the updated "Volume 2:
Voting System Test Standards" is scheduled to be released for public comment
in late 2001.

The FEC press release is at http://www.fec.gov/press/062801nvra.html

An overview of the Voting Systems Standards is at
http://www.fec.gov/pages/standardsoverview.htm

The current draft of VSS Volume 1 is at
http://fecweb1.fec.gov/pages/vss/062801vss.html

Comments may be submitted to the FEC at vss@fec.gov.


Re: Electoral fraud (Finch, RISKS-21.50)

<David Hedley <dhedley@hebdenbridge.u-net.com>>
Fri, 13 Jul 2001 14:13:40 +0100

While not disagreeing that fraud in UK Elections has been made easier by
easing restrictions on postal votes, things are not as bad as Tony Finch
implies.

The procedure is as reported - I can phone and ask for as many forms as I
wish. But I can't just sit and fill them all in. To obtain a postal vote,
it is necessary to be on the electoral register to start with. If you are
on the register, then you can fill in one form for a postal vote, and
receive your postal vote. In the past, you were expected to vote in person
unless there was a good reason not to do so. Now, anyone may obtain a
postal vote. The voting papers are then sent to your address for you to
fill in and return by post. You are blocked from voting in person. Filling
in a second form (for the same voter) does not acquire an extra vote!

The system is open to fraud. To get on the electoral register is easy. All
there is to do is list the people who live at an address on a particular
date and who are eligible to vote. It is presumably easy to add a few names
at this stage. It is also not unknown for impostors to vote, especially for
dead people. It is extremely rare, however, for an impostor to vote instead
of a living person.

There is now an extra potential for fraud. In the past, postal votes could
only be obtained for one vote at a time. Now it is possible to obtain a
postal vote for life, no matter what changes of address occur.

I can also assure Tony that many Brits are happy to criticise the US
"banana republic election" and don't feel pillocks for doing so.

I am happy that (a) my [postal] vote was counted, (b) I was not barred from
voting because I lived in a black neighbourhood and/or may have once had a
conviction, (c) the voting process and checking of electoral lists is not
in the hands of a political party, (d) the judges who rule on the validity
of the voting are not appointees of a political party.

And, of course, the party with the most votes won the election.

David Hedley


Re: Electoral fraud (Finch, RISKS-21.50)

<Lindsay.Marshall@newcastle.ac.uk>
Fri, 13 Jul 2001 11:04:58 +0100 (BST)

Tony Finch describes the process for getting a postal vote in the UK. His
description does not match my experience at all. Yes, I had to phone a
number, but I was then sent an *application* form which I had to fill in and
return. There was never any opportunity a) for saying how many votes I
wanted or b) for getting more vote forms. (I should also add that there was
never any opportunity for me to vote either as the post office managed to
take over a week to deliver my application and so I missed the closing date
for applications so I never even got to see a postal vote form)

http://catless.ncl.ac.uk/Lindsay


Re: WashingtonPost.com real estate database

<hudson@swcp.com (Tramm Hudson)>
18 Jun 2001 23:50:14 GMT

Nick Laflamme <dplaflamme@alumni.nd.edu> wrote in comp.risks 21.49:
> WashingtonPost.com, in association with a local real estate agency, has put
> up a database of home sale prices and property tax appraisal values.

I had to check the price for the most famous address in the DC area,
2600 Pennsylvania Ave NW.  According to the database, it is owned by
the Exxon Corporation, has zero bathrooms and was assessed at US$1.3M.

My screenshot of the listing is available here:

	http://www.swcp.com/~hudson/whitehouse.html

The risks are obvious...

hudson@swcp.com  hudson@turbolabs.com  http://www.swcp.com/~hudson/
W 505.986.60.75  KC5RNF @ N5YYF.NM.AMPR.ORG

  [NOTE: This item would be interesting were the White House at 2600
  instead of 1600 Pennsylvania.  Indeed EXXON owns 2600.  Your moderator
  apologizes for letting this one slip by.  PGN]


Re: Uncleared disk space and MSVC (Winfrey, RISKS-21.50)

<John Sullivan <john@kanargh.force9.co.uk>>
Fri, 13 Jul 2001 03:40:16 +0100

> Anyone compiling programs with MSVC may want to examine the output closely
> for data that shouldn't be there.

Well, it's not really MSVC's fault - it is definitely the operating system's
job to make sure that no sensitive data is leaked from one process to
another, in any way whatsoever. If MSVC exhibits this behaviour then it
could just as easily happen to Word or any other application, and I bet your
company sends out far more Office documents than finished executables.

You didn't mention what OS or filesystem you were running. If it was Windows
95/98/ME or NT on a FAT filesystem, then it would still be a seriously bad
defect, but one I wouldn't be *too* surprised to see existing.  If it was NT
on an NTFS filesystem, then it is absolutely unforgivable because that's
exactly the sort of leak it claims to prevent.

And don't forget that even if your OS doesn't leak sensitive information via
disk or memory allocations, most compilers *deliberately* leak small
amounts of information identifying the build environment - for example gcc
puts dummy symbols "gcc2_compiled." in all object files which you have to be
careful to strip out if that's important to you. Not that I imagine it's too
hard to identify a compiler without such blatant clues.


Re: Uncleared disk space and MSVC (Winfrey, RISKS-21.50)

<peter@abbnm.com (Peter da Silva)>
13 Jul 2001 12:59:48 GMT

It's not the compiler's fault, it's the operating system's fault.
Application programs should never have a mechanism that lets them look
at the contents of unallocated blocks.

Actually, it may not even be the operating system's fault.

I suspect your "clearspace" program overwrote some blocks the OS
thought were already cleared. If they use a "block clearing daemon" to
clear unallocated blocks in the background, your program could have
caught them after the daemon had passed them by.

Still, I can't think of any reason for the OS to actually read cleared
blocks off disk.  They should hand out a freshly zeroed block of memory
and write it to disk later. . . possibly it did do that, then since the
compiler never modified those blocks it didn't write them back to disk
since they were already clear.

A risk of using third-party utilities that modify things without informing
the OS?


Re: The risks of clueless marketing (J.McCarthy RISKS-21.46)

<Toby Riddell <tobyriddell@yahoo.com>>
Sun, 1 Jul 2001 08:10:20 -0700 (PDT)

chi-rho sounds rather like Cairo. I don't follow Microsoft all that closely
but wasn't this one of their codenames?

  [also noted by Craig Cottingham.  PGN]


10th USENIX Security Symposium

<Tiffany Peoples <tiffany@usenix.org>>
Mon, 16 Jul 2001 10:14:58 -0700

10th USENIX Security Symposium
August 13-17, 2001, Washington, D.C.

For more information and to register, visit:
  http://www.usenix.org/events/sec01

REGISTER BY JULY 20, 2001 AND SAVE UP TO $200!

The 2001 10th Security Symposium is sponsored by
USENIX, the Advanced Computing Systems Association.   www.usenix.org
