The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 67

Monday 1 October 2001

Contents

Aftermath of 11 September 2001
PGN
GAO reports on terrorism
Monty Solomon
Warding off cyberterrorist attacks
NewsScan
Hackers face life imprisonment under 'Anti-Terrorism' Act
Monty Solomon
Gartner "Nimda Worm shows you can't always patch fast enough"
Alistair McDonald
Hacker re-writes Yahoo! news stories
Gary Stock
YAHA: Yet Another Hotmail Attack
Alistair McDonald
Hackers and others win big in Net casino attacks
Ken Nitz
Creator of Kournikova virus gets 150 hours of community service
Abigail
"Good Samaritan" hacker pleads guilty to breaking and entering
Declan McCullagh
U.S. court shuts down deceptive Web sites
Jim Griffith
Report on vulnerabilities of GPS
Joseph Bergin
All public hospitals in Gothenburg Sweden Crippled by nimda
Peter Håkanson
Y2K flaw blamed for Down's Syndrome test errors
Les Weston
Re: Oxygen tank kills MRI exam subject
PGN
E-voting in Australia
Tony Jones
Australians voice anger over online spying
Monty Solomon
World Trade Center in RISKS
Jay R. Ashworth
We only reveal a few digits of your account number, don't worry
Dan Jacobson
X-ray machine risk
Asa Bour
Increasing RISKS of UPPER CASE
Stuart Prescott
2002 USENIX Annual Technical Conference - Call for papers
Ann Tsai
Info on RISKS (comp.risks)

Aftermath of 11 September 2001

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 1 Oct 2001 11:06:12 PDT

The Risks Forum has long advocated the importance of increased awareness of
risks and avoidance of critical systems with too many inherent weak links.
On 11 Sep 2001, the Internet stood up well and was a very important source
of information; land-based and cellular telephone systems experienced major
outages in lower Manhattan.  A few companies such as Cantor-Fitzgerald and
eSpeed suffered huge personnel losses, but were nevertheless able to resume
operations quickly -- through various combinations of advanced planning and
rapid recovery strategies.  There are many lessons that are worth recording
here, so I would like to invite some of you to contribute short but pithy
items on what was achieved, what was learned, and what insights you might
have gained.  [Thanks to Scott Rainey for encouraging me to do this.]


GAO reports on terrorism

<"monty solomon" <monty@roscom.com>>
Thu, 20 Sep 2001 17:28:02 -0400

Combating Terrorism: Selected Challenges and Related
Recommendations. GAO-01-822, September 20.
http://www.gao.gov/new.items/d01822.pdf

Aviation Security: Terrorist Acts Demand Urgent Need to Improve Security at
the Nation's Airports, by Gerald L. Dillingham, director, physical
infrastructure issues, before the Senate Committee on Commerce, Science, and
Transportation. GAO-01-1162T, September 20.
http://www.gao.gov/new.items/d011162t.pdf

Aviation Security: Terrorist Acts Illustrate Severe Weaknesses in Aviation
Security, by Gerald L. Dillingham, director, physical infrastructure, before
a joint hearing of the Senate and House Appropriations Subcommittees on
Transportation and Related Agencies. GAO-01-1166T, September 20.
http://www.gao.gov/new.items/d011166t.pdf


Warding off cyberterrorist attacks

<"NewsScan" <newsscan@newsscan.com>>
Mon, 01 Oct 2001 08:19:36 -0700

Internet experts believe that the threat of cyber-attacks are increasing,
though not necessarily from Osama bin Laden's AlQaida network, which seems
focused on destroying physical targets and killing civilians. Georgetown
University computer science professor Dorothy Denning says, "It's my
understanding that they're not teaching this in the terrorist-training
camps," but rather that the danger comes from "these thousands of affiliates
or sympathizers." Stephen Northcutt, who runs an information warfare
simulation for the SANS Institute, warns that terrorist could "potentially
paralyze commerce" and might be able to "accomplish a cascading failure of
the electronic grid." (*San Jose Mercury News*, 1 Oct 2001; NewsScan Daily,
1 October 2001; http://www.siliconvalley.com/docs/news/depth/cyber100101.htm)

  [Also, there is clearly renewed interest in off-site backup data storage.
  PGN]


Hackers face life imprisonment under 'Anti-Terrorism' Act

<Monty Solomon <monty@roscom.com>>
Tue, 25 Sep 2001 16:32:58 -0400

Hackers face life imprisonment under 'Anti-Terrorism' Act; Justice
Department proposal classifies most computer crimes as acts of terrorism
By Kevin Poulsen, 23 Sep 2001

