precedence: bulk Subject: Risks Digest 20.56 RISKS-LIST: Risks-Forum Digest Friday 3 September 1999 Volume 20 : Issue 56 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and at ftp.sri.com/risks/ . Contents: Online gambling software flaw (Matthew Schmid) Test page for dangerous ActiveX controls (Richard M. Smith) Intuit strikes again (Gary Cattarin) Danish UPS (Finn Jensen in rec.humor.funny) Tandy bug? (Lindsay Marshall) E*Trade and the Dow Jones (Theodore Y. Ts'o) U.S. top-secret messages go astray (Andrew Johnson) UPenn bug report (Rebecca Mercuri) Local company stung by Y2K bug (Doneel Edelson) Smart Card Forum annual meeting (Donna Farmer) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 3 Sep 1999 05:26:02 -0700 (PDT) From: "Matthew Schmid" Subject: Online gambling software flaw Regardless of its quasi-legal status, online gambling presents an entire raft of risks. Key questions include: Will your personal information be handled securely (for example, will the credit card number you're paying with be stolen or the fact that you're gambling at all be leaked)? What if the gaming site is hacked? Could you be playing against cheating insiders or players acting in collusion? Are the games implemented correctly and fairly? Is the software secure? In response to the last question, we have demonstrated that the answer is no. The Software Security Group at Reliable Software Technologies (www.rstcorp.com) has discovered a serious flaw in the implementation of Texas Hold 'em Poker that is distributed by ASF Software, Inc. (www.asfgames.com). We have exploited this flaw in the lab. Our exploit allows a player (us) to calculate the exact deck being used for each hand in real time. That means a player using our exploit knows the cards in every opponent's hand as well as the cards that will make up the flop (cards placed face up on the table after rounds of betting). We can win every time. A malicious attacker could use our exploit to bilk innocent players of actual money without ever being caught. ASF Software has been notified of the flaw. Currently we know of three online casinos (www.planetpoker.com, www.purepoker.com, and www.deltacasino.com) that appear to use ASF Software's implementation of Texas Hold 'em Poker. All three Websites allow players to compete for real money. There is also a demo casino (www.casinococo.com) that allows players to gamble with play money. We have only used our exploit against the demo casino. The flaw exists in the card shuffling algorithm used to generate each deck. Ironically, the code was publicly displayed at www.planetpoker.com/ppfaq.htm with the idea of showing how fair the game is to interested players (the page has since been taken down). In the code, a call to randomize() is included to produce a random deck before each deck is generated. The implementation, built with Delphi 4 (a Pascal IDE), seeds the random number generator with the number of milliseconds since midnight according to the system clock. That means the output of the random number generator is easily predicted. A predictable "random number generator" is a very serious security problem. There are a number of other problems in the implementation that could lead to complete security compromise. We have only exploited the easiest one at this time. The broad take-home message from this work is simple: when software misbehaves, bad things can happen. Our mission in the Software Security Group is to stamp out insecure code before it is placed in service. Members of the group involved with the Gambling exploit are: Brad Arkin, Frank Hill, Scott Marks, Matt Schmid, and TJ Walls. The Software Security Group is led by Dr.Gary McGraw. Matt Schmid, Reliable Software Technologies ------------------------------ Date: Sun, 29 Aug 1999 14:04:32 -0400 From: "Richard M. Smith" Subject: Test page for dangerous ActiveX controls There are a number of outstanding problems with ActiveX controls that are awaiting patches from Microsoft. I've put together a test page which will determine which dangerous ActiveX controls are installed on a system. Here is the URL: http://www.tiac.net/users/smiths/acctroj/axcheck.htm I think the best solution for right now is to turn off ActiveX in IE4 and IE5. The "bad guys" can use these controls to do all sorts of nasty stuff in Web pages, HTML E-mail messages, and even newsgroup messages. Affected products are Internet Explorer, Outlook, Outlook Express, and Eudora. Note: the test page requires IE4 or IE5. Netscape users are safe because Navigator does not support ActiveX controls. Richard ------------------------------ Date: Wed, 1 Sep 1999 20:54:13 -0700 From: "Gary Cattarin" Subject: Intuit strikes again Intuit blows it again. Should we be surprised? Go to: http://privacy.intuit.com/ Read all the high and mighty "We're so careful about your privacy it hurts" crap. At the bottom, find a link that reads, "If you