Subject: RISKS DIGEST 18.64

RISKS-LIST: Risks-Forum Digest  Monday 2 December 1996  Volume 18 : Issue 64

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
  Amtrak ticket system breaks down (PGN)
  Bell Atlantic/Northern Telecom upgrade failure (Christopher Palermo)
  Shetland Islands newspaper hyperlink controversy (Lance Hoffman)
  RISKS of misidentified versions (John Pelan)
  Risks not limited to technology (Rich Mintz)
  Czech hackers allegedly rob banks (Mich Kabay)
  Data diddling in cockroach races (David Kennedy)
  Scary spelling correction (Geoff Kuenning)
  Web-based auto update of Microsoft's Java support (Tim Panton)
  E-mail solicitation on the rise (Scott C. Savett)
  ATMs zapped (Bruce Wampler)
  Radiation and crypto (Jean-Jacques Quisquater)
  Re: Smart cards and radiation (Jean-Jacques Quisquater)
  Workshop on Human Error and Systems Development (Nancy Leveson)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 1 Dec 96 20:04:04 PST
From: "Peter G. Neumann"
Subject: Amtrak ticket system breaks down

On Friday, 29 Nov 1996, Amtrak's nationwide reservation and ticketing system bellied up during what is usually the heaviest travel weekend of the year. The outage caused enormous confusion and delays, because agents typically had no printed schedules and fare tables. [Source: An item from *The New York Times* in the *San Francisco Chronicle*, 30 Nov 1996, A6.]

------------------------------

Date: 26 Nov 1996 21:09:34 GMT
From: cpalermo@next.com (Christopher Palermo)
Subject: Bell Atlantic/Northern Telecom upgrade failure

Bell Atlantic Customers Put on Hold by Directory Assistance
[Source not specified, 26 Nov 1996. PGN Abstracting.]

Hundreds of thousands of would-be telephone callers in nine states from NJ to WV could not get prompt directory assistance from Bell Atlantic on 25 Nov 1996, because of flaws in new database software installed by Northern Telecom that affected the entire customer area. The problems affected all of the about two dozen directory-assistance centers throughout the day, until the old version could be resuscitated. Operators were noting requests and calling customers back when assistance could be attained (with delays typically from three minutes to half an hour). Northern Telecom said that the new upgrade was intended to correct some minor errors in the earlier version, and had previously been used without incident by at least two other large telcos. Blame was allocated to a technician who had installed the software. This was reportedly one of the biggest outages of this kind ever.

------------------------------

Date: Sat, 30 Nov 96 08:43:11 -800
From: hoffman
Subject: Shetland Islands newspaper hyperlink controversy

The Shetland Islands have a 124-year-old print weekly (*Shetland Times*) and a 1-year-old online daily (*Shetland News*). The *News* includes titles of *Times* articles as hypertext links to the *Times*. Robert Wishart, the *Times* managing director (who once fired his former editor, Jonathan Wills, who is now the *News* publisher), has demanded that the links be removed; Wills has refused, although he did add asterisked footnotes. Wishart then invoked Scotland's Court of Session, which issued an interim interdict against the hyperlinks. A full hearing is pending. If the interim judgement is upheld, this is seemingly a landmark case in Scotland and potentially the UK, including issues such as the differences between a web site and a cable TV service, and whether newspaper headlines constitute copyrightable literary works.

[Source: Scottish Case Tests `Right to Link', By Pamela Mendels, *The New York Times* CyberTimes, 30 Nov 1996.
PGN Abstracting]

[So, perhaps the *Times* really wants the *News* to stop a little horsing around, and pony up? But the ponies are so small there. PGN]

------------------------------

Date: Wed, 27 Nov 1996 00:33:32 +0000 (GMT)
From: John Pelan
Subject: RISKS of misidentified versions

A recent security announcement was made to the 'linux-alert' security list describing how the 'lpr' utility suffers from the (now infamous) buffer overrun problem. This could be exploited as a security vulnerability in the case where it has the suid bit set.

