The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 33

Saturday 24 April 2004

Contents

University supercomputers attacked by vandals
NewsScan
Risk of automatic updates
Geert Jan van Oldenborgh
Runaway car from hell
Ken Knowlton
Unfortunate MTA behavior
Drew Dean
User interface anecdote, ATMs and voting machines
David Crooke
Global Domination
Lauren Weinstein
Former anti-piracy 'bag man' turns on DirecTV
Monty Solomon
Expecting browser-side code to implement security
Derek Ziglar
MiniDV Firewire connectors
Ron Erwin
Risks of tax-preparation software
Toby Douglass
Re: Cancer treatments and radiation detectors
Rob Slade
Squeezing the pips until they squeak
Andrew Yeomans
Re: Radar guns, again
Derek Ziglar
Sean Sosik-Hamor
Arthur T
Web Sites ignore the law, think it applies only to Federal Government
Bob Heuman
Info on RISKS (comp.risks)

University supercomputers attacked by vandals

<"NewsScan" <newsscan@newsscan.com>>
Wed, 14 Apr 2004 08:28:32 -0700

Network vandals have infiltrated supercomputers at as many as 20
colleges, universities and research institutions in recent weeks,
disrupting the TeraGrid, a network of computers funded by the National
Science Foundation and used in support of such scientific projects as
weather forecasting and genome sequencing. The vandals have not been
identified.  None of the systems was permanently damaged, but the
intruders gained the ability to control the various networks for short
periods of time, prompting TruSecure security expert Russ Cooper to
warn, "This could be a wake-up call to what should be very, very
secure computing environments, because these machines should never
have been compromised." The attacks were made against Unix
machines. Stanford University computer security officer Tina Bird
comments: "This incident is definitely giving us an opportunity to
reevaluate the maintenance and protection we provide to our Unix
systems.  When you're completely focused on widespread attacks on
Windows systems, it's certainly startling."  [*The Washington Post*,
13 Apr 2004; NewsScan Daily, 14 Apr 2004]
  <http://www.washingtonpost.com/wp-dyn/articles/A8995-2004Apr13.html>


Risk of automatic updates

<"Geert Jan van Oldenborgh" <oldenborgh@knmi.nl>>
Fri, 23 Apr 2004 14:47:38 +0200

At a recent workshop one of the authors presented his latest insights in
seasonal predictability using his laptop connected to the beamer - not
unusual.  However, he was not aware that his computer also surreptitiously
connected itself to the wireless network of the university, and worse, that
it had determined that it was vulnerable to attack!  So, suddenly a notice
propped up, informing him that the latest Windows update had been installed
successfully, that a reboot was necessary, and and asking him whether he
would like to reboot now.  The only option available was [Yes], and a timer
announced it would reboot anyway within three minutes.  Rushing through his
conclusions he just finished his presentation before this unexpected
deadline.

Geert Jan van Oldenborgh <http://www.knmi.nl/~oldenbor>


Runaway car from hell

<Ken Knowlton <KCKnowlton@aol.com>>
Sat, 17 Apr 2004 20:04:51 EDT

Source: Sarah Huntley, *Rocky Mountain News*, 2 Feb 2004, starkly PGN-ed]

Angel Eck, driving a 1997 Pontiac Sunfire found her car racing at high speed
and accelerating on Interstate 70 for 45 minutes, heading toward Denver --
with no effect from trying the brakes, shifting to neutral, and shutting off
the ignition.  To make a long story short, she eventually gained cell-phone
coverage and called a co-worker airliner mechanic, whose suggestions failed
but who then had another colleague call 911.  Recalling a 1980s CHiPs TV
show, police then cleared the highway into Denver, and while she was going
80 mph, a cruiser was positioned just in front of her and -- after a light
initial impact -- eventually brought her car to a halt.  The car was
awaiting review by a GM rep to see what caused the malfunction.


