precedence: bulk
Subject: Risks Digest 20.94

RISKS-LIST: Risks-Forum Digest Friday 7 July 2000 Volume 20 : Issue 94

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents:
Software upgrade cancels hundreds of train tickets (Ian Shorrocks)
Lottery coincidence reported by Infobeat caused by computer crash (Bob Heuman)
Total power outage at Sydney Airport leaves 20 planes circling (Mike Hogsett)
U.K. ATC System Failure (Andres Zellweger)
Re: Collapse of UK air-traffic control computer (Mark Richards)
Mix-up sends Spanish bank e-mail to Virginia BBoard (NewsScan)
17,000 bank details plucked from GST Site (Keith A Rhodes)
One more Y2K glitch, on countdown (Floyd Johnson)
Australian DST rules changed for Olympics (Mark Lutton)
Cyber-extortion (Doneel Edelson)
Hacker did *NOT* endanger shuttle astronauts (Jay D. Dyson)
Norton Antivirus 2000 defect on Win2000 Content (Jeremy Epstein)
Re: Microsoft software *can* damage your hardware! (Peter Van Eynde)
REVIEW: "Firewalls: A Complete Guide", Marcus Goncalves (Rob Slade)
CERIAS symposium (Gene Spafford)
The Software Engineering Symposium (Carol Biesecker)
Call for registration ESORICS and RAID 2000 (Frederic Cuppens)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 6 Jul 2000 14:49:40 -0400
From: Ian Shorrocks
Subject: Software upgrade cancels hundreds of train tickets

Guildford Station in Surrey, UK is one of many stations fitted with much hated automatic ticket barriers by the operators, South West Trains Ltd. The barrier checks the magnetic stripe on the back of the ticket to determine if the ticket is valid and admits you to the station platforms or allows you to leave.
As far as anyone is aware, there was nothing wrong with the barriers other than the annoyance they cause as queues form during the rush hours, as the gates open and close somewhat slowly.

Last week, CTS, the company that provided the barriers, decided to upgrade the software. Long-suffering Risks Digest readers will not be surprised to learn that the operation of the barriers following the upgrade was not as CTS, the Rail company or anyone else expected. Instead of allowing the holder of a valid ticket access to the platforms, the barrier instead erased the information on the magnetic stripe, thus permanently invalidating the ticket. South West Trains then had the problem of reissuing all the affected tickets (several hundred by all accounts) and manually checking tickets until the problem was resolved.

There is no substitute for complete lack of proper testing or for unnecessary software changes. The risk is: does the same cavalier attitude to testing apply to the software running the signalling system?

------------------------------

Date: Tue, 04 Jul 2000 00:14:42 -0400
From: rsh@idirect.com
Subject: Lottery coincidence reported by Infobeat caused by computer crash

Oregon Lottery officials thought it was a joke when someone called to say The Columbian had published the winning Pick 4 lotto numbers a few hours before they were drawn. When they learned the caller was right, they dispatched Lloyd W. Beil, a detective with the Oregon State Police gaming enforcement section. "Game security is our most valuable commodity," said David Hooper, an Oregon Lottery spokesman.

As it turned out, the newspaper's computer system in this city across the Columbia River from Portland, Ore., crashed Wednesday. In the scramble to re-create a lost page, a copy editor mistakenly pulled the winning Pick 4 numbers from Virginia and billed them as the Tuesday night's winning pick in Oregon. Those same winning numbers, 6-8-5-5, were also drawn later Wednesday evening in Oregon.
[AP item, Lottery numbers published by fluke (*Infobeat*, Jul 3 2000) http://www.infobeat.com/stories/cgi/story.cgi?id=2567832665-960]

R.S. (Bob) Heuman, Toronto, ON, Canada

------------------------------

Date: Fri, 07 Jul 2000 14:19:10 -0700
From: Mike Hogsett
Subject: Total power outage at Sydney Airport leaves 20 planes circling

Another story of primary and secondary power system failure...

[On the evening of 6 Jul 2000, the main power and the backup power for the Sydney air-traffic control system both failed at 6 p.m., a period of peak activity. The power outage lasted for about two minutes, and it took another 10 minutes to reboot the computers. The fallback strategy involved "pilot-to-pilot communications and predetermined holding patterns." The Community and Public Sector Union national organizer Alistair Waters was quoted: ``As you keep cutting back and cutting back, the chances of failure happening grow and grow. And that does risk safety.'' PGN-ed]

http://dailynews.yahoo.com/h/nm/20000707/od/airport_dc_1.html

------------------------------

Date: Thu, 6 Jul 2000 08:42:42 -0400
From: ZellwegA@cts.db.erau.edu (Andres Zellweger)
Subject: U.K. ATC System Failure

According to *Aviation Week*, 26 Jun 2000, the U.K. ATC computer failure reported in RISKS-20.93 was due to Flight Processing Software at the West Drayton ATC Center. As a result of the failure, flight progress strips "had to be produced manually, a labor-intensive practice that forced NATS to slow down the amount of traffic in the U.K. airspace. NATS eventually reinstated the previous software program, which stabilized the system." The new software was developed internally by NATS and had been installed three weeks prior to the failure.

