The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 04

Monday 22 April 2002

Contents

Y2K: The malady lingers on
Frank Carey
Nanny-Cam may leave a home exposed
John Schwartz via Dave Farber
Wireless used for water supplies
John R. McPherson
More Web voting - UK local elections May 2002
R M Crorie
Security flaw in Microsoft Office for Mac
Robert Lemos via Monty Solomon
One-fourth of Mellon financial's I.T. work moved to India
NewsScan
This is scary
Ted Lee
Another April Fool's risk
Geoffrey Brent
Citibank Visa woes
Bill Brykczynski
Cracking for a fee
PGN
CASPR Anti-virus Management and Protection discussion group
Rob Slade
Re: Computers to Cars, warning lights
Walter Underwood
REVIEW: "Handbook of Computer Crime Investigation", Eoghan Casey
Rob Slade
Conference on security information disclosure
Edward W. Felten
DSN 2002 Registration and Advance Program
Anup Ghosh
23RD ISODARCO SUMMER COURSE - Call for application
Diego Latella
Info on RISKS (comp.risks)

Y2K: The malady lingers on

<Frank Carey <carey@voicenet.com>>
Thu, 18 Apr 2002 21:02:08 -0400

Bugs fixed, cities must repay county over $1M in erroneous disbursements

After two and a half years, Brevard County, Florida, has finally fixed the
bugs that surfaced following installation of its Y2K preparedness software
in 1999.  One bug prevented the county Clerk of Courts from determining how
fines should be divided among the many cities and agencies that receive a
share from each ticket.  Since then, employees in the clerk's office have
estimated how big each city's checks should be.  When new software became
available last summer, the Clerk of Courts went through the records back to
1999 and discovered that some cities were significantly overpaid and must
return the excess amounts.  Melbourne owes $430,993 and Cocoa owes $353,083.
Melbourne Beach owes $227,150, which represents about 10% of its budget.
City Manager William Hoskovec said: "We will have to make some concessions
or raise taxes...".

The Clerk of Courts office was unable to suspend drivers' licenses because it
was impossible to track who was paying fines.  Without the threat of license
suspension, many motorists didn't pay their fines and revenues from fines
dropped.  With the bugs now fixed, notices are being sent to scofflaws and
the county expects to recover $4 million for the cities to share, thus
reducing their reimbursement payments.

During the two and one half years of buggy software, the computers were
also blamed for issuance of incorrect bench warrants, mistaken judicial
assignments, failure to notify jurors of their summonses, and more.

*Florida Today*, 12 Apr 2002, front page


Nanny-Cam may leave a home exposed (John Schwartz, *NYTimes*)

<Dave Farber <dave@farber.net>>
Sat, 13 Apr 2002 20:41:57 -0400

Thousands of people who have installed a popular wireless video camera,
intending to increase the security of their homes and offices, have instead
unknowingly opened a window on their activities to anyone equipped with a
cheap receiver.  The wireless video camera, which is heavily advertised on
the Internet, is intended to send its video signal to a nearby base station,
allowing it to be viewed on a computer or a television. But its signal can
be intercepted from more than a quarter-mile away by off-the-shelf
electronic equipment costing less than $250.  [...]
  [Source: John Schwartz, *The New York Times*, 14 Apr 2002
  http://www.nytimes.com/2002/04/14/technology/14SPY.html?ex=1019744700&ei=1&en=cfeb1e93a276b9ee]

From Dave's IP, http://www.interesting-people.org/archives/interesting-people/


Wireless used for water supplies

<"John R. McPherson" <jrm21@cs.waikato.ac.nz>>
Wed, 17 Apr 2002 21:42:35 +1200

... The Matamata wireless link replaced an expensive frame relay service as
well as providing a 1Mbs Internet service to several outlying sites
including a library and remote management of water supplies.  "As the water
facilities are computer controlled, they are able to manipulate them
remotely rather than sending someone 20 miles down the road just to turn a
valve.  ...  From *The New Zealand Herald* (Talking about 802.11b)
http://www.nzherald.co.nz/storydisplay.cfm?storyID=1392336&thesection=technology&thesubsection=general

  Now I don't know if this technology is mature enough to be trusted for
  this type of thing - I guess I'll wait for the comments to come flooding
  in. I sincerely hope they've thought through the encryption and security
  issues here.


