Subject: RISKS DIGEST 18.53

RISKS-LIST: Risks-Forum Digest  Thursday 17 October 1996  Volume 18 : Issue 53

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
  Stolen computer contains ophthalmology certification exam (PGN)
  Computers miss $1.2M in ATM withdrawals (Jack Fenner)
  Microsoft AGAIN distributes Macro Virus (Klaus Brunnstein)
  Re: Rats take down Stanford and Silicon Valley Internet (Arthur P. Smith)
  Health Info Database Misused (Duane Fickeisen)
  Risks of not understanding the system (John Stewart)
  RISKS of just having a name! (Nick Brown)
  Telephone Switch Cutover Problem (Paul J. Mech)
  Re: Maybe your secure Mac isn't as secure ... (Jon Callas)
  Re: Another Mail-Forwarding (Tony Lima)
  Risks of not including manual overrides: not a computer risk! (Jerry Leichter)
  The Year-2000 Crisis (PGN)
  Announcement: Year-2000 Software Crisis Conference (Hawkins Dale)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 16 Oct 1996 8:06:24 PDT
From: "Peter G. Neumann"
Subject: Stolen computer contains ophthalmology certification exam

A laptop disappeared from a ``high-security'' suite in the San Francisco Palace Hotel while board examiners were out of the room for an hour in the morning of 15 Oct 1996. The laptop contained the questions for one segment of the national oral exam for doctors seeking ophthalmology certification. The hotel suite was reportedly accessible only by using one of six access mag-stripe cards, with the claim being made that hotel personnel could not possibly have had any access to the rooms.
[Source: *San Francisco Chronicle*, 16 Oct 1996, A15]

[Now, why is it that cleaning personnel generally get in to hotel rooms for which you are told your unique registration-time-generated mag-stripe access code gives only you access? Ah, yes, RISKS readers probably won't believe that there could not have been any master-key cards, or emergency overrides, or other access modes such as creating a new access card from the front desk, or somehow triggering the door release electronically with an out-of-band signal! So, was this merely the theft of a $5000 laptop? Or an attempt to eye the exam? (An-eye-for-an-eye-exam?) PGN]

------------------------------

Date: Mon, 14 Oct 1996 21:03:39 -0600
From: Jack Fenner
Subject: Computers miss $1.2M in ATM withdrawals

The local paper here in Colorado Springs has had a series of articles about a "massive computer glitch" affecting 12,000 customers of a local credit union. Ent Federal Credit Union recently announced that it was about to subtract a total of $1.2M from the accounts of its members because, for over a year, multiple identical ATM withdrawals on the same day were incorrectly processed. Only the first withdrawal was charged to the account. People without enough money in their accounts to cover what Ent decides they owe will be offered loans (at prevailing interest rates, of course). Ent blamed the problem on a "computer conversion" by the company that services its automatic teller transactions.

Naturally, some people are upset and are moving money out of their accounts. The NCUA, which insures credit unions, is investigating, and (before they had a chance to actually investigate anything) gave Ent a clean bill of health and said it was in no danger of being closed. A variety of experts have been interviewed by the newspaper, and all express astonishment that it took so long to be discovered (but curiously are not surprised that it happened in the first place).
Ent says it has no choice but to collect the money because absorbing the loss "would wipe out nearly three months' profit". Ent is asking its internal auditor, Arthur Andersen, to "fully investigate the incident." Also, newspapers have reported that many people reported the problem to Ent over the past months, and were ignored.

Besides the obvious risks of potentially uncollectable losses, disgruntled customers, and lost interest due to the time lag in charging accounts, there are a variety of other risks. Separate investigations by the NCUA and Arthur Andersen must be time consuming and expensive. Lawsuits are a possibility (if the computer is wrong about deducting multiple charges, why should we believe it about the charges in the first place?). Then there is the increased call for more federal oversight of credit unions in general and Ent in particular.