would like to review or change your contact preferences, please click here." Enter your last name and ZIP code. No, wait, enter ANYONE'S last name and ZIP code who you think might use any Intuit product. It's not hard to think of someone who might. Of course, you are taken - without any verification whatsoever - right to that individual's privacy profile, where you can determine your friend's, neighbor's, enemy's, or mother's choice of receiving junk snail mail, e-mail, and/or phone solicitations from Intuit, or whether Intuit may spread their information across the globe (only to "vigorously screened companies" of course!!!). You can even change their e-mail - so perhaps you can use someone else's profile to create SPAM into your favorite enemy's inbox! (Oh, if Dick Nixon were still alive...) Risk? Privacy statements and policies mean nothing if the company maintains no control over the information required to implement them. Weak attempts at "privacy control" allow easy abuse and further multiply the problem. So go ahead! Protect your neighbor from junk mail. I did. (He'd thank me for it if he ever knew I could do that.) Gary Cattarin - cattarin@ma.ultranot.com (Humans will guess the real address - e-mail address-grabbing scanners will not!) ------------------------------ Date: Tue, 31 Aug 1999 19:30:00 PDT From: Finn Jensen Newsgroups: rec.humor.funny Subject: Danish UPS [Courtesy of Aram Khalili, Jim Griffith, and Julian Thomas] To good to be true, but it is. From the Tele Danmark (ISP) homepage, translated from Danish. >This morning, Tele Denmark Internet was out of order, because the power >supply failed. It meant that customer couldn't connect to the Internet. > >The problem occu[r]red at 7:45, when a truck drove into the cabinet that >supplies Tele Denmark Internet with power. The truck was delivering a new >uninterruptible power supply, and therefore the old UPS had been disconnected. >At 9:00 the power returned and the different system began to reestablish, and >everything is expected to return to normal again by 10:30. Tele Denmark >Internet regrets the disturbance to its customers. [http://www.opasia.dk/online/tele_danmark/index.html, English here cleaned up a bit for humor's sake - ed.] ------------------------------ Date: Fri, 3 Sep 1999 14:09:52 +0100 (GMT) From: Lindsay.Marshall@newcastle.ac.uk Subject: Tandy bug? The following story was recently forwarded to the EGR mailing list. I wonder if anyone knows anything more about it? L. 2) William Slattery shares the following personal experience. All you reporters out there might take special note. Y2K is here! I got a check in the mail last week from Tandy Corporation: $891.24. A nice chunk of change that there is no way in the world they could owe me. Here is what I think happened. Because of my odd habit of paying off most of my bills to the nearest ten dollars OVER what I actually owe (it makes the math easier when I balance my checkbook), I had a small credit on my Radio Shack credit card. Their computer looked at the end of the billing period, which fell after the infamous 9/9/99, and said Wowza!, this guy has had a five dollar credit on our books since January 1 of 1900. Since company policy is to pay off credits on inactive accounts, I'm going to calculate the interest and cut this guy a check. So here we are. I phoned Tandy headquarters (817-415-3011) and talked with the person in charge of this sort of thing, Lisa Mapes. I told her there was no way Radio Shack could owe me 900 bucks because I hadn't spent that much money in their stores in my whole life. I told her I thought they had a Y2K problem. She laughed at me. It was not a good laugh. It was the "you're so ridiculous it's hilarious" kind of laugh. Ms. Mapes told me to go ahead and cash the check. Radio Shack really owes me this money, she says, even though they are completely unable to explain WHY they owe me the dough. I told reporters at The New York Times and National Public Radio that all their stories warning about Y2K were finally starting to pay off. I figured that after years of running Chicken Little stories -- the sky is gonna fall! the sky is gonna fall! -- it would make a good little story when the first chunks of sky actually started landing on people's heads. Apparently not. They seem profoundly uninterested. To a mind as comprehensive as yours, I am sure the potential for gaining fabulous wealth is immediately apparent. The key to getting rich off Y2K is to open numerous small accounts under assumed names, lodge small credits in them, and wait for the checks to roll in. If I'd thought of it sooner -- and could get rid of this pesky conscience -- I'd be a rich man today. ------------------------------ Date: Thu, 2 Sep 1999 16:33:57 -0400 From: "Theodore Y. Ts'o" Subject: E*Trade and the Dow Jones After suffering through the E*Trade / Red Hat fiasco, where each time I talked to a human being, I