Hackers, virus-writers and web site defacers would face life imprisonment
without the possibility of parole under legislation proposed by the Bush
Administration that would classify most computer crimes [and maybe noncrimes
(PGN)?] as acts of terrorism.  The Justice Department is urging Congress to
quickly approve its Anti-Terrorism Act (ATA), a twenty-five page proposal
that would expand the government's legal powers to conduct electronic
surveillance, access business records, and detain suspected terrorists.
[See http://www.securityfocus.com/news/257 for the full item.  PGN]


Gartner "Nimda Worm shows you can't always patch fast enough"

<Alistair McDonald <alistair@bacchusconsultancy.com>>
Fri, 21 Sep 2001 13:07:00 +0100

Gartner is recommending that IIS users who have been hit by the recent MS
exploits should "immediately" consider moving to alternatives such as Apache
or iPlanet.  http://www4.gartner.com/DisplayDocument?doc_cd=101034

But when will those in control take note?  I'm sure that a lot of NT/200
sysadmins (and especially Webmasters) are aware of the limitations of their
platform, but corporate strategy means that they are a "Microsoft shop".

Alistair McDonald 	Bacchus Consultancy 	www.bacchusconsultancy.com


Hacker re-writes Yahoo! news stories

<Gary Stock <gstock@nexcerpt.com>>
Mon, 24 Sep 2001 09:50:34 -0400

  Will Knight, New Scientist, 20 Sep 01
  http://www.newscientist.com/news/news.jsp?id=ns99991329

A computer security expert has revealed how he altered news articles posted
to Yahoo!'s web site without permission. The incident highlights the danger
of hackers posting misleading information to respected news outlets.
Freelance security consultant Adrian Lamo demonstrated that, armed only with
an ordinary Internet browser, he could access the content management system
used by Yahoo!'s staff use to upload daily news.  He added the false quotes
to stories to prove the hole was real to computer specialist site Security
Focus.  Yahoo! has issued a statement saying the vulnerability has been
fixed and security is being reviewed.  But experts say that the incident
demonstrates a serious risk. "Just think how much damage you could do by
changing the quarterly results of a company in a story," says J J Gray, a
consultant with computer consultants @Stake.

Gary Stock, CIO & Technical Compass, Nexcerpt, Inc.  1-616.226.9550
gstock@nexcerpt.com


YAHA: Yet Another Hotmail Attack

<Alistair McDonald <alistair@bacchusconsultancy.com>>
Fri, 21 Sep 2001 09:49:00 +0100

Yet another attack on hotmail. Computing (20 Sept 2001) reports that one can
hack the hotmail web site, and redirect users to another site. This brings
up the possibility of password collecting. The hacker, known as "Oblivion",
reported this to the bugtraq mailing list. The exploit involves smuggling
javascript code through the filters used at hotmail.

Alistair McDonald 	Bacchus Consultancy 	www.bacchusconsultancy.com


Hackers and others win big in Net casino attacks

<Ken Nitz <nitz@SDL.sri.com>>
Mon, 10 Sep 2001 09:14:27 -0700

  http://news.excite.com/news/r/010910/11/net-tech-gambling-hacking-dc

  [The article is on risks in on-line gambling, and particularly
  CryptoLogic, Inc., a Canadian on-line casino games developer that has been
  hacked.  One of their sites had been "fixed" so that craps and video slot
  players could not lose, with winnings totalling $1.9 million.  Every dice
  throw turned up doubles, and every slot spin generated a perfect match.
  Whether it was an insider attack or a penetration is not clear from the
  article.  (We noted the likelihood of hacking of Internet gambling sites
  in RISKS-19.27, 1 Aug 1997, not to mention my 1995 April Fool's piece in
  RISKS-17.02.)  Interesting question: which laws against hacking will apply
  to subversions of illegal Internet gambling parlors?  Who gets to
  prosecute remote attacks on off-shore operations?  PGN-ed]


Creator of Kournikova virus gets 150 hours of community service

<"Abigail" <abigail@foad.org>>
Fri, 28 Sep 2001 01:16:42 +0200

>From http://www.volkskrant.nl/nieuws/nieuwemedia/1001567916953.html
(in Dutch).

27 Sep 2001

The 20-year-old creator for the Kournikova virus, J. de W. from Sneek, was
sentenced to 150 hours of community service by the court of Leeuwarden this
Thursday. The prosecution demanded the maximum of 240 hours of community
service.  In February De W. released on the Internet the so-called
wormvirus, which spread itself as an e-mail message. The virus was activated
by clicking the e-mail which was titled Anna Kournikova (the tennis
player). This lead to inconvenience of Internet users all over the world.
When determining the sentence, the court took into consideration that the
boy had no previous run-in with justice, that he turned himself in, and that
material damages were limited. The American investigation service FBI
reported an amount of $166.827 in damages.