Finally, there is the nightmare scenario: people decide that Ent is not safe enough for their money, and start a run on the credit union. Ent claims that while some money has moved out since the announcement, it is not a significant portion of their $1B in assets. Even assuming that's true, I'd say it leaves them with no margin of error for future problems.

Jack Fenner, Colorado Springs

------------------------------

Date: Mon, 14 Oct 1996 16:02:16 +0200
From: Klaus Brunnstein
Subject: Microsoft AGAIN distributes Macro Virus

On ORBIT, a Swiss IT exhibition (held in Basel last week), Microsoft distributed a CD-ROM with a document (including German hotline numbers) infected with WAZZU.A Word Macro virus. Even when MS officials were made aware of this virus, the CD-ROM continued to be distributed. At the same time, this infected document was also available for downloading from Microsoft's Swiss Internet site, for several (at least 5) days after MS was warned.

MS experts at the exhibition said that this virus was "harmless".
Indeed, WAZZU.A just interchanges (with probability of 1/5th) 2 randomly selected words in a document, and with a lesser probability, it inserts strings WAZZU.

Any Risk in Microsoft behaviour and attitude? "WAZZU" is a harmless string (does not delete anything :-), and random interchange of 2 words may even improve readability of texts :-). So, what risk?

Klaus Brunnstein (October 14, 1996)

PS: For those with short memory: Microsoft was that company which released the first non-theoretical Word Macro virus, when it distributed, in July 1995, several CD-ROMs (dedicated to Windows 95 proliferation) with documents infected with Word.Macro.Concept (now .A). Until then, this was just a theoretical threat discussed first by Prof. Harold Highland back in 1989/1990. Since Microsoft's pioneering work, almost 70 Word Macro viruses have been detected (plus one EXCEL and one AMIPRO Macro virus), some of which are "in-the-wild" primarily in the Anglo-Saxon Word World, but with fast development also in some non-Anglo-Saxon Word countries such as Taiwan and Germany :-)

[Check out the VIRUS-L Digest (listserv@lehigh.edu with the command "help virus-l"), which keeps up the WAZZU discussion (in 12 of the last 16 issues!). PGN]

------------------------------

Date: Sat, 12 Oct 1996 23:25:08 -0400 (EDT)
From: "Arthur P. Smith"
Subject: Re: Rats take down Stanford power and Silicon Valley Internet service

> But I'm surprised that power-system technology has not found a way to
> develop rodent-tolerant circuits.

I recently discussed this with a friend who is an engineer for LILCO (and well paid and qualified, thanks to our 18 cent/kwh rates). He pointed out that this was a very difficult problem due to the high voltages - you don't want ANYTHING in the neighborhood that provides a possible electrical path between the high voltage lines. The best thing to have as insulation is plain old air, but that leaves lots of room for little creatures to get in and mess things up.
People have come up with lots of ideas for fancy enclosures, traps, noise-makers and the like to keep small animals out, and none of them have yet worked reliably for long. Anybody who can figure this one out will be saving the utility companies a lot of money (and their customers a lot of hassle)!

Arthur Smith (apsmith@aps.org)

[I was actually thinking about rat-tolerant systems along the lines of double-error-correcting, triple-error-detecting coding systems, where a system could for example tolerate two rats and detect the simultaneous presence of a third by shutting down safely. But I was raticent to suggest it. PGN]

------------------------------

Date: Thu, 10 Oct 1996 11:06:01 -0700
From: dfickeisen@Sunnyside.COM (Duane Fickeisen)
Subject: Health Info Database Misused

An AP story from Tampa Bay appearing in the Palo Alto Daily News asserts that a public health worker took a laptop and disks with confidential lists of people with AIDS and HIV home and to a gay bar to check out the HIV status of potential dates and offered to look up names of people his friends were interested in dating. One person asserted that he had warned friends away from potential dates, telling them that their names were "on the list." Another claimed that people interested in dating him backed away after the health worker talked to them.