It is interesting to note that, while the system recovered after four hours, the effects of the failure were felt for the entire weekend and as far away as Paris and Frankfurt.
(I sat on the ground at Malpensa on a flight bound to IAD for at least two hours waiting to be rerouted to avoid the U.K. airspace.)

The other problem with the U.K. ATC system reported in RISKS-20.93 occurred on 9 Jun 2000. It was also a problem with the flight data processing software. That 20-minute failure was due to human error -- repeated "bad" flight data input from another ATC Center. The problem was fixed through procedural means.

------------------------------

Date: Thu, 6 Jul 2000 09:45:19 -0400
From: "Mark Richards"
Subject: Re: Collapse of UK air-traffic control computer

PGN noted that huge delays in US Domestic air service were "blamed alternatively on thunderstorms and on air-traffic control congestion", noting Boston's ugly, congested, dirty, confusing, unfriendly Logan airport among them (sorry, couldn't help myself).

Add another reason: it's reported locally that pilots from many airlines are refusing landing clearances that involve the simultaneous use of a crossing active runway for departure. A recent incident where takeoff clearance was given to one flight while another was landing is used as case-in-point: they nearly collided (reports were from 100-300 feet vertical separation) at the intersection!

The old saying "Arrive Alive" certainly fits.

Mark Richards

------------------------------

Date: Fri, 07 Jul 2000 07:09:51 -0700
From: "NewsScan"
Subject: Mix-up sends Spanish bank e-mail to Virginia BBoard

One of Spain's largest banks -- and its most aggressive in terms of moving operations onto the Internet -- is suffering from an identity crisis that has resulted in thousands of messages being routed to Bulletin Board VA, run by a rural Virginia man who publishes a weekly shopper with a circulation of 10,000.
Banco Bilbao Vizcaya Argentaria, which goes by the acronym BBVA after Banco Bilbao Vizcaya merged with Argentaria SA last fall, is the owner of the "grupobbva.com" domain name, but many employees, customers and outside vendors mistakenly send their sometimes-sensitive e-mail to "bbva.com," a domain name owned by Bulletin Board VA. "When all this e-mail started coming in, I didn't know who to contact. I didn't know who to talk to," says Bulletin Board VA owner Jim Caldwell. "To me it is beyond the stage of funny." Some of the messages contain bank account numbers and balances, and at least one contained confidential information about a possible bank acquisition. BBVA says it's in the process of changing its domain name to "bbva.es," and hopes that will solve the problem. Caldwell certainly hopes so -- he says he spends up to two hours a day clearing his server of the mislabeled messages.

[*Wall Street Journal*, 7 Jul 2000 http://interactive.wsj.com/articles/SB962887042191508928.htm; NewsScan Daily, 7 Jul 2000]

------------------------------

Date: Thu, 29 Jun 2000 10:35:15 -0400
From: "Keith A Rhodes"
Subject: 17,000 bank details plucked from GST Site

In Australia, someone claimed to have accessed a Treasury Department Web site www.gstassist.gov.au that had essentially no security. By indexing from 1 to 17,000, he was able to obtain the bank records of that many registered GST Startup certificate suppliers. (There were apparently 27,000 records in all, but access stopped when the site was disabled.) He then sent e-mail to each of these companies (which can honour a $200 GST-related rebate on computers, software, services and other items required for small and medium companies to prepare for Australia's new taxation system) with its own relevant details.
[Source: Bank details plucked from GST Site, By Nicole Manktelow, ZDNet Australia, and Paul Zucker, PC Week Australia; PGN-ed]

------------------------------

Date: Fri, 07 Jul 2000 12:43:50 -0400
From: Floyd Johnson
Subject: One more Y2K glitch, on countdown

The U.S. Naval Observatory in Washington, DC, has a web site that lists a count down timer to "Countdown to the Year 2000 !":

http://tycho.usno.navy.mil/frontpage.html

and when the link is followed we do find the "USNO Millennium Program". However, and here is the kicker, the millennium counter is not counting down to 2000, but to 2001. The pages cite 1 Jan 2001 as the beginning of the new millennium:

http://psyche.usno.navy.mil/millennium/

Golleeeee ... if the US Navy can't get it right, how can the rest of us expect to get there on time [:)]. [Both pages are written by the USNO.]

Floyd H. Johnson, 87 Parkway Drive, North Chili, NY 14514 1-716-594-0942 floydj@netins.net

[On the other hand, there is an explanation on the latter site that the next millennium begins on 1 Jan 2001. Go figure. I presume it is last year's program recycled. PGN]

------------------------------

Date: Thu, 6 Jul 2