Unfortunate MTA behavior

<Drew Dean <ddean@csl.sri.com>>
Fri, 16 Apr 2004 11:36:02 -0700 (PDT)

I recently received a typical phishing scam.  I'm reproducing the
poorly done (NB: by SRI's MTA) Received: headers below.

Received: from localhost (HELO mailgate-external1.SRI.COM) (127.0.0.1)
  by mailgate-external1.sri.com with SMTP; 11 Apr 2004 14:31:00 -0000
Received: from ibank.barclays.co.uk ([80.98.63.110])
 by mailgate-external1.SRI.COM (SAVSMTP 3.1.2.35) with SMTP id M2004041107305827172
 for <DDean@CSL.sri.com>; Sun, 11 Apr 2004 07:30:59 -0700

As I'm not a Barclays customer (how many Americans are?), I wasn't
fooled for a minute.  But note the last Received: header.
Ibank.barclays.co.uk has 2 IP addresses: 62.172.239.139 and
193.128.3.139. An inverse lookup on 80.98.63.110 yields
catv-50623f6e.catv.broadband.hu.

I included the 2nd header so you can see what things should look like.
Why it didn't note the mismatch between claimed domain and and inverse
IP mapping is beyond me.  RISK: If someone was trying to determine the
legitimacy of this message and looked at the Received: headers,
nothing appears to be wrong.  (Anyone sophisticated enough to look at
headers hopefully won't fall for a phishing scam, but that's another
story.)

Drew Dean, Computer Science Laboratory, SRI International


User interface anecdote, ATMs and voting machines

<David Crooke <dave@convio.com>>
Thu, 15 Apr 2004 18:14:10 -0500

I used an ATM the other day which had been upgraded with a new
touchscreen system. Judging by the UI and the design of its overlaid
peripatetic mouse pointer, the underlying OS is an elderly MS-Windows
variant. It was very slow to repaint the screen, and made no
acknowledgement of touchscreen input whatsoever, leading to me
stabbing at the touchscreen repeatedly with my finger. There was no
fallback to choose options from the keypad instead of the
touchscreen. I noticed that the alignment between where I touched and
where the mouse pointer would gravitiate to on the screen was quite a
bit off. When I finally got to the screen for choosing the amount of
money to withdraw, I stabbed 7 or 8 times at the $100 button. After
some delay, and still no on-screen acknowledgement, the machine
dispensed $70 - just as I was about to explode, there followed a
receipt for the same amount, proving at least that it could count. I
looked up, and suddenly I understood why the UI was so horrible -
there before me was a little badge that said "Diebold ix".

The issues had it been a voting machine I leave to the reader.

David Crooke, Chief Technology Officer, Convio Inc.
11921 N Mopac Expy, Austin TX 78759  1-512-652 2600


Global Domination

<Lauren Weinstein <lauren@vortex.com>>
Fri, 16 Apr 2004 15:49:03 -0700

The latest "Reality Reset" satire column explores the potential for
manipulation of hi-tech voting systems (touch-screen voting, Internet
voting, etc.).

It's in the form of a "progress report" titled:
   "Global Domination Via Voting Manipulation"
and resides at:
   <http://www.vortex.com/reality/2004-04-16>

Unfortunately, the technological scenario it postulates is far from
impossible.

Lauren Weinstein  lauren@pfir.org  lauren@vortex.com  Tel: +1 (818) 225-2800
http://www.pfir.org/lauren  http://www.pfir.org  http://www.factsquad.org


Former anti-piracy 'bag man' turns on DirecTV

<Monty Solomon <monty@roscom.com>>
Fri, 16 Apr 2004 22:19:37 -0400

Former anti-piracy 'bag man' turns on DirecTV
By Kevin Poulsen, SecurityFocus, 16 Apr 2004

A one-time enforcer in DirecTV's anti-piracy campaign is suing his
ex-employer for wrongful discharge, after he allegedly resigned rather
than continue to prosecute the company's controversial war against
buyers of hacker-friendly smart card equipment.