The County Health Department has fired him, although he claims he did nothing wrong. The former health worker also owns and lives in a funeral home.

The state had permitted such databases to be removed from offices and taken home until they changed their internal rules two weeks ago.

This raises anew questions about privacy and confidentiality of records, security, and misuse/abuse of information for personal and private gain. This ought to be raised up as an example of abuse in response to the announced plans for a national health information database.

Duane H. Fickeisen, Interim Director
Computer Professionals for Social Responsibility

------------------------------

Date: Tue, 15 Oct 96 11:37:13 EDT
From: luigi@mars.dgrc.doc.ca (John Stewart)
Subject: Risks of not understanding the system

One day the accountant's network printer failed. She needed some printouts from the financial computer in England. We were in The Netherlands. The "company" we worked for is based in Canada.

I called the maintainers of the financial system in London, and asked them to re-route the account print queue to go to a different IP address. They could not, as that was considered a security risk, and nobody in London had the system privilege to make that change. Time zone differences meant that the people who could change it (in Canada) were still asleep.

So, I changed an ethernet address in the bootp table, rebooted a printer, and lo and behold, the accountant's information came out on a printer in my office. She was happy. The people in London and Canada were not - I had broken their "security".

I also once made my manager the "head" of the organization, as she was requested by him to send out an e-mail in his name. It took me all of about 20 seconds to copy the passwd file, change his password, have her log in, etc, etc. She was amazed, and scared about the ease of such changes.

I could go on and on about the design issues of the network (and did, and was listened to, by the maintainers of the system - nice people!).

The RISK? I think that the exponential growth of networking usage has produced a whole range of uninformed "experts" who design systems and place unreasonable bounds on them. It is not the experts' fault - it takes time to gain experience, and that time is not available to them.

Needless to say, I no longer work for that organization.

John A. Stewart luigi@mars.dgrc.doc.ca

------------------------------

Date: 14 Oct 1996 18:20:28 +0200
From: "Nick BROWN"
Subject: RISKS of just having a name!
Bill McFadden (Re: RISKS-18.50, RISKS of temporary change-of-addresses) raises, perhaps inadvertently, an interesting point about people's names, describing his problems with his son's name differing from his own by just one initial.

Having been cursed at birth with three given names, I have become used over the years to appearing in lists several times, as N.Brown, N.J.Brown, N.J.L.Brown, etc etc. My wife has two given names, but has always used her second given name, perhaps fortunately for us because her first name (Nansi) begins with N too.

When our children were born, we used unambiguity of initials as one criterion for choosing their names (really !): manual systems have not served us well up to now, and computer systems do not have a good record of improving on the reliability of existing manual systems. Thus, our children both have exactly one given name (Alexander and Joanna respectively), neither of which begins with the same letter as ours.

In fact even "Alexander" is turning out to be a mistake: he is only ever called Alex, and I know he is in at least one (manual) database under both Alex and Alexander. This is partly because in France, most people only ever use one given name, and also because nicknames are relatively rare. (In the Netherlands, by contrast, it is not uncommon to have four given names, and be known (from birth) by a nickname which is unrelated to any of one's given names.)

When I visit the US, I find both manual and automated systems quite unable to cope with the idea of multiple "middle initials"; doubtless my children will have plenty of crashes when "middle initial = ". Somebody told me that some Americans have middle initials that don't stand for anything - I wonder if their parents were anticipating software problems ?

Nick Brown, Strasbourg, France (Nick.Brown@dct.coe.fr)

------------------------------

Date: Sun, 13 Oct 1996 03:28:23 -0400
From: "Paul J. Mech"
Subject: Telephone Switch Cutover Problem

I thought this experience might be of interest to other RISKS readers.

In the wee hours of Saturday morning (12 Oct 1996), I was ftp-ing data from around the world. My network-inspired happiness was marred by my sudden loss of the phone connection to my Internet provider. No problem, these things occasionally happen. However, the situation went to annoying when my modem announced "... your call could not be completed as dialed ...".