It wasn't until after this first announcement that it was realised that various Linux distributions have different ideas about the version number of the *same* lpr source. Of course, this could cause much confusion and prompted a follow-up message drawing people's attention to this somewhat annoying and misleading situation.

The RISKS are that, especially in the case of freely-redistributable source, users may not know the 'true' version that they are running and may be deluded into thinking that they have a 'fixed' or 'safe' version. Of course, the program *could* differ in all but name but in any case some co-ordination, clarity and careful thought should be exercised by all. A case for truth in advertising ?

John Pelan (J.Pelan@qub.ac.uk)

------------------------------

Date: Tue, 26 Nov 1996 15:16:33 -0500
From: Rich Mintz
Subject: Risks not limited to technology

The following item from WhiteBoard News (posted without permission of the author joeha@microsoft.com; for list info, http://www.vantagepoint.com/ghayes/Lists/news.html) reminds us that risks are possible in the case of any system that's relied upon, whether or not that system is technological in nature:

== begin excerpt ==

Jackson, Tennessee: Cathy Mullikin's bird is cooked, and her calendar is toast.

Mullikin had her Thanksgiving turkey dinner already cooked on Thursday [Nov.
21], "and my friends and family are coming on the 28th and they're going to think I'm a kook," she said.

She should never have believed that free calendar. Jackson-Madison County General Hospital gave out 40,000 of them last year and every last one said Thanksgiving was on the 21st instead of the 28th.

"I wouldn't have known it was wrong except my niece called and asked what I was doing. When I told her I was finishing up Thanksgiving dinner, she said 'A week in advance?'" Mullikin told The Jackson Sun on Thursday....

"We've had a number of calls from people who have seen the error and called it to our attention," [JMCG Hospital] spokesman Ken Marston said.

[Various power outages were reported on Thanksgiving Day, when it was stormy and windy in parts of the western U.S. Many turkeys apparently were left partly cooked during the outages. PGN]

------------------------------

Date: 27 Nov 96 16:08:25 EST
From: Mich Kabay <75300.3232@CompuServe.COM>
Subject: Czech hackers allegedly rob banks

From "Central & East European Secure Systems Strategies (CEESSS)" with permission of the copyright holder:

Secret incidents of hackers' attacks upon Czech banks and release of Czech citizens' personal information
by Steven Slatem
Copyright (c) 1996 IntelliTech

Hackers stole 50 million Kc ($1.9 million) during attacks upon unnamed Czech banks and, in another incident, obtained and posted to BBSs a file of Czech citizens' personal information, we learned in an interview at INVEX (Brno, 22 -- 26. October) with Jiri Mrnustik, CEO of the Brno-based anti-virus and encryption software developer AEC s.r.o.// (ss961112-002) (630 words) (STS)

Central & East European Secure Systems Strategies (CEESSS) is delivered via e-mail and the Web. See http://www.intellitech.cz/ceesss/ for details.

[To preempt our esteemed moderator, I will immediately warn readers that the facts will have to be Czeched before giving credence to this report.]

M. E. Kabay, Ph.D.
/ Director of Education
National Computer Security Association (NCSA)/ http://www.ncsa.com

------------------------------

Date: 25 Nov 96 23:51:06 EST
From: David Kennedy <76702.3557@CompuServe.COM>
Subject: Data diddling in cockroach races

Criminal group made money by manipulating ...
COMTEX Newswire 25 Nov 1996

SARATOV, November 25 (Itar-Tass) -- A well-organised criminal group that made more than 800 million roubles every month by manipulating computer files in gambling has been exposed by police in the Saratov region, the middle Volga.

A source in the regional directorate in charge of fighting organised crime told Itar-Tass that computer-added swindling was exposed by police for the first time in Russia, although crimes of this sort have been reported in many regions of Russia.