John Fisher, a former police officer, alleges in a complaint filed in
Los Angeles County Court late last month that he joined DirecTV as a
senior investigator in July, 2002, expecting to serve a legitimate
investigative role tracking signal pirates. He wound up instead "as
little better than a 'bag man for the mob,'" the lawsuit claims. He's
seeking unspecified damages, and an end to DirecTV's tactics.

At issue is DirecTV's end-user campaign, aimed at shutting down and
collecting money from TV watchers who use smart card programmers and
other equipment to get free or expanded satellite TV service. Because
there's no way to trace people who are passively receiving DirecTV's
signal, the company turned to a strategy of physically raiding
equipment sellers that cater to pirates, using the authority of the
Digital Millennium Copyright Act. The company then sends out
threatening letters to everyone on the seized customer lists.  ...
  <http://www.securityfocus.com/news/8472>


Expecting browser-side code to implement security

<"Derek Ziglar" <newsletters@dziglar.com>>
Thu, 15 Apr 2004 19:06:03 -0600

I have access to the press-only section of the website for a particular
company. As one would expect, it requires a login and password assigned by
the manufacturer and given only to people with appropriate press credentials
or equivalents. The login combination I received from them was pretty
cryptic and hard to guess.

They have recently added a new feature to update your profile online. One of
the fields on the form -- inside a colored box marked Admin Only -- is a
drop-down selector for the login. Naturally, some programmer foolishly
populated it with their entire database of authorized logins. The supposed
protection to keep one authorized user from selecting the login of another
is implemented with client-side JAVA Script that pops up a message and
resets the field to its original value.

The RISKS are pretty obvious. By merely selecting View/Source in your
browser, you have access to a list of all their authorized logins. But even
worse, since the 'security' on this field is implemented in client-side
code, all one has to do is turn JAVA Script off in the browser and then
there are likely no restrictions to overwriting the profile of any other
authorized user.

Oh, and one of their authorized logins is 'x' -- I wonder if the password to
that one would be hard to guess?


MiniDV Firewire connectors

<Ron Erwin <ronerwin@u.washington.edu>>
Fri, 16 Apr 2004 10:54:00 -0700 (PDT)

I work at the UW business school and we have been recording, editing and
producing video for instructional use for over two years.  Recently all of
our video equipment failed connecting thru our firewire/1394 cables.

We found only one explanation for this failure, one cable was connected in
reverse to our dell workstation(with front 1394 connectors).  From this
evidence, we surmised that switching the cable at one end would put power to
data lines and data to power lines.

This affected all our equipment like a virus, we had a few key components
that failed and put our video production to an abrupt halt.

Consulting with our IT group and other video production areas as the UW
brought no help.  We've sent our minidv/vhs vcr to the shop for repair,
they estimate a 600 dollar repair bill with new motherboard etc.. Our
cameras (2) are now reduced to s-video or composite use. Last year our vcr
also broke and required a 600 dollar repair in california. Our dell
computer 1394 interface card still has weak protection against installing
this cable backwards.

Why is the firewire technology so fragile?  This technology needs solid
re-engineering.

Ron Erwin, Business School, University of Washington
Ethnic Cultural Center  543-4635  Business School Technology Center 616-9049


Risks of tax-preparation software

<Toby Douglass <toby.douglass@summerblue.net>>
Sat, 17 Apr 2004 18:38:41 +0100

I'm British and I live in England.

I've had the extreme misfortune of recently having to fill in my income tax
declaration.

There is a Government web-site, www.inland-revenue.gov.uk, which does it's
best to hide contact information from you, but nevertheless from which I
finally managed to find a page where I can search for local tax offices,
from whom I can obtain advice filling in aforementioned tax form from hell.

To find your local tax offices, there is a form into which you can enter
your post code (zip code to you American types).  Now things get
interesting.  This form returns a page which contains a map centered on
your postcode and a table containing the details (address, phone, distance
to, etc) of your nearest few tax offices.

This page, with the map and table, actually comes from www.multimap.com,
who have a custom interface for the Inland Revenue.

