The RISKS Digest
Volume 23 Issue 56

Tuesday, 12th October 2004

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

VP Cheney shoots himself in the foot, URL-wise
Jim Griffith
Sabotage-induced power outage in Wisconsin
Sami Saydjari
Virus disables Colorado DMV for nearly a week
Brad Hill
Navy battle software unsafe
PGN
Runaway Renault risks
Alistair McDonald
Fire engine startup risks
Stephen Fairfax
Customs and Excise electronic returns
Ben Laurie
Power company sent too high voltage to customers
Jacob Palme
Terror alert from a "honey-pot"?
Bob Harbort
Glitch opens access to kids' records
Colleen Jenkins via Monty Solomon
Social security breach on Utah State University campus
Bob Heuman
Outsource firm sues in India
Karl Schoenberger via Monty Solomon
Internet voting
Martyn Thomas
Spam that asks you to delete it
Geoff Kuenning
Not all buffer overflow exploits are necessarily bad
Paul Robinson
Say goodbye to broken links
NewsScan
Info on RISKS (comp.risks)

VP Cheney shoots himself in the foot, URL-wise

<Jim Griffith <griffith@dweeb.org>>
Wed, 6 Oct 2004 14:47:41 -0500

In last night's VP debate, Vice President Cheney countered an assertion made
by Senator John Edwards and invited viewers to read a non-partisan analysis
confirming his position by going to "FactCheck.com".  Unfortunately, he
meant to say "FactCheck.org", which is indeed a non-partisan election
watchdog site run by the University of Pennsylvania.  Worse for Cheney, it
seems that FactCheck.com is a private advertising site, which is run by
someone who is not a fan of the President.  So to deal with the volume of
traffic generated by Cheney's reference, the owner of FactCheck.com is now
redirecting his traffic to www.georgesoros.com (George Soros being a
billionaire who is actively campaigning to defeat the Bush/Cheney ticket).
So anyone who follows Cheney's suggestion is presented with a partisan
argument for voting for Kerry/Edwards.

http://story.news.yahoo.com/news?tmpl=story&e=2&u=/ap/20041006/ap_on_el_pr/debate_rdp

So always keep your URLs straight!

http://story.news.yahoo.com/news?tmpl=story&ncid=738&e=1&u=/ap/20041006/ap_on_el_pr/debate_web_sites



Sabotage-induced power outage in Wisconsin (via Sami Saydjari)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 11 Oct 2004 15:32:12 PDT

On 9 Oct 2004, near Milwaukee, Wisconsin, an 80-foot-tall high-voltage
electrical tower collapsed onto a second transmission tower, causing a
four-hour power outage for 17,000 customers.  Apparently someone had removed
enough bolts from the base of the tower.  Wires were still across railroad
tracks the next day, delaying Amtrak and Canadian Pacific trains.

  http://www.cnn.com/2004/US/10/11/wisconsin.blackout.ap/index.html


Virus disables Colorado DMV for nearly a week

<Brad Hill <hillbrad@gmail.com>>
Thu, 30 Sep 2004 17:16:01 -0600

The Department of Motor Vehicles in Colorado was disabled all of last week
by a computer virus.  New and renewed licenses and ID cards could not be
issued during that time.  Every computer in the system had to get fresh
software installs and nearly 4.5 million documents had to be reloaded. No
cost estimates have been given for the outage and no details released about
the nature or origin of the virus.

The risks of inadvertent disclosure and alteration of DMV records have been a
frequent topic here over the years, but this is the first example I'm aware
of involving a malware attack against such a huge and legally important
government datasystem.

The risks of disclosure and modification of these data are obvious, but
completely shutting down a major branch of state government for a week also
provides a good case study of the possibilities of information
warfare/sabotage.
  http://www.denverpost.com/Stories/0,1413,36~53~2417722,00.html


Navy battle software unsafe

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 12 Oct 2004 09:02:47 -0400

[Source: Article by Neil Mackay, Investigations Editor, *Sunday Herald*
(Scotland), 10 Oct 2004]

The Royal Navy's new, state-of-the-art destroyer has been fitted with combat
management software that can be hacked into, crashes easily and is
vulnerable to viruses, according to one of the system's designers who was
fired after raising his concerns.

Gerald Wilson, who has 25 years' experience designing naval software, worked
for Alenia Marconi Systems (AMS) in a joint venture with Bae Systems and the
Italian company Finmeccanica on the combat system for the Type 45 destroyer,
which will rely on Microsoft Windows 2000.  System failure in action, he
says, would leave the ship blind, defenceless, and as good as sunk.

Dismissed after voicing his fears to the Ministry of Defence and the Defence
Procurement Agency (DPA), Wilson wants to give evidence to the parliamentary
defence select committee about the software.

Last night he told Channel 4 news that "the use of Windows For Warships puts
the ship and her crew at risk, and the defence of the realm".

There are also plans to install a similar Microsoft Windows-based
computerised command system on Britain's nuclear submarines. Wilson said:
"It is inconceivable that we could allow the possible accidental release of
nuclear missiles. The people who survived such an exchange, if any, would
certainly regard such a thing as a crime against humanity. And I can't help
feeling that even planning to deploy such systems on Windows, with its
unreliability and lack of security, is itself some sort of crime in
international law."

Windows was chosen by AMS in order to cut costs, as the DPA has been
encouraging a switch to off-the-shelf systems. Wilson says the Navy should
stick to its current operating system, Unix, which is said to be more
reliable. Designers can also customise Unix, which would allow unnecessary
components to be removed to reduce risk.

A navy spokesman said: "Bae Systems, as the prime contractor for the Type
45, is responsible for ensuring that the warship meets the requirements
placed on it by the DPA. Using Microsoft Windows within combat management
systems was the subject of an independent review commissioned some while ago
by the DPA. "The review found a proper engineering approach had been taken,
both from a security perspective, as the system middleware isolated Windows
from the remainder of the mission-critical systems, and from a safety
perspective.

Comprehensive hardware mechanisms will be put in place where necessary to
avoid any potential Windows-derived compromises. "We are satisfied that the
solution recommended by the contractor will meet our requirements, as it has
been subject to an independent review. This review was conducted by a team
at the DPA who are independent of the Type 45 team."


Runaway Renault risks

<"Alistair McDonald" <alistair@inrevo.com>>
Fri, 8 Oct 2004 13:14:34 +0100 (BST)

A driver of a Renault car fitted with an automatic speed regulator got
more than he expected when the regulator stuck on, giving him an
hour-long drive at 125 MPH.

The Renault uses an electronic card instead of a key, and the driver finally
stopped the car by pulling the card out. He had been in touch with police,
who had used motorway warning signs to clear the road for him to drive past
safely - but at one point he had to use the emergency lane, normally only
used for recovery of broken-down cars.
  http://www.theregister.co.uk/2004/10/07/satanic_renault/

I wonder if the driver had attempted to pull the card out earlier, and
also wonder why Renault, the manufacturer, was allowed to "impound" the
car for tests. I'd expect the police to be involved in any investigation.

The Register article includes links to previous stories where machines
have "misbehaved" - it's worth a read.

Alistair McDonald, InRevo Ltd (http://www.inrevo.com)
Author of the SpamAssassin book: http://www.spamassassinbook.com/

  [Lindsay Marshall noted this case as well:
http://www.iol.co.za/index.php?set_id=1&click_id=29&art_id=qw1096963740806B216
  Also, recall "Runaway car from hell", a Pontiac Sunfire, in RISKS-23.33.   PGN]


Fire engine startup risks

<Stephen Fairfax <fairfax@mtechnology.net>>
Thu, 26 Aug 2004 14:44:31 -0400

The risks of allowing a rushed ignition sequence to stall or significantly
delay an emergency vehicle are certainly breathtaking.

What I find interesting is that Toyota, which sells primarily in the free
market rather than to government agencies, got this behavior pretty much
correct.  In the Toyota Prius, the computer controls the engine, the device
that serves as the transmission, and of course the electric motor/generators
and their associated power electronics.  There is no starter motor, no
reverse gear, and no cable between the accelerator pedal and the throttle;
the computer monitors and controls everything.

The owners manual instructs you to turn the key to 'start,' wait for the
'OK' light in the instrument panel, then release the key.  In the original
Prius (up to 2004) the engine starts every time the ignition is activated in
order to heat up the catalytic converter.  I'm told the 2004 and later
models will start in all-electric mode without the engine.

The beauty of the Prius is that Toyota engineers know perfectly well that
very few people read the owners manual.  So you can just flip the key to
start and immediately let it go.  The computers go through their tests, and
then start the engine.  There's no way to manipulate the key in a way that
will cause a delay or stall or require a reboot.


Customs and Excise electronic returns

<Ben Laurie <ben@algroup.co.uk>>
Wed, 29 Sep 2004 13:05:52 +0100

Background, for non-Brits: Customs & Excise (C&E) is the government
department responsible for collecting VAT (Value Added Tax), which is a
European sales tax. Businesses report their VAT transactions quarterly to
C&E, currently mostly on paper (a one page form, amazingly) - this is known
as a VAT return.

For some time, C&E has been encouraging electronic VAT returns (cunningly
named eVAT), but until recently required the use of an X509 client
certificate to submit.

Presumably this has proved unpopular, since they are now permitting good
old username/password to be used. But they seem to be a little confused...

 From the eVAT FAQ:

http://new.hmce.gov.uk/channelsPortalWebApp/channelsPortalWebApp.portal?_nfpb=true&_pageLabel=pageOnlineServices_ShowContent&id=HMCE_PROD_008287&propertyType=document


"Which is more secure — using a Digital Certificate or User ID & Password?

Both methods are secure, but they work in different ways."

From the Government Gateway Help pages:

http://www.gateway.gov.uk/help/help_template_non_secure.asp?content=%3A%2F%2Fwww.ukonline.gov.uk%2FGateway%2FGatewayArticle%2Ffs%2Fen%3FCONTENT_ID%3D4013333%26chk%3DBQAvk3&languageid=0


"Certificates provide a higher level of security, which is required for
certain services."

Nothing like singing from the same songsheet, eh?

Anyway, it gets better. Three types of certificate are permitted,
SecureMark, SimplySign or Trust Services. Again from the eVAT FAQ:

 "* SecureMark and Chamber SimplySign certificates can be used with
    either Internet Explorer 5.01 or higher, or Netscape Navigator.
  * Trust Services’ certificates work with Microsoft Internet
    Explorer 5.0 or later and Netscape v 4.6 or higher (but not v6 or 7).
  * certificates can be used with Internet Explorer 5.01 or higher or
    Netscape Navigator 4.08 or later (but not v6 or 7). "

I dunno about you, but this is not exactly clear to me. Leaving that aside,
let's look at the various CAs...

SecureMark, on a page amusingly titled "Does your Netscape Browser meet
the minimum requirements?"
  http://www.equifaxsecure.co.uk/digitalcertificates/Netscape_Response.html
  "The minimum system requirements are:
  Windows 95 or NT 4 (SP3) or higher
  Internet Explorer version 5.01 or above
  128-bit cipher strength"

I guess the answer will be "no", then! (My browser was Firefox,
incidentally).

SimplySign - seems they actually admit that "Netscape" might work. But...
http://www.simplysign.co.uk/support/ierootdownload.html

  "To make sure that your browser works with Trustis certificates the
  'Trustis FPS Root CA' certificate should be installed. There is no danger
  in doing this and no programs will be downloaded to your computer."

No, of course, installing root CAs in your browser has no security
implications whatever. And of course, you have to have the root CA to use a
client cert. Not.

As for Trust Services. Well, I can't find them through Google (at least, not
the one they had in mind) but much meandering around FAQs eventually yielded
a link - turns out it's BT and Verisign, but ... oops! "Note: Inland Revenue
services have not yet been upgraded to allow the use of BT ID
Certificates". So much for a simpler user experience.

Oh yeah, another gem from the eVAT FAQ:

"The Government Gateway and Digital Certificate authorities do not currently
support the use of Digital Certificates on Apple Macintosh"

Well, of course not, because everyone knows that Apple X.509 is completely
different from Microsoft X.509. Duh.

So, after all that, I totally understand why everyone thinks PKI is
hard. I'm all for the username/password thing. It's free, too.

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/


Power company sent too high voltage to customers

<Jacob Palme <jpalme@dsv.su.se>>
Fri, 8 Oct 2004 21:15:14 +0200

A Swedish power company (Fortum) had a technical failure, causing it to send
electricity to a hundred households with too high voltage.

Result: one fire destroyed part of a house, and other houses had their
electrical heating destroyed. When the fire company and police arrived, lots
of people met them on the street, since all the houses were more or less
affected.

[Source: Dagens Nyheter (largest Swedish morning paper), 6 Oct 2004]

This incident actually happened in May, but it was not reported in the
national newspapers until five months later.  The power company refuses to
pay for the damages, but the issue has not yet been settled in court.

Power companies in Sweden were ten years ago mostly owned by the government
or the local government. But in the privatization fervour of the 1990s, most
of them have been "privatized". The private companies optimize profit at the
expense of reliability.

Jacob Palme <jpalme@dsv.su.se> (Stockholm University and KTH)
For more info see URL: http://www.dsv.su.se/jpalme/


Terror alert from a "honey-pot"?

<bharbort@spsu.edu>
Thu, 30 Sep 2004 13:46:42 -0400 (EDT)

Security at this past summer's Oshkosh AirVenture Fly-In was increased in
response to what may have been a non-threat. USA Today reports that "...a
suspicious Web posting was found referring to the city."  The description of
the posting reminds me a lot of what an anti-spam "honey pot" web page looks
like:

  "Winnebago County Sheriff Michael Brooks said the Milwaukee office of the
  FBI contacted him early Sunday regarding the Web site, which mentioned
  Oshkosh and Sunday's date in the text but contained no actual threat.

  "Brooks said a California resident found the letter, which contained more
  than a full page of incoherent words, on a pharmaceutical Web site and
  notified the FBI. It also mentioned Auckland, New Zealand; Bangor, Maine
  and a couple other cities around the world, Brooks said.

  "'It was just a series of words that did not form a complete thought,' he
  said. 'It contained today's date along with several names of cities — one
  of which was Oshkosh — so it becomes important for us to have heightened
  awareness..."

http://www.usatoday.com/tech/webguide/internetlife/2004-08-01-oshkosh-terror-warning_x.htm

Bob Harbort, Prof. of CS/Softw.Eng., Southern Polytechnic State U., 1100
S. Marietta Pkwy. Marietta, GA  30060-2896  1-678.915.7405 bharbort@spsu.edu

  [I presume you heard about the Midwest Airline story of the flight from
  Milwaukee to SF that was aborted after takeoff because a passenger found a
  sheet of paper that looked like Arabic writing in the airline magazine.
  (It reportedly turned out to be a prayer-like message in Farsi.)  PGN]


Glitch opens access to kids' records

<Monty Solomon <monty@roscom.com>>
Mon, 4 Oct 2004 00:51:48 -0400

Officials say the problem has been fixed, but the error made thousands of
confidential child-abuse and foster care files available to anyone on the Web.

[Source: Article by Colleen Jenkins, *St. Petersburg Times*, 1 Oct 2004]

A *Miami Herald* reporter alerted local child welfare authorities this week
to a software glitch that made available thousands of confidential
child-abuse and foster care records to anyone with Internet access.

Those files contained detailed information about the 3,966 children under
the watch of Kids Central, the private consortium that handles foster care
and related services for at-risk children in the Department of Children and
Families' District 13, which includes Citrus, Hernando, Marion, Lake and
Sumter counties.

Names of foster children, birth dates, Social Security numbers, photographs,
case histories and even directions to children's foster homes were
accessible with a password that had been published on Kids Central's Web
site, the Herald reported.

DCF officials, who monitor the competitively bid contract with Kids Central,
immediately ordered that the site be shut down after the reporter informed
them of the security breach Wednesday morning.  ...

http://www.sptimes.com/2004/10/01/Hernando/Glitch_opens_access_t.shtml


Social security breach on Utah State University campus

<Bob Heuman <rsh@idirect.com>>
Mon, 11 Oct 2004 16:34:41 -0400

Do I need to say anything except that anyone who has been at USU in the past
8 years or more needs to be careful that their SSN is not misused?  While it
is reassuring to hear that it looks like no one has accessed the files in
question, there is NO proof and can be no proof that this is the truth.
Anyway, the following is from the campus newspaper.  RSH

Social security breach on USU campus
Personal information leaked in USU database security breach
By Hilary Ingoldsby, hilaryi@cc.usu.edu
*The Statesman*, 11 Oct 2004, Email Edition TheStatesman@collegepublisher.com
http://www.utahstatesman.com/news/749251.html&mkey=1022600

The social security numbers of 16 Utah State University faculty and staff
members were mistakenly made accessible on the Internet, leading to the
discovery of thousands more, USU officials said.  Over the weekend of Oct. 1
and 2, a faculty member looked up his name using the Google Internet search
engine, John DeVilbiss, executive director of public relations and
marketing, said. The search yielded results of a university site that
contained his social security number, he said.

The site also contained the personal information of 15 other faculty and
staff. The faculty member first notified the police and then Webmaster
Charles Thompson was contacted, DeVilbiss said.  "He [Charles] went right in
and took immediate action," DeVilbiss said.  Thompson said he immediately
pulled the information off the server and began doing other searches. He
said he also contacted Google who said they will shut down the sites but it
will take a few weeks to do so completely.

Upon further investigation, 12 Excel spreadsheets were found on an
open-access server. The spreadsheets contain more than 7,000 social security
numbers of current and past faculty, staff and students, DeVilbiss said.  An
additional 11 files were also found containing sensitive information,
Thompson said.

After much testing and searching DeVilbiss said they haven't found anything
to lead them to believe that the spreadsheets were ever accessed on the
Internet.  So far, nothing shows that the other 11 files were indexed by
search engines. However, the files containing the personal information of
the 16 USU faculty and staff were accessed, DeVilbiss said.  [...]


Outsource firm sues in India

<Monty Solomon <monty@roscom.com>>
Fri, 27 Aug 2004 16:42:01 -0400

Outsource firm sues in India: Alleged Code Theft Highlights Foreign Risk
Karl Schoenberger, (San Jose) *Mercury News*, 26 Aug 2004

In a case that exposes the intellectual-property risks of outsourcing in
India, a small San Carlos software company has sued Mumbai police for
refusing to investigate the alleged theft of proprietary source code by an
employee at its Indian subsidiary.

Sandeep Jolly, the founder and chief executive of Jolly Technologies, said
U.S. technology companies should beware of the risks of doing business in
his native land at a time when many are taking advantage of the cost savings
of offshoring and entrusting sensitive software development and testing work
to Indian contractors. Protection of intellectual property is still a new
concept for lawmakers, police and prosecutors, he said.  ...
  http://www.siliconvalley.com/mld/siliconvalley/9500402.htm


Internet voting

<"Martyn Thomas" <martyn@thomas-associates.co.uk>>
Mon, 4 Oct 2004 10:18:35 +0100

Internet voting should not be considered secure until the electoral
authorities are confident enough to give immunity from prosecution to anyone
hacking the election, and to offer a substantial prize for anyone who can
produce evidence that they have attacked it successfully.


Spam that asks you to delete it

<Geoff Kuenning <geoff@cs.hmc.edu>>
06 Oct 2004 20:44:34 +0200

I just got some spam from a biology company in Germany.  The amusing thing
is that it includes the now-popular (and legally meaningless) disclaimer:

> Important Note: This e-mail may contain trade secrets or privileged,
> undisclosed or otherwise confidential information. If you have received this
> e-mail in error, you are hereby notified that any review, copying or
> distribution of it is strictly prohibited. Please inform us immediately and
> destroy the original transmittal. Thank you for your cooperation.

So now spammers are sending us trade secrets and asking us to forget them?

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


Not all buffer overflow exploits are necessarily bad

<Paul Robinson <postmaster@paul.washington.dc.us>>
Sat, 02 Oct 2004 13:18:59 -0400

There is a well-known buffer exploit for the X-Box game system.  Basically
it involves loading a savegame from an external storage device such as a USB
key drive, the savegame overflows the font files used by the system,
allowing the execution of arbitrary code and installation of an unauthorized
program.  (Generally programs on X-Box have to be digitally signed by
Microsoft to run on the X-Box.)

The exploit is used to allow the arbitrary code to replace an item in the
Dashboard of the X-Box.

And what is the "arbitrary code" and "unauthorized program"?  The LINUX
Operating System!

Using the game MechAssault one can modify older U.S. X-Box systems to allow
Linux to be installed using a buffer overflow attack upon the font files
used by the X-Box, by installing a cracked savegame from a USB keydrive.
This modification only changes the software, allows the X-Box to continue to
be used to play X-Box game disks, does not require opening the box or
replacing any chips, and is fully reversible.  The method is detailed here:

http://www.xbox-linux.org/Software_Method_HOWTO

I note that in newer X-Boxen, Microsoft HAS fixed this bug.  :)

Isn't it interesting that when it is a problem for customers Microsoft can
take months or be "unable" to fix exploits to their software, but when it's
something that could cost them money (since someone can now purchase an
inexpensive X-Box - which is sold by Microsoft as a loss-leader - and use
the X-Box as a computer instead of a game console, which would mean a net
loss to them) Microsoft is very quick to make fixes?
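The mechanism Paul describes, a loader that trusts a length declared inside an untrusted file, is generic enough to show in a few lines. What follows is an added example, not code from the Xbox or from the xbox-linux project, and its record layout, the 32-byte name field, the flags word and all function names are invented for the illustration. It puts a loader that copies as many bytes as the file claims beside one that checks the declared length against both the record and the destination before writing anything, and it places a `flags` word directly after the name field so the effect of the overflow can be observed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX 32   /* capacity of the fixed-size name field; an assumption for this example */

/* Constructed, length-prefixed record: [u32 little-endian name_len][name_len bytes].
 * It stands in for any field of a font or savegame file whose length the file itself
 * declares. The layout is invented for this example, not taken from the Xbox. */

/* The fixed-size slot the loader fills. flags sits right after name[], so a copy that
 * runs past NAME_MAX bytes lands on it, and then on whatever follows the slot. */
struct glyph_slot {
    char     name[NAME_MAX];
    uint32_t flags;
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable loader: copies exactly as many bytes as the file claims, with no idea how
 * big dst is. Intentionally unsafe; written as a byte loop so no fortified memcpy
 * quietly adds the missing check for us. */
int load_name_unchecked(const uint8_t *rec, size_t rec_len, char *dst) {
    if (rec_len < 4) return -1;
    uint32_t n = read_le32(rec);
    if (n > rec_len - 4) return -1;          /* at least do not read past the record */
    for (uint32_t i = 0; i < n; i++) dst[i] = (char)rec[4 + i];  /* no bound on dst */
    return 0;
}

/* Hardened loader: the declared length must fit both the record and the destination
 * (leaving room for a NUL). Anything else is rejected before a single byte is written. */
int load_name_checked(const uint8_t *rec, size_t rec_len, char *dst, size_t dst_cap) {
    if (rec_len < 4) return -1;
    uint32_t n = read_le32(rec);
    if (n > rec_len - 4) return -1;          /* claims more bytes than the record holds */
    if (n >= dst_cap) return -1;             /* would not fit together with a terminator */
    memcpy(dst, rec + 4, n);
    dst[n] = '\0';
    return 0;
}

/* Builds a record with name_len = n followed by n copies of fill.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t build_record(uint8_t *buf, size_t cap, uint32_t n, char fill) {
    if (cap < 4 + (size_t)n) return 0;
    buf[0] = (uint8_t)n;         buf[1] = (uint8_t)(n >> 8);
    buf[2] = (uint8_t)(n >> 16); buf[3] = (uint8_t)(n >> 24);
    memset(buf + 4, (unsigned char)fill, n);
    return 4 + n;
}

/* Real memory after the slot, so the overflow below is observable without corrupting
 * anything the program itself needs. */
struct arena {
    struct glyph_slot slot;
    uint8_t           spill[256];
};

/* Feeds a 40-byte name (8 more than NAME_MAX) to the unchecked loader and returns the
 * value of flags afterwards: 0x41414141 means the copy ran straight over it. */
uint32_t flags_after_unchecked_overflow(void) {
    struct arena a;
    uint8_t rec[4 + 40];
    memset(&a, 0, sizeof a);
    a.slot.flags = 0x12345678;
    size_t len = build_record(rec, sizeof rec, 40, 'A');
    load_name_unchecked(rec, len, a.slot.name);
    /* volatile read: the compiler may not assume the out-of-bounds store never happened */
    return *(volatile uint32_t *)&a.slot.flags;
}

/* Same input through the checked loader. Returns 1 if it was rejected and flags survived. */
int checked_rejects_overflow(void) {
    struct arena a;
    uint8_t rec[4 + 40];
    memset(&a, 0, sizeof a);
    a.slot.flags = 0x12345678;
    size_t len = build_record(rec, sizeof rec, 40, 'A');
    int rc = load_name_checked(rec, len, a.slot.name, NAME_MAX);
    return rc == -1 && a.slot.flags == 0x12345678;
}

/* A well-formed 5-byte name still loads. Returns 1 if it came through intact. */
int checked_accepts_valid(void) {
    struct arena a;
    uint8_t rec[4 + 5];
    memset(&a, 0, sizeof a);
    size_t len = build_record(rec, sizeof rec, 5, 'B');
    int rc = load_name_checked(rec, len, a.slot.name, NAME_MAX);
    return rc == 0 && strcmp(a.slot.name, "BBBBB") == 0;
}
```

The only difference between the two loaders is the two comparisons before the copy; the rest is the same code. In a real loader the bytes that spill past `flags` would land on whatever the linker put next, a saved return address or a function pointer on a good day for the attacker, which is how "a savegame overflows the font files" turns into running unsigned code.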


Say goodbye to broken links

<"NewsScan" <newsscan@newsscan.com>>
Mon, 27 Sep 2004 09:03:21 -0700

Interns at IBM's UK unit have developed a tool called Peridot that's
designed to put an end to annoying broken links. It automatically maps and
stores key features of Web pages so it can detect when the content changes.
When deployed on a corporate intranet or Web site, it can then replace
outdated links with the new ones. Currently, most of this work is done
manually, which can result in work slowdowns or worse. Peridot's technical
mentor Andrew Flagg says, "Internally, you have users who are trying to do
their jobs and the intranet is there to facilitate that. If they can't get
the information they cannot do their job properly. Externally, you have
cases of companies that link to disreputable content which could seriously
damage their reputation." Although there are similar tools that simply
detect which links have been broken, Peridot's innovation is that it detects
more substantial changes and has adjustable levels of autonomy, allowing
staff to review changes before they're made or just allow the process to
proceed on autopilot. The Peridot prototype has been tweaked so that it runs
reliably over 100,000 pages, and intern James Bell predicts: "Peridot could
lead to a world where there are no more broken links." The tool is named for
the pale green gemstone which, according to legend, was used in ancient
cultures to help people find something they had lost.  [BBC News 24 Sep
2004; NewsScan Daily, 27 Sep 2004]
  http://news.bbc.co.uk/2/hi/technology/3666660.stm
