precedence: bulk
Subject: Risks Digest 20.83

RISKS-LIST: Risks-Forum Digest  Wednesday 8 March 2000  Volume 20 : Issue 83

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Gallup hacked (PGN)
Aum Shinri Kyo affiliate develops Japanese government software (PGN)
Computer releases prisoner (Bob Church)
Online broker blames outages on software maker (NewsScan)
Boeing loses space station parts (PGN)
Arizona primary is first binding election with Internet voting (Sidney Markowitz)
New Zealand's INCIS Crime Information System (Richard A. O'Keefe)
Risks of Web information on heart attacks (PGN)
Census fiasco (Bob Frankston)
UK ISPs leave themselves open to potential abuse (Pedt Scragg)
Judge sends message to network vandals: "go to jail" (NewsScan)
The scary MSWord residue feature (Avi Rubin)
Re: "Unstable" postal addresses (Peter Corlett)
ADSL snooping (David)
Risks of Leap Years and Dumb Digital Watches, quadrennial posting (Mark Brader)
Leap-day 2000 (Chris Kuan)
Leap-day 2000: VCR (Bob Erkamp)
Leap-day 2000: Checkbook magazine (Jeremy Epstein)
Getting Jenni arrested (Keith Schon via sragsdale)
Privacy risks as mid-sized orgs decide that Web access is cool (Daniel P.B. Smith)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 07 Mar 2000 21:31:34 -0800
From: "Peter G. Neumann"
Subject: Gallup hacked

The Gallup Organization's Internet site was hacked, shortly before today's primary elections. The hacked Web page appeared to be the work of John Vranesevich's AntiOnline, although JV denies it and Gallup also believes that his identity was spoofed.
Gallup's 65-year historical polling data remained unchanged -- because their internal site won't be connected until 1 Sep 2000. But this certainly gives them an incentive to make sure their internal site is more secure.

[Source: Vandal alters Gallup Internet site just before primaries, cnn.com, 7 Mar 2000, courtesy of Dave Stringer-Calvert. See also
  * On the Net: Gallup's Web site: http://www.gallup.com
  * AntiOnline's Web site: http://www.antionline.com
  * Image of Gallup's hacked site: http://www.attrition.org/mirror/attrition/2000/03/05/www.gallup.com/
I guess the archival history items might be known as "Gallup-agos". Studying them tortoise a lot. PGN]

------------------------------

Date: Sun, 5 Mar 2000 14:15:01 -0500
From: "Peter G. Neumann"
Subject: Aum Shinri Kyo affiliate develops Japanese government software

An affiliate of Aleph, the cult formerly known as Aum Shinri Kyo (known for its nerve gas attacks in Tokyo subways), has apparently been a subcontractor on Japanese Defense Agency contracts for the development of a secure communication network, and is suspected of planting a security trapdoor. Police notified the Agency the day before operation was scheduled to begin. The company also developed software for the Construction Ministry, the Posts and Telecommunications Ministry, the Education Ministry, and NTT (among others). This discovery follows on several recent attacks on Japanese government Web sites, whose attackers were not identified.

[Source: Doomsday Cult Linked to Government, 29 Feb 2000, courtesy of John Lowry. http://library.northernlight.com/EB20000229590000030.html?cb=0&dx=1006&sc=0#doc PGN-ed]

------------------------------

Date: Mon, 6 Mar 2000 13:06:21 -0500
From: Bob Church
Subject: Computer releases prisoner

The Southeastern Ohio Jail is a recently completed facility to serve four or five counties in Southeast Ohio. It was the subject of several news stories about delayed and poorly done construction.
Executive Director Cochran publicly accused the contractors of "piddling around" instead of finishing work. The following article appeared in the March 5, 2000 issue of 'The Sunday Messenger' in Athens, Ohio.

  Escaped Inmate Still at Large

  An inmate who escaped from an unsecured door at the Southeastern Ohio Jail Wednesday evening remained at large Saturday afternoon. [descriptions of Tharpe, accused of armed robbery of a carry-out and considered dangerous ...]

  Tharp was able to walk out of the jail when the emergency evacuation system failed and unlocked all outside security doors to the jail, Cathy Cochran, Executive Director explained. If the system would have been working correctly, a two-minute warning would have occurred before the door unlocked and the officer on duty would either give the go-ahead or discontinue the command. Instead the doors were unlocked automatically and Tharp walked out.

  The alarm company that installed the system was on the site Thursday and reviewed with officers a number of possibilities that could have occurred. Regional Jail Captain John Morris said Friday "to insure nothing like this incident could ever occur again, we have taken all the fuses out of the outer security doors. Only officers with keys will have the availability to unlock the door for exit purposes."

[The RISKS archives have a bunch of computer-related prison screwups.]

------------------------------

Date: Fri, 03 Mar 2000 08:56:53 -0700
From: "NewsScan"
Subject: Online broker blames outages on software maker

National Discount Brokers, an online brokerage, says the outages it experienced recently were the result of "hacker-like" attacks by an unnamed Web software maker. The company had originally said its problems "had the earmarks of a hacker attack." Apparently, the periodic disruptions were the result of software incompatibility with products made by the outside company that resulted in denial-of-service-type outages.
NDB says it's considering whether to pursue "appropriate judicial relief" through legal action against the company. The outages meant that NDB customers had to wait an average of 43.9 seconds to reach its site, twice as slow as the next slowest online trading site, and prevented 200,000 customers from placing stock orders online, although they could still relay orders over the phone. [http://www.techweb.com/wire/story/reuters/REU20000303S0001 Reuters/TechWeb 3 Mar 2000; NewsScan Daily, 3 Mar 2000]

------------------------------

Date: Mon, 6 Mar 2000 14:20:52 PST
From: "Peter G. Neumann"
Subject: Boeing loses space station parts

Two nitrogen and oxygen tanks (worth $750,000) still in their crates (5 feet on a side) for use by space-station astronauts were apparently accidentally sent off to the Huntsville dump after being moved outdoors temporarily to make room inside the Boeing plant.
http://dailynews.yahoo.com/h/ap/20000303/sc/space_station_trash_1.html

------------------------------

Date: Tue, 7 Mar 2000 13:09:31 -0600
From: "Sidney Markowitz"
Subject: Arizona primary is first binding election with Internet voting

The Associated Press has a fairly upbeat article about the Arizona Democratic Primary as the first binding election in the US with votes cast over the Internet.
http://www.mercurycenter.com/svtech/news/breaking/ap/docs/288268l.htm

Other mainstream coverage is in Time
http://www.time.com/time/digital/daily/more/0,2845,0,00.html

The online voting is being conducted by Election.Com
http://www.election.com/

But the darker side can be found at the Web site of the group that sued to stop the online election, Voting Integrity Project,
http://www.voting-integrity.org/
where their case is made more strongly than in the brief summary of the AP article.

RISKS readers may be interested in the security of the voting process. According to the elections.com website, each voter receives a PIN via postal mail that gets them access to the voting web page.
A voter also has to answer "several questions" to confirm their identity. The instructions also remind the potential voter that "[...] it is a Class 5 felony offense to knowingly vote at an election when not entitled to do so." That is not the same as verification of the identity of the person who knows the PIN and knows the answer to the several personal questions, but then I've never had to show a photo id when I have gone to a polling place to vote.

VIP's objections appear to have less to do with security and more with the effects of unequal access by the poor and minorities who are less likely to have a computer and an Internet connection. Easier voting for one group is seen to mean more voting power for that group.

Sidney Markowitz

------------------------------

Date: Thu, 09 Mar 2000 14:57:20 +1300
From: "Dr Richard A. O'Keefe"
Subject: New Zealand's INCIS Crime Information System

The New Zealand Police had 18 databases that were nearing the end of their useful life in 1990. They came up with the idea of combining them, plus a bunch of other stuff, to form the Integrated National Crime Information System. The business case was drawn up in 1993, and a contract signed with IBM in 1994. Last August, IBM pulled out, with only Increment 1 (of three Increments) completed. The project was three years late and running later all the time. The money was also blowing out: it was originally expected to cost NZD 80 million but was up to NZD 134 million when IBM pulled out. The government sued and IBM counter-sued, but that is now settled.

The Report of the Justice and Law Reform Committee on the CARD and INCIS systems can be found at
http://www.gplegislation.co.nz/incis/incis.html

Since that report was issued last year, we have a new government, which has promised a fuller enquiry into the INCIS affair, but not the Royal Commission that many people were expecting.
About NZD 50 million of the cost was for hardware: 3000-odd PCs (although the amount spent on PCs seems rather higher than I would have expected), networks, buildings, and an S390 mainframe at about NZD 7.5 million, which the government now want to sell because it costs NZD 0.5 million/month to run. See
http://www.govt.nz/news/detail.php3?id=400
which has a link to a recent report on Police & Justice IT requirements. Regular readers of comp.risks will find no real surprises in the report, including the fact that there are worries about data quality in the main Law Enforcement System data base (fields are not being used for their intended purposes, and the Courts don't bother filling some of the fields in anyway).

Quick summary:
 - ambitious project (there wasn't anything like it available)
 - customer demanded major architectural changes part way through
 - requirements took a long time to discover
 - customer kept asking for new features
 - management problems (top level customer people who didn't get on, rapid project management turnover at IBM)

Mind you, it helped bring down the New Right government, so it's an ill wind as they say...

------------------------------

Date: Wed, 08 Mar 2000 13:21:23 PST
From: "Peter G. Neumann"
Subject: Risks of Web information on heart attacks

The following letter appears on the Rochester General Hospital Web site
[http://www.viahealth.org/via_news/99_news/99_august_news/heartattack.htm]

  Important Notice Regarding the article "How to Survive a Heart Attack When Alone."

  Hundreds of people around the country have been receiving an e-mail chain letter entitled "How to Survive a Heart Attack When Alone." This article recommends a procedure to survive a heart attack in which the victim is advised to repeatedly cough at regular intervals until help arrives. The source of information for this article was attributed to ViaHealth Rochester General Hospital.
  This article is being propagated on the Internet as individuals send it to friends and acquaintances - and then those recipients of the memo send it to their friends and acquaintances, and so on. We can find no record this was produced by Rochester General Hospital. Furthermore, the medical information listed in the article can not be verified by the medical literature.

  Please help us combat the proliferation of this misinformation. We ask that you please send this e-mail to anyone who sent you the article, and please ask them to do the same.

  Sincerely,
  John Turner, Director of Public Relations
  ViaHealth Rochester General Hospital

[This is of course not a unique case. I include it here simply as one more reminder of the risks of unauthenticated e-mail. Incidentally, speaking of e-mail, the ever-vigilant French have now rejected the use of the term "e-mail" (and many other terms) as further incursions of American/English into francais. It is not clear whether the fact that "email" is a perfectly good old French word (relating to enameling) had anything to do with the matter. (New RISKS readers in the past four years might want to look at my lead note in RISKS-17.95.) PGN]

------------------------------

Date: Wed, 8 Mar 2000 11:36:35 -0500
From: "Bob Frankston"
Subject: Census fiasco

Apparently all the informational mailings about the 2000 census [US] put an extra digit before house numbers so that 23 Main St can become 123 Main St. Apparently the solution is to tell the postal workers to ignore the first digit. Sounds reasonable except that this is the 2000 census and the real address is in the barcode not the printed version. Seems similar to the assumption that the Post Office made in changing some zip codes in 021 to 024 -- the number is now a database key, not a physical delivery route.

So I looked a little further and saw
http://www.census.gov/Press-Release/www/2000/cb00cn21.html
which said that the barcodes are, in fact, correct.
So it is just a minor labeling error at the end point. The real risk is in news reports passing on factoids without understanding the underlying issues and thus giving a misleading report. Alas, this is the norm. The good news [NPI - No Pun Intended] is that they are not the sole gatekeepers of information even though the newspapers still don't provide links to their sources even if the source is a standard press release.

Of course, there's the whole issue of this being the last paper-based census but that is beyond the scope of riskoids.

Bob Frankston  http://www.Frankston.com

------------------------------

Date: Tue, 7 Mar 2000 17:41:46 +0000
From: Pedt Scragg
Subject: UK ISPs leave themselves open to potential abuse

A number of the new 'free' UK ISPs have left themselves open to potential abuse with certain e-mail/website addresses being available for the general public that should perhaps be not available.

I happen to be sysadmin@network-operations.freeserve.co.uk and also network_operations@tesco.net amongst others - all via the signup page on their web sites and I get web sites to match the name.

Risks: I could put up a web site detailing non-existent problems or post to newsgroups using these addresses and they may well be believed as being from someone who works at the relevant NOC. Joe Public might well believe a site at http://www.network-operations.freeserve.co.uk or at http://www.network_operations.tesco.net as being legitimate sites for the ISP if found on a Search Engine.

Pedt Scragg, Signpost Web Design, Wrecsam, North Wales  http://signpost-design.co.uk/

------------------------------

Date: Mon, 06 Mar 2000 07:59:23 -0700
From: "NewsScan"
Subject: Judge sends message to network vandals: "go to jail"

Federal judge Irma Gonzalez has imposed an 18-month prison sentence on a 27-year-old man who as leader of a 12-member ring of network vandals broke into the computer systems of a number of major U.S. phone companies.
In passing the sentence, the judge said: "This is a crime which is becoming more and more prevalent in our society. There has to be a message sent to this community that people like you, who commit this type of crime, will be punished." [AP/*San Jose Mercury News*, 5 Mar 2000; NewsScan Daily, 6 March 2000]

------------------------------

Date: Wed, 1 Mar 2000 21:16:53 GMT
From: rubin@research.att.com (Avi Rubin)
Subject: The scary MSWord residue feature

I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of Word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written. We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye-opening experience.

It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature. This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send Word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind-the-scenes conversation in an important Word document, that I was never intended to see.
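The residue Rubin describes still exists in today's .docx packages: tracked insertions and deletions (with the deleted text itself), reviewer comments, and the Track Changes switch all live in the file's XML parts whether or not the highlighting is displayed. The Python script below is an added example, not part of Rubin's post or of this digest. It builds a constructed two-version sample (a clause with a deletion, an insertion and a comment, and the same clause with every change accepted), then scans a package the way a pre-send check should. It reads only the modern WordprocessingML format (w:ins, w:del, w:delText, w:comment, w:trackRevisions), not the 2000-era binary .doc; the clause text, author name and comment are all made up.

```python
"""Scan a .docx package for tracked-change and comment residue before it is sent out."""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS  # ElementTree's Clark-notation prefix for the w: namespace

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)


def _text(node, tag):
    """Concatenate the text of every <w:tag> element below node, in document order."""
    return "".join(t.text or "" for t in node.iter(W + tag))


def scan_docx(data):
    """Return what a recipient can recover from the package beyond the visible text."""
    findings = {"insertions": 0, "deletions": 0, "deleted_text": [],
                "comments": 0, "comment_text": [], "track_revisions": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        doc = ET.fromstring(z.read("word/document.xml"))
        findings["insertions"] = sum(1 for _ in doc.iter(W + "ins"))
        for deleted in doc.iter(W + "del"):      # deleted runs keep their text in w:delText
            findings["deletions"] += 1
            findings["deleted_text"].append(_text(deleted, "delText"))
        if "word/comments.xml" in names:         # reviewer comments are a separate part
            comments = ET.fromstring(z.read("word/comments.xml"))
            for comment in comments.iter(W + "comment"):
                findings["comments"] += 1
                findings["comment_text"].append(_text(comment, "t"))
        if "word/settings.xml" in names:         # the Track Changes switch itself
            settings = ET.fromstring(z.read("word/settings.xml"))
            findings["track_revisions"] = settings.find(W + "trackRevisions") is not None
    return findings


def has_residue(findings):
    """True if anything beyond the accepted text would travel with the file."""
    return any(findings[key] for key in ("insertions", "deletions", "comments", "track_revisions"))


def accepted_text(data):
    """The text as it reads with every change accepted: what the sender believed was sent."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return _text(ET.fromstring(z.read("word/document.xml")), "t")


def build_sample_docx(clean=False):
    """Constructed sample (not a real contract): a clause with a price change and a comment.
    clean=True builds the same clause with all changes accepted and the comment removed."""
    if clean:
        runs = '<w:r><w:t>The buyer shall pay $75,000 within 30 days.</w:t></w:r>'
    else:
        runs = (
            '<w:r><w:t>The buyer shall pay </w:t></w:r>'
            '<w:del w:id="1" w:author="Counsel" w:date="2000-02-28T00:00:00Z">'
            '<w:r><w:delText>$50,000</w:delText></w:r></w:del>'
            '<w:ins w:id="2" w:author="Counsel" w:date="2000-02-28T00:00:00Z">'
            '<w:r><w:t>$75,000</w:t></w:r></w:ins>'
            '<w:commentRangeStart w:id="0"/>'
            '<w:r><w:t> within 30 days.</w:t></w:r>'
            '<w:commentRangeEnd w:id="0"/>'
        )
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>'
                % (W_NS, runs))
    comments = ('<w:comments xmlns:w="%s"><w:comment w:id="0" w:author="Counsel">'
                '<w:p><w:r><w:t>Client says do not go below 60k.</w:t></w:r></w:p>'
                '</w:comment></w:comments>' % W_NS)
    settings = '<w:settings xmlns:w="%s"><w:trackRevisions/></w:settings>' % W_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", document)
        if not clean:
            z.writestr("word/comments.xml", comments)
            z.writestr("word/settings.xml", settings)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("as sent", build_sample_docx()),
                        ("changes accepted", build_sample_docx(clean=True))):
        found = scan_docx(blob)
        print(label, "->", accepted_text(blob))
        print("  residue:", has_residue(found), found)
```

Both versions read identically as accepted text, which is exactly why turning off the highlighting feels like enough; only the scan shows that the first one still carries the old price and the comment to the client. To check a real file, pass its bytes to scan_docx(); any non-zero count or a set track-revisions flag means the document needs "Accept All Changes" and comment removal before it leaves.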
------------------------------

Date: Sun, 05 Mar 2000 15:18:47 +0000
From: Peter Corlett
Subject: Re: "Unstable" postal addresses (Re: Dellinger, RISKS-20.82)

The UK Post Office exacerbates this somewhat by providing a database that will cleanse and correct addresses. This works by taking the house number and the post code, and generating an address in the preferred format for the Post Office. For example, the house number "234" and the post code "SW6 9XY" (that I've just plucked out of the air) might produce the address:

  234 Random Street
  Fulham
  London
  SW6 9XY

This is quite a good scheme as it goes, since many companies seem to use it as an extra form of validation. If I phone a company who want my address, I'll be asked for my post code - which gives the street name and a range of house numbers - and will then be asked for my full address which they will cross-check on the screen. If it doesn't match, they know there's an error, and I'm asked to repeat it. This is a great tool that stops misaddressing.

Unless you're in a property that has been split into flats and has not been coded by the Post Office. For example, suppose 234 Random Street has been split into flats, and that I live in flat number 1. The proper address that I give out would thus be:

  Flat 1
  234 Random Street
  Fulham
  London
  SW6 9XY

Mail is successfully delivered to me at such an address. Unfortunately, some companies tend to lose the "Flat 1" because their database only has fields for "street address", "local area" and "post town", or try to use the 1 in the database, instead of 234. If you're lucky, 1 SW6 9XY is invalid, and it gets flagged. If not, your mail's going to go astray, being sent over a hundred doors down the road.

Other problems involve trying to bodge the "Flat 1" into the "street address" field of the database, since the database designer was a bit short-sighted. You will now see things put there as "Flat 1, 234 Random Street", or sometimes "1 234 Random Street".
You'd better hope the postman's on the ball and there aren't a thousand houses on the street.

The Risk here is that some databases in use aren't able to handle sub-addressing or free-form addresses, yet the designers still thought that their database would know somebody's address is what they claim it is.

Time for a PO Box, I guess, let's see how they cope with that.

------------------------------

Date: Fri, 25 Feb 2000 11:01:41 -0500
From: da0g+@andrew.cmu.edu (David)
Subject: ADSL snooping

On my ADSL system, with tcpdump, I've noticed traffic between two other machines. The traffic was not going through my system. But I was free to observe it, and snoop on the telnet sessions.

This was not normal. Bell Atlantic does not usually do this. (They have been informed, and will presumably take steps to correct this matter.) However, it drives home the point that ADSL is *NOT* a substitute for decent security (ssh, kerberized services, etc).

------------------------------

Date: Tue, 29 Feb 2000 13:32:05 -0500 (EST)
From: msb@vex.net (Mark Brader)
Subject: Risks of Leap Years and Dumb Digital Watches, quadrennial posting

All right now, how many people reading this...

-> saw a previous version of this message in Risks 6.34, 13.21, or 17.81,
-> have watches that need to be set back a day because, unlike the smarter kind of digital watch, they went directly from 28 Feb to 1 Mar,
-> and *hadn't realized it yet*?

Mark Brader, Toronto, msb@vex.net

------------------------------

Date: Wed, 01 Mar 2000 12:50:15 PST
From: "Chris Kuan"
Subject: Leap-day 2000

My father's digital Casio wristwatch changed from Feb 29 to 30 Feb this year.

------------------------------

Date: Wed, 01 Mar 2000 09:17:39 -0700
From: Bob Erkamp
Subject: Leap-day 2000: VCR

I have a Sony SLV-940HF VCR with a nice feature that gets the date and time over cable from any channel that broadcasts it (I think it's PBS). I had programmed some shows to be recorded for Feb.
29/2000 and just happened to notice that the VCR wasn't recording when it should be. I checked my programming and the entries were there but the VCR wasn't taping? I then checked the date and time and it said it was Monday, February 28! The only way I could get my VCR to record anything yesterday was to switch to manual date and time. I am not sure which channel was broadcasting the incorrect time but I suspect others may have run into this?

Bob Erkamp, Alberta Research Council, 250 Karl Clark Road, Edmonton, Alberta T6N 1E4 CANADA  1-780-450-5181  http://www.arc.ab.ca/individuals/erkamp/

------------------------------

Date: Wed, 1 Mar 2000 14:04:53 -0500 (EST)
From: Jeremy Epstein
Subject: Leap-day 2000: Checkbook magazine

I'm sure there are lots of these. Among them, Washington Checkbook magazine (a consumer magazine) seems to have sent out erroneous subscription renewals to some/all of their subscribers yesterday (February 29th). They sent out an apology e-mail, which is how I found out.

------------------------------

Date: Thu, 02 Mar 2000 18:21:05 GMT
From: sragsdale@my-deja.com
Subject: Getting Jenni arrested

[My friend Keith Schon told me this story about Valentine's day, and I offered to post it to comp.risks for him.]

I decided to send my girlfriend flowers for Valentine's Day, and I ordered them through the 1-800-Flowers website. Where the field says "enter card message" I typed "If I was there I would get myself a great big kiss from you."

When the flowers arrived (3 days from the target date), the message on the card had been truncated by a few crucial words. The new mangled message left off my name and ominously said "If I was there I would get myself." One of her co-workers was sufficiently disturbed and called university security, who detained and questioned my girlfriend for most of the morning about stalkers, bomb-threats, etc. Basically I paid to have my girlfriend arrested.
I sent e-mail to their customer service department through the same website. They advertised a response within 12 hours. 4 days later, I got a form letter offering a partial discount, which showed no sign of their actually having read my e-mail.

The RISK seems to be "be careful when you automate." If you're going to rush the results out to customers before a human being checks them, at least make good on your customer service. I'll never use these guys again via web or phone, and I have a feeling they made a lot of their other V-Day customers feel the same way.

------------------------------

Date: Wed, 8 Mar 2000 13:43:38 -0500 (EST)
From: "Daniel P. B. Smith"
Subject: Privacy risks as mid-sized orgs decide that Web access is cool

I belong to the singing organization SPEBSQSA (Society for the Preservation and Encouragement of Barber Shop Quartet Singing in America), a nonprofit organization with about thirty thousand members and an increasingly sophisticated Web operation.

Recently I received an unsolicited e-mail announcement of their "members only" area. The e-mail, which of course wasn't secured in any way, included a password for access to the account which happened to be a single, correctly spelled English word six letters long.

On accessing the account I find that any member is, among other things, able to obtain the chapter roster of any chapter, complete with names, addresses, home, work and fax phone numbers and e-mail address of every member in the chapter. (The chapters have to be accessed by their code number, but the code numbers are sequential and readily available in SPEBSQSA publications). At very roughly 1000 chapters and 30 members per chapter, it would be very feasible for a 'bot, or even a moderately patient human, to obtain the complete membership list for the entire organization.
There's no terribly sensitive information here, and of course there is the disclaimer: "The information contained on this site is confidential and may only be used for official SPEBSQSA business by authorized Society members. Unauthorized use of this site or the data it contains is strictly prohibited," which would presumably allow egregious abusers to be successfully sued.

Still, this is AWFULLY sloppy. The necessary expertise to make information available on a Web site is propagating an awful lot faster than the expertise needed to keep it secure. And the customary practice seems to be "_first,_ let the cat out of the bag; _then_ inform you that there's a cat and a bag."

Daniel P. B. Smith

------------------------------

Date: 13 Dec 1999 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 SEND DIRECT E-MAIL REQUESTS to with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO     [for unabridged version of RISKS information]
 .MIL users should contact (Dennis Rears).
 .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com
 login anonymous
 [YourNetAddress]
 cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 Also, new AUSTRALIAN archives at http://mirror.aarnet.edu.au/risks/ and
 http://the.wiretapped.net/security/textfiles/risks-digest/ .
 PostScript copy of PGN's comprehensive historical summary of one liners:
 illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.83
************************
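Appended after the digest and not part of it: the four leap-day items above (Brader's watches that went from 28 Feb straight to 1 Mar, Kuan's Casio that went on to 30 Feb, Erkamp's VCR fed a broadcast date of 28 Feb, Epstein's renewal notices) all come down to the Gregorian rule for the year 2000. The Python below is an added example written for this page, not code from any of those posters or from the watch makers. It implements the correct rule, models the two broken rules the watches appear to follow as constructed variants (the names is_leap_julian, is_leap_no_400_rule and the february_cap parameter are mine), and walks a whole year of each against the standard library to find the first date where they disagree.

```python
"""Gregorian leap-day arithmetic beside two broken rules of the kind the digest's watches showed."""
import datetime


def is_leap_gregorian(year):
    """Correct rule: every 4th year, except centuries, except every 400th year."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def is_leap_julian(year):
    """Constructed broken rule: every 4th year with no century exception.
    Right in 2000, wrong in 1900 and 2100."""
    return year % 4 == 0


def is_leap_no_400_rule(year):
    """Constructed broken rule: the century exception without the 400-year exception.
    This is the watch that jumps from 28 Feb 2000 to 1 Mar 2000."""
    return year % 4 == 0 and year % 100 != 0


MONTH_LENGTHS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def days_in_month(year, month, is_leap=is_leap_gregorian, february_cap=29):
    """Length of a month under a given leap rule.
    february_cap=30 models a watch whose leap-February table runs one day too long."""
    if month == 2 and is_leap(year):
        return february_cap
    return MONTH_LENGTHS[month - 1]


def next_day(year, month, day, is_leap=is_leap_gregorian, february_cap=29):
    """Roll a (year, month, day) tuple forward one day under the chosen rule."""
    if day < days_in_month(year, month, is_leap, february_cap):
        return (year, month, day + 1)
    if month == 12:
        return (year + 1, 1, 1)
    return (year, month + 1, 1)


def first_divergence(year, is_leap=is_leap_gregorian, february_cap=29):
    """Step through a whole year beside datetime.date and return the first date
    the rule produces that the reference calendar does not, or None if they agree."""
    current = (year, 1, 1)
    reference = datetime.date(year, 1, 1)
    while reference.year == year:
        reference += datetime.timedelta(days=1)
        current = next_day(*current, is_leap=is_leap, february_cap=february_cap)
        if current != (reference.year, reference.month, reference.day):
            return current
    return None


if __name__ == "__main__":
    for label, rule, cap in (("gregorian", is_leap_gregorian, 29),
                             ("no 400-year rule", is_leap_no_400_rule, 29),
                             ("february runs to 30", is_leap_gregorian, 30),
                             ("julian", is_leap_julian, 29)):
        for year in (1900, 2000, 2004, 2100):
            print("%-20s %d: first divergence %s" % (label, year, first_divergence(year, rule, cap)))
```

The walk is deliberately done by stepping one day at a time rather than by checking the leap predicate alone, because that is how a watch or VCR clock actually fails: the wrong predicate is harmless until the day counter reaches the end of February, and a wrong month-length table is harmless until the predicate says "leap". Any firmware date routine can be dropped in for next_day and checked the same way across 1900, 2000 and 2100.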