Subject: Risks Digest 20.43

RISKS-LIST: Risks-Forum Digest  Friday 4 June 1999  Volume 20 : Issue 43

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and at ftp.sri.com/risks/ .

Contents:
A THAAD Day in Black Rock (PGN)
Ghost bridge (Meine van der Meulen)
Y2K Test Knocks Out Fiji's Telecommunications (Doneel Edelson)
Hackers take down FBI and Senate Internet sites ... (Keith A Rhodes)
Crackers do for gov't what critical infrastructure report couldn't (John Gilmore)
Errors in the Cox report on Chinese nuclear spying (PGN)
Hoax takes down country's phone networks (Lloyd Wood)
Symbols silently slip south: it's not Greek to pdf (Bryan O'Sullivan)
John Denver and interfaces (Lindsay Marshall)
Smart Identity Card to debut in Malaysia (Anonymous)
Late-night movie viewing and computerized ticket sales (Steve Fenwick)
Senator Hatch - Trademark (Alan Barclay)
BUGTRAQ may be banned in Australia (Peter Jeremy via Seth David Schoen)
Re: Microsoft "fixes" the MS Office ... vulnerability (David Mediavilla)
We don't care, we don't have to, we're the phone company! (John Pettitt)
Firewall risks (Robert David Graham)
Re: Allaire defects are nobody's fault? (Adam Shostack)
A Problem with Biometrics (Andrew J Klossner)
Re: Biometric risks (Ron Ruble)
California will sell confidential wage data (PGN)
Privacy Digests (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 26 May 99 11:22:54 PDT
From: "Peter G. Neumann"
Subject: A THAAD Day in Black Rock

The Pentagon halted a test of the Theater High-Altitude Area Defense (THAAD)
missile-defense system, when a Hera target rocket malfunctioned. THAAD is
under scrutiny after seven consecutive failed tests.
[Source: Reuters item, 26 May 1999, seen in the *San Francisco Chronicle*.]

  [Maybe this renewed attempt to develop the Star Wars technology should be
  left to George Lucas, who seems to do it much better. Perhaps animating the
  system without ever building it would be the most cost-effective strategy.
  PGN]

------------------------------

Date: Wed, 2 Jun 1999 16:32:10 +0200
From: Meine van der Meulen
Subject: Ghost bridge

Kropswolde, Monday. The bridge on the Meerweg in the village Kropswolde
manifested itself as a ghost bridge during the weekend. A car driver was
trapped when he passed the bridge and both barriers suddenly closed. The
police managed to rescue the man. Just after this rescue action, the bridge
suddenly opened and closed without apparent reason. The village closed the
bridge.

[Source: *Algemeen Dagblad*, 1 Jun 1999]

M.J.P. van der Meulen

------------------------------

Date: Wed, 26 May 1999 13:13:43 -0400
From: "Edelson, Doneel"
Subject: Y2K Test Knocks Out Fiji's Telecommunications

Fiji's telecommunications services were completely shut down for several
hours on 24 May 1999 when a Y2K test by Telecom Fiji Ltd. caused the entire
system to crash.

[See http://www.tfl.com.fj/. Source: Yahoo Asia News - Technology, Newsbytes
item by Adam Creed, Post-Newsweek Business Information, Inc., 24 May 1999;
PGN-ed.]

------------------------------

Date: Fri, 28 May 1999 13:13:37 -0500
From: "Keith A Rhodes"
Subject: Hackers take down FBI and Senate Internet sites ...

Both FBI and Senate Web sites were attacked on 27 May 1999, evidently in
retaliation for the FBI's harassment of certain hacker groups -- including
one that apparently cracked the White House site earlier this month (for
which Eric Burns (Zyklon) was indicted). Both sites were removed from
service, although only the Senate site was penetrated and altered.

[Source: Associated Press item by Ted Bridis, 28 May 1999; PGN-ed.]
  [The Department of Interior and a Govt facility at Idaho Falls were also
  hit on 31 May 1999. Other attacks were reported subsequently. PGN]

------------------------------

Date: Thu, 03 Jun 1999 19:05:50 -0700
From: John Gilmore
Subject: Crackers do for gov't what critical infrastructure report couldn't

"There's a government-wide effort to make sure that our computer systems
remain secure," White House Press Secretary Joe Lockhart said in a briefing.
http://www.zdnet.com/zdnn/stories/news/0,4586,2268574,00.html

As usual, the computer underground is doing a service to the country by
making it clear just how shallow the government's understanding of computer
security is. They are quite curiously refraining from damaging anything in
their intrusions but the egos of the bureaucracies involved.

As usual, the first response of the Feds is to threaten dire punishment for
the messengers. But they are being prodded into actually attempting to keep
serious attackers out, a novel idea somewhat overdue for consideration.

Perhaps this is heresy, but has the computer underground considered
demonstrating that it can break into electrical power distribution
computers, and the phone network, so those will get secured too?

John

------------------------------

Date: Fri, 4 Jun 1999 16:35:12 PDT
From: "Peter G. Neumann"
Subject: Errors in the Cox report on Chinese nuclear spying

An article by James Oberg on the ABC News Science website documents many
misstatements in the Cox report.
http://www.abcnews.go.com/sections/science/DailyNews/oberg990602.html

------------------------------

Date: Tue, 11 May 1999 00:16:27 +0100 (BST)
From: Lloyd Wood
Subject: Hoax takes down country's phone networks

http://news.bbc.co.uk/hi/english/world/middle_east/newsid_340000/340104.stm

Article claiming:

1. Lebanese radio station broadcasts hoax claiming cellular networks are
   affected by Chernobyl virus (the current popular student excuse for tardy
   wordprocessed reports, if my experience is at all typical).
2. Lebanese immediately stop using popular cellular networks, and switch to
   landline networks to warn each other of anticipated cellular problems.
   (Israel's also known for its heavy cellular use.)

3. Landline networks are promptly overloaded due to normally-large and
   now-displaced cellular use and warnings of problems. The radio broadcast
   has prompted a flash crowd and service outages result.

4. Conspiracy theorists suspect underlying motives in finger-pointing wake,
   while ignoring the risks of behaving rationally when armed with false
   information and not having meme countermeasures in place.

Handling and selectively discarding the majority of calls from flash crowds
caused by e.g. television phone-ins is trivial; it's arranged in advance (if
the media people know their jobs...) and you know where the flash calls are
going. But how do you effectively deal with a many-to-many surge like this?

Dimensioning telco switch capacity for expected use doesn't lead to graceful
degradation under heavy load, but hey, that's Erlang for you. Legacy local
loop is the real constraint/problem; degrading the quality of digitised voice
traffic in the plesiochronous backbone and restoring at the other end to
increase capacity is a trivial codec application, and just a minor step up
from silence suppression.

I think this is something like the sinister inverse of the oft-cited
disaster scenario, where network damage is suffered and any remaining
functional cellular and landline capacity would be immediately overwhelmed
by people trying to locate loved ones. The callers are behaving rationally
and selfishly; the networks can't cope effectively. I'd say 'tragedy of the
commons' if it wasn't for the fact you pay for phone service.

This is far more impressive than that "if someone tells you to dial #91,
don't" meme, which got through multiple countries to users of all types of
mobile networks recently.
But the "withdraw money from banks for Y2K to avoid the financial crash the
withdrawals contribute to" and the "don't purchase Iridium handsets because
Iridium are in trouble" memes may yet have far more impressive results as
self-fulfilling prophecies.

PGP

------------------------------

Date: Wed, 2 Jun 1999 20:00:07 -0700 (PDT)
From: "Bryan O'Sullivan"
Subject: Symbols silently slip south: it's not Greek to pdf

In the course of some exploratory work I am doing, I recently downloaded a
technical paper in Adobe's Portable Document Format:

http://research.microsoft.com/copyright/accept.asp?path=http://research.microsoft.com/~hoppe/siggraph96pm.pdf&pub=acm

  [SPLIT FOR THOSE FOR WHOM IT IS OFF THE PAGE:
  http://research.microsoft.com/copyright/accept.asp?path=http://
  research.microsoft.com/~hoppe/siggraph96pm.pdf&pub=acm]

After a brief perusal of the abstract using Adobe's free Acrobat Reader for
Linux, I decided that the paper was interesting enough to print out, and
squirreled the hardcopy away for later perusal.

When I went to read the paper today, I was a little surprised to find that
it had not reproduced very well. In particular, much of the mathematical
notation in the paper was garbled or missing; Greek characters and curly
braces were notable by their absence. All of this information was
represented correctly on-screen by Acrobat Reader; it was silently mangled
when I printed the document out.

Worried, I did a little more experimentation. The free gv viewer had no
trouble displaying the paper on my screen (but I didn't try printing it
out). The free xpdf viewer dropped most of the mathematical notation, but the
author at least documented this shortcoming (relating to embedded fonts).

As I am not near a printer at the moment, I am going through my hardcopy of
the paper with a pen, adding the missing characters.
Most disturbingly of all, as I began to make these corrections, I found that
the mathematical symbol for inequality (an "equals" symbol with a slash
through it) was misrendered on paper as that for equality.

The RISK seems clear - technical papers presented for downloading in PDF can
be arbitrarily garbled by viewers in ways that may be difficult to spot.

------------------------------

Date: Tue, 1 Jun 1999 13:55:50 +0100 (GMT)
From: Lindsay.Marshall@newcastle.ac.uk
Subject: John Denver and interfaces

http://catless.ncl.ac.uk/Lindsay
describes how John Denver was killed because of a modified interface in the
plane he was flying.

  [The builder had changed the designer's plans, placing the fuel-tank
  selector controls rather weirdly over the pilot's shoulder, unlabelled,
  with up for off, down for the right tank, and to the right for the left
  tank. There are more curiosities in the NTSB report, at www.ntsb.gov. PGN]

------------------------------

Date: Tue, 1 Jun 1999 09:29:15 +0100 (BST)
From: [Identity anonymized]
Subject: Smart Identity Card to debut in Malaysia

Malaysia's compulsory National Registration Identity Card (NRIC), required
for doing anything official or semi-official (such as banking, buying a car,
etc) is to become SMART and include financial and health data, driving and
travel rights and criminal offences in addition to the residence address and
thumbprints on the current laminated paper version. The thumbprint,
currently underused, is set to become the standard computerised ID biometric
used by government agencies. The new NRIC may also become the national
payment system.

NRIC numbers are issued at birth (on the birth certificate) but the card
itself is issued at the age of 12, and must thereafter be carried at all
times.

I have no information about the private company that has won the contract
to supply the new smart cards.
Nor have I heard of any public scrutiny mechanism to ensure that the
technology does not contain flaws that will enable this data to fall into
the wrong hands.

[Source: article by Philip Golingai, Your smart IC Card with personal data
of holder expected out in August next year, The Star, 1 Jun 1999.]

------------------------------

Date: Thu, 20 May 1999 19:43:20 -0700
From: Steve Fenwick
Subject: Late-night movie viewing and computerized ticket sales

If you're an after-midnight movie-goer, check your tickets!

I bought tickets last weekend for "Phantom Menace", dated Wednesday, May
19th, 12:15AM. Bright RISKS readers can guess what's coming next...

The theatre's computer apparently does not recognize midnight as the break
between two days; it uses the normal box office opening time (11AM) as the
break. So their 12:15AM 5/19 show was really on 5/20 at 12:15AM. Oops.

So I wound up seeing the show on 5/18 (according to their computer), a full
day before the movie officially opened. Take *that*, Darth Vader!

Steve Fenwick http://www.w0x0f.com

  [Star Warps? PGN]

------------------------------

Date: Thu, 27 May 1999 12:55:40 -0400
From: Alan Barclay
Subject: Senator Hatch - Trademark

ABC News apparently thinks that Senator Orrin Hatch has registered his name
as a trademark, in
http://www.abcnews.go.com/sections/tech/DailyNews/netbombs990525.html

  "The amendment, sponsored by Sens. Orrin Hatch [*R*] of Utah and Dianne
  Feinstein (D) of California, does not make it illegal to simply provide
  the information, However."

Here "[*R*]" designates the \256 code that prints as the circle-R
registered-trademark symbol. Obviously we're seeing some sort of translation
between (R) and the circle-R, even though in this case the (R) is the
correct text. An old story of over-enthusiastic substitution.

  [By the time I checked it out the next day, it had been fixed.
  PGN]

------------------------------

Date: Thu, 27 May 1999 08:21:26 +1000
From: Peter Jeremy
Subject: BUGTRAQ may be banned in Australia
To: BUGTRAQ@netspace.org

  [Forwarded to RISKS by Seth David Schoen. PGN]

This message is intended as a call-to-arms for BUGTRAQ subscribers as well
as a warning to subscribers in other countries.

Yesterday, the Australian Senate (Upper House of the Federal Government)
passed legislation to censor the Internet (I don't have a URL for the final
legislation at present). This legislation mandates the censorship of
Internet content (which includes mailing lists) as if it was a film. All
Australian ISPs are required to filter overseas content that would be rated
X or RC under the Australian classification guidelines (see
http://www.oflc.gov.au/PDFs/Film%20&%20Video%20Guidelines.pdf).

The RC (Refused Classification) category states:

  "The Classification Code sets out the criteria for refusing to classify a
  film or video. The criteria fall into three categories. These include
  films that: ... promote, incite or instruct in matters of crime or
  violence."

and later

  "Films and videos will be refused classification: or if they contain: ...
  detailed instruction in: matters of crime or violence,"

BUGTRAQ is a full-disclosure list and regularly contains detailed
descriptions of how to break into computers. Breaking into computers is a
crime in Australia. It is therefore possible that BUGTRAQ could be
classified "RC" and hence banned in Australia.

Refer to http://www.efa.org.au/ for further information.

Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015                     Fax:   +61 2 9690 5982

----- End forwarded message -----

Seth David Schoen
http://ishmael.geecs.org/~sigma/ (personal)  http://www.loyalty.org/ (CAF)

  [Ah, yes, and Linux source code contains some dirty words.
  PGN]

------------------------------

Date: Thu, 27 May 1999 14:59:53 +0200
From: Mediavilla David
Subject: Re: Microsoft "fixes" the MS Office ... vulnerability (RISKS-20.42)

After reading RISKS 20.42, a combination of risks came to mind.

Paul Walker mentioned the Microsoft plan to sign Office 2000 macros. In
"German government criticizes own style in Word documents", Debora
Weber-Wulff mentions that Office automatically fills author and
organization information from the current machine.

I am not sure if this means Microsoft may have enabled that every macro
that came to my system without signing, say an Office 97 virus that I
inadvertently loaded, will come out as signed by me. Then, everybody who
trusts me will become infected (and I will be blamed).

I asked Paul Walker (the original poster to RISKS). According to the MS
document, with security settings as 'high' unsigned macros are silently
disabled. Set to 'low', Office 2000 will silently run them. Set to 'medium',
Office 2000 will ask the user.

Reading the document further does not explicitly state what happens to the
macro when it is opened under low security settings. It would appear that
the macro will run, but it will not be signed. Signing a macro appears to be
something that you have to do yourself.

It would appear that this won't be a danger, but... Can you have untrusted
VB code make a function call that would sign the macro? In current versions
of Word, almost every menu function (maybe all, I have not checked) can be
done through the VB macros. Until I get a copy of the software in my hands,
I won't be able to confirm this...

David Mediavilla Ezquibela [ES/EN/EO/EU] (Lan)

------------------------------

Date: Tue, 25 May 1999 16:47:14 -0700
From: John Pettitt
Subject: We don't care, we don't have to, we're the phone company!
I recently made a couple of trips to the UK on business and, not wishing to
spend the entire US GDP on phone bills (UK hotel phones should be avoided at
all costs), I used my MCI card to call home and check e-mail.

When I got back my MCI bill was full of "operator assisted" calls from the
UK to the US (billed at more than $2 per min). I called MCI and after they
dialed the number and confirmed that it was indeed a modem and that no,
their operators could not speak V.90, I got a credit for $200 or so.

My next MCI bill was for $4000+ - with exactly the same problem (in this
case close to $3000 in overbilling). This time they would not issue a credit
(they can't tell me why - I'm not allowed to talk to the people who decide
these things).

There are a whole bunch of risks here:

1) Systems that are wrongly configured and overbill even when used
   according to the instructions (and still do it a month after first
   reported)
2) Customer service systems that prevent customers from talking to
   decisionmakers.
3) No exception system to allow issues to be escalated.

I'm reminded of the well-known phrase "We don't care, we don't have to,
we're the phone company".

John Pettitt (ex MCI customer, about to hand the whole mess to the lawyers)

------------------------------

Date: Tue, 1 Jun 1999 19:49:15 -0700
From: "Robert David Graham"
Subject: Allaire firewall RISKS

In the past couple months, hundreds (if not thousands) of web sites using
Allaire's ColdFusion have been hacked (their web pages have been defaced).
When interviewed by the press, one site administrator said, "We are
installing a firewall so that this won't happen again". However, firewalls
do not protect against this particular hack.

Explanation: Firewall technology is based on "port filters". The average web
server has many ports open for a variety of reasons, but needs only port 80
in order to serve web pages. However, ColdFusion runs as part of the web
server reachable at port 80.
QED, placing a firewall in front of a web server provides no protection
against the ColdFusion hack.

Firewalls do not "prevent" hacks, as most people believe. They simply reduce
RISKS by reducing the number of ports or IP addresses that may be exposed
inadvertently on the Internet. The remaining ports (such as e-mail, web, and
FTP servers) can often be hacked.

In practice, firewalls probably increase RISKS overall. Consider a study of
Berlin taxi drivers who were given anti-lock brakes: the taxi drivers
started driving more aggressively, and had more accidents. Therefore, the
study concluded that anti-lock actually INCREASES RISKS. What is really
going on is that firewalls/ABS only decrease RISKS if behavior is left
unchanged, but the added security encourages RISKy behavior.

The ColdFusion bug was not really Allaire's fault -- the bug was in a sample
script that Allaire recommends be removed from a production web server.
Almost every web-site creation package like ColdFusion has the same problem,
including Microsoft's ASP scripting, FrontPage web hosting, and sample CGI
programs. Administrators feel safe behind firewalls and do not diligently
check their web servers for these problems.

For the most part, crackers who intend to deface web pages or steal credit
card information from web servers do not care about firewalls that might
protect the target servers.

Robert Graham http://www.networkice.com/advice

------------------------------

Date: Thu, 3 Jun 1999 12:31:20 -0400
From: Adam Shostack
Subject: Re: Allaire defects are nobody's fault? (Graham, RISKS-20.43)

Robert David Graham wrote:
| The ColdFusion bug was not really Allaire's fault -- the bug was in a
| sample script that Allaire recommends be removed from a production web
| server. Almost every web-site creation package like ColdFusion has the
| same problem, including Microsoft's ASP scripting, FrontPage web
| hosting, and sample CGI programs.
| Administrators feel safe behind

I'm sorry, but that's not the case. The ColdFusion bug was Allaire's fault.
They wrote and shipped crap sample code that has security flaws in it. That
code has probably been modified into other vulnerable programs.

There are a reasonably large number of secure programming FAQs available;
Matt Bishop has one, there's one in Garfinkel and Spafford, there's one I
wrote. I've seen academic references in 1976 or so that programs that don't
validate their input are vulnerable to attack.

To absolve a company of blame for shipping bogus code is wrong. They screwed
up. They got lots of people in trouble. They wasted lots of people's time.
If you don't have time to do the sample code right, don't ship it.

It's been a long time since a problem like this was found in Apache; NCSA
had a slew, and the web folks learned. You can read the history of it in
the bugtraq archives.

------------------------------

Date: Thu, 27 May 1999 13:37:07 -0700
From: Andrew J Klossner
Subject: A Problem with Biometrics

Unlike account numbers and PINs, biometrics suffer from the Universal
Identifier problem. I can use a different account number and password at
each of several institutions, and can change them at need. Switching to
iris scan would have me use the same immutable password everywhere.

This will also lead to unwanted pooling of data by commercial and government
interests. Dig out any article on the evils of the U.S. Social Security
Number as identifier and change "SSN" to "iris scan" throughout.

  -=- Andrew Klossner (andrew@pogo.wv.tek.com)

------------------------------

Date: Mon, 24 May 1999 05:33:33 -0400
From: Ron Ruble
Subject: Re: Biometric risks

In RISKS-20.41, Dan Wallach and Paul Lewis Gittins both mentioned risks
involving lack of an alternative to biometric identification. They
identified the risk of not servicing visually impaired individuals whose
irises can't be scanned.
In the US, failure to provide a fallback method of identification may well
place the owners of the system at legal risk. Not having a fallback may well
be considered a violation of the Americans With Disabilities Act. The ADA
does not spell out specific rules or requirements, but does make the
statement that 'reasonable accommodation' must be made for all persons with
disabilities. It would be up to the jury to decide whether having a card
and PIN as a fallback for the biometric system was reasonable.

Some might argue that many visually impaired people would go to the human
tellers anyway, and during banking hours, this may be an acceptable
accommodation. But it does not provide the 24-hour availability of the ATM.

In addition, the manufacturers of the devices may be at risk if they install
or recommend installing the devices without fallback options.

I seem to recall that several European nations have similar laws that
require similar accommodations for the disabled. I hope some of the
Europeans who frequent this forum will comment on that.

Ron Ruble, Raffles Software Development, Inc.

------------------------------

Date: Fri, 4 Jun 1999 16:33:19 PDT
From: "Peter G. Neumann"
Subject: California will sell confidential wage data

California will begin selling confidential wage data of 14 million of its
residents to private information companies, car dealers and creditors
wanting to check an individual's annual income. [...] No data would be
shared without the written permission of the individual, state officials
said. However, private companies that are deemed qualified to access the
data would operate on an honor system and would not be required to show
proof of each individual's written permission before accessing the
information.

  [Do you believe this one?
  See nandotimes, 3 Jun 1999,
  http://www.nandotimes.com/noframes/story/0,2107,55865-89293-634754-0,00.html]

------------------------------

Date: 17 Apr 1997
From: RISKS moderator
Subject: Privacy Digests

Periodically I remind you of TWO useful digests related to privacy, both of
which are siphoning off some of the material that would otherwise appear in
RISKS, but which should be read by those of you vitally interested in
privacy problems. RISKS will continue to carry general discussions in which
risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein. It includes a digest (which
  he moderates quite selectively), archive, and other features, such as
  PRIVACY Forum Radio interviews. It is somewhat akin to RISKS; it spans the
  full range of both technological and nontechnological privacy-related
  issues (with an emphasis on the former). For information regarding the
  PRIVACY Forum, please send the exact line:
     information privacy
  as the BODY of a message to "privacy-request@vortex.com"; you will receive
  a response from an automated listserv system. To submit contributions,
  send to "privacy@vortex.com".

  PRIVACY Forum materials, including archive access/searching, additional
  information, and all other facets, are available on the Web via:
     http://www.vortex.com

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
  run by Leonard P. Levine. It is gatewayed to the USENET newsgroup
  comp.society.privacy. It is a relatively open (i.e., less tightly
  moderated) forum, and was established to provide a forum for discussion on
  the effect of technology on privacy. All too often technology is way ahead
  of the law and society as it presents us with new devices and
  applications. Technology can enhance and detract from privacy.
  Submissions should go to comp-privacy@uwm.edu and administrative requests
  to comp-privacy-request@uwm.edu.
There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places. If you are very
short of time and can scan only one, you might want to try the former. If
you are interested in ongoing discussions, try the latter. Otherwise, it may
well be appropriate for you to read both, depending on the strength of your
interests and time available.

PGN

------------------------------

Date: 23 Sep 1998 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. Alternatively, via majordomo,
 SEND DIRECT E-MAIL REQUESTS to with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO [for unabridged version of RISKS information]
 .MIL users should contact (Dennis Rears).
 .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues. *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com
 login anonymous
 [YourNetAddress]
 cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 PostScript copy of PGN's comprehensive historical summary of one liners:
   illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.43
************************
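Lloyd Wood's item above on the Lebanese phone-network hoax says that dimensioning switch capacity for expected use gives no graceful degradation under a flash crowd, "that's Erlang for you". The following worked Erlang B computation is an added example written for this edition; it is not code from the digest or from any contributor. The offered loads (10 Erlangs normally, doubling under the surge) and the 1% grade-of-service target are constructed figures chosen to illustrate the point.

```python
"""Erlang B worked example: a trunk group sized for expected load under a
many-to-many surge.  Added example, not from the RISKS digest; the traffic
figures used in the demonstration are constructed."""


def erlang_b(offered_load: float, trunks: int) -> float:
    """Blocking probability for `offered_load` Erlangs offered to `trunks`
    circuits, assuming blocked calls are cleared (Erlang B).

    Uses the recursion B(0) = 1, B(m) = A*B(m-1) / (m + A*B(m-1)), which is
    numerically stable; the closed form with m! overflows for large m.
    """
    if offered_load < 0 or trunks < 0:
        raise ValueError("offered load and trunk count must be non-negative")
    b = 1.0
    for m in range(1, trunks + 1):
        b = offered_load * b / (m + offered_load * b)
    return b


def trunks_for_grade(offered_load: float, target_blocking: float) -> int:
    """Smallest trunk count whose blocking probability meets the target."""
    if not 0.0 < target_blocking < 1.0:
        raise ValueError("target blocking must lie strictly between 0 and 1")
    trunks = 0
    # B decreases monotonically in the trunk count, so this terminates.
    while erlang_b(offered_load, trunks) > target_blocking:
        trunks += 1
    return trunks


def surge_report(normal_load: float, surge_factor: float, target_blocking: float) -> dict:
    """Dimension for normal load, then evaluate the same trunk group when the
    offered load is multiplied by `surge_factor` (a flash crowd)."""
    trunks = trunks_for_grade(normal_load, target_blocking)
    return {
        "trunks": trunks,
        "blocking_normal": erlang_b(normal_load, trunks),
        "blocking_surge": erlang_b(normal_load * surge_factor, trunks),
    }


if __name__ == "__main__":
    # Constructed scenario: 10 Erlangs of normal traffic, 1% target blocking,
    # then everyone picks up the phone at once and the offered load doubles.
    r = surge_report(10.0, 2.0, 0.01)
    print(f"{r['trunks']} trunks meet 1% blocking at 10 E")
    print(f"blocking at normal load:        {r['blocking_normal']:.2%}")
    print(f"blocking when load doubles:     {r['blocking_surge']:.2%}")
```

Eighteen trunks give about 0.7% blocking at the design load; when the offered load merely doubles, the same trunk group blocks roughly one call in five. The curve is steep rather than linear, which is the "no graceful degradation" behaviour the post describes, and it applies equally to any other fixed-capacity resource dimensioned against expected rather than surge demand.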
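Robert Graham's firewall item above makes a layering point: a port filter decides on the destination port alone, so a request carrying an application-level attack to the one port the web server must expose passes straight through, and the protection has to come from the web server itself (here, removing the sample scripts the vendor recommends removing). The model below is an added example for this edition, not code from the digest or from Allaire; the sample-script directory `/samples/` and the request paths are constructed placeholders, and no real ColdFusion path is reproduced.

```python
"""Toy model of a port-filtering firewall in front of a web server, showing
which layer actually stops a request aimed at a shipped sample script.
Added example, not from the RISKS digest; paths and ports are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    dst_port: int
    path: str  # URL path as seen by the web server (empty for non-HTTP)


# Firewall policy: from the Internet, only the web port is reachable.
ALLOWED_PORTS = frozenset({80})

# Constructed placeholder for the directory of vendor sample scripts that the
# documentation says to remove from a production server.
SAMPLE_DIR = "/samples/"


def firewall_allows(req: Request) -> bool:
    """A port filter sees ports and addresses, never the URL or request body."""
    return req.dst_port in ALLOWED_PORTS


def exposed_services(listening_ports: set, allowed_ports: frozenset) -> set:
    """What the firewall leaves reachable: the services that are both
    listening on the host and permitted by the filter.  This is the whole of
    the risk reduction a port filter provides."""
    return set(listening_ports) & set(allowed_ports)


def webserver_handles(req: Request, sample_scripts_removed: bool) -> str:
    """Application-layer outcome for a request that has already passed the
    firewall.  Only the web server's own configuration decides this."""
    if req.path.startswith(SAMPLE_DIR):
        return "404-not-found" if sample_scripts_removed else "200-sample-script-executed"
    return "200-ok"


def outcome(req: Request, sample_scripts_removed: bool) -> str:
    """End-to-end result of one request through both layers."""
    if not firewall_allows(req):
        return "dropped-by-firewall"
    return webserver_handles(req, sample_scripts_removed)


if __name__ == "__main__":
    # Constructed host: several services listening, only port 80 allowed in.
    print("still reachable:", exposed_services({21, 23, 25, 80, 139}, ALLOWED_PORTS))
    probe = Request(80, SAMPLE_DIR + "EXAMPLE.cfm")  # constructed path
    print("telnet to 23:        ", outcome(Request(23, ""), False))
    print("sample script, left: ", outcome(probe, sample_scripts_removed=False))
    print("sample script, gone: ", outcome(probe, sample_scripts_removed=True))
```

The two `outcome` calls on the port-80 request are identical from the firewall's point of view; only the web server's state differs. That is the practical check the post argues for: after deploying a firewall, audit what the permitted ports actually serve, and remove or restrict vendor sample content rather than relying on the filter to reason about it.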