More Web voting - UK local elections May 2002

<R M Crorie <robin@crorie.com>>
Thu, 18 Apr 2002 23:15:11 +0100

I obtained some information about another Web voting trial, this time in the
UK, in Crewe & Nantwich Borough (Cheshire).  This has been the subject of
fairly low-key advertising, perhaps because it is limited to two wards
(local electoral districts), Wybunbury and Maw Green.

However, it has been publicised as "e-mail voting", when in fact it is "Web
voting".  Details are sketchy (local council officials are somewhat hesitant
about providing too much detail), but the company behind the trial is the
Oracle Corporation, in the form of Oracle (UK) Ltd.

Basically, the Council has posted a letter (actual snail mail) to every
eligible voter in these two wards with a "secret code".  Over the next few
days, a second such letter, with another "secret code", will be sent,
together with a URL within the Council's Web domain
(www.crewe-nantwich.gov.uk), which will allow the voter to select their
candidate and vote by entering the two previously-supplied codes.

The risks are pretty much as previously discussed in this forum for such
schemes, with the added irritation that only certain browsers are supported
- yes, it's IE and Netscape, but only the Windows versions, so tough cookie
to all you Linux-user voters out there - you have to turn up in person.  It
looks like browser independence didn't feature highly in the design of the
trial, with only a vague reference to "security accreditation" being offered
as to why Linux browsers aren't acceptable.

That looks like a re-run of the UK Government Gateway browser-specificity
debacle - or the Microsoft Government Gateway, as we should call it now that
we have learned the Government has handed over the IPR for the whole thing
(35m worth) to Microsoft completely free, on the basis of potential future
licence royalties...  but that's another whole shed-load of risks...!

R M Crorie (risksANTISPAM-AT-REMOVEDcrorie.com)


Security flaw in Microsoft Office for Mac (Robert Lemos)

<Monty Solomon <monty@roscom.com>>
Tue, 16 Apr 2002 22:33:24 -0400

By Robert Lemos, Staff Writer, CNET News.com, 16 Apr 2002

Microsoft acknowledged on Tuesday that its popular Office applications for
the Macintosh have a critical security flaw that leaves users' systems open
to attack by worms and online vandals.  The software slip-up happens because
the Microsoft applications incorrectly handle the input to a certain HTML
(Hypertext Markup Language) feature. By formatting a link in a particular
manner, an attacker can cause a program to crash a Macintosh or run
arbitrary commands. The link could appear on a Web page or in an
HTML-enabled e-mail.  [...]  http://news.com.com/2100-1001-884364.html


One-fourth of Mellon financial's I.T. work moved to India

<"NewsScan" <newsscan@newsscan.com>>
Wed, 17 Apr 2002 08:56:35 -0700

The latest financial giant to move much of its information technology work
outside U.S. borders, Mellon Financial will soon be sending a quarter of its
routine software maintenance chores to India. (A study by the Meta Group
consulting firm indicates that an Indian programmer can be hired for
one-fourteenth the rate of an American programmer.) Mellon executive Ken
Herz says the company hopes to have new work for all U.S. workers affected
by the company's decision, and explains: "This project emphasizes our intent
to focus Mellon technology talent on growth-related projects and have
routine maintenance work done offshore." (*San Jose Mercury News* 16 Apr
2002; NewsScan Daily, 17 April 2002)
  http://www.siliconvalley.com/mld/siliconvalley/3077722.htm


This is scary

<"Ted Lee, Minnetonka, MN" <Ted.Lee@udlp.com>>
Fri, 05 Apr 2002 15:41:10 -0600

I had reason to question the denial of a claim on our dental insurance.
I called the appropriate 800 number and ended up choosing the menu item
for their "automated services."  The first thing they asked for was my
subscriber identification number, which the voice then said "is usually
your social security number."  I punched it in.  The voice repeated it
back to me -- and then went on to spell out my name (yes, they had it
correct; OK, no middle initials, but first and last name were fine)
*and* give my birthdate.  Need I say more?