FC: "Good Samaritan" hacker pleads guilty to breaking and entering

<Declan McCullagh <declan@well.com>>
Thu, 27 Sep 2001 12:53:53 -0400

  [Follow-up on RISKS-21.62 items.  PGN]

'Good Sam' Hacker 'Fesses Up, By Declan McCullagh, 27 Sep 2001 declan@wired.com

It seemed like such a straightforward example of prosecutorial misconduct:
An Oklahoma man was being investigated by the Justice Department for helping
a newspaper fix a Web site security hole.

The outcry among the geek community last month began with an uncritical
story on LinuxFreak.org entitled "Cyber Citizen Lands Felony Charges?" Sites
such as Slashdot soon picked up the sad tale of 24-year-old Brian K. West as
evidence of out-of-control, tech-clueless government lawyers, and urged
everyone to e-mail the U.S. Attorney in charge of the prosecution.

Making the story even more appealing to the open-source community was the
Microsoft angle: West was said to have reported to the Poteau (Oklahoma)
Daily News and Sun a security flaw in Microsoft NT 4.0 IIS and Microsoft
FrontPage.  But a guilty plea that West signed tells a far different story
-- and shows how easily a well-meaning community of programmers and system
administrators can be led astray.

http://www.wired.com/news/politics/0,1283,47146,00.html

  [Politech archive on U.S. v. Brian K. West:
  http://www.politechbot.com/cgi-bin/politech.cgi?name=sperling]

  [PGN-excerpted from the Sperling release:
    While probing the site, defendant made copies of six proprietary
    Practical Extraction Report Language (PERL) scripts that were part of
    the source code running the PDNS Web page.  Defendant also obtained
    password files from PDNS and used those passwords to access other parts
    of the PDNS Web page.  Defendant electronically shared the scripts and
    the password files for the PDNS Webs ite with another individual.
    Defendant's access to the Web page involved interstate communications.
    ...]


U.S. court shuts down deceptive Web sites

<griffith@olagrande.net>
Mon, 1 Oct 2001 14:59:23 -0500 (CDT)

Reuters reports that the U.S. District Court in Philadelphia has ordered
John Zuccarina to shut down sites operated by him.  The Federal Trade
Commission filed a complaint against Zuccarina, claiming that he has
purchased domain names which are misspellings or other "one-offs" of
popular sites, which he uses to "blitz" unsuspecting visitors with pop-up
ads, from which the user cannot escape, in order to receive advertising
revenue (estimated between $800K and $1 million).  Zuccarina has registered
some 5500 domains, including www.annakurnikova.com, 41 variants of
"Britney Spears", and others.

http://www0.mercurycenter.com/breaking/docs/081329.htm


Report on vulnerabilities of GPS

<Joseph Bergin <berginf@pace.edu>>
Tue, 11 Sep 2001 07:31:31 -0400

Yesterday (10 Sept. 2001) the U.S. Transportation dept released a report
on the vulnerabilities of the Global Positioning System. The report can
be obtained from
  http://www.navcen.uscg.gov/gps/geninfo/pressrelease.htm

There is a short story about it in *The New York Times 11 Sep 2001:
  http://www.nytimes.com/2001/09/11/national/11NAVI.html

The report notes that GPS is being increasingly relied on for life-critical
performance in transportation and recommends that various backups be
maintained and new ones developed.

Joseph Bergin, Professor, Pace University, Computer Science, One Pace Plaza,
  NY NY 10038  berginf@pace.edu  HOMEPAGE http://csis.pace.edu/~bergin/


All public hospitals in Gothenburg Sweden Crippled by nimda

<Peter Håkanson <peter@ipsec.nu>>
Tue, 25 Sep 2001 10:42:55 +0200

The hospitals in "Västra Götaland" sweden (west coast, population 1M)
were isolated fron Internet during 23 Sep 2001.  Some of internal networks
had to be partitioned to prevent nimda spreading further.  Reservations and
computer-based medical records were unavailable.  http://www.vgregion.se

The fact that a hospital chain has so relaxed security is amazing.  It's
also amazing that whole organizations are kept hostage of a vendor that's
not even cost-effective.

What would happen in case we get a *real* threat to security??

