Subject: Risks Digest 19.96

RISKS-LIST: Risks-Forum Digest  Tues 15 September 1998  Volume 19 : Issue 96

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://catless.ncl.ac.uk/Risks/19.96.html
and at ftp.sri.com/risks/ .

  Contents:
NY Times Web site attacked (Epstein Family, Dave Farber)
5th SRI squirrelcide causes 18.5-hour outage (PGN)
Starr galactic dispersion avoided black holes except for USGovt (PGN)
Sexy risks of searching for MP3 (Sidney Markowitz)
'Whois' blocks abusers domain database (Doneel Edelson)
Y2K legal settlement (Keith Rhodes)
Problem of signs -- signs of problem (Mich Kabay)
An inverse story (G. Roussos)
Re: "Windows NT Security" (Mike Perry)
Re: Rocket blows 12 Globalstar satellites (Eugene)
Privacy Digests (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 15 Sep 1998 08:08:27 -0400
From: Epstein Family
Subject: NY Times Web site attacked

According to *The Washington Post*, 14 September 1998, *The New York Times*
web site was repeatedly hacked over the weekend by attackers who replaced the
home page with one "containing images of bare-breasted women", and also
"attacked the newspaper and two reports, using vague threats and creative
spelling". The attackers claimed to be defenders of Kevin Mitnick, who is
currently in jail over a number of hacking episodes of his own.

The article explains that the NYT staff removed the attackers' web page and
replaced it with their own, only to be hacked again. The tug of war between
the two versions went on for two hours, before the NY Times took their site
off the air for several hours to prevent further attacks. The FBI is
investigating, and claims to be familiar with the attacker group [Hacking for
Girlies]. [Total time reportedly 9 hours]

http://www.washingtonpost.com/wp-srv/WPlate/1998-09/14/138l-091498-idx.html

[As the NY Times and Washington Post are fierce competitors for title of
"best newspaper", I wonder how much glee the WP got from reporting this
story :-) ]

  [In their 14 Sep 1998 article, *The NYT* quoted George Washington
  University professor Lance Hoffman: "The material posted by the hackers is
  offensive, childish, threatening and chilling. It's a good example of why
  we have to bring accountability to the Internet." In the 15 Sep 1998 *San
  Francisco Chronicle*, Jon Schwarz quoted Ira Winkler as saying ``Any Web
  site -- no matter how secure -- can be hacked.'' Although we often cite
  *The NYT* writers in RISKS, I guess *The NYT* management is not *reading*
  RISKS. No surprises here. PGN]

------------------------------

Date: Mon, 14 Sep 1998 22:06:33 -0400
From: Dave Farber
Subject: NY Times Web site attacked

While *The Times* hacking was illegal, it should teach us a lesson. I would
like to propose a more sinister event ... .

Suppose someone who was more clever hacked *The New York Times* Web page not
to destroy it but to modify a piece of news. Say, for example, the person,
better yet a group, at 9am inserted into the business page a news item with a
very downbeat news item on a company -- preferably a widely traded company
with a good short showing. It would, no doubt, drive down the price and
enable the short sellers to make a lot of money while The Times/users
recognized the breakin and fixed it. A well organized version of this might
be very hard to solve.

What would happen if there was an announcement of a, for example, coup in
Russia....

Times for places we trust to protect their windows to the public a lot better
than The Times seemed to have.

Dave

------------------------------

Date: Tue, 15 Sep 98 08:13:05 PDT
From: "Peter G. Neumann"
Subject: 5th SRI squirrelcide causes 18.5-hour outage

Yesterday was one of those days when there was no power at work all day,
beginning just after 8am and continuing until 2:30 this morning. ANOTHER
squirrel attack took down the main transformer, and prevented use of both the
cogeneration plant and public power. As usual, some computer systems were
hosed and took further hours of work to restore. See RISKS-8.75 for SQ#3,
RISKS-16.46 for SQ#4, and RISKS-16.47 for a protective measure that seems not
to have been adopted by SRI. To quote from Where Have All the Flowers Gone,
``When will they ever learn?''

  [For related items, see RISKS-17.91, RISKS-18.52 and 53.]
  [If your contributions and risks-requests bounced, please resubmit.]

------------------------------

Date: Tue, 15 Sep 98 17:18:31 PDT
From: "Peter G. Neumann"
Subject: Starr galactic dispersion avoided black holes except for USGovt

We noted in RISKS-19.95 that many sites mirrored the Starr report soon after
it was released. As a consequence, although Net traffic was very high,
individual sites were not affected too dramatically -- except for the three
government sites (loc.gov, house.gov, and gpo.gov), which were so saturated
that they were effectively nonexistent. Once again, there was a beneficial
effect from not putting all of the eggs in one basket.