Another April Fool's risk

<Geoffrey Brent <g.brent@student.unsw.edu.au>>
Tue, 16 Apr 2002 23:44:00 +1000

I run an e-mail discussion list for postgrad students at the University of New
South Wales. At the beginning of 2001 UNSW moved to an on-line re-enrollment
system. Besides the obligatory teething problems, the designers seemed to
have forgotten that not all students were undergrads.  Much of the
information on the site, while good for undergrads, was quite misleading and
confusing for the rest of us, leading to a good deal of frustration and
venting on the list. (And at the end of the day, we *still* had to queue up
to get our student cards, like always...)

One day after the last day of March, somebody <cough> 'forwarded' a message
from a Mrs. Avril Fuller, announcing that all enrollment data had been lost
in a server crash and that students would have to line up to
re-re-enroll. Also, that they'd have to bring proof that they'd paid their
fees first time around. Also, that their student numbers had been lost in
the crash, and they'd be given new ones strictly by alphabetical
order. (Note that the student number is printed on the cards everybody still
had from when they re-enrolled.)  Also, that because our e-mail accounts are
based on student numbers, we would have to change addresses immediately.

In the previous weeks I'd been working hard to educate list members on 'how
to spot a hoax', since I was tired of seeing supposedly-educated people
sharing yet another variation of the Good Times warning every couple of
weeks. I made sure Mrs. Fuller's message covered some of the biggies, like
lack of date or any contact details for 'Mrs Fuller' beyond a non-existent
e-mail address. And just in case anybody *still* didn't realise it was a
joke, I also added that UNSW would be imposing a $5 additional charge on
each student to cover the costs of the extra work for their staff.

*Most* of the list members got the joke, either immediately or (in one case)
just before leaping from the top of the refrigerator to an untimely
death. One, however, was completely taken in, and became very angry at
University management.

When he realised it was a joke, he became even angrier at having
demonstrated his gullibility in front of five hundred people, and directed
that anger at me. Within a few weeks his behaviour forced me to eject him
from the list, by which time he'd progressed to making quite serious threats
against my person.

The (April Fool-specific) risks: Forgetting that there will ALWAYS be
somebody who doesn't get the joke, no matter how obvious you make it - and
that human failure modes are just as bizarre and dangerous as technological
ones.  Geoffrey Brent - g.brent@student.unsw.edu.au


Citibank Visa woes

<Bill Brykczynski <bryk@software.org>>
Fri, 5 Apr 2002 08:28:44 -0500

I usually pay my Citibank Visa bill via the Web, having the balance debited
from my checking account. I tried to pay the bill the other morning, but
this resulted in "We've had a problem processing your request. A general
system error has occurred. Try your request again and let us know if this
problem continues."  A repeated attempt resulted in the same message. So, I
called them on the phone to inquire about the problem.

The person who answered the phone said hello from Citibank but did not ask
for my account number (as is usual). So, I said "Good morning. May I provide
you with my account number?" He said "No, our systems are down for
maintenance. They should be up in a couple of hours."  Ah, I said, that is
why I cannot pay by the Web. Right, he said.

Unfortunately, over the next few days, I still could not pay via the Web.
So, I called to pay by phone. The Citibank employee said they were having
problems with their Web system. I said I would like to pay by phone. No
problem said she.  She asked for the last four digits of my checking
account. Then she asked for a check number.  After an immediate internal
chuckle, I said "I'm paying by phone. Why do you need a check number?" She
said "We have to have a check number. You need to void that check number." I
suspect that if I told her I was ROTFLMAO she would not chuckle at that,
either.  Anyway, I said "But there is no check! How can I give you a check
number?"  "We need a check number" was the best answer I got. So I said "I
have a big problem with this. I do not want to pay my account balance by
phone today. Thanks".