The source described the technology of fraud: the operator used a false file to influence the outcome of the "cockroach races" in a way that ensured that the victory was won by the cockroach chosen by the operator. [Or perhaps the file was altered to select the designated "winner"? PGN]

The experience accumulated in the process reportedly will enable the law enforcers in other regions of Russia to take into account computer swindlers who have escaped responsibility until now. (The net take was about US$5,500 daily.)

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.

------------------------------

Date: Wed, 27 Nov 1996 10:55:20 -0800
From: Geoff Kuenning
Subject: Scary spelling correction

Here's a verbatim quote from the Orchestra List, which is occupied by musicians and conductors. Apparently spelling correctors are getting RISKier all the time. Note that this was *automatic* spelling correction, so apparently the user didn't even get a chance to override the incorrect decision.

> Subject: Parts are a MESS ...
>
> >Here's a warning on the E.C. Scarier parts to the Mozart Vespers, K. 321.
> In
>
> Well, I typed E.C. S-c-h-i-r-m-e-r.
> I must figure out how to disable my
> automatic spell correcting program so it doesn't do this to me again. But
> then again, given the condition of the parts, maybe scarier is the better
> term anyway.

Geoff Kuenning g.kuenning@ieee.org geoff@ITcorp.com
http://fmg-www.cs.ucla.edu/geoff/

[But a MASS is a MESS(E) (in German, French) is AMISS (from Latin, MISSA). You'll have to vesper more softly ven you perform. PGN]

------------------------------

Date: Wed, 27 Nov 1996 11:18:20 +0100
From: Tim Panton
Subject: Web-based auto update of Microsoft's Java support

[Here is a frightening snippet from Microsoft's website. I'm not sure I understand the full implications of it, but I don't doubt that there are risks involved.]

http://www.microsoft.com/java/sdk/getstart/javac007.htm :

Updating the Java Support on a User's Machine

If you are placing an applet that uses COM on an HTML page accessible from the Internet, you must ensure that any users who encounter that page have a version of the Java Support for Internet Explorer that fully supports Java/COM integration. To do this, you must insert the following tag on the HTML page containing your applet (or on the introductory page of your Web site):

This tag causes the user's Internet Explorer to check the version of its Java support. If the version installed on the user's machine is not up-to-date, Internet Explorer downloads the latest version of Java support from http://www.microsoft.com and updates the user's machine.

- - - -

The potential risks are endless. Say I know of a security hole in a specific version of IE, I can automatically get visitors to my website to install it, then attack them through the hole.

Some questions:
  Does it ask the user first ?
  Can I force a 'down'grade, i.e., install an older version ?
  What happens if the user uses two sites that require different versions?
  Is the code signing strong? (i.e., stronger than MS's CD keys ?), can I fake a CAB file?

Tim Panton, Westhawk Ltd, Frederik Hendriklaan 89, 2582BW Den Haag. The Netherlands
tpanton@ibm.net +31 6 5348 1795 http://www.westhawk.co.uk

------------------------------

Date: Fri, 29 Nov 1996 18:30:06 -0500
From: "Scott C. Savett"
Subject: E-mail solicitation on the rise

I'm sure we're all increasingly aware of annoying unsolicited commercial e-mail messages forced into our electronic inboxes. But is this just the tip of the iceberg? A mass mailing recently ended up in my e-mail, promising e-mail marketing to 100,000 or 1,000,000 people for $195 or $995 respectively. Ominously, the message did not have a valid "From:" address in the header, and was passed through at least two servers before being distributed to an undisclosed list of recipients.

Does a $100 InterNIC registration and $15/month ISP charge now give anyone the ability to saturate the Internet community with unsolicited e-mail? Besides carefully screening incoming e-mail, what recourse does one have against acts of e-mail terrorism? With many SMTP e-mail servers readily accepting mail from anonymous senders, how can we stop the constant stream of unsolicited commercial e-mail being forced down our throats? This trend gravely concerns me, as it should concern us all!

