precedence: bulk
Subject: Risks Digest 20.01

RISKS-LIST: Risks-Forum Digest Thursday 1 October 1998 Volume 20 : Issue 01

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://catless.ncl.ac.uk/Risks/20.01.html
and at ftp.sri.com/risks/ .

Contents:
  Computer collapse wipes out British Social Security records (PGN)
  Calling All Traffic Lights in Dublin! (Fiachra O Marcaigh)
  Y2K "fix" causes Dublin traffic jams (Mich Kabay)
  Natural gas plant explosion in Victoria, Australia (Martin Gleeson)
  Malaise in Malaysia hits satellite uplink (Mich Kabay)
  Bank of Montreal card functions paralyzed by bug (Mark Brader)
  Bad power strip knocks out Net service (Andrew Brandt)
  "Cyberdeath" raises privacy issue (Scott Peterson)
  How to bypass those pesky firewalls (Mark Jackson)
  Hacking, Irish-Style (Fiachra O Marcaigh)
  Re: X-rated net suit (Rishiyur S. Nikhil)
  Re: Sexy risks of searching for MP3 (John Mee, Don Byrd)
  Y2K risk in Netscape cookies (J Seymour)
  Re: "Windows NT Security" (Russ Cooper, Joe Thompson)
  Enquiry re: problems at universities (Pete Mellor)
  REVIEW: "Decrypted Secrets", F. L. Bauer (Rob Slade)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 1 Oct 98 17:12:24 PDT
From: "Peter G. Neumann"
Subject: Computer collapse wipes out British Social Security records

A major outage of the British Department of Social Security (DSS) national insurance register computer system (NIRS) has created a turmoil. Payments are being made manually without the usual vetting of eligibility. DSS is apparently being very coy about the situation, fearing a flurry of false claims.
This occurred during the cutover to the new system (being developed by Andersen Consulting under a 170-million-pound project, reportedly the biggest and most complex information technology project in Europe). DSS officials anticipate that NIRS could be down until at least the end of October, although Andersen folks think they are close to solving the problem. Stay tuned. [Source: An article by David Brindle, Guardian Weekly, 20 Sep 1998, p. 10, courtesy of David Stringer-Calver; PGN Abstracting]

------------------------------

Date: Tue, 29 Sep 1998 13:57:32 GMT
From: "Fiachra O Marcaigh"
Subject: Calling All Traffic Lights in Dublin!

Getting into, or out of, Dublin City Centre by car was much more difficult than usual yesterday (Sept 28th, 1998). The journey that should have taken me 25 minutes (long after normal rush-hour at 9.30) took over an hour instead. During rush hour, one motorist reported taking an hour and a half to cover a mile and a half.

In my case the congestion was so severe in the inner city that I kept expecting to round a corner and find some major obstruction such as a collapsed building, or two stalled trucks side by side.

The answer was much simpler - an incomplete "upgrade" had disconnected the traffic lights at 140 junctions from the Dublin Corporation control centre. The lights are normally regulated to cater for traffic conditions, but without communications they were left to get on with the job themselves. They ran through preprogrammed sequences without allowing for traffic conditions, or proper synchronisation between them. Gridlock resulted.

PS: Yesterday's jams were so bad that traffic today was much *lighter* than usual. Thousands of people must have taken to public transport.

Full story: http://www.irish-times.com/irish-times/paper/1998/0929/fro2.html

  [Also noted by Niall Smart, Bernard Lyons. See the next item from Mich Kabay, which provides a Y2K link!
  PGN]

------------------------------

Date: Tue, 29 Sep 1998 09:12:43 -0400
From: Mich Kabay
Subject: Y2K "fix" causes Dublin traffic jams

Chris Parkin of *The Press Association News* (UK) reported that the Dublin traffic snarl on 29 Sep 1998 was due to poor quality assurance in a new version of the software controlling traffic signals, which led to fixed cycles with no allowance for longer cycles at peak traffic times. Ironically, the software was installed to prevent Y2K problems. [PGN edited]

This case illustrates

* the general danger of introducing new bugs in any "fix" if QA procedures are inadequate;
* the specific danger of pushing Y2K fixes into production without proper QA;
* the vulnerability of electronically-controlled infrastructure to interference.

M. E. Kabay, PhD, CISSP / Director of Education
ICSA, Inc.

------------------------------

Date: Mon, 28 Sep 1998 09:30:59 +1000
From: Martin Gleeson
Subject: Natural gas plant explosion in Victoria, Australia

Shortly before 1pm on 25 Sep 1998, a series of explosions ripped through the Number 1 Plant at the Esso gas processing installation at Longford in eastern Victoria. Two workers were killed and seven injured. Effectively all residents of the state (~5 million) have been required to turn off their gas supply and it is not known when services will be restored. It could be days, weeks or even months.

RISKS? This looks like an all-your-eggs-in-one-basket problem. There are four plants at the Longford facility, but an incident like this means that they must all be shut down until the cause of the explosion is established. A new gas pipeline from a neighbouring state was finished six weeks ago, but it can only bring enough gas in for hospitals and nursing homes and to keep the gas pipeline network itself from going completely belly-up (it is absolutely vital that gas stays in the pipes and no air or water gets in).
It is expected that industry will be losing upwards of $100 million per day and thousands of workers will be stood down.

Further information can be seen at .

Looks like cold showers for a while. :-(

Martin Gleeson, Webmaster, The University of Melbourne, Australia.

  [Also noted by "Martin, Mike", who noted the effects on industry and on the spectators of the Australian Football League grand final in Melbourne (perhaps linked to Victoria losing to South Australia because they did not want cold showers?), Toby Stevens, who noted that the crematoriums were shut down, and "Peter J. Cherny". PGN]

------------------------------

Date: Mon, 28 Sep 1998 17:15:38 -0400
From: Mich Kabay
Subject: Malaise in Malaysia hits satellite uplink

As most readers will know, there is political unrest in Malaysia because the government has accused the former finance minister Anwar Ibrahim (who was also the deputy prime minister) of various unsavory crimes (which he and his supporters characterize as a smear campaign).

The following detail at the end of an article entitled, "Matathir cracks down on protests" by Nick Hopkins in this week's (1998.09.27) _Guardian Weekly_ (p. 4) caught my eye:

  "Diplomatic relations were further strained when broadcasters, including the BBC, discovered that their reports were being censored by the Malaysian authorities. Footage of the clashes between police and protesters demanding the resignation of Dr Matathir was blacked out by hackers, who intercepted transmissions bound for a satellite link."

Jamming itself is hardly new, but if -- and I stress _if_ -- this report is correct, it represents a rare case of known information warfare through an attack on communications satellites.

M. E. Kabay, PhD, CISSP / Director of Education
ICSA, Inc.

------------------------------

Date: Wed, 30 Sep 98 05:30:57 EDT
From: Mark Brader
Subject: Bank of Montreal card functions paralyzed by bug

Yesterday morning at 5:30 am, a new software version was loaded on the computers that control all electronic card transactions at the Bank of Montreal. It was intended to upgrade the system to better handle the upcoming Christmas season. Instead the result was MasterCard credit authorizations denied, debit cards denied, and ATMs shut down.

According to today's *Toronto Star*, "bank technicians ... immediately set up 'war-rooms' -- rethinking pages and pages of computer code, desperately trying to find a quick solution." The article is silent on the possibility of quickly reverting to the previous version. Anyway, at 1:30 pm the system "went down hard" and it wasn't until 4:30 that things were working again.

The Bank of Montreal is the third-largest in Canada, and the largest MasterCard issuer. The Star article refers to 2,000,000 cardholders, but isn't clear as to whether this is the total number of them or the number who actually use their cards in one day -- the figure seems to me too low for the one and too high for the other.

------------------------------

Date: Wed, 16 Sep 1998 11:06:55 -0700
From: Andrew Brandt
Subject: Bad power strip knocks out Net service

What follows is a message sent by the sysadmin at my employer's office. The company for which I work has a huge number of employees who use their Net connection daily as part of their job duties.

The risk in this case is obvious. Major network hubs should have proper electrical power connections (with uninterruptible power supplies) for their servers and associated network hardware. Kludgy solutions aren't appropriate for large businesses. I can only assume somebody blew it when they didn't install the appropriate electrical hookups in their server room, and tried to cover their error by using power strips.
Replacing the power strips is only a temporary fix, though I doubt more will be done to correct the problem. How many other ISPs use $5-20 power strips on their $10,000+ hubs, routers, and servers, instead of wiring their offices correctly from the beginning? I suppose we'll just have to live with this idiocy for a while.

> Last night, two of the power strips feeding power to our network
> equipment in [city name deleted] failed. Power has been restored as
> well as our ability to surf the web and replicate using an ISP.
> The outage began sometime yesterday evening at around 6:45 PM and was
> temporarily fixed. This morning we noticed another outage which lasted
> for about 20 minutes. We're waiting to hear from our ISP to know more
> about the second outage. Our guess is that this morning's brief outage
> was necessary to transfer our equipment to new power strips. I'll
> confirm with our ISP this later today.

------------------------------

Date: Fri, 25 Sep 1998 15:24:25 -0700
From: Scott Peterson
Subject: "Cyberdeath" raises privacy issue

An article yesterday in my local paper crediting Cox News service relates the story of a woman who applied for a loan at her bank. However, the credit check indicated that Social Security said she was dead.

An investigation uncovered that a claims agent at the SSA's Belle Glade FLA office named Jorge Yong had had a fight with the woman in an internet chat room and was banned from it. In retaliation, he used a co-worker's terminal to put a date of death on the woman's record. Yong resigned and was ordered to pay $700 to the victim and pay a $100 fine after pleading guilty to one count of falsifying personal data.

This story came out in testimony by acting inspector general James Huse before the Senate Governmental Affairs Committee as part of an ongoing investigation of whether private information is safe on government computers.

Scott Peterson

------------------------------

Date: Tue, 29 Sep 1998 11:30:43 PDT
From: mjackson@wc.eso.mc.xerox.com (Mark Jackson)
Subject: How to bypass those pesky firewalls

The United Media website (very popular as it is the home of the "Dilbert Zone") is advertising "Comic Explorer - the NEW way to read comics." Turns out (http://www.unitedmedia.com/explorer/index.html) that it's a free "Java" applet that facilitates browsing their comics archives - if you have a Pentium running Windows (hence the quotes around "Java").

But click on "System Requirements" and one finds the following advisory:

  Firewalls: Some companies have firewalls that make it difficult to run Java applets with multiple classes. If this is the case, you can make some adjustments to use the software with Internet Explorer 4.0. Follow these instructions:

  Internet Explorer 4.0:
    Select Internet Options (Under the view menu), and click on the "security tag."
    Under the Zone pull down menu, select "Trusted sites zone." (The security level "Low" should be selected.)
    Click on "Add Sites," then type in "http://umweb2.unitedmedia.com"
    Uncheck "Require server verification (https:) for all sites in this zone."
    Click "OK" twice.

Everybody out there who sets firewall security policy comfortable with that?

Mark Jackson - http://www.alumni.caltech.edu/~mjackson

------------------------------

Date: Tue, 29 Sep 1998 13:57:32 GMT
From: "Fiachra O Marcaigh"
Subject: Hacking, Irish-Style

No backdoors or Trojans required for a four-man gang that wanted to incapacitate the phone-monitored alarms in a rural area in the south of the country. They busted in the door and took hammers to the exchange equipment, in an attack that left 500 families without telephone service.

It is ironic that the provision of extra services such as alarm monitoring by the phone company has made its exchanges a target of attack. Perhaps they should install a decent alarm system?

Full story: http://www.irish-times.com/irish-times/paper/1998/0929/hom16.html

------------------------------

Date: Fri, 25 Sep 1998 19:48:15 -0400
From: "Rishiyur S. Nikhil"
Subject: Re: X-rated net suit (PGN's comment in RISKS-19.97)

> [Combine digital photography with the see-through infrared camera
> technology described in RISKS-19.93 and we get undie-lewded truth? PGN]

Beware of geeks baring gifs.

Rishiyur S. Nikhil (nikhil@acm.org)

------------------------------

Date: Sat, 26 Sep 1998 08:33:01 -0700
From: John Mee
Subject: Re: Sexy risks of searching for MP3 (Markowitz, RISKS-19.97)

In RISKS-19.97, "Sidney Markowitz" pointed out that a number of porn sites will add meta tags pointing to rock bands. In a recent investigation at my workplace, we (I work in Information Security) discovered that an alarmingly high number of the sites are using www.disney.com as either a link or a meta tag so that children will find these sites when they go out and look for pictures of Mickey and Goofy.

Parents would be well advised to check the global history and cache files of their browsers to see if this has happened and also have a talk with their children about things. My own son, while doing some research on the U.S. Govt. found out that Whitehouse.com does NOT contain government info :-)

Moral: Maintain open communication with your children and monitor their Web usage.

------------------------------

Date: Mon, 28 Sep 1998 11:48:03 -0400
From: Don Byrd
Subject: Re: Sexy risks of searching for MP3 (Larry, RISKS-19.97)

[...] Actually, the Web-search companies are well aware of unscrupulous Webmasters trying to manipulate their search systems, and they have been taking countermeasures for quite a while. See for example the following discussion, at http://searchenginewatch.com/webmasters/rank.html :

  Meta tags are what many web designers mistakenly assume are the "secret" to propelling their web pages to the top of the rankings.
  HotBot and Infoseek do give a slight boost to pages with keywords in their meta tags. But Excite doesn't read them at all, and there are plenty of examples where pages without meta tags still get highly ranked. They can be part of the recipe, but they are not necessarily the secret ingredient.

  Search engines may also penalize pages or exclude them from the index, if they detect search engine spamming. An example is when a word is repeated hundreds of times on a page in a row, to increase the frequency and propel the page higher in the listings. Search engines watch for common spamming methods in a variety of ways, not the least by following up on complaints.

I don't know that this description is totally accurate but I'm confident it's basically correct. And I have seen the ignoring-Meta effect. A while ago, one of my colleagues built a simple Web search system and used it to search for "biochemistry" (or some such, I'm not sure any more). One of the top hits was a university department page which neither used the word "biochemistry" heavily nor seemed particularly relevant to it; however, it did repeat the word numerous times in a META tag. But one of the well-known search services we tried (Alta Vista? Infoseek? I forget) was not fooled at all.

Don Byrd, Center for Intelligent Information Retrieval (CIIR), Computer Sci., University of Mass., Amherst, MA 01003 1-413-545-3147 dbyrd@cs.umass.edu

------------------------------

Date: Sat, 26 Sep 1998 00:58:13 +1000
From: jseymour@au1.ibm.com
Subject: Y2K risk in Netscape cookies

How did the following happen? The Netscape cookies specification (url below) states that the expires field of the cookie string is formatted as:

  Wdy, DD-Mon-YY HH:MM:SS GMT

A 2 digit year! In a specification from circa 1994-95!! What planet am I on?!!!

More seriously, how many web applications will stop working around the year 2000 because of differing interpretations of what YY means?

http://developer.netscape.com/docs/manuals/communicator/jsguide4/cookies.htm

------------------------------

Date: Fri, 25 Sep 1998 15:30:57 -0400
From: Russ
Subject: Re: "Windows NT Security" (Frankston, RISKS-19.95)

First, Bob Frankston mentioned that Windows NT "has been C2 certified," Then, John Nolan said it was Windows NT 3.51.

Actually, it was Windows NT 3.5 (Workstation and Server) with Service Pack 3. In the NSA state that the highest level NT 3.5/SP3 could meet and satisfy all criteria is class C2.

- It's correct that the evaluated platforms were not networked.
- Extensive modifications were not made to the system registry (some were, but considering the size and scope of the registry the mods could not be called "extensive").
- Like all evaluations, it was done on specific hardware that was also specifically configured (sans floppy, for example). Compaq Intel and Dec Alpha configs were evaluated.

See http://www.radium.ncsc.mil/tpep/process/procedures.html if you're interested in the RAMP process.

MS went the ITSEC route with NT 3.51, and received an E3 assurance level in the U.K. in 1996. From a marketing perspective, it was a better schpiel (NOS certification rather than OS), especially since they were already allowed to sell into the .gov/.mil by virtue of the NSA C2 evaluation on 3.5SP3 (which purchasing managers seem to gleefully ignore btw). Novell contends it's not a "network" evaluation.

NT 4.0 (Workstation and Server) are under ITSEC E3,F-C2 functionality evaluation with AISEP (DSD Australia) but have not, as far as I know, completed it anywhere.

Personally, I think all of this evaluation junk (at this level) is just that. I feel much better passing an ISS scan or an Axent audit than I do knowing some pseudo-spooks had a gander at it. IMO, anything below B is intended to keep responses to RFPs to a minimum and make purchasing somewhat simpler.

Russ - NTBugtraq moderator
Join the NTBugtraq list, see

------------------------------

Date: Fri, 25 Sep 1998 23:48:27 -0400
From: Joe Thompson
Subject: Re: "Windows NT security"

There was a forum on InfoWorld Electric (http://www.infoworld.com/) about this about a month or so ago. The actuality of NT's C2 certification is dependent on the following:

* One of two or three (I seem to remember two Compaqs and one Digital system) very specifically detailed hardware configurations must be used. These do not include any kind of external connectivity (network card, modem).
* The version of NT that was certified was NT 3.5 with Service Pack 3 applied, and no networking or comm drivers installed. 3.51 is not certified, nor is 3.5 without SP3. 4.0 has not, to anyone's knowledge, begun the process of certification, and Microsoft declined to comment.

The forum was started by InfoWorld columnist Nicholas Petreley, who spoke with a fellow named Ed... I can't recall his last name, but he headed up Lone Star Systems, the company which developed the testing software that Microsoft used to gain the seal of approval. He alleges that Microsoft has both actively and passively misrepresented the security of NT to, among others, government agencies, and that Microsoft reneged on promises to distribute his compliance-testing software.

It was a very interesting forum. Petreley sent a comprehensive list of questions to Microsoft and their answer was a blanket "no comment." Most of the questions were not even speculative in nature, but were seeking comment on facts that could easily be verified independently (e.g., details about Microsoft displays at various trade shows).

Nicholas will be happy to comment I'm sure, and the forum discussion should still be archived (I'd provide direct addresses and URLs, but my copy of Netscape is flaky today).

-- Joe

------------------------------

Date: Tue, 22 Sep 1998 10:48:43 +0100 (BST)
From: Pete Mellor
Subject: Enquiry re: problems at universities

I am interested in any information regarding software disasters that have affected administrative systems in universities, such as student records, registration systems, etc.

These need not be recent. (In fact, my enquiry is prompted by an acquaintance telling me that several incidents resulting in permanent loss of student records occurred back in the 1970's, when universities were either just getting computerised or else upgrading to new mainframes.)

Please reply to me directly, rather than to RISKS. I will post a summary of any interesting incidents, unless the respondent indicates that the information is confidential, in which case I will treat it as such.

Many thanks.

Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB, UK.
Tel: +44 (171) 477-8422, Fax: +44 (171) 477-8585
E-mail: p.mellor@csr.city.ac.uk

  [For starters, a very cursory search of the RISKS archives (for example, ftp://ftp.sri.com/illustrative.ps or pdf) found these references to RISKS (R i j) and ACM SIGSOFT Softw.Eng.Notes S (i j) (with earlier references to RISKS):

  Computer blunders blamed for $650M student loan losses (S 14 2)
  New Zealand student grants debited instead of credited (S 14 5)
  Brown University senior's account mistakenly given $25,000 (S 12 2)
  Ontario removes privacy controls on students' personal information (R 19 48)
  New computer system duns students for loans not due (S 18 2:9)
  Univ. Central Florida did not cut off student registration (S 12 3)
  On-line class registrations deleted by other students at UBC (S 18 1:19)
  ``Computer error" affects hundreds of UK A-level exam results (R 19 40)
  British school examination program gave erroneous grades (S 11 5)
  Computer gives law student wrong exam, passes him, after disk fix (S 12 2)
  16-year-old boy cracks university computer security (S 21 2:20)
  Vandalism disrupts service at Stirling University for days (S 19 4:13)
  PGN]

------------------------------

Date: Tue, 29 Sep 1998 10:32:31 -0800
From: "Rob Slade"
Subject: REVIEW: "Decrypted Secrets", F. L. Bauer

BKDECSEC.RVW 980804

"Decrypted Secrets", F. L. Bauer, 1997, 3-540-60418-9, U$39.95
%A F. L. Bauer
%C 175 Fifth Ave., New York, NY 10010
%D 1997
%G 3-540-60418-9
%I Springer-Verlag
%O U$39.95 212-460-1500 800-777-4643
%P 447 p.
%T "Decrypted Secrets: Methods and Maxims of Cryptology"

Cryptology is the study of the technologies of taking plain, readable text, turning it into an incomprehensible mishmash, and then recovering the initial information. There are two sides to this study. Cryptography is the part that lets you garble something, and then recover it if you have the key. Cryptanalysis is usually seen as the "dark side" of the operation, because it is the attempt to get at the original meaning when you *don't* have the key.

Most current and popular works on cryptology actually only speak about cryptography. For one thing, nobody wants to get into trouble by telling people how to break encryption. However, it is also much easier to blithely talk about key lengths and algorithms and pretend to know what you are doing if you don't have to understand enough math to try to figure out how to go about cracking a particular cipher. Bauer examines both sides, which is an important plus. If you need to decide how strong an encryption algorithm or system is, it is important to know how difficult it might be to break it.

Chapter one looks at Steganography, the science of hiding in plain sight, or concealing the fact that a message exists at all. In this he first demonstrates a wide ranging historical background which is quite fascinating in its own right. Basic encryption concepts are introduced by the same historical background, but move on to a very dense mathematical discussion of cryptographic characteristics in chapter two. Encryption functions are started in chapter three, and it is delightful to have examples other than Julius Caesar's substitution code. Polygraphic substitutions are in chapter four and the math for advanced substitutions is in chapter five. Chapter six introduces transpositions. Families of alphabets, and rotor encryptors such as ENIGMA, are reviewed in chapter seven. Keys are discussed in chapter eight, ending with a brief look at key management. Chapter nine covers the combination of methods resulting in systems such as DES (Data Encryption Standard). The basics of public key encryption are introduced in chapter ten. The relative security of encryption is introduced in chapter eleven, leading to part two. However, it also ends with a discussion of cryptology and human rights, concentrating mainly, although not exclusively, on the US public policy debates.

Part two examines the limits of functions used in cryptography, and thus the points of attack on encryption systems. Chapter twelve calculates complexity, and thus the size of brute force attacks. Known plaintext attacks are the basis of chapters thirteen to fifteen, looking first at general patterns, then at probable words, and finally at frequencies. Frequency leads to a discussion of invariance in chapter sixteen. Chapter seventeen follows with a look at key periodicity. Alignment of alphabets is covered in chapter eighteen. Of course, cryptographic users sometimes make mistakes, and chapter nineteen reviews the different errors and various ways to take advantage of them.
Chapter twenty one looks at anagrams as an effective attack on transposition ciphers. The concluding chapter muses on the relative effectiveness of attacks and of cryptanalysis overall.

Those seriously interested in cryptology will really need to be serious: brush up on your number theory if you want to use this book for anything. On the other hand, Bauer's history and vignettes from the story of codes and the codebreakers are interesting, amusing, and accessible to anyone.

copyright Robert M. Slade, 1998 BKDECSEC.RVW 980804

------------------------------

Date: 23 Sep 1998 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line,
     SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
     INFO [for unabridged version of RISKS information]
   .MIL users should contact (Dennis Rears).
   .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html
     ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
     [volume-summary issues are in risks-*.00]
     [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.01
************************
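
The two-digit year raised in the "Y2K risk in Netscape cookies" item above, worked through as an added example (it is not part of the digest or of any contributor's message): the code parses the `Wdy, DD-Mon-YY HH:MM:SS GMT` form and resolves YY under three century rules to show where receivers disagree about whether a cookie has expired. The function names, the clock value and the sample cookie dates are constructed for illustration.

```javascript
// Added example: field layout from the digest item; inputs and names are constructed.
const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];

// Split "Wdy, DD-Mon-YY HH:MM:SS GMT" into fields without choosing a century.
function parseExpires(text) {
  const m = /^[A-Za-z]{3,9}, (\d{2})-([A-Za-z]{3})-(\d{2}) (\d{2}):(\d{2}):(\d{2}) GMT$/
    .exec(text.trim());
  if (!m) throw new Error("not in Wdy, DD-Mon-YY HH:MM:SS GMT form: " + text);
  const mon = m[2][0].toUpperCase() + m[2].slice(1).toLowerCase();
  const month = MONTHS.indexOf(mon);
  if (month < 0) throw new Error("unknown month: " + m[2]);
  return { day: +m[1], month, yy: +m[3], hh: +m[4], mm: +m[5], ss: +m[6] };
}

// Three readings of YY that independent implementations could each justify.
const POLICIES = {
  // Prefix "19", the reading a two-digit field invites.
  always19: (yy) => 1900 + yy,
  // Fixed pivot: 70-99 -> 19YY, 00-69 -> 20YY (the rule RFC 6265 later adopted).
  pivot70: (yy) => (yy >= 70 ? 1900 + yy : 2000 + yy),
  // Sliding window: the century that puts the year closest to the current one.
  nearestNow: (yy, now) => {
    const thisYear = now.getUTCFullYear();
    const base = Math.floor(thisYear / 100) * 100;
    return [base - 100 + yy, base + yy, base + 100 + yy].reduce((best, y) =>
      Math.abs(y - thisYear) < Math.abs(best - thisYear) ? y : best);
  },
};

// Resolve the expiry instant under one policy.
function resolveExpiry(text, policy, now) {
  const f = parseExpires(text);
  const year = POLICIES[policy](f.yy, now);
  return new Date(Date.UTC(year, f.month, f.day, f.hh, f.mm, f.ss));
}

// For each policy: the year it picks and whether the cookie is already expired.
function compareReadings(text, now) {
  const out = {};
  for (const policy of Object.keys(POLICIES)) {
    const when = resolveExpiry(text, policy, now);
    out[policy] = { year: when.getUTCFullYear(), expired: when <= now };
  }
  return out;
}

// True when at least two policies disagree on whether to keep the cookie.
function isAmbiguous(text, now) {
  const verdicts = Object.values(compareReadings(text, now)).map((r) => r.expired);
  return new Set(verdicts).size > 1;
}

// Constructed clock and cookie dates (not from the page).
const NOW = new Date(Date.UTC(1998, 9, 1));
const SAMPLES = [
  "Fri, 31-Dec-99 23:59:59 GMT", // every policy agrees: 1999
  "Sat, 01-Jan-00 00:00:00 GMT", // 1900 vs 2000
  "Sat, 01-Jan-50 00:00:00 GMT", // 1950 vs 2050
];

for (const s of SAMPLES) {
  console.log(s, JSON.stringify(compareReadings(s, NOW)), "ambiguous:", isAmbiguous(s, NOW));
}
```

A sender avoids the ambiguity by emitting a four-digit year, which JavaScript's `Date.prototype.toUTCString()` already does.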