The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 05

Sunday 5 May 2002

Contents

"Don't Touch That Dial--Or You're Under Arrest!"
Lauren Weinstein
Re: "Don't Touch That Dial--Or You're Under Arrest!"
Dan Gillmor
Vivendi suspects electronic vote fraud
NewsScan
'Lost password' delays Mali vote count
PGN
Online voting in UK
Toby Gottfried
How to rig an election
*The Economist* via Mohammad Al-Ubaydli
Seattle City Light billing disputes
Jason Axley
Risks of differing Unices
Theo Markettos
CIA warns of Chinese plans for cyber-attacks on U.S.
Mike Hogsett
Smart inventory control overshoot
Paul Breed
California DMV online data base
Bruce Stein
A new risk to computers worldwide: "W32/KLEZ.H" in MS Outlook
John Schwartz via John F. McMullen
How not to warn about viruses
Rob Slade
IE 6 Privacy features open users to attack
Monty Solomon
Midwest Express Web site security
Midwest Express
Robot cameras 'will predict crimes before they happen'
Merlyn Kline
Re: Online banking system failure in a big way
Ishikawa
Re: Nanny-Cam may leave a home exposed
Marc Roessler
Info on RISKS (comp.risks)

"Don't Touch That Dial--Or You're Under Arrest!"

<Lauren Weinstein <lauren@vortex.com>>
Sun, 05 May 2002 14:51:01 -0700

Greetings.  According to some in the entertainment industry, consumers risk
becoming outlaws if they skip the commercials during television programs!
The latest Fact Squad Radio short audio segment concerns the escalating
technology and political battle between the entertainment industry and their
consumers, and is entitled:

   "Don't Touch That Dial--Or You're Under Arrest!"

It's playable via:

   http://www.factsquad.org/radio

Lauren Weinstein   +1 (818) 225-2800
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Co-Founder, PFIR, People For Internet Responsibility: http://www.pfir.org;
  Fact Squad: http://www.factsquad.org; URIICA - Union for Representative
  International Internet Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com


Re: "Don't Touch That Dial--Or You're Under Arrest!"

<Dan Gillmor <dgillmor@sjmercury.com>>
Sun, 05 May 2002 14:16:49

  [From Dave Farber's IP, written in response to Dave's posting a
  notice from Lauren Weinstein similar to the above.  PGN]

Dave, today's column [by Dan] is on point:

http://www.siliconvalley.com/mld/siliconvalley/business/columnists/3200101.htm

Dear Reader:

If you are reading this column in the newspaper, but did not read every
article and look at every advertisement in previous sections, stop now. You
must go back and look at all of that material before continuing with this
column.

If you are reading this column on the Web and did not go to the newspaper's
home page first, stop now. Go to the home page and navigate through whatever
sequence of links our page designers have created to reach this page, and
don't you dare fail to look at the ads.

Ridiculous? Of course.

Tell that to the dinosaurs at some major media and entertainment companies.
They insist they have the right to tell you precisely how you may use their
products.

  [For IP archives see:
     http://www.interesting-people.org/archives/interesting-people/ ]


Vivendi suspects electronic vote fraud

<"NewsScan" <newsscan@newsscan.com>>
Mon, 29 Apr 2002 09:13:08 -0700

Vivendi Universal, the Paris-based media giant, is calling for a criminal
investigation of suspected fraud by unnamed computer hackers during a
shareholders vote by Internet last week. Vivendi thinks the vote tampering
"could have been carried out by a small team armed with a transmitter-
receiver and detailed knowledge of the procedures and technical protocols of
electronic voting." (AP/*The Washington Post*, 29 Apr 2002; NewsScan Daily,
29 Apr 2002)
  http://www.washingtonpost.com/wp-dyn/articles/A64981-2002Apr29.html


'Lost password' delays Mali vote count

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 30 Apr 2002 8:42:06 PDT

The announcement of the results of Mali's presidential election on 28 Apr
2002 has been suspended after a computer technician had a car accident,
election officials have said.  He is the only person with the password to
access the election centre's computers.  The technician was reportedly
recovering in the hospital.  [BBC, PGN-ed]
  http://news.bbc.co.uk/hi/english/world/africa/newsid_1959000/1959327.stm

  [... except that nobody wanted to admit how easy it might have been to
  break in without knowing the password, which would have blown the cover of
  the folks who had already rigged the election?  PGN]
    [This item was noted by several readers.  TNX]


Online voting in UK

<"Toby Gottfried" <toby@gottfriedville.net>>
Thu, 2 May 2002 15:51:53 -0700

Apparently the British are making moves toward voting in a "high tech" way.

And there are the worriers ...
  http://www.bbc.co.uk/webwise/column/col128.shtml
  http://www.bbc.co.uk/webwise/column/col139.shtml

"...  But if there are unexpected results from next week's local elections
in the UK it is entirely possible that they will be blamed on hackers,
programming errors or network failures.  The reason is that the May 2002
local elections are being used to test a selection of alternative voting
methods. Most of these are 'e-voting' systems which use computers and
networks, including the Internet. So if something unexpected happens there
will be a temptation to blame it on the computers rather than take it as a
reflection of a change in local opinion.  ..."

Followup:

Quoting from the start and end of
http://society.guardian.co.uk/modlocalgov/story/0,7999,645401,00.html
which has links to more articles,

  Residents of Sheffield and Liverpool will be able to vote over the
  Internet and by mobile phone text message in the May local government
  elections as part of a nationwide wave of 30 innovative electoral pilots
  announced today. [ Feb 5 2002 ]

  The pilots will provide a crucial first test of Internet voting, and could
  be a step towards an online general election.  .....  His announcement
  came as the independent Electoral Reform Society (ERS) warned that the
  government should not rush into online voting. Ministers need to ensure
  the technology used is thoroughly tested and that tough safeguards are in
  place to prevent fraud.


How to rig an election (*The Economist*)

<"Dr Mohammad Al-Ubaydli" <mo@idiopathic.com>>
Tue, 30 Apr 2002 15:00:27 -0400

[An article from *The Economist* print edition, 25 Apr 2002, considers a
situation which readily generalizes to a state with N Congressional
districts in which one redistricting gives results of N to 0 representatives
one way, and another redistricting gives results of 1 to N-1 the other way.
Starkly PGN-ed from Dave Farber's IP
  http://www.interesting-people.org/archives/interesting-people/
  http://www.economist.com/world/na/displayStory.cfm?story_id=1099030]


Seattle City Light billing disputes

<Jason Axley <jason-risks@axley.net>>
Tue, 23 Apr 2002 11:33:02 -0700

Still no light has been shed on what is causing the massive overcharging of
many Seattle City Light customers -- some as much as 10 times above normal.

Some quotes:

  Seattle City Light, beleaguered by scores of customer complaints about
  inflated bills, now plans to do things "the Nordstrom way," meaning it
  will resolve billing disputes quickly and in the customer's favor when
  there's a question, Mayor Greg Nickels vowed yesterday.

  The city made some headway in trying to turn around what has become a
  public-relations disaster. But after promising Friday to come up with a
  definitive explanation on the inflated bills for the mayor by Monday, it
  came up a bit short.

  The hearing examiner "indicated that all my bills were from direct meter
  reads, so the bill in question was not a makeup bill," O'Leary said. "He
  also said the bill on its face was wrong. His conclusion was, however,
  that the meter never lies, and I must prove I did not use the power. How
  does one prove a negative?"

  Zarker emphasized that the billing problem does not lie with the city's
  new $40 million computer. "It works," he declared.

[Source: *Seattle Times*, "Nickels says City Light billing disputes will be
resolved quickly, in customer's favor", 16 Apr 2002]
http://archives.seattletimes.nwsource.com/cgi-bin/texis.cgi/web/vortex/display?slug=citylight16m0&date=20020416


Risks of differing Unices

<Theo Markettos <theom@chiark.greenend.org.uk>>
Tue, 30 Apr 2002 22:05:33 +0100 (BST)

Both Linux and HPUX provide a 'killall' command.  Under Linux 'killall
<process name>' is used to kill all processes with the given name -- for
example, as root one might kill all instantiations of httpd.

Under HPUX, killall kills _every_ process, except those required for
shutdown.  It takes an optional signal argument, but ignores this if it
doesn't recognise it as a valid signal name.  Hence 'killall httpd' kills
everything except a handful of processes required for shutdown.  If not
running as root, it kills all processes owned by the current user.

The RISK?  Don't assume something that is safe on one OS is on another,
and don't assume that running a command without arguments to get help will
do the right thing.
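The portable way out of the trap described above is to never hand a bare name
to a platform killall at all, but to resolve the name to explicit PIDs first and
signal those.  The following is an added example, not code from the post or
from either vendor; it assumes a POSIX ps that accepts `-eo pid=,comm=`, refuses
an empty name so it can never degrade into "kill everything", and rejects an
unknown signal name instead of silently ignoring it the way the post says HP-UX
killall does.  The ps listing used in the usage below is constructed.

```python
"""Kill processes by name from an explicit PID list instead of a platform
killall.  Added example, not from the original post.  Assumes a POSIX ps
supporting `ps -eo pid=,comm=` (on HP-UX that form needs UNIX95 set)."""
import os
import signal
import subprocess
import sys


def resolve_signal(sig):
    """Accept 'TERM', 'SIGTERM' or an int; raise ValueError for anything unknown.

    Unlike the HP-UX behaviour described in the post, an unrecognised name is
    an error here, never silently dropped."""
    if isinstance(sig, int):
        return signal.Signals(sig)          # ValueError if not a real signal
    name = sig.upper()
    if not name.startswith("SIG"):
        name = "SIG" + name
    try:
        return signal.Signals[name]
    except KeyError:
        raise ValueError(f"unknown signal name: {sig}") from None


def pids_named(name, ps_output):
    """Return PIDs from `ps -eo pid=,comm=` text whose command name equals name.

    comm is the bare executable name (truncated to 15 chars on Linux), so the
    match is exact rather than a substring, and an empty name is refused."""
    if not name or name.strip() != name:
        raise ValueError("refusing to match an empty or padded process name")
    pids = []
    for line in ps_output.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2 or not fields[0].isdigit():
            continue                         # header, blank or malformed line
        if fields[1].strip() == name:
            pids.append(int(fields[0]))
    return pids


def kill_by_name(name, sig="TERM", ps_output=None, dry_run=False):
    """Signal every process named `name` except ourselves; return the PIDs targeted.

    ps_output may be supplied (for testing); otherwise ps is run. With
    dry_run=True nothing is signalled, only the target list is returned."""
    signum = resolve_signal(sig)             # validate before touching anything
    if ps_output is None:
        ps_output = subprocess.run(
            ["ps", "-eo", "pid=,comm="], capture_output=True, text=True, check=True
        ).stdout
    targets = [p for p in pids_named(name, ps_output) if p != os.getpid()]
    if not dry_run:
        for pid in targets:
            os.kill(pid, signum)
    return targets


# Constructed ps listing (not captured from a real host) for the usage below.
SAMPLE_PS = "    1 init\n31812 httpd\n31813 httpd\n 9000 sleep\n   42 httpd-worker\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "httpd"
    # Dry run against the constructed listing; pass ps_output=None to go live.
    print(target, "->", kill_by_name(target, ps_output=SAMPLE_PS, dry_run=True))
```

Because the matching is exact on comm, "httpd-worker" is not swept up with
"httpd", and because the function only ever issues kill() on PIDs it listed,
running it with the wrong arguments on an unfamiliar Unix cannot take the
whole session down.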


CIA warns of Chinese plans for cyber-attacks on U.S.

<Mike Hogsett <hogsett@csl.sri.com>>
Thu, 25 Apr 2002 14:07:50 -0700

U.S. intelligence officials believe the Chinese military is working to
launch wide-scale cyber-attacks on American and Taiwanese computer networks,
including Internet-linked military systems considered vulnerable to
sabotage, according to a classified CIA report.
  http://www.latimes.com/news/nationworld/world/la-042502china.story


Smart inventory control overshoot

<Paul Breed <Paul@Netburner.com>>
Mon, 29 Apr 2002 14:15:16 -0700

I've been working on an old car, in the process of removing the spot welds I
needed a specific sized bullet tipped drill bit. The bit would only last
about 5 welds and I had hundreds to do.  The only place I could find locally
to buy the bits was in a pack of 15 various size bits at the local home
center.

So, over the period of three months, I purchased all of their drill sets,
every weekend (usually 3 sets).  Now I have disassembled the old car and
don't need more bits. The last time I was in the home center they had so
many of these drill bit sets that they were overflowing on to the floor.

From my experience the computerized inventory system has a delay of about 3
months.  It determined that this item sold out for 12 weeks straight,
plugged this into it's inventory tracking prediction S/W and ordered
hundreds and hundreds of sets.


California DMV online data base

<Bruce Stein>
Wed, 24 Apr 2002 17:17:50 -0700

From the Los Angeles Times, 24 Apr 2002
http://www.latimes.com/news/printedition/highway1/la-000028975apr24.story

At the California DMV Web site at http://www.smogcheck.ca.gov , click on
"Vehicle Smog Check History".  Enter just a license plate number, and you
will be provided with:

Vehicle Identification Number (VIN)
Make, Model, and Year of the vehicle
The date and location of every smog test the vehicle has had.

The location of the smog test is almost always the neighborhood where the
car lives.

In the case of Personalized License Plates, you get all of the vehicles the
plate has ever been on.


A new risk to computers worldwide: "W32/KLEZ.H" in MS Outlook

<"John F. McMullen" <observer@westnet.com>>
Sat, 27 Apr 2002 10:45:57 -0400 (EDT)

  [Source: John Schwartz, *The New York Times*, 27 Apr 2002]

A rogue computer program that is the online equivalent of a quick-change
artist is infecting computers around the world via e-mail and clogging
computer networks.  The program, W32/KLEZ.H, is a "blended threat,"
combining elements of a virus, which infects machines, and a worm, which
transports itself from machine to machine. It also tries to disable some
antivirus programs.  It makes itself hard for users to spot by changing its
e-mail subject line, message and name of the attachment at random, drawing
from a database that includes, for example, such subject lines as "Hello,
honey," and "A very funny Web site."  The program has grown increasingly
common as users unknowingly activate it sometimes without even opening the
e-mail attachment that carries the virus and allow it to send copies of
itself to those in the victim's e-mail address file.  [PGN-excerpted]


How not to warn about viruses

<Rob Slade <rslade@sprint.ca>>
Thu, 2 May 2002 10:28:11 -0800

The Klez family of viruses is not new: on the publicity page that I provide
at http://www.osborne.com/virus_alert/ I first warned of the family in
November of 2001.  However, the author (or authors) has been continually
active, and some of the recent variants (particularly Klez.H) have been
successful enough that the virus warnings have been flying around the net.

Unfortunately, not all of the warnings have been particularly helpful.  Klez
is one of the new breed of polymorphic e-mail viruses.  Unlike Melissa,
Loveletter, Hybris, or Sircam with their identifiable subject lines,
attachment filenames, implied pornography, or ungrammatical message bodies,
Klez variants present with a wide variety of subjects, bodies, filenames,
topics, and (most recently) senders.

Recently I got my hands on what has to be one of the worst examples of a virus
warning that I've ever seen:

> I have been advised that ther is a very bad computer virus out.  If opened
> the virus will attach itself to your address book.
>
> If you get an e-mail from W32.klez@jena.nn
>
> Do not open the attachment
>
> Delete it right away

I might note that, although I can't tell the source of this misinformation,
it makes several obvious errors.  The attempt at a CARO virus name has a few
problems: it doesn't have a variant designation (such as Klez.H), there
appears to be some confusion with another extant virus (which makes mention
of "Jenna"), and the "mass mailer" designation is usually .mm rather than
.nn.  More importantly, Klez does not have a consistent "From" indicator.
Also, this particular company uses Microsoft Outlook for e-mail, and has no
policy regarding the preview pane or other security related configuration.
By the time anyone notices that an attachment exists, it will likely be too
late.

(More recent Klez variants tend to pick a real e-mail address harvested from
the infected computer to generate the "From" line in generated e-mail.
Therefore, those attempting to track infections will often concentrate on a
machine or user that is not the source of the infection.  I have heard from
someone in another company who has been targeted by management as the
source of the infection.  This was interesting in that he was travelling at
the time of the occurrence, and his computer was not connected to the
Internet at all for a few days on either side of the event.)

For those interested in trying to detect Klez messages, three of the more
reliable, but by no means universal, indicators are that, viewed manually,
the MIME file type often does not match the filename extension, the filename
extension is one of the usual executable crowd (.BAT, .PIF, .SCR, .EXE,
etc.), and the size of the encoded file usually ranges between 120K and
180K.

(The old advice to avoid running attachments still holds true, albeit with a
few provisos.  Those who use Microsoft Outlook or Outlook Express may,
because of the specialized construction of the message, still be at risk
even if the attachment is not deliberately run by the user.  Due to this
same construction, users of other mailers, such as Pegasus or Netscape
Communicator, may never see the attachment at all, and therefore may be at
no risk.)

rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
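The three indicators Slade lists (declared MIME type not matching the filename
extension, an executable extension, and an encoded attachment size of roughly
120K to 180K) can be scored mechanically from the raw message.  The following
is an added example, not code from Slade or from the digest; it uses Python's
standard email package, treats "an executable extension declared under anything
other than application/*" as the type/extension mismatch (an assumption for
illustration), and builds its own constructed sample messages rather than using
a real Klez capture.

```python
"""Attachment triage for the three Klez indicators named in the post:
MIME type/extension mismatch, executable extension, encoded size 120K-180K.
Added example, not code from the original digest; the sample messages below
are constructed, not captured malware."""
import email
import os
from email import policy
from email.message import EmailMessage

EXEC_EXTS = {".bat", ".pif", ".scr", ".exe", ".com"}
SIZE_LO, SIZE_HI = 120 * 1024, 180 * 1024   # encoded-size band from the post


def attachment_indicators(part):
    """Return the indicator names that fire for one non-multipart MIME part."""
    name = part.get_filename() or ""
    ext = os.path.splitext(name)[1].lower()
    hits = []
    if ext in EXEC_EXTS:
        hits.append("executable_extension")
        # Assumption used here: a genuine executable is declared application/*;
        # a .exe/.bat/... declared as audio, image or text is a mismatch.
        if part.get_content_maintype() != "application":
            hits.append("type_extension_mismatch")
    # Size of the payload as it sits on the wire (base64 text including line
    # breaks), which is what "size of the encoded file" in the post refers to.
    encoded_len = len(part.get_payload(decode=False))
    if SIZE_LO <= encoded_len <= SIZE_HI:
        hits.append("size_in_klez_band")
    return hits


def scan_message(raw):
    """Parse a raw RFC 822 message; return [(filename, [indicators])] per attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart() or not part.get_filename():
            continue
        report.append((part.get_filename(), attachment_indicators(part)))
    return report


def is_suspect(report, threshold=2):
    """Flag a message when any attachment trips at least `threshold` indicators.

    The post calls the indicators reliable but not universal, so a single hit
    (e.g. a legitimate 150K .exe) is deliberately not enough on its own."""
    return any(len(hits) >= threshold for _, hits in report)


def build_sample(payload, filename, maintype, subtype):
    """Construct a sample message with one attachment (for exercising the scan)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "A very funny Web site"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_string()


# ~100 KB of bytes declared as audio but named as an executable; base64 encodes
# to ~135 KB, inside the 120K-180K band.  Constructed, not a real sample.
SUSPECT_RAW = build_sample(bytes(range(256)) * 391, "funny.exe", "audio", "x-wav")
# Small, honestly declared attachment: should trip nothing.
BENIGN_RAW = build_sample(b"%PDF-1.4 constructed stub", "notes.pdf", "application", "pdf")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("benign", BENIGN_RAW)):
        report = scan_message(raw)
        print(label, report, "SUSPECT" if is_suspect(report) else "ok")
```

The scan deliberately reads the declared Content-Type and the on-the-wire
encoded size rather than decoding the attachment, because, as the post notes,
the mismatch between what the message claims to carry and what the filename
says is itself the signal, and it is visible before any mailer has rendered the
part.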


IE 6 Privacy features open users to attack

<Monty Solomon <monty@roscom.com>>
Thu, 25 Apr 2002 02:13:41 -0400

By Brian McWilliams, *Newsbytes*, 23 Apr 2002

Security flaws in privacy features added to Microsoft's Web browser could
enable attackers to perform several privacy-robbing attacks, including
hijacking victims' MSN Messenger accounts, a security researcher warned.
According to Thor Larholm, a developer with Denmark-based Internet portal
Jubii.dk, "severe" bugs in the "Privacy Report" feature in Internet Explorer
version 6 can be exploited "in effect removing all privacy."  Last week,
Larholm posted an advisory and harmless demonstrations of the flaws at his
personal Web site. One example showed how the browser bugs enable a Web site
to launch programs that exist on the user's hard disk. Another demo page
silently sends a message to users in the target's MSN Messenger contact
list.  ...
  http://www.newsbytes.com/news/02/176077.html


Midwest Express Web site security

<Midwest Express>
Fri, 26 Apr 2002 21:41:18 -0700

  [via Mark Luntzel]

On the morning of Monday April 22, Midwest Express Airlines was informed
that customer profile data had been published on the Internet, specifically
on the U.S. Space and Naval Warfare Systems Command Web site. The data
published contained a handful of user profiles including names and e-mail
addresses. This screenshot of data was captured from the Midwest Express
test server, not the actual Web site. This test server is used for testing
new enhancements to www.midwestexpress.com.

Midwest Express has always taken steps to ensure security. As a result of
this situation, a number of additional precautionary measures were taken to
ensure that customer data was protected:

* The U.S. Space and Naval Warfare Web site immediately removed the defaced
  Web page from the Internet.

* A security company was contracted to eliminate any vulnerability to our
  test server.

* All customer passwords to Web profiles were changed to protect and
  restrict access to the customer data.

Since all passwords have been changed, the next time you visit
midwestexpress.com and login to your profile, you will be prompted to change
your own password upon successfully answering a challenge/response question
that you created.

While Midwest Express is confident in the security of its Web site, we are
always assessing our Web site for potential vulnerabilities and taking
appropriate steps when needed. We assure you that your customer information,
purchases and other transactions are secure.

Tom Vick, Senior Vice President and Chief Marketing Officer


Robot cameras 'will predict crimes before they happen'

<"Merlyn Kline" <merlyn@zyweb.com>>
Mon, 22 Apr 2002 13:36:51 +0100

According to the UK broadsheet *The Independent*, Dr Sergio Velastin, of
Kingston University's Digital Imaging Research Centre, has developed
software to analyse CCTV images for the purpose of predicting crime:
  http://news.independent.co.uk/uk/crime/story.jsp?story=287307

Quote from the article:

  Scientists at Kingston University in London have developed software able
  to anticipate if someone is about to mug an old lady or plant a bomb at an
  airport.  It works by examining images coming in from closed-circuit
  television (CCTV) cameras and comparing them to behaviour patterns that
  have already been programmed into its memory.  The software, called Cromatica,
  can then mathematically work out what is likely to happen next. And if it
  is likely to be a crime it can send a warning signal to a security guard
  or police officer.


Re: Online banking system failure in a big way (RISKS-22.03)

<Ishikawa <ishikawa@yk.rim.or.jp>>
Sun, 21 Apr 2002 09:16:09 +0900

Here are a few interesting points to follow up the original story of online
banking system failure of Japan's Mizuho bank.

It has been revealed that the Tokyo Electric utility which services the
heavily populated Tokyo and its surrounding areas had asked the (soon-to-be)
Mizuho bank for a dry-run of the utility bills payment before the merger
back in February.  The utility company was worried about the large scale
change and requested that about 100,000 sample bills be run through the new
integrated system to see if such bills are handled correctly.  However, the
bank turned down the request saying that their internal testing would be
enough.

Obviously it was not!

The utility company requested the testing again despite the first refusal,
but the request was again turned down.

One of the reasons for the overload at the bank was mentioned as the failure
of many transactions due to incorrect input data.  It seems that the new
integrated banking system required the conversion of old branch numbers of
three banks into the newly assigned branch numbers.  Some branch numbers
were common among the three banks and they needed to be reassigned a new
number once Mizuho bank went into operation.  Apparently, some companies
requesting the automatic billing failed to update the branch numbers in
their transaction input (on MT!) and such transactions were deemed errors
and manual intervention to inspect and rectify the aborted transactions were
necessary.

Some of the double billings, etc. were attributed to the incorrect handling
of magnetic tapes.  Some tapes were obviously run through the system twice
under the confused circumstances.

I think that by failing to perform the 100,000-bill test run, the bank missed
a great opportunity to test the integrated computer system and make sure that
the manual steps to intervene in case of failure were well organized and known
to operations staff members.

There ARE now visible damages.

The utility companies (gas, electricity) and telephone companies can't
figure out whether their bills were paid by the subscribers. The amount of
money mentioned amounts to 25,000,000,000 yen.  (That's approximately US$191
million at 1 dollar = 130.5 yen.)

Mizuho bank is negotiating with telephone companies and others to pay an
agreed-upon ball-park sum of money, but since individual transactions can't
be confirmed, the utility company can't figure out, say, if I paid the bill,
so to speak.  It seems that the utility companies decided to send out BLANK
invoice notices without filling in the status of the payments that were due
in April!  The utility companies are considering asking the bank to pay for
the additional cost to send complete receipts to their customers.

Small companies are hit hard when their payments didn't make it on time due
to the banking failure.  The small business associations all over Japan
seemed to be flooded with complaints of their reputation being on the line
due to the delay caused by the bank, not by their own failure.

I just heard on TV news of a case of a gas station owner whose salary payments
to part-time workers at the station failed to materialize in the workers'
accounts.

This is getting serious.

In Japan, many companies have the 25th as the monthly salary payment day, and
since the long holiday weekend called Golden Week starts on April 27, the
banking system will be busier.  It is expected that many people begin
withdrawing cash to use during the holidays and so the workload on the
banking system is expected to soar due to the monthly salary payment, and
the people taking out money from ATMs.

Since I am a customer of Mizuho, I have reason for concern...

With the revelation of the refusal to perform a dry run with the electric
utility company to test the real world workload and a top management saying
earlier at the parliament hearing about "No real harm was done to the
customers", the Mizuho bank's reputation is at an all-time low.

The Mizuho bank seems to think that their system can withstand the workload
toward the end of the month, but who knows.

LATER-ADDED NOTE:

The bank has decided to stop ATMs all over Japan May 3rd and 4th, which are
part of the holiday season.  They had planned to operate ATMs during the
holidays, but they deemed it necessary to stop the ATMs and check the
banking system offline thoroughly.


Re: Nanny-Cam may leave a home exposed (RISKS-22.04)

<Marc Roessler <marc@tentacle.franken.de>>
Tue, 23 Apr 2002 10:56:29 +0200

This is nothing new. Such cameras are even installed in some public
restaurants and shops. Note that this basically voids all claims of the shop
owners concerning privacy and data protection -- ANYONE can receive that
data.  And, as more and more cameras are installed, the risk of malicious
"camera takeovers" rises significantly. Think about webcams, cams integrated
into notebooks/cellular phones, car dashboards (detect the driver falling
asleep).  Those are easily tapped (or subverted, such as by installing
trojan software/firmware); this has some enormous potential.  The case of
the Nanny-Cams shows the deviousness of this kind of attack: as the devices
are not suspected to be used to spy on their owner ("I own that device; that
makes it trusted"), they function more or less as hidden cameras. For more
"camera takeover" scenarios take a look at my paper "How to find hidden
cameras" [1].

[1] http://www.franken.de/users/tentacle/papers/hiddencams.pdf