After this condition persisted for thirty minutes, I contacted Ameritech. Residential Repair told me that they were told that this sort of behavior occurs when they are disconnecting a customer and forwarded me to Business Repair. Business Repair said that they couldn't comment on the situation because their computers were down. They did, however take my name and address and told me that they would call me back when they came back up. I left a couple of concerned messages on my provider's voice mail and decided to wait until morning.

By 10:00 AM Saturday, I had received no calls and the situation persisted. I pursued the same route, starting with Ameritech Residential Repair, and found things far less painful than the night shift had led me to believe. At the time that I had been cut off, Ameritech had cut our exchange over to a brand spanking new switch. Our line checked out all right. Small Business Repair placed a call to the number that I was trying to reach and got through. Large Business Repair filed a trouble report and a technician called back shortly thereafter. As RISKS readers have no doubt concluded, the cutover apparently had a few unresolved bugs.

RISK 0 : Can you trust customer service?

By what I was first told, it seemed that my Internet provider was going out of business ... a scary thought, as I am not only pleased with this particular service, but I had to search quite a bit to find one who spoke *NIX this fluently.
RISK 1 : Emergencies

I am fairly savvy as to telephony problems, having spent several years programming for long distance resellers. Yet in the fog of the early AM, I obviously wasn't being too bright. What if someone had tried to place a call from our exchange to a doctor in my Internet provider's exchange? Would they have gotten through? Would they have thought to call for operator assistance? How much time would they waste?

I'm not sure if there is any way I could have anticipated this, and I was no more than inconvenienced and slightly annoyed. But twenty four hours after the problem started, I'm back on line. Ftp is perking along happily in one window, and life is good again.

I'm also glancing at a postcard that arrived this afternoon. It announces, in glowing terms, that Ameritech is going to install a new switch for our exchange on 12 Oct. It figures.

Paul J. Mech paul@coil.com pmech@freenet.columbus.oh.us

------------------------------

Date: Mon, 14 Oct 1996 14:06:55 -0700
From: Jon Callas
Subject: Re: Maybe your secure Mac isn't as secure ... (Maniscalco, RISKS-18.52)

The "problem" is not with PPP. PPP does not store e-mail account names in its preferences file. The problem almost certainly resides with something called "Internet Config."

Internet Config is a database and API for storing information that Internet programs often need, oh, like your e-mail address. Your web browser wants that when it mails a page (or a message), your ftp program wants that to ease anonymous logins, and so on. Internet Config lets networking programs have a common database of information. It also allows programs like automatic shareware registration programs to know who you are, which is precisely what you saw.

Jon Callas
Senior Scientist
Apple Computer, Inc.

[Also noted by paul@ljl.com (Paul Robichaux) in a much longer message. PGN]

------------------------------

Date: Mon, 14 Oct 1996 09:45:00 -0700
From: tony.lima@toadhall.com (Tony Lima)
Subject: Re: Another Mail-Forwarding (RISKS-18.52)

[Several RISKS readers reminded Tony that ``branches of the U.K. postal service don't.'' should have read ``branches of the U.S. postal service don't.'' I fixed it in the ftp.sri.com archive copy. PGN]

------------------------------

Date: Wed, 16 Oct 96 22:19:01 EDT
From: Jerry Leichter
Subject: Risks of not including manual overrides: not a computer risk!

In RISKS-18.47, William Hutchens reports his experiences at a hotel where an electronic keycard lock failed. Various "master keycards" also failed to open the door; "During the times I was left waiting in the hallway, I was half expecting the maintenance man to return with a sledgehammer". The door was eventually opened using a PC with a special interface. Mr. Hutchens says "I don't believe that it would be a problem to include a conventional mechanical keyway in the lock."

Just because a computer contributes to a problem, doesn't mean the computer *is* the problem. Just because there is no "mechanical override" doesn't mean there *should* have been one.

