The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 22

Friday 30 August 2002

Contents

Real risks of cyberterrorism?
Chris Norloff
Rookie's mistake melted down $500,000 transformer
Scott Wlaschin
Police dispatch disrupted by broken lightbulb
Gene Berkowitz
Sabotage in a few clicks: NDS vs. Canal Plus
Max
Tough EU privacy rules influence U.S. Web practices
NewsScan
Big Brother hiding inside cars' airbags - tells fibs
Bernd Felsche
FEC OK's SMS spam without saying who paid for it
Hal Murray
Website Security Flaw Costs ZD
Monty Solomon
Transport worker ID in works; privacy rights, funding at issue
Monty Solomon
The EUR-RVSM safety case is flawed
Peter B. Ladkin
Bogus Probabilistic Risk Assessments
Peter B. Ladkin
Japanese phones vulnerable to hackers?
Monty Solomon
Microsoft warns of Office and IE risks
PGN
Computer expert says he can break Microsoft security
Monty Solomon
A better approach to spam
John Pettitt
Re: Keystone SpamCop summary and response
Crispin Cowan
Parody and copyright
Terry Carroll
Re: American style cyber warfare ...
Peter Hanecak
Info on RISKS (comp.risks)

Real risks of cyberterrorism?

<"Chris Norloff" <cnorloff@norloff.com>>
Thu, 29 Aug 2002 09:11:33 -0400

The article "What are the real risks of cyberterrorism?"
  http://zdnet.com.com/2100-1105-955293.html
plays down risks from hostile access through Internet connections.  The
conclusions seem to be based on a recent study by the Gartner Group and the
US Navy War College.  This study, however, is not referenced or included.

Some statements from people who were apparently interviewed by the article's
author, or who were perhaps part of the Gartner/Navy study, seem like something
right out of the RISKS archives:

  Ellen Vancko, a representative for the North American Electric
  Reliability Council, said such access [direct access by Internet or modem]
  should not always be considered unsafe. "All the electric companies are
  connected to the Web in one way or another," she said. "But that doesn't
  mean our control systems are hooked up to the public Net."

I'd like to hear what other RISKS readers think of the real risks of
"cyberterrorism" and poorly-protected supervisory control and data
acquisition (SCADA) devices.

  [The report of the Clinton Administration's President's Commission on
  Critical Infrastructure Protection (The Marsh Commission) (RISKS-18.89,
  RISKS-19.43, RISKS-19.61) clearly indicated that essentially all of the
  critical infrastructures had serious potential vulnerabilities.  PGN]


Rookie's mistake melted down $500,000 transformer

<"Scott Wlaschin" <scott@extractofmalt.com>>
Fri, 23 Aug 2002 19:21:31 -0700

*Palm Beach Post*, 23 Aug 2002 (via Romensko's Obscure Room)
http://www.gopbi.com/partners/pbpost/epaper/editions/friday/news_d3568ba0e56222b00057.html

With the flick of the wrong switch, an unsupervised power-plant apprentice
melted down a half-million-dollar transformer, blacking out the city for 40
minutes.

Apparently, Coady [the apprentice] failed to follow procedures.

Two circuit breakers -- called the east and west buses -- must be flipped in
a particular order to avoid damaging equipment: the west bus first, then the
east bus. The procedure was written for an important reason -- because the
west bus turns on the cooling system for the transformer.

The switches are in separate rooms. Coady said he closed the east switch
before Stephenson [the supervisor] closed the west one. They couldn't see
each other when the [switches were closed and the] damage was done.

The result was disastrous. "It was literally an explosion inside the
transformer," Lake Worth Utilities Director Miller said. "The internal parts
of the transformer reached such high temperatures that even the insulation
inside the transformer was burned."

Stephenson said Coady had no clue what had happened. "He was completely
unaware," Stephenson wrote in a memo to Baker. "With his lack of knowledge
of the plant electrical controls, it was not even possible to explain to him
what he did. He would not have understood. His training did not include
these advanced concepts."

// Comment:
Giant circuit breakers have to be flipped in a certain order blindly in
different rooms? This was an accident waiting to happen. It is scary that
systems like this can exist.  Note that the poor trainee was blamed, of
course, for not understanding the 'advanced concepts'.


Police dispatch disrupted by broken lightbulb

<"Gene Berkowitz" <geneb.ma.ultranet@rcn.com>>
Sun, 28 Jul 2002 20:10:35 -0400

This is a Rube Goldberg sort of story: Man damages cruiser.  Police use
pepper spray, restraints, place him in a cell.  He jumps up and hits the
cell light and microphone, destroying the light, tripping a circuit breaker,
causing the dispatch room lights to go out and messing up the phone systems
-- which still were not working properly the next day.  [Source: Stacey Hart
and Michael Wyner, *Sudbury Town Crier* (Massachusetts), 24 Jul 2002;
heavily PGN-ed] http://www.townonline.com/metrowest/sudbury/38116472.htm


Sabotage in a few clicks: NDS vs. Canal Plus

<Max <max7531@earthlink.net>>
Thu, 29 Aug 2002 06:10:22 -0700

Canal Plus (a maker of smart cards) alleges a rival firm (NDS Group, a
competing company largely owned by Rupert Murdoch's News Corp) broke its
secret code, then gave it to counterfeiters.  (In Italy, for example, 75% of
premium-channel viewers are reportedly freeloaders using bogus cards.)
Canal Plus is suing for a billion dollars in damages.  NDS denies the
charges, attributing the suit to "an attempt by an inept competitor to shift
the blame for its incompetence."  This situation has also played a role in
the downfall of Vivendi's Jean-Marie Messier and the auctioning off of
Vivendi's Italian satellite system -- purchased by News Corp.  "The case
marks the biggest and most sensational accusation yet of corporate
cybercrime, a shadowy, unsavory and increasingly popular activity."
[Source: A very long and interesting article by David Streitfeld, *Los
Angeles Times*, Column One, 29 Aug 2002; PGN-ed]

Streitfeld's article also notes that "Seven years ago, Cadence Design
Systems, a maker of design software for integrated circuits, sued Avant
Corp., claiming it had stolen its programs. A subsequent criminal case,
brought by a determined San Jose prosecutor, led to verdicts last year
against seven current and former Avant employees, including the chief
executive and three founders. Five received jail sentences."

Also, "In 1999, Internet bookseller Alibris paid $250,000 to resolve federal
charges that it had unlawfully intercepted thousands of e-mail messages to
its customers from online bookseller Amazon.com."


Tough EU privacy rules influence U.S. Web practices

<"NewsScan" <newsscan@newsscan.com>>
Fri, 30 Aug 2002 08:38:06 -0700

Europe's strict approach to consumer data protection is forcing many
U.S.-based companies to follow suit in order to continue serving their
European customers. "Europeans are extremely concerned about the use of data
about people," says Rockwell Schnabel, the U.S. ambassador to the European
Union. "The data privacy issue is a huge issue over there.  American
partners have to live with those rules, and they can't do with it what they
can with American data." A case in point is Microsoft's Passport online ID
service that enables users to log in once and then move from one secure Web
site to another. Consumer and privacy groups had accused Microsoft of not
taking adequate steps to protect consumers' personal information and in a
settlement earlier this month, Microsoft admitted no wrongdoing, but agreed
to government oversight of its consumer privacy policies for the next 20
years. A separate Passport investigation by the EU is still pending. "The EU
directive raised the bar on the practices by U.S.  companies for
U.S. consumers," says Marc Rotenberg, head of the Electronic Privacy
Information Center. "Passport is a good example of that, because Microsoft
is very much aware that its products are going to have to meet EU privacy
standards." EU standards specify that data may be collected only for
"specified, explicit and legitimate purposes, and to be held only if it is
relevant, accurate and up to date." Citizens may access any data about
themselves, find out its source, correct inaccuracies, and pursue legal
recourse for misuse.  [*San Jose Mercury News*, 29 Aug 2002; NewsScan Daily,
30 August 2002]
  http://www.siliconvalley.com/mld/siliconvalley/news/local/3966648.htm


Big Brother hiding inside cars' airbags - tells fibs (RISKS-22.21)

<Bernd Felsche <bernie@innovative.iinet.net.au>>
Wed, 28 Aug 2002 11:20:03 +0800 (WST)

Monty Solomon (RISKS-22.21) drew our attention to the use of recorded
information in airbag triggers for crash investigation. Notwithstanding the
likelihood that extraction of such measurements doesn't constitute a legal
measurement(*), such information extracted must be treated with extreme
distrust because the operating environment is not trusted and has many
potential modes of unpredictable and unforeseen behaviour.

The recording device isn't measuring road speed at all; rather, it relies
not only on its own sensors, but also on information provided by other
subsystems in the car. Road speed is most easily (cheaply) obtained by
measuring the rate of revolutions of the final drive gearing in the
transmission. That speed depends on the speed of rotation of the driving
wheels and not the road speed.

One example where the indicated speed is nothing like the true road speed is
when one or more drive wheels becomes airborne. Depending on the current
driver demand and engine torque, a wide-open-throttle condition results in a
very rapid acceleration of the airborne drive wheels, producing a "speed" as
high as will be permitted by the engine management system.

How much data are stored is another question. If the recording is only of a
second or less of the end to a crash, then it's difficult to establish the
sanity of individual data points.

The records may be accurate, but how can you be sure that they reflect what
happened in reality?

(*) e.g. http://www.nsc.gov.au/PAGES/Nms/nms_metrology.html

Bernd Felsche - Innovative Reckoning, Perth, Western Australia


FEC OK's SMS spam without saying who paid for it

<Hal Murray <hmurray@suespammers.org>>
Fri, 30 Aug 2002 12:44:27 -0700

A decision by federal election regulators to exempt text-based wireless ads
from campaign disclosure rules has critics warning that consumers could find
their mobile phones subject to a flood of political spam as campaign 2002
kicks into high gear.
  http://www.washingtonpost.com/wp-dyn/articles/A49356-2002Aug22.html


Website Security Flaw Costs ZD

<Monty Solomon <monty@roscom.com>>
Wed, 28 Aug 2002 23:41:19 -0400

By Brian McWilliams, Wired.com, 28 Aug 2002

Ziff-Davis Media has agreed to revamp its Web site's security and pay
affected customers $500 each after lax security exposed the personal data of
thousands of subscribers last year.  The settlement, announced on 28 Aug
2002 by New York's Attorney General, could spur other online companies to
do a better job securing their sites ...
  http://www.wired.com/news/business/0,1367,54817,00.html


Transport worker ID in works; privacy rights, funding at issue

<Monty Solomon <monty@roscom.com>>
Sun, 25 Aug 2002 00:16:26 -0400

The US Transportation Security Administration is developing a mandatory
identification card for every trucker, dock worker, airport employee, and
mass-transit operator in the nation with access to secure corners of the
country's transportation network.  ...  if implemented, it would be the
first broad national identity-card system and could involve hundreds of
thousands of people.  [Source: Raphael Lewis, *The Boston Globe*, 24 Aug
2002; PGN-excerpted]
http://www.boston.com/dailyglobe2/236/nation/Transport_worker_ID_in_works+.shtml


The EUR-RVSM safety case is flawed

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Fri, 30 Aug 2002 00:21:16 +0200

Reduced Vertical Separation Minima (RVSM) is a procedure by which the
altitude separation between Flight Levels 290 and 410 (that is, between
29,000 ft pressure altitude and 41,000 ft pressure altitude) is reduced to
1,000 ft vertically instead of the previous 2,000 ft vertically. It has been
in force in European airspace since early 2002, after trial periods since
1997 on the North Atlantic Track (NAT) and early introduction in Ireland,
the UK, Germany and Austria, which was, however, not based on the procedures
for the full EUR-RVSM implementation.

However, the argument in the Pre-Implementation Safety Case for RVSM
demonstrates at most that RVSM operations without ACAS meet Target Levels of
Safety (TLS). It does not demonstrate that RVSM operations with
ACAS-equipped aircraft meet Target Levels of Safety; neither can a correct
argument for this assertion be reconstructed from the document. The document
believes it derives the assertion that RVSM-with-ACAS-meets-TLS from the
assertion that RVSM-without-ACAS-meets-TLS, but the reasoning is flawed and,
as far as I can see, irreparable.

Since most aircraft operating in RVSM are required to be ACAS-equipped, the
safety case therefore does not establish the required safety level of RVSM
operations as they are currently conducted and for the foreseeable future.

The reasoning demonstrating the flaw is contained in the short note "The
Pre-Implementation Safety Case for RVSM in European Airspace is Flawed",
RVS-Occ-02-03, available from http://www.rvs.uni-bielefeld.de

Peter B. Ladkin, University of Bielefeld, http://www.rvs.uni-bielefeld.de


Bogus Probabilistic Risk Assessments (Re: Fairfax, Risks 22.21)

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Thu, 29 Aug 2002 04:51:34 +0200

In a note which, inter alia, extols the merits of Probabilistic Risk
Assessment (PRA) for assessing risks, Stephen Fairfax claims in RISKS-22.21
that:

  Guns in the cockpit represent an independent layer that does not
  automatically fail when screens fail.  While there is heated debate about
  the possibilities of negative consequences, a dispassionate analysis of
  the probabilities of both success and failure offers rather overwhelming
  evidence that on balance, armed pilots will reduce both the likelihood and
  consequences of hijacking attempts.

He claims to be able to assess the probabilities of success and failure (of
what, he does not say). I think his assertion is bogus.  But it takes
advantage of what one might call sound-bite rhetoric. It takes one sentence
to assert, but one page to refute, and many people don't have the patience
or interest to read that page. Here it is, for those who do.

A PRA works well with physical components. You have a thingummie which is
supposed to do thisandthat. You make lots of them, put them on a test
apparatus which makes them do thisandthat continuously, and assess a failure
rate using well-founded statistical techniques. A physical system has lots
of components; lots of different thingummies, so you arrange the failures
and their consequences in a taxonomy, plug in the failure rates you have,
and do straightforward computations to assess the rates of different kinds
of failures of the entire system. This system has worked well for half a
century, mainly in the guise of Fault Tree Analysis, and is routine for many
applications.

Applying it to components that do not fail that way is rather more
tricky. Software, for example. The assessment of SW reliability is a whole
branch of statistical methods to itself. It is anything but routine: some
very clever people have become famous through their ability to make it sort
of work, sometimes.

Then there is PRA applied to human negotiations. People interacting with
each other. Dealing with hijacking is an almost pure negotiation
situation. It is not like HW or SW assessment.  PRA can be and is performed
on negotiation situations, but one requires reliable data, as in the HW
case. If you don't have data, whether for hardware, software or wetware, a
PRA cannot work. And reliable data for human negotiation situations is very
sensitive to environmental variables, many of which one cannot see (it is
notoriously difficult to control for cultural dependencies, for example),
let alone that infamous variable known to believers in it as free will.

On hijackings in the US, there is no data, none, for the last, oh, thirty
years until September 11 last year. The only way that Fairfax could gather
data for any of his proposed models would be by simulation, or by patching
together data from fragments of behavior inferred from other situations that
someone considers relevantly similar.

There is no data, for example, on facility of deployment of a firearm by
cockpit crew. That includes the decision to deploy, not just the physical
deployment. Second, deployment of a firearm changes the negotiating
situation. There is no data on how this negotiating situation will be
changed in a commercial airplane.  One has to guess: will it be more like a
hostage-taking situation, or more like a military firefight amongst
civilians? Until September 11, 2001, the assumption was that it is a hostage
situation and pilots were advised accordingly. Opinions have since
changed. I emphasise the word "opinions". Those four examples constitute
meagre data, as those warning us against "responding by preparing to fight
the previous war" have pointed out.

No data, though? Surely El Al's been doing it for years, one might think,
and they haven't been hijacked. Exactly: there is no data.  No data is not
data. One could infer that if one takes over the whole El Al prophylactic
package, including the cultural norms and expectations of most of its
passengers, maybe one would not have big hijacking problems either, but that
proposal is not what is being evaluated. Whatever the El Al example might
tell us, it does not tell us anything *probabilistically* about the US
domestic consequences of deploying firearms as cockpit equipment, so it's
not input to a valid PRA on that issue.

To summarise, I am not aware of any data on which to base a PRA concerning
the deployment of firearms in US domestic airline cockpits that is not open
to strong objections to its relevance to the situation.

The most worrisome aspect of Fairfax's assertion may be that it is made by a
presumed expert in PRA. That is the kind of phenomenon that has led and
continues to lead this enormously powerful, essential, but sensitive set of
techniques into disrepute. Fairfax is undoubtedly aware that not even the
National Academy of Sciences, nor the Royal Society in Britain, recommends
exclusive use of PRA methods as decision procedures for environmental or
social policy issues, although they used to until the early 1990's.

Whatever the wisdom or otherwise of deploying firearms on commercial
aircraft, the issue should not be determined by arguments with bogus claims
to objectivity.

Peter B. Ladkin, University of Bielefeld, http://www.rvs.uni-bielefeld.de
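
As an added illustration of the two points above (fault-tree arithmetic is
routine when every basic event has a measured rate, and tells you nothing when
one of them is a guess), here is a small Python fault-tree evaluator with a
sensitivity sweep. It is example code written for this digest, not anything
from Ladkin's note or from any PRA tool; the tree, the event names and the
component rates are all constructed for illustration.

```python
"""Added example, not part of the RISKS post: a minimal fault-tree
evaluator and a sensitivity sweep. The tree, the component rates and the
event names are constructed for illustration."""


def evaluate(node, probs):
    """Probability of the event `node` given basic-event probabilities.

    `node` is either a basic-event name (looked up in `probs`) or a tuple
    ("AND", child, ...) / ("OR", child, ...). Basic events are assumed
    mutually independent, the standard (and often unstated) FTA assumption.
    """
    if isinstance(node, str):
        return probs[node]
    gate, *children = node
    child_p = [evaluate(c, probs) for c in children]
    if gate == "AND":
        p = 1.0
        for x in child_p:
            p *= x
        return p
    if gate == "OR":
        none_fail = 1.0
        for x in child_p:
            none_fail *= 1.0 - x
        return 1.0 - none_fail
    raise ValueError(f"unknown gate {gate!r}")


# Constructed tree: cooling is lost if both pumps fail, or if the
# temperature sensor fails and the operator misses the resulting alarm.
COOLING_LOST = (
    "OR",
    ("AND", "pump_fails", "backup_pump_fails"),
    ("AND", "sensor_fails", "operator_misses_alarm"),
)

# Per-demand probabilities. The hardware figures are made up, but they are
# the kind of number a test rig produces. The operator term is the wetware
# input for which no measured data exists, so it is deliberately absent.
HARDWARE_RATES = {
    "pump_fails": 1e-3,
    "backup_pump_fails": 1e-2,
    "sensor_fails": 5e-3,
}


def top_event_range(tree, rates, unknown_event, steps=100):
    """Sweep the unmeasured event over [0, 1] and return the (min, max)
    of the top-event probability. A wide range means the PRA's answer is
    really just the guessed input in disguise."""
    lo, hi = float("inf"), float("-inf")
    for i in range(steps + 1):
        p = {**rates, unknown_event: i / steps}
        top = evaluate(tree, p)
        lo, hi = min(lo, top), max(hi, top)
    return lo, hi


if __name__ == "__main__":
    lo, hi = top_event_range(COOLING_LOST, HARDWARE_RATES,
                             "operator_misses_alarm")
    print(f"P(cooling lost) ranges from {lo:.2e} to {hi:.2e} "
          f"depending on the unmeasured operator term ({hi / lo:.0f}x)")
```

With the hardware rates above, the top-event probability moves by a factor of
about five hundred as the unmeasured operator term is swept from 0 to 1. The
arithmetic is correct in every case; the conclusion is worth exactly as much as
the guess that went in.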


Japanese phones vulnerable to hackers?

<Monty Solomon <monty@roscom.com>>
Mon, 26 Aug 2002 13:05:48 -0400

Cell phone users in Japan have already had to contend with spam and
technical glitches, but that may seem like a breeze when hackers finally
turn their attention to the wireless world.  So far, no serious virus
attacks have been reported in Japan--or anywhere else--but tech security
companies say cell phones could become targets as they turn into
sophisticated, high-tech devices like PCs, allowing people to send e-mail,
surf the Internet and shop online.  [...]  [Source: Reuters, 26 Aug 2002]
  http://news.com.com/2100-1033-955294.html


Microsoft warns of Office and IE risks

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 23 Aug 2002 11:49:00 PDT

On 22 Aug 2002, Microsoft announced that "critical" security lapses in its
Office software and Internet Explorer Web browser put tens of millions of
users at risk of having their files read and altered by online attackers.
Using e-mail or a Web page, an attacker could use Internet related parts of
Office to run programs, alter data, and wipe out a hard drive, as well as
view file and clipboard contents on a user's system.  ...  [Reuters, 22 Aug
2002; PGN-ed]  http://news.com.com/2100-1001-954973.html


Computer expert says he can break Microsoft security

<Monty Solomon <monty@roscom.com>>
Mon, 26 Aug 2002 19:33:44 -0400

Software security widely used for Internet banking and e-commerce can be
easily circumvented, and customer accounts at several of Sweden's largest
banks remain at risk as a result, a computer expert said on 26 Aug 2002.
The Swedish hacking expert, who is well known in computer security circles,
but asked not to be named, demonstrated to Reuters how it was possible
within minutes to break through security on Web server SSL software from
Microsoft Corp.  He showed how to crack the security systems for Internet
banking, breaking into three of Sweden's big four banks in quick succession.
He was then able to show how to conceal his tracks, making detection
difficult afterward.  [Source: Peter Andersson, Reuters, 26 Aug 2002;
PGN-ed] http://finance.lycos.com/home/news/story.asp?story=28447602


A better approach to spam

<John Pettitt <jpp@cloudview.com>>
Tue, 27 Aug 2002 16:20:10 -0700

I'm a former spamcop user.  I've switched to a tool called bogofilter
(http://www.tuxedo.org/~esr/bogofilter/) which is based on Bayesian
statistics and an article "A Plan for Spam" by Paul Graham
(http://www.paulgraham.com/spam.html).  The full article presents an
interesting discussion of why keyword filters and block lists don't really
work and suggests a better way based on real math (rather than hunches and
suppositions).

For me the statistical approach is doing better than spamcop and razor ever
did, particularly with respect to false positives.
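
To make the approach concrete, here is a small token-probability filter in
Python that follows the scheme Graham's article describes: a per-token
probability estimated from how often the token appears in spam versus ham
(ham counts doubled to bias against false positives, estimates clamped to
[0.01, 0.99]), and a final score that combines the fifteen most "interesting"
tokens. This is added example code for this digest, not bogofilter's code or
Graham's; the training corpus is constructed, and the minimum-count rule
(ignore tokens seen fewer than five times, ham counted double) and the 0.9
spam threshold are taken as assumptions for the example.

```python
"""Added example: a token-probability spam filter in the style of Paul
Graham's "A Plan for Spam". Not bogofilter's code. The corpus below is
constructed for illustration."""
import re
from collections import Counter

# Tokens keep $, !, ' and - so that "FREE!!!" and "$$$" stay distinctive.
TOKEN_RE = re.compile(r"[A-Za-z0-9$'!-]+")


def tokenize(text):
    return [t.lower() for t in TOKEN_RE.findall(text)]


class GrahamFilter:
    def __init__(self):
        self.good = Counter()   # number of ham messages containing token
        self.bad = Counter()    # number of spam messages containing token
        self.ngood = 0
        self.nbad = 0

    def train(self, text, spam):
        toks = set(tokenize(text))   # count each token once per message
        if spam:
            self.nbad += 1
            self.bad.update(toks)
        else:
            self.ngood += 1
            self.good.update(toks)

    def token_prob(self, tok):
        """Estimated P(spam | token). Ham counts are doubled, tokens seen
        fewer than five times (assumed rule) get a neutral-ish 0.4, and the
        estimate is clamped to [0.01, 0.99] so no single token is decisive."""
        g = 2 * self.good[tok]
        b = self.bad[tok]
        if g + b < 5:
            return 0.4
        bad_rate = min(1.0, b / self.nbad) if self.nbad else 0.0
        good_rate = min(1.0, g / self.ngood) if self.ngood else 0.0
        if bad_rate + good_rate == 0.0:
            return 0.4
        p = bad_rate / (good_rate + bad_rate)
        return max(0.01, min(0.99, p))

    def score(self, text, n_interesting=15):
        """Combine the tokens whose probabilities are furthest from 0.5."""
        probs = [self.token_prob(t) for t in set(tokenize(text))]
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:n_interesting]
        if not probs:
            return 0.5
        prod, inv = 1.0, 1.0
        for p in probs:
            prod *= p
            inv *= 1.0 - p
        return prod / (prod + inv)

    def is_spam(self, text, threshold=0.9):   # threshold is an assumption
        return self.score(text) > threshold


# Constructed training corpus (not real mail).
SPAM_CORPUS = [
    "FREE money!!! Click here to claim your cash prize now",
    "Claim your free prize, click now, limited offer",
    "Lowest mortgage rates, click here for a free quote",
    "Earn cash fast, free offer, click now",
    "Your prize is waiting, claim now, free shipping",
    "Free cash offer, act now, click here",
    "Buy cheap meds online, free delivery, click here",
    "Congratulations, you won a prize, claim your cash now",
]
HAM_CORPUS = [
    "Can we move the team meeting to Thursday afternoon?",
    "Attached are the minutes from Monday's meeting",
    "Reminder: project review meeting at 3pm in room 204",
    "Thanks for the code review, I fixed the bug in the parser",
    "The build server is down again, can you restart it?",
    "Lunch on Thursday? The new place near the office",
    "Please review the attached draft before the meeting",
    "Meeting notes and action items from today",
]


def train_example_filter():
    f = GrahamFilter()
    for m in SPAM_CORPUS:
        f.train(m, spam=True)
    for m in HAM_CORPUS:
        f.train(m, spam=False)
    return f


if __name__ == "__main__":
    f = train_example_filter()
    for msg in ["Free prize! Click here now to claim your cash",
                "Can we move the review meeting to Thursday?"]:
        print(f"{f.score(msg):.4f}  {msg}")
```

Note the two properties that matter for false positives: a token that has only
ever appeared in ham is pinned at 0.01 rather than 0, so one or two neutral
words cannot flip a message, and tokens the filter has not seen enough of
contribute only weakly. The Bayesian combination is what lets a message with a
few strong ham tokens survive the presence of a "free".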


Re: Keystone SpamCop summary and response (Felten, RISKS-22.21)

<Crispin Cowan <crispin@wirex.com>>
Wed, 28 Aug 2002 16:38:55 -0700

> ... The ISP was intimidated by SpamCop and seemed to be trying to show
> that it was responsive to SpamCop complaints.  Hence the quick shutoff of
> my account.

Your ISP did not respond appropriately to Spamcop. They did not even follow
the directions. The ISP is required to address the issue, not shut down the
site. Shutting down the site is one way of addressing the issue, and is only
appropriate if actual spamming occurred.

> ... This refusal to reinstate my account is what convinced me that the ISP
> was afraid of SpamCop.

Sounds like a really bad ISP.

> ... For me, the bottom line is this: if SpamCop didn't exist, my site
> would not have been shut off.

Near as I can tell from your response, "Blame the ISP, not SpamCop" still
holds.  So change hosting companies; it's not like there's a shortage of
them.

SpamCop is an immune response to invaders (spam). Like immune responses, it
can be inconvenient at times. But SpamCop is not nearly so draconian as you
make out: the draconian effects are all in your ISP's head.

Tell us who the ISP is. They are far more to blame for this than SpamCop,
and so far they've got off scot-free.  Traceroute seems to indicate it is
"netrail.net" but they do not have a responsive web site.

Crispin Cowan, Ph.D., Chief Scientist, WireX  http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org


Parody and copyright (Re: US Navy domain hijacking, RISKS-22.13)

<Terry Carroll <carroll@tjc.com>>
Sat, 17 Aug 2002 12:15:36 -0700 (PDT)

Jay Ashworth (RISKS-22.13) reflects a commonly repeated misunderstanding of
the Skywalker case, Campbell v. Acuff-Rose Music, 510 U.S. 569 (1994), as
though it held that parody is not an infringement.  The case held no such
thing.

The core holding of the opinion is that the lower court had made a mistake
by presuming that, because the Campbell parody was a commercial work, its
use of the original was presumptively not a fair use and therefore
infringing.  It then sent the case back down to the lower courts for further
consideration in light of the market effect factor.

The Court specifically rejected the argument that parody is inherently a
non-infringing fair use.  It said that parodies, like any other work, have
to be judged on a case by case basis:

  Like a book review quoting the copyrighted material criticized, parody may
  or may not be fair use, and petitioner's suggestion that any parodic use
  is presumptively fair has no more justification in law or fact than the
  equally hopeful claim that any use for news reporting should be presumed
  fair, see [Harper & Row Publishers, Inc.  v. Nation Enterprises, 471
  U.S. 539, 561 (1985)].  The [Copyright] Act has no hint of an evidentiary
  preference for parodists over their victims, and no workable presumption
  for parody could take account of the fact that parody often shades into
  satire when society is lampooned through its creative artifacts, or that a
  work may contain both parodic and non parodic elements. Accordingly,
  parody, like any other use, has to work its way through the relevant [fair
  use] factors, and be judged case by case, in light of the ends of the
  copyright law.

     http://supct.law.cornell.edu/supct/html/92-1292.ZO.html

Terry Carroll, Santa Clara, CA  carroll@tjc.com


Re: American style cyber warfare ... (Hendrik, R-22.18)

<Peter Hanecak <hanecak@megaloman.com>>
Mon, 29 Jul 2002 09:53:01 +0200 (CEST)

If such a law is passed, I expect RIAA and/or MPPA will start (maybe
slowly but definitely) a global cyberwar consisting of:

a) many cracking attacks
b) many DoS and DDoS attacks
c) deployment of blocking mechanisms similar to those targeting SPAM ...

and also leading to:

a) many lawsuits (international too)
b) demonstrations
c) trade blockades

and a lot of other consequences - maybe also full-scale war (the jumping-off
point may be, for example, a computerized warship that answers an electronic
attack with real rockets - but the possibilities are almost endless).