Various folks have noted that if the Communications Decency Act (subsequently
declared unconstitutional) were in effect, the Starr Report (subsequently
declared indecent) might have resulted in fines of $250,000 and 5 years in
prison to those posting it on the Internet.

An Associated Press item on 15 Sep 1998 estimated that almost 6 million
people had read the Starr report via the Internet. (... well, maybe browsed.)

------------------------------

Date: Fri, 11 Sep 1998 13:53:43 -0700
From: "Sidney Markowitz"
Subject: Sexy risks of searching for MP3

Related to PGN's parenthetical comments in RISKS-19.95 (which you can find in
that issue by searching for the words "sex" and "MP3"), I was searching for
Grateful Dead bootleg recordings (not pirated!) in MPEG3 format and was
surprised that many of the links that came up were porn sites that had no
mention of MP3 nor Grateful Dead. Investigation revealed that the HTML source
for the porn sites contained META tags with repetitions of the words "MP3"
and a long list of rock bands, designed to fool the search engines.

Add in to the mix the practice of many of these porn sites to spawn new
browser windows when you try to back out of them (there has to be a pun
there, somewhere) and I'm sure there are a number of risks for the unwary
surfer.

sidney markowitz

------------------------------

Date: Mon, 14 Sep 1998 14:57:05 -0500
From: "Edelson, Doneel"
Subject: 'Whois' blocks abusers domain database

From Yahoo News - Monday September 14 2:17 PM ET

'Whois' blocks abusers domain database
By Randy Barrett, ZDNet

Network Solutions Inc. is blocking certain companies from using its public
database of domain name holders. NSI's Whois database contains detailed
information on 2.3 million Internet domain name recipients who have
registered through NSI's InterNIC service. The listings, which include name,
postal address, telephone numbers and e-mail addresses, were designed
primarily to help network operators communicate with domain holders. But
Whois has become increasingly popular with companies that mine the list for
direct mail marketing campaigns and subsequently burden its servers.

"You don't have to tie up all the bandwidth [to mine the list]," said David
Holtzman, NSI's senior vice president of engineering.

Hits soaring

NSI allows mining of the Whois database, but in the past two months, the
number of hits to the site has doubled every 20 days, Holtzman said. In June,
the site received 12.2 million hits. In July, that number jumped to 21
million. The August statistic was not available.

Holtzman found that 32 percent of the Whois traffic - more than generated by
all of Europe - was initiated by a single company. He won't name names but
said two companies in particular badly abused the database and are now locked
out. The culprits initiated parallel sessions via HyperText Transfer Protocol
with multiple computers and slowed down by 50 percent access to Whois for the
rest of the Net.

"I interpret it as a denial-of-service attack," Holtzman said. But, in this
case, the companies' motives appeared more impatient than nefarious.

Holtzman at first tried to meet the demand by adding new hardware but finally
gave up and filtered the two companies instead. Whois access speeds are now
improving, he said.

Can identify source

Numerous domain name holders said they regularly receive direct mail
marketing solicitations from such companies as American Express Co. and Verio
Inc. and can tell by the addressing that the source is Whois.

"Every time I register a domain, I get paper junk mail from Verio telling me
what a swell idea it would be to use their service. It's quite clear what
they're doing, since it always comes to the contact listed for the new
domain, which I always list care of my company," said John Levine, author of
the book Internet for Dummies.

NSI even uses the database for its own marketing. Last month, the company
sent out e-mail messages to domain holders advertising digital identification
services from VeriSign Inc.

------------------------------

Date: Mon, 14 Sep 1998 10:45:06 -0500
From: rhodesk.aimd@gao.gov
Subject: Y2K legal settlement

Produce Palace International, a grocer in Warren, Mich., has accepted
$250,000 from Tec America Inc. of Atlanta (a subsidiary of the Tec
Corporation, an affiliate of Toshiba of Japan), which makes its cash
registers and credit-card verification systems. (The plaintiff's attorney
claimed this is the first reported Y2K settlement.) Produce Palace said the
entire system routinely crashed when a single register was presented with
credit cards with 00, for the Year 2000, in the expiration date, with crashes
one-fifth of the days over a 500-day span. The case was filed in 1997. David
Nadler (a Washington lawyer) was quoted saying, "It's a lemon-law case
dressed up in year 2000 clothing." [Source: *The New York Times*, 14 Sep
1998]

------------------------------

Date: Tue, 15 Sep 1998 08:23:12 -0400
From: Mich Kabay
Subject: Problem of signs -- signs of problem

At Logan Intl Airport in Boston on 14 Sep 1998, there was a lot of milling
about and frustration as people entered the lineup for a Business Express
commuter flight to Philadelphia. The flight that was boarding was actually
for Halifax, Nova Scotia, and Philadelphia passengers were being turned away.
They would then go to the harried flight attendant at the counter for an
explanation, causing yet more delays as they interfered with newcomers trying
to register for later flights.