Now, the problem is this; when you view the page in IE, it looks
fine.  When you view the page in Mozilla, the font for the table contents
is *minute*.  One or two pixels per character.

Now, there's no reason for this at all.  Table contents are *not* hard to
get right and there's no reason for this to be browser dependent.  So, I
felt annoyed about this, so I contacted Inland Revenue and told them about
the problem.

This was six months ago.

I had to look at the page again recently, still the same problem.

I contacted Inland Revenue again.  This time I received a response; to wit,
the site is IE only, and that this is a browser issue, so nothing is going
to be done.

I was not happy about this, because given the nature of the fault, I felt
it was a case of bad or lazy programming rather than and genuine browser
dependency.

So I examined the page closely and found the bug.

The DOCTYPE for the page is;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.1 Transitional//EN">

This is interesting, because this *is* no HTML 4.1.  The final HTML version
was 4.01, release in 1998.

The consequence of this is that Mozilla renders the page in Mozilla-mode,
rather than in IE-compatability-mode.

When the DOCTYPE is corrected, to;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

Mozilla renders the page correctly.

There are a number of issues here.

1. Developer mind-set; thinking "IE-only" and attributing, without
investigation, all bugs in other browsers to the fact they are not IE.  In
fact, making a site multi-browser is an excellent way of achieving
robustness, since different browsers will highlight different errors in
your code.
2. Browsers providing minimal feedback for page errors and very generously
rendering broken HTML.  If a browser supports broken HTML, given the
quality of the mass of page writers, broken HTML will become the norm.
3. DOCTYPE syntax being sensitive, high-impact and both silent and
non-obvious as the cause, in failure.


Re: Cancer treatments and radiation detectors

<Rob Slade <rslade@sprint.ca>>
Fri, 16 Apr 2004 01:15:18 -0800

Radioactive prostate sets off security alert
Margaret Munro, CanWest News Service, 13 Apr 2004

In an unexpected and embarrassing complication from prostate cancer
therapy, a Canadian was recently pulled aside by guards at a major
airport and interrogated after radioactive "seeds" near his private
parts set off security alarms.

The man, who frequently travels to the U.S., was passing through
customs at an international airport late last year when he was
approached by a guard, according to a report on the incident in the
Canadian Medical Association Journal today.

"He was taken into a separate room where he was asked to stand against
the wall and refrain from speaking while workers examined his
luggage," says the report by Hamilton doctors involved in his
treatment. "Eventually, he was asked why he kept setting off the
radiation detector."

The man explained it might have something to do with the radioactive
iodine "seeds" implanted in his prostate gland, which is tucked inside
the body under the penis. The seeds emit radiation and are implanted
to kill cancerous cells.

"The agents had not heard of such a procedure and called for their
superior.  Fortunately, the superior's brother-in-law had recently
undergone an implantation procedure, and our patient was immediately
released," report doctors Ian Dayes, Jink Sathya and Ian Davis at the
Hamilton Health Sciences Centre.

The amount of radiation leaking from the seeds is "minute," say the
doctors, who have never heard of a patient setting off security alarms
at an airport before. They believe the episode "probably occurred
because of the use of increasingly sensitive radiation detection
devices, especially in relation to the recent Code Orange security
status invoked in the United States."

Hamilton doctors now provide a letter to patients undergoing the
radioactive seed implantation which they can show to security agents.

The Edmonton Journal 2004

rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Squeezing the pips until they squeak (Watkins, RISKS-23.30)

<Andrew Yeomans <andrew_yeomans@yahoo.com>>
Fri, 16 Apr 2004 11:35:17 +0100 (BST)

Andrew Watkins' article on the Greenwich Time Signal reminds me of
another technology-induced risk with the pips.

The digital broadcasts of the time signal on DAB (Digital Audio
Broadcasting) and Freeview are no longer accurate, due to the delays
introduced by compression at the BBC and decompression at the
receiver. So you might be setting your clocks about one second slow
using the latest technology.