was really impressed, but each time I had to deal with the web page software I was less than impressed, I suppose I shouldn't be surprised about much from E*Trade's web page. But imagine my amusement when I looked at E*Trade's main web page, which according to its Market Watch, as of 9/2/1999, at 2:49pm the Dow Jones Industrial Average was $1.00, down $10936.88. Somehow, I have a little bit of trouble believing that. Either that, or that stock market bubble that Greenspan keeps worrying about was far more real than anyone ever believed!:-) (Given that the Nasdaq has only dropped 21.5 points today, I'm assuming the DJIA didn't really lose over ten thousand points.) Obviously, E*Trade's software doesn't have any "that can't *possibly* be right" checks, so when it somehow got the bogus data about the value of the DJIA, the software very happily calculated that if the index is currently worth one dollar, then it must have dropped $10,936.88 since yesterday. Fortunately, it's pretty obvious that the DJIA on the Market Watch web page couldn't possibly be right, but this brings up some obvious questions that should be familiar to all Risks readers: what if some other dumb computer program which was rigged to do program trading decided this meant it should dump all of its holdings in a hurry? (Or buy lots of stocks since obviously everything is cheap.) What if the numbers on E*Trade's Market Watch were off by some significant amount, but not in a way which made it immediately obvious that it was in space? Could a human being be taken in by its a likely-looking-but-wrong DJIA, and mistakingly make some trades based an incorrect market index? - Ted P.S. I've saved a copy of the gif image displayed by E*Trade's Market Watch, for those who'd like to see this for themselves. It can be found at: http://web.mit.edu/tytso/www/etrade-djia.gif ------------------------------ Date: Fri, 3 Sep 1999 18:30:53 +1200 From: "Andrew Johnson (A.J.)" Subject: U.S. top-secret messages go astray A common risk inherent in all of our communication technology is...well, once again, human error. Next week New Zealand hosts the APEC conference in Auckland, being attended by a substantial number of world leaders, including President Clinton from the U.S. So imagine if Saji Phillips, a chicken farmer from Auckland, had been one of those people who holds a grudge: He was accidentally faxed the security arrangements for the U.S. Embassy and U.S. Delegation, including Mr Clinton, today N.Z. time (3 September 1999). See Newsroom.co.nz : http://www.newsroom.co.nz/story.asp?s=5469 [Another story says this had happened repeatedly.] The Risk here is very clear... imagine how much that information would be worth to the right person! Not that anyone would think that free trade is a bad thing, of course. *ahem*... Andrew Johnson http://critique.net.nz/aj/mania/ ------------------------------ Date: Wed, 1 Sep 1999 17:51:43 -0400 (EDT) From: Rebecca Mercuri Subject: UPenn bug report Here's the report on what happened to cut Penn entirely off from the Internet. R.Mercuri Date: Tue, 31 Aug 1999 20:11:25 -0400 Reply-To: Network Administration From: Network Administration Subject: ****EXTERNAL CONNECTIVITY RESTORED**** Comments: To: pennnet-announce@isc.upenn.edu To: UUGP@LISTS.UPENN.EDU Date: Tuesday August 31, 1999 Time: 2:20pm - 7:30pm Duration: 5 hours Buildings Affected: Entire Campus Services Affected: Internet Connectivity Description: At 2:20 this afternoon, the University's Internet connectivity was disrupted due to a problem with a Bell Atlantic high-speed line. By 7:30 this evening, Bell Atlantic had taken steps to restore our link to UUNet. There may be a brief interruption to our service in the next 24-48 hours while Bell Atlantic makes permanent repairs. netadmin@isc.upenn.edu ------------------------------ Date: Fri, 3 Sep 1999 12:18:36 -0400 From: "Edelson, Doneel" Subject: Local company stung by Y2K bug Y2K glitches happen to even the most computer savvy folks. Wayne Moule, president of Northwest Metrology, a company that calibrates electronic test equipment for federal agencies and major corporations, is a case in point. Moule sees the damage every day and still is counting losses - $80,000 and growing - because software he owns fell victim to a year 2000 problem. ... [Source: Marc Benjamin, *The Bakersfield Californian*, 24 August 1999; PGN-ed] ------------------------------ Date: Sun, 29 Aug 1999 17:40:30 -0400 From: "Donna Farmer" Subject: Smart Card Forum annual meeting Who: Leading privacy and Internet commerce technologists What: Smart Card Summit '99: Privacy & Security in the New Millennium When: September 22-23, 1999 Where: JW Marriott Hotel in downtown Washington, DC Web-information: http://www.smartcardforum.org or call (202) 530-5306. ------------------------------ Date: 23 Sep 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.56 ************************