In retrospect, I should have given them a check number like
"83750595828437693093". Or maybe a negative number. Or one with alphanumeric
characters (imagine the fun I could have had with that one ..."AMEXNo1").

The RISKS? Seems to me like I should be informed when there is a lengthy
outage in the Web interface, instead of receiving a general error
message. When I did contact them, the employee concurred with my assumption
that the source of my problem was due to system maintenance. Apparently, he
did not know about the extended Web problem. Having employees ask for a
fictitious check number seems to be a poor procedure or suggests a lack of
training. However, it was good for a chuckle. This time.


Cracking for a fee

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 5 Apr 2002 10:07:37 PST

A group of Chicago Web site operators say they will break into school,
government and corporate computers and alter records, for fees starting at
$850. But at least one security expert thinks the operation probably is a
scam.  Among the services promised by Chicago-based 69 Hacking Services is
changing bad grades and other records on elementary, high school or college
computer systems.  [Source: Brian McWilliams, Newsbytes,
  http://www.newsbytes.com/news/02/]


CASPR Anti-virus Management and Protection discussion group

<Rob Slade <rslade@sprint.ca>>
Fri, 5 Apr 2002 12:53:23 -0800

Somebody recently pointed me to CASPR, the Commonly Accepted Security
Practices and Recommendations group (www.caspr.org), loosely associated with
ISC2 (www.isc2.org).  They are looking for group leaders to lead groups in
order to prepare papers on a variety (about 70) of security topics roughly
grouped under the ten CBK domains.

I have created a Yahoo group for the Anti-virus Management and Protection
topic, notified the CASPR people, and have apparently been accepted as the
group leader.  I have used the name malware in order to be somewhat more
inclusive in the discussion.  (I note that in CASPR viruses come under
Computer Operations, whereas they appear in Applications Development in the
ISC2 domains.)

The group name is CASPRmalware.  To join, send e-mail to:
      CASPRmalware-subscribe@yahoogroups.com
or see the group home page:
      http://groups.yahoo.com/group/CASPRmalware
The group e-mail address is:
      CASPRmalware@yahoogroups.com

This group is for discussion and preparation of the CASPR
(http://www.caspr.org, Commonly Accepted Security Practices and
Recommendations) Anti-virus Management and Protection document.

Currently membership is open and the discussion is unmoderated.  I reserve
the right to change that if circumstances warrant :-)

If any of you are interested, I would be delighted to have you join.

rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

  [What might be a precursor effort that grew out of the National Research
  Council *Computers at Risk* study report led to The Generally Accepted
  Systems Security Principles:
    http://web.mit.edu/security/www/gassp1.html
  PGN]


Re: Computers to Cars, warning lights (RISKS-22.01-03)

<Walter Underwood <wunder@inktomi.com>>
Mon, 15 Apr 2002 16:49:51 -0700

This item:

  6. The oil, water temperature, and alternator warning lights would all be
  replaced by a single "General Protection Fault" warning light.

is a much simplified version of an older, sarcastic comment on the "ed"
editor's single warning message:

  Brian Kernighan has an automobile which he helped design.
  Unlike most automobiles, it has neither speedometer, nor gas gauge, nor
  any of the numerous idiot lights which plague the modern driver.
  Rather, if the driver makes any mistake, a giant "?" lights up in the
  center of the dashboard.  "The experienced driver", he says, "will
  usually know what's wrong."

Sorry, I've lost the identity of the author, though it was already in some
"fortune" files in 1983.

The worst consequence of this warning message was when a user tried to quit
without saving. "ed" would respond "?", and most users would think, I said
"q", and repeat the command, losing all their work. To make matters worse,
the system console was often a printing terminal, so someone trying to
repair a system in single user mode was faced with a line-mode editor which
they didn't know well, and which wouldn't give them useful warnings.