Scott Savett, Graduate Student in Analytical Chemistry, Clemson University
Webmaster, National Collegiate EMS Foundation http://www.ncemsf.org/

------------------------------

Date: Fri, 29 Nov 1996 14:24:33 -0700 (MST)
From: wampler@cs.unm.edu
Subject: ATMs zapped

Last week I was unable to use my cash card to pay for my groceries at the local grocery store because the system wasn't working.
The November 28, 1996 business section of the Albuquerque Tribune explained why:

"ATMs zapped: First Security's Albuquerque-area automated teller machines and electronic funds-transfer stations at Smith's Food & Drug Stores went on the blink last weekend when a new cellular-telephone company started service using a microwave frequency that bled over to First Security's ATM and EFT frequency. Service disruptions forced Smith's to shun electronic purchases Saturday through Monday. "We apologize to our customers who were inconvenienced and are working hard to fix the problem, but the problem of jammed frequencies is just going to get worse," said Paul Bouschelle, executive vice president for First Security Bank of New Mexico."

Two obvious RISKs revealed by this incident:

1. The unintended and unexpected problems caused by bringing a new system on-line. For whatever reasons, this problem took the whole weekend to resolve.

2. This article also reveals that the ATMs and EFT terminals communicate over microwave frequencies, and are thus subject to being tapped or monitored, perhaps more easily than if they were connected via wire or telephone lines. I guess I've assumed that most of these terminals were handled via phone line, which seems inherently more secure than a radio link. This may not be true. I don't recall much discussion in this group of the risks of using radio links vs. wire for financial data transfer.

Bruce E. Wampler, Ph.D., Adjunct Professor, Department of Computer Science, University of New Mexico
wampler@cs.unm.edu http://www.cs.unm.edu/~wampler

------------------------------

Date: Mon, 02 Dec 96 09:23:18 GMT
From: jjq@dice.ucl.ac.be (Jean-Jacques Quisquater)
Subject: Radiation and crypto

Your electronic wallet in the Van Allen radiation belt, or Electronic commerce at RISK in space?

Jean-Jacques Quisquater
UCL Crypto Group - Microelectronics Lab
November 30, 1996

[Note: This short remark was intended as a contribution to the rump session of EUROCRYPT '97 but the subject is too hot to wait.]

From end September until now many announcements were issued about the so-called Bellcore attack against tamper-resistant chips (example: smartcard or chipcard for electronic commerce). The attack is based on the (theoretical) possibility of flipping some bits (at some random position) of the secret key, stored in RAM or E2PROM, before or during the computations done by the chip. Another attack is to induce some decoding error during the execution of one instruction (Anderson and Kuhn).

One crucial question is the effectiveness of such attacks by malicious hackers.

In fact, this problem was very well studied in the contexts of nuclear physics and of space applications (what about the behavior of semiconductors in such hard environments?). In that area, there is the concept of SEE (Single Event Effect) and it is what we are trying to study! A SEE is an event induced by radiation, temperature, microwave, ..., having some effect one time on a device. There are many studies about that.

What we need to know are the SEEs
 --- relatively well focused (one or few bits are flipped),
 --- and/or at a given moment,
 --- and/or for a very short time.

Here are some references to begin the study. The reference newsgroup is sci.engr.semiconductors (others?).