The BBC confirm this on
http://news.bbc.co.uk/1/hi/magazine/3462079.stm


Re: Radar guns, again

<"Derek Ziglar" <newsletters@dziglar.com>>
Thu, 15 Apr 2004 19:06:17 -0600

> Date: Sat, 10 Apr 2004 09:15:04 -0400
> From: Adam Shostack <adam@homeport.org>
> Subject: Radar guns, again
>
>   [Suppose they had put a bounds check that was somewhat greater than
>   maximum that any vehicle was capable of attaining, thus preventing the
>   system from issuing tickets for such obviously ridiculous speeds.

But the even scarier possibility is that they 'fix' it by merely capping the
maximum, so an obviously false data reading of 3000 MPH gets translated into
a 'reasonable' maximum of 120MPH -- for which the automated ticket is
written. Then it becomes phenomenally harder for the driver to prove he
wasn't driving that speed. In effect, the system would be masking clearly
erroneous data by translating it into seemingly valid data.


Re: Radar guns, again

<Sean Sosik-Hamor <sean@trunkmonkey.com>>
Thu, 15 Apr 2004 22:08:42 -0400

On Apr 15, 2004, at 06:39 PM, Adam Shostack wrote:

> A Belgian motorist received a speeding ticket for traveling in his
> Mini at three times the speed of sound.

A few months ago, I was pulled over when I was driving home from a
motorsports event. The vehicle I was driving was a fully-prepared
Subaru Impreza rally car, complete with SCCA ClubRally graphics, roll
cage, composite seats, 6-point harnesses, and coilover suspension
that's worth more than the chassis. What was I pulled over for? 137
MPH in a 65 MPH zone while traveling in a pack of traffic. Riiight.

I fully admit that I (along with everyone else) was going a little
faster than I should have but, after giving me the third degree
because I should "know better", the officer insisted that his radar
was correct and he would be citing me for reckless endangerment. As
calmly as I could, I informed him that the ECU of my vehicle hard
limited me to around 115 MPH, and that I'd be more than happy to fight
the ticket with the assistance of my factory service manual that
listed the exact full cutoff speed.

He stuck to his guns. I stuck to my guns. Eventually, logic got the
better of him as he admitted that it was highly unlikely that the two
or three cars in front of and behind me were also traveling at 137
MPH.  Especially since it took him less than a mile to catch up to me
from a dead stop on the side of the road.

I got away with a warning. ;)

The kicker? Seconds after letting me go and pulling around me into
traffic, he painted someone else and pulled them over...knowing full
well that his radar gun was throwing less than accurate readings.


Re: Radar guns, again (RISKS-23.32)

<"Arthur T." <ar23hur "at" speakeasy "dot" net>>
Fri, 16 Apr 2004 02:40:42 -0400

RISKS-23.32 mentioned the mini that was clocked by radar at mach 3.

Someone once said something like, "The thirteenth strike of a clock is
not only obviously wrong, but it throws great doubt upon the previous
12."

How many of the tickets generated were for believable speeds, but were
bogus nonetheless?  The risk of NOT sending out a mach 3 speeding
ticket is that the general public would not have proof that the radars
could be wildly mistaken.


Web Sites ignore the law, think it applies only to Federal Government

<Bob Heuman rsh@idirect.com>>
Fri, 16 Apr, 2004 00:18:42 -0400

I extract briefly from a 1996 paper as it seems that business AND
Educational institutions and State Government units are ignoring the
laws/policies that cover accessibility to their web sites.

They are therefore are risking their Federal Funding or are risking
being sued for their 'violation' of the rights of the disabled.

The US Federal Government has Section 508 requirements, and the W3C has
its accessibility standards.

[Note: Australia's Federal Government has legislated the W3C standards
into its own requirements re Web Site accessibility, and Canada has a
similar set of requirements.  I believe EVERY US State has these
requirements on their books as well, but there MAY be some that have
ignored the issue.