Walter Underwood, wunder@inktomi.com, Senior Staff Engineer, Inktomi
http://www.inktomi.com/


REVIEW: "Handbook of Computer Crime Investigation", Eoghan Casey

<Rob Slade <rslade@sprint.ca>>
Mon, 15 Apr 2002 07:35:25 -0800

BKCMCRIN.RVW   20020315

"Handbook of Computer Crime Investigation", Eoghan Casey, 2002,
0-12-163103-6
%E   Eoghan Casey
%C   525 B Street, Suite 1900, San Diego, CA   92101-4495
%D   2002
%G   0-12-163103-6
%I   Academic Press/Academic Press Professional/Harcourt Brace
%O   U$39.95 800-321-5068 fax: 619-699-6380 dtrujillo@acad.com
%P   448 p.
%T   "Handbook of Computer Crime Investigation"

This book is hard to read.  Not because of excessive technical rigour
or depth: quite the opposite.  The work lacks focus and direction, and
appears to be a compilation of components without an assembly diagram.
It's the type of material that might result from the "war stories"
told around a security seminar, after the core curriculum had been
taken away.

Chapter one is entitled "Introduction," but, other than a statement
that the book is supposed to be a resource for forensic examiners who
may have to deal with computerized systems, there is almost no
declaration of what the volume is about.  The remaining material in
the chapter, while it does have an obvious relation to the act of
obtaining evidence from computers, does not have any clear structure.
The points asserted are good advice, but appear to be relatively
random thoughts.  The text is neither readable nor lucid: in places it
seems more like a parody of obfuscated academic papers.  Chapter two
is somewhat more understandable, offering an outline on how to prepare
documentation for discovery.  Unfortunately, while it does deal with
some technical issues (original media is better than a bit-wise copy,
which is better than a copy of a file), the material concentrates on
lawyerly debates about what might be needed, and, after a great deal
of verbiage, boils down to the recommendation to produce all possible
documentation, but not too much.  (Where the material does get
technical it frequently goes too far, starting to deal with specific
pieces of software, rather than concepts.)

Part one looks at tools in forensic computing.  Unfortunately, to a
greater or lesser extent, the four chapters each deal only with a
single tool or vendor; EnCase, Cisco's NetFlow logs, Network Flight
Recorder, and NTI.

Part two is entitled technology: it looks at operating systems,
networks, and other system types.  Chapter seven provides some details
of the FAT (File Allocation Table) and NTFS (NT File System)
structures, as well as print spool files.  A miscellaneous collection
of information about UNIX files is given in chapter eight.  A
similarly unstructured compilation is listed in chapter nine, which
reviews network data.  Wireless network analysis, in chapter ten,
concentrates on cellular telephone systems, and really only throws out
generic information about such setups.  Chapter eleven's overview of
embedded systems varies between a similar generality and unhelpful
photographs of breadboarded circuits.

Part three provides three case studies.  While interesting (parts of
the third are especially amusing), they really don't provide much in
the way of assistance to anyone having to perform investigations.

The authors and contributors seem to be much more involved in the law,
and law enforcement, than in the technology of computer forensics.
The book has no framework or structure within which to place the many
details.  Therefore, the material simply blends into a haze of trivia,
rather than providing the promised handbook.  For those seriously
working in the field there are many helpful points of information, but
organizing them is left as an exercise to the reader.

copyright Robert M. Slade, 2002   BKCMCRIN.RVW   20020315
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Conference on security information disclosure

<"Edward W. Felten" <ed@felten.com>>
Mon, 22 Apr 2002 09:33:45 -0700

Conference on Cyber Security and Disclosure
May 9 at Stanford University
http://www.seeuthere.com/rsvp/invitation/invitation.asp?CC=4%2F22%2F200209%3A25&id=/951771153071

Stanford Law School Center for Internet & Society presents a conference
exploring the relationship between computer security, and disclosure of
information about security vulnerabilities. One view is that vulnerability
information should be kept secret and out of the hands of potential
criminals and foreign agents. Another view is that network administrators
require distributed research and public disclosure of vulnerability
information to enable them to secure their own systems.  Panelists will
discuss vulnerability disclosure and the trade-offs between security,
government and corporate interests, and the public's right to know. Computer
security researchers and practitioners, computer science academics and
professionals, hackers, policy formulators, and private and governmental
organizations concerned with securing private and public computer
infrastructures are invited to attend the conference.