- The NASA ASIC guide, published by JPL and NASA, Chapter 4, Design for radiation tolerance, 1993.
- Hardening integrated circuits against radiation effects, J.-P. Colinge and P. Francis, November 1996, Notes (66 pp.), Microelectronics Lab, UCL, Louvain-la-Neuve, Belgium (yes!, my lab),
- Single-Event-Effect mitigation from a system perspective, IEEE Trans. on Nuclear Science, vol. 43, April 1996, pp. 654-660.
- Laboratory tests for Single-Event Effects, IEEE Trans. on Nuclear Science, vol. 43, April 1996, pp. 678-686.
- Microbeam studies of Single-Event Effects, IEEE Trans. on Nuclear Science, vol. 43, April 1996, pp. 687-695.
- Soft errors susceptibility and immune structures in dynamic random access memories (DRAM's) investigated by nuclear microprobes, IEEE Trans. on Nuclear Science, vol. 43, April 1996, pp. 696-704.
- 32-bit processing unit for embedded space flight applications, IEEE Trans. on nuclear science, vol. 43, June 1996, pp. 873-878.
- Single Event Effect testing of the Intel 80386 family and the 80486 microprocessor, IEEE Trans. on Nuclear Science, vol. 43, June 1996, pp. 879-885.
- Analysis of local and global transient effects in a CMOS SRAM, IEEE Trans. on Nuclear Science, vol. 43, June 1996, pp. 899-906.
- 1997 IEEE nuclear and space radiation effects conference, call for papers.

Jean-Jacques Quisquater, Universite catholique de Louvain, Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium
tel 32.10.47.25.41 jjq@dice.ucl.ac.be

------------------------------

Date: Mon, 2 Dec 1996 19:39:49 +0100 (MET)
From: Jean-Jacques Quisquater
Subject: Re: Smart cards and radiation

A (corrected thanks to Arjen Lenstra) postscript version of

  Attacks on systems using Chinese remaindering
  by Marc Joye and Jean-Jacques Quisquater, Report CG-1996/9

is accessible at the following URL:

  http://www.dice.ucl.ac.be/crypto/techreports.html

------------------------------

Date: Mon, 02 Dec 1996 02:33:56 PST
From: Nancy Leveson
Subject: Workshop on Human Error and Systems Development

Workshop on Human Error and Systems Development
The Senate Room, University of Glasgow
20-22 March 1997
Co-chairs: Nancy Leveson and Chris Johnson

Recent accidents in a range of industries have increased concern over the management and control of safety-critical systems. Much recent attention has focussed upon the role of human error both in the development and in the operation of complex processes.
This workshop will, therefore, provide a forum for practitioners and researchers to discuss leading edge techniques that can be used to mitigate the impact of human error on safety-critical systems. Our intention is to focus the workshop upon techniques that can be easily integrated into existing systems engineering practices. With this in mind, each day will have a different theme.

The session on Thursday 20th March will focus on accident analysis and risk assessment techniques. Friday, 21st will focus more narrowly upon interface and component design, development, and testing. We also encourage papers that cross these boundaries.

Saturday 22nd March will provide the opportunity for informal discussion about the issues raised during the workshop. The day will be spent on the Isle of Arran, off the west Coast of Scotland [not to be confused with Aran].

Deadlines: Authors should submit extended abstracts to Chris Johnson, see below, to arrive no later than January 17th, 1997. []

Programme Committee:
  Veronique de Keyser, University of Liege, Belgium.
  Chris Johnson, University of Glasgow, Scotland.
  Peter Ladkin, Universitat Bielefeld, Germany.
  Nancy Leveson, University of Washington, USA.
  Chris Mitchell, Georgia Institute of Technology, USA.
  Kim Vicente, University of Toronto, Canada.
  David Woods, Ohio State University, USA.

Further Information:
  Chris Johnson, Department of Computer Science, University of Glasgow, Glasgow, G12 8QJ, Scotland.
  johnson@dcs.glasgow.ac.uk
  tel.: +44 141 330 6053
  fax.: +44 141 330 4913

This workshop is organised by the Glasgow Accident Analysis Group, Department of Computing Science, at the University of Glasgow. It is supported by the Human Factors section, IT and Computer Science programme within the UK Engineering and Physical Sciences Research Council.

------------------------------

Date: 15 Aug 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.
Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line,
     SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
     INFO [for unabridged version of RISKS information]

=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html
     ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com
     login anonymous
     [YourNetAddress]
     cd risks
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners:
     get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 18.64
************************