Peter Håkanson, IPSec sverige, Bror Nilssons gata 16  Lundbystrand
S-417 55  Gothenburg   Sweden  "Safe by design"  +46707328101   peter@ipsec.nu


Y2K flaw blamed for Down's Syndrome test errors

<Les Weston <trusteemse@mailexpire.com>>
Fri, 14 Sep 2001 13:24:33 +0100

The Y2K problem is being blamed for incorrect Down's Syndrome results being
given to more than 150 pregnant women throughout northern England between
January and May last year.  As a result, four Down's syndrome pregnancies
went undetected.  Amongst other factors, the mother's age is used to assess
her risk category. Only those in the high-risk category undergo further
tests for the syndrome.  Staff noticed the strange results coming from the
system, but initially thought they was due to a different mix of women being
tested.

Full report:
http://news.bbc.co.uk/hi/english/health/newsid_1541000/1541557.stm

Les Weston, Quinag-CSL, Edinburgh.

  [Also noted by several others.  TNX.  Overconfidence in the PathLAN
  computer was blamed for errors, occurring between 4 Jan and 24 May 2001.
  PGN]


Re: Oxygen tank kills MRI exam subject (RISKS-21.55)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sun, 30 Sep 2001 10:44:16 PDT

Westchester Medical Center was fined $22,000 for 11 violations related
to the death of the 6-year-old boy killed by the magnetically attracted
stray oxygen tank carried into the room by a doctor.
  http://www.newsday.com/news/nationworld/wire/sns-ap-mri-death0928sep28.story


E-voting in Australia

<tmj@enternet.com.au (Tony Jones)>
Sun, 23 Sep 2001 06:31:10 +1000 (EST)

On 20 October 2001 there will be an election of members of the Legislative
Assembly of the Australian Capital Territory. It is hoped that about 9% of
voting will be done using a new electronic voting system. Further details
are at <http://www.elections.act.gov.au/Elecvote.html>.

For the electronic system, no independently verifiable copy of a voter's
choices will be kept.  The selections made by a voter and displayed on the
monitor of the voting computer will be, we're led to believe, what go into
the duplicated databases for counting.

RISKS readers will be reassured to know that (see
<http://www.elections.act.gov.au/media0104.html>):

  "The new software will be subjected to extensive testing to ensure it is
  accurate and secure, as well as easy to use. The software will be used on
  standard computer hardware, that will not be connected to any external
  networks. The system will also include numerous backups and safeguards to
  ensure that voting data will not be lost. This will guarantee the security
  of the electronic voting and counting processes," Mr Green [the ACT
  Electoral Commissioner] said.

I hope Murphy is not eligible to vote.

  [Actually, given the flakiness and lack of security in existing
  all-electronic voting systems, it is likely that Murphy's entire surrogate
  extended family will be able to vote repeatedly, many times over.  PGN]


Australians voice anger over online spying

<Monty Solomon <monty@roscom.com>>
Sat, 8 Sep 2001 13:08:38 -0400

Australians voice anger over online spying
By Rachel Lebihan, ZDNet Australia News, 07 September 2001

Only three percent of surveyed ZDNet readers believe Internet Service
Providers should monitor all user activity, following a parliamentary report
that recommends user logs should be kept on customers' online activities.
The diminutive support for tighter online monitoring was transcended by a
resounding 60 percent of polled readers who said they would kick up a fuss
until the law was changed, if ISPs were forced to maintain access logs.
http://www.zdnet.com.au/news/breakingnews/story/0,2000020826,20259325,00.htm


World Trade Center in RISKS

<"Jay R. Ashworth" <jra@baylink.com>>
Tue, 11 Sep 2001 16:36:04 -0400

In light of this morning's events, which I will not minimize by trying
to select an adjective to describe, I thought it might be interesting
to search the RISKS archives, and see how the building's history
figures in that sphere.

First, there's coverage of the car bombing, and how the evac plan and
generators failed, in
  http://catless.ncl.ac.uk/Risks/14.37.html#subj4.1
with follow-on in
  http://catless.ncl.ac.uk/Risks/14.38.html#subj5.1
  http://catless.ncl.ac.uk/Risks/14.39.html#subj8.3

There's other coverage of the bombing, as well, in
  http://catless.ncl.ac.uk/Risks/14.39.html#subj8.2
which discusses how the building operators are allowed to violate the
building codes that they would be otherwise bound by.