This program is cosponsored by the Stanford Program in Law, Science &
Technology and the Information Technology Association of America (ITAA).


DSN 2002 Registration and Advance Program

<Anup Ghosh <aghosh@darpa.mil>>
Tue, 16 Apr 2002 14:39:09 -0400

2002 International Conference of Dependable Systems and Networks: DSN 2002
             Hyatt Regency, Bethesda, MD,  23-26 June 2002

The advance program, registration and accommodation information are now
available at www.dsn.org. The early registration deadline is May 24, 2002.
This year's keynote speaker is the Honorable Richard Russell, Associate
Director (Designate), White House Office of Science and Technology Policy
(OSTP).


23RD ISODARCO SUMMER COURSE - Call for application

<Diego Latella <diego.latella@cnuce.cnr.it>>
Fri, 12 Apr 2002 10:26:26 +0200

23rd SUMMER COURSE TRENTO - ITALY  3-13 AUGUST, 2002:
   CYBERWAR, NETWAR AND THE REVOLUTION IN MILITARY AFFAIRS:
   REAL THREATS AND VIRTUAL MYTHS
ISODARCO: INTERNATIONAL SCHOOL ON DISARMAMENT AND RESEARCH ON CONFLICTS
   Founded in 1966 (http://www.isodarco.it)

Sponsors: UNIVERSITY OF ROME "TOR VERGATA"; UNIVERSITY OF TRENTO;
  ISTI - C.N.R., OPERA CAMPANA DEI CADUTI - Rovereto;
  FORUM TRENTINO PER LA PACE - Autonomous Province of Trento;
  U.S.P.I.D. - Section of Trento; Italian Pugwash Group

ISODARCO has been organizing residential courses on global security since
1966.  The courses are intended for people already having a professional
interest in the problems of disarmament and conflicts, or for those who
would like to play a more active and technically competent role in this
field.  The courses have an interdisciplinary nature, and their subject
matters extend from the technical and scientific side of the problems to
their sociological and political implications.  Cyberwar, Netwar and the
Revolution in Military Affairs have given rise to a lively discussion in
political and military circles in the last few years.  Issues of major
importance are: the relation between computers and regional defense; the
threat of "cyberterrorism" as well as "cyberwar"; emerging forms of network
organization and how information technology supports them; the impact of
information technology developments in military doctrine and organization of
military forces.  Of comparable importance is the issue of the possible
implications on civil society and civil liberties possibly brought about by
counter-measures to cyberwar and netwar.

[If you are interested, first read the full information at www.isodarco.it
  This looks like a very interesting event.  PGN]

Applications should arrive not later than June 3, 2002 and should be
addressed to the Director of the School:
  Prof. CARLO SCHAERF, Department of Physics
  University of Rome "Tor Vergata"
  Via della Ricerca Scientifica 1, I-00133 Rome, Italy
  Tel.: (+39) 06 72594560/1 -- Fax: (+39) 06 2040309
  E-mail: isodarco@roma2.infn.it

The Course will be held at Istituto Salesiano "Maria Ausiliatrice",
Via Barbacovi 22, 38100 Trento, Italy.  Tel. (+39) 0461 981265 and Fax
(+39) 0461 981972.

Directors of the Course: GARY CHAPMAN and DIEGO LATELLA

Dott. Diego Latella,
Consiglio Nazionale delle Ricerche
Area della Ricerca di Pisa - ISTI
Via G. Moruzzi, 1 - I56124 Pisa, ITALY
phone: +39 0503152982 or +39 348 8283101
  fax: +39 0503138091 or +39 0503138092
e-mail: Diego.Latella@cnuce.cnr.it
 http://www.cnuce.pi.cnr.it/people/D.Latella