The problems were caused by the electronic announcement board, which clearly
showed that the Philadelphia flight was boarding even though it wasn't. A few
minutes later, while the Philadelphia flight, now 10 minutes late, was
_really_ boarding, the board entry winked out, giving the impression that the
Philadelphia flight had left. Late-coming Philadelphia passengers now
besieged the desk in panic demanding to know what they would do having
supposedly missed their flight.

I asked the agents why the board was inaccurate; could they not adjust the
flight information? No, said the agent, it was all computer-controlled and
there was nothing she could do about it.

The flight attendant on the little commuter plane to Philly was apparently
better-informed. The flight status is controlled by a human being in
operations (via a computer program, of course). In the absence of feedback,
the signs are causing more trouble than if they were turned off. The
fundamental problem is that no one is integrating information about late
flights or allowing for real-time information from the gate. An information
system based on theory isolated from reality is bound to fail.

I will send a copy of this message to the president of Business Express so he
will see to a simple improvement: allowing for feedback from the gate.

M. E. Kabay, PhD, CISSP / Director of Education ICSA, Inc.

------------------------------

Date: Sun, 13 Sep 98 22:54:40 BST
From: g.roussos@ic.ac.uk
Subject: An inverse story

RISKS frequently reports problems caused by cut cables to voice or data
communications, as a result of work of the [insert your favourite public
utility here]. Especially those of you who suffered such fortune may be
interested to know that on Friday night a worker of Cable and Wireless, UK,
damaged a British Gas pipe while repairing phone lines in Chiswick, West
London. As a result approximately 1,400 people had to be evacuated and had to
spend the night away from their homes. [ITN News, Sat 12/9/98]

------------------------------

Date: Fri, 11 Sep 1998 22:02:36 edt
From: Mike_Perry@DGE.ceo.dg.com
Subject: Re: "Windows NT Security" (Frankston, RISKS-19.95)

All of Bob's concerns about what access is really needed, different roles,
the problems of "super" users, and the basic requirement of always being able
to just trust the system are addressed by B2 operating systems.

Mike

  [Well, not all, but many. But then, there are very few B2 systems, and
  system developers are not very eager to develop any more. PGN]

------------------------------

Date: Mon, 14 Sep 1998 08:57:42 +0300
From: "Eugene"
Subject: Re: Rocket blows 12 Globalstar satellites

Yuzhnoye is not in Russia. It is in the Ukraine.

Eugene

  [Spasi'ba! PGN]

------------------------------

Date: 17 Apr 1997
From: RISKS moderator
Subject: Privacy Digests

Periodically I will remind you of TWO useful digests related to privacy, both
of which are siphoning off some of the material that would otherwise appear
in RISKS, but which should be read by those of you vitally interested in
privacy problems. RISKS will continue to carry general discussions in which
risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein. It includes a digest (which
  he moderates quite selectively), archive, and other features, such as
  PRIVACY Forum Radio interviews. It is somewhat akin to RISKS; it spans the
  full range of both technological and nontechnological privacy-related
  issues (with an emphasis on the former). For information regarding the
  PRIVACY Forum, please send the exact line:
     information privacy
  as the BODY of a message to "privacy-request@vortex.com"; you will receive
  a response from an automated listserv system. To submit contributions, send
  to "privacy@vortex.com". PRIVACY Forum materials, including archive
  access/searching, additional information, and all other facets, are
  available on the Web via: http://www.vortex.com

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
  run by Leonard P. Levine. It is gatewayed to the USENET newsgroup
  comp.society.privacy. It is a relatively open (i.e., less tightly
  moderated) forum, and was established to provide a forum for discussion on
  the effect of technology on privacy. All too often technology is way ahead
  of the law and society as it presents us with new devices and
  applications. Technology can enhance and detract from privacy. Submissions
  should go to comp-privacy@uwm.edu and administrative requests to
  comp-privacy-request@uwm.edu.

There is clearly much potential for overlap between the two digests, although
contributions tend not to appear in both places. If you are very short of
time and can scan only one, you might want to try the former. If you are
interested in ongoing discussions, try the latter. Otherwise, it may well be
appropriate for you to read both, depending on the strength of your interests
and time available.

PGN

------------------------------

Date: 31 Mar 1998 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
   if possible and convenient for you. Alternatively, via majordomo, SEND
   DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with
   net address if different from FROM:] or INFO [for unabridged version of
   RISKS information]. .MIL users should contact (Dennis Rears). .UK users
   should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright
   policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for
   guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com
     login anonymous
     [YourNetAddress]
     cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   The ftp.sri.com site risks directory also contains the most recent
   PostScript copy of PGN's comprehensive historical summary of one liners:
     get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.96
************************