Also,
  http://catless.ncl.ac.uk/Risks/14.39.html#subj8.2
discusses the fact that damned near every TV and most of the radio broadcast
antennas serving NYC and Eastern NY State just hit the ground as well; that
had to be making life miserable for people trying to get the word out.

  http://catless.ncl.ac.uk/Risks/14.41.html#subj1.1
discusses an ATM outage in NJ attributable to the evac from that bombing.
Another outage in California happened at least in part because the backup
systems were otherwise occupied due to that same situation:
  http://catless.ncl.ac.uk/Risks/14.41.html#subj2.1

  http://catless.ncl.ac.uk/Risks/17.17.html#subj10.1
notes in passing that the WTC is not alone in having such problems.
[Discussion of the Citicorp problems and unlikely events.  PGN]

Jay R. Ashworth, Member of the Technical Staff, Baylink, Tampa Bay, Florida
http://baylink.pitas.com   +1 727 804 5015  jra@baylink.com


We only reveal a few digits of your account number, don't worry

<Dan Jacobson <jidanni@deadspam.com>>
12 Sep 2001 13:04:10 +0800

  > Re: Consumer Reports password policy risks (Bumgarner, RISKS-21.65)
  > ... but does give the last five digits

Sounds like the Taiwan power company sending bills with only the last few
digits of your auto-payment bank account revealed, the phone company sending
theirs with only the first few digits revealed.  Steal two envelopes and
you've got the account number?

  http://www.geocities.com/jidanni/ Tel+886-4-25854780


X-ray machine risk

<Asa Bour <bourea@scripturememory.org>>
Thu, 27 Sep 2001 23:16:04 -0400 (EDT)

I had to get some x-rays recently. I felt real confident when I saw a bright
yellow post-it note on the x-ray machine with bold print stating that the
measurements were in mm (millimeters) and not in cm (centimeters).  Since
the note was needed, one can assume they had problems with people
calibrating the machine properly with the right units.  I think the x-ray
software interface needs some improvement to eliminate this danger of
miscalibration.

E. Asa Bour <bourea@scripturememory.org>
http://www.scripturememory.org/  http://www.schemer.com/


Increasing RISKS of UPPER CASE

<Stuart Prescott <s.prescott@chem.usyd.edu.au>>
Mon, 24 Sep 2001 16:18:34 +1000

I recently received a confirmation e=mail from an Australian domestic
airline confirming a booking I had made over the web. The entire e-mail was
in capitals (were they shouting at me or was it all "very important"?)
including a little URL at the bottom for more information on in-flight health:

>  SOME STUDIES HAVE CONCLUDED THAT PROLONGED IMMOBILITY MAY BE A RISK
>  FACTOR IN THE FORMATION OF BLOOD CLOTS IN THE LEGS,
>  (DVT - DEEP VEIN THROMBOSIS). IF YOU FEEL YOU MAY BE AT RISK FROM
>  DVT OR OTHER HEALTH PROBLEMS,  QANTAS RECOMMENDS YOU CONSULT WITH
>  YOUR DOCTOR BEFORE TRAVEL. INFORMATION ON HEALTH ISSUES CAN BE
>  FOUND ON OUR WEBSITE -
>  WWW.QANTAS.COM.AU/FLIGHTS/ESSENTIALS/HEALTHINFLIGHT.HTML,
>  IN OUR TIMETABLE AND INFLIGHT MAGAZINE OR CONTACT YOUR LOCAL QANTAS
>  OFFICE.

No prizes for guessing whether or not the all-uppercase URL works...

So the RISKS... other than making the entire message much harder to read,
you can also break things.


2002 USENIX Annual Technical Conference - Call for papers

<Ann Tsai <mktgadm@usenix.org>>
Tue, 18 Sep 2001 13:34:59 -0700

2002 USENIX Annual Technical Conference, June 9-14, 2002, Monterey, CA
  http://www.usenix.org/events/usenix02/

Submissions to the General Refereed Sessions Track are due on November
19, 2001.

FREENIX is a special track within the USENIX Annual Technical Conference
that showcases the latest developments and applications in freely
redistributed technology. The FREENIX track covers the full range of
software and source code including but not limited to Apache, Darwin,
FreeBSD, GNOME, GNU, KDE, Linux, NetBSD, OpenBSD, Perl, PHP, Python, Samba,
Tcl/Tk and more.

The FREENIX program committee is looking for papers about projects with a
solid emphasis on nurturing the open source/freely available software
community and talks which advance the state of the art of freely
redistributable software. Areas of interest include, but are not limited
Submissions to the Freenix Track are due on November 12, 2001.

Submission guidelines and conference details are available on our Web site:
  http://www.usenix.org/events/usenix02/cfp/

The 2002 USENIX Annual Technical Conference is sponsored by
USENIX, The Advanced Computing Systems Association. www.usenix.org

Please report problems with the web pages to the maintainer

Top