1996 paper and extract
http://www.icdri.org/CynthiaW/applying_the_ada_to_the_internet.htm

United States Department of Justice Policy Ruling, 9/9/96: ADA
  Accessibility Requirements Apply to Internet Web Pages:

  "The policy ruling states that ADA Titles II and III require State
  and local governments and the business sector to provide effective
  communication whenever they communicate through the Internet. The
  effective communication rule applies to covered entities using the
  Internet for communications regarding their programs, goods or
  services since they must be prepared to offer those communications
  via an accessible medium...

  Applying the ADA to the Internet: A Web Accessibility Standard

  Therefore, as government and businesses increasingly depend on the
  convenience of the Internet as a vehicle for programs, goods or
  services, the more it is important that accessible web design be
  addressed. Accessible web design enables effective communication and
  saves government resources since documents can be readily available,
  requests for ADA Alternate Document Formats can be satisfied, and
  Internet/Intranet access for employees with disabilities can be
  provided."  [End of Extract]

I have found that these requirements are ignored far more than they are
met.  While the business sector is specifically named in the policy from
1996 above, business seems NOT to know that.  Instead they seem to feel
the rules only apply to Federal Government web sites.

In addition, there are rules clearly applying to ALL universities
receiving Federal Funding in the United States, but not all schools of
higher learning meet them. They apply to the State Government
agencies, but I have found them not being met by one US state's Office
of the CIO, Governor's Office web site. This office is now aware that
they fail, and I will not name the state.

I tested the web page for Peter G. Neumann at SRI and it failed at W3C
Priority 2, when I used Cynthia to do a quick test.

Verified File Name: http://www.csl.sri.com/users/neumann/neumann.html
Date and Time: 4/15/2004 11:14:25 PM
Failed Automated Verification

I tested the entry page for the University of Southern California, and
it too failed at W3C Priority 2

Verified File Name: http://www.usc.edu/
Date and Time: 4/15/2004 11:19:57 PM
Failed Automated Verification

I tested Firstgov.gov and IT passed:
Verified File Name: http://firstgov.gov/
Date and Time: 4/15/2004 11:57:34 PM
Passed Automated Verification

BUT the National Transportation Safety Bureau failed!
Verified File Name: http://www.ntsb.gov/
Date and Time: 4/16/2004 12:00:51 AM
Failed Automated Verification

http://www.cde.ca.gov/webstandards/access/ specifically discusses the
requirements from the California Department of Education and require USC
to meet all W3C priority 1, 2 and 3 accessibility rules.

To sum up, the vast majority of web page I have tested in the United
States have failed to meet US requirements for accessibility.

There are both legal and societal risks in failing to accommodate the
visually disabled.  I leave it to those responsible for web sites to
address the issue, and to PAY for fixing their problems.

There is a risk that few in the US even know of these requirements.

http://www.access-board.gov/sec508/508standards.htm is clearly limited
to the Federal Government itself.  However, some US States have
legislated so that it applies at the state level as well.  Various
states have legislated W3C into their own accessibility requirements
in addition to 508 or instead of 508.

This has been done at different levels of W3C priority application and
the coverage varies widely re the state's business and businesses.

Therefore one needs to find out the laws that specifically apply to
their own web site and web pages.

Even if NO law applies, it likely is a good idea to meet the needs of
the disabled. Over 20% of the population in the US and in Canada is
suffering from some from of visual disability, from simply being near
or far sighted to being color blind to being totally blind, or having
macular degeneration, etc.

Check with your own lawyer, but keep in mind that (s)he may not have
any idea of the issue or the laws that apply, and may have a web site
that also violates the rules.

Tests can be run at http://www.cynthiasays.com/ or other sites if
anyone is interested.

My signature below shows I have a vested interest in the subject. I
also admit that it is NOT a popular topic with webmasters.

A reminder: if anyone suspects their site does NOT meet the
requirements, have an INDEPENDENT auditor or expert do the
testing. The web site maintainers and designers do NOT make good
checkers of the web site they designed or work on.

Please report problems with the web pages to the maintainer

Top