I, too, once found myself locked out of a hotel room by a failed lock. Repeated attempts to open the lock failed. My wife and I waited around in the hallway for quite some time as various attempts were made to get the lock to open. (The attempt that succeeded involved a ladder, a third floor window, and a hotel employee with a good head for heights.)

The only difference between our experience and that of Mr. Hutchens is that the lock in question was a traditional mechanical lock. Part of the mechanism broke, and literally fell off the door into the room. Without it, there was no way to open the door from the outside. Should I complain about the lack of overrides for mechanical locks?

There would only be a valid complaint here if the electronic keycard locks failed as badly as Mr. Hutchens describes significantly more often than their mechanical brethren. I know of no evidence that this is the case. I do know that, in addition to my hotel experience, in the last year I found myself caught in a conference room at work when the (non-locking) door latch broke (the locksmith arrived shortly after I'd managed to remove the door from its hinges, a more elaborate job than it ought to have been); and I had to replace a broken lock on an external door at home after it, too, failed in a way that left the door "stuck shut". In that case, I had to literally smash the lock with a chisel in order to get the door open. Finally, while we were undergraduates (*so* many years ago, sigh), a friend got to call security to tell them he was locked *into* his room. Come again? You mean you lost your keys and are locked out, don't you? Well, no, the lock broke and I'm locked *in*.

Mechanical locks are not quite as reliable as Mr. Hutchens appears to believe, and when they do fail, the failures very often do require significant mechanical intervention - the guy with the sledgehammer - to get them open. That's essentially what the locksmith at the hotel I was staying at had to use to get the old lock out of the door; it's what he would have used to get in to the room if the third-floor-ladder trick hadn't worked. If most failures of keycard systems - even if more common than failures of mechanical systems - can be repaired by the simple use of a master card key, I should think we're well ahead of the game.

    -- Jerry

------------------------------

Date: Thu, 17 Oct 1996 17:15:24 PDT
From: "Peter G. Neumann"
Subject: The Year-2000 Crisis: a possible resource

I ran into Tom Reps this morning in San Francisco (where I had the pleasure of introducing Henry Petroski's wonderful keynote address to the ACM SIGSOFT Foundations of Software Engineering conference). Tom has been chartered by DARPA to make serious recommendations on the Year-2000 problem.
I noted to him that a bunch of RISKS readers have offered me some possibly useful approaches, but indicated that it would be appropriate for those of you who believe you have something useful in this regard to contact Tom directly. I think he (and DARPA) would appreciate it. He can be reached at the Computer Sciences Department, University of Wisconsin-Madison, 1210 West Dayton Street, Madison, WI 53706-1685 1-608-262-2091, fax 1-608-262-9777.

------------------------------

Date: Thu, 17 Oct 1996 15:58:18 -0700
From: Hawkins Dale
Subject: Announcement: Year-2000 Software Crisis Conference

The Education Foundation of the Data Processing Management Association announces a conference on

    The Year 2000 Software Crisis

Information Systems professionals from the commercial, defense, and governmental sectors will share strategies and techniques for handling the coming potential disaster.

Date: 5--6 December 1996
Location: Alexandria, VA (the Radisson Plaza Hotel at Mark Center)

More information:
  online info: http://www.ttcus.com/y2k
  e-mail: ttchq@ttcus.com
  voice: Hawkins Dale (310) 534-4871

Hawkins Dale
Technology Training Corporation
3420 Kashiwa St.
Torrance, CA 90505
voice: (310)-534-4871
fax: (310)-534-8585
alt fax: (310)-534-0743
e-mail: hawkinsd@ttcus.com

------------------------------

Date: 15 Aug 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line,
     SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
     or INFO [for unabridged version of RISKS information]

=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html
     ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com
     login anonymous
     [YourNetAddress]
     cd risks
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners:
     get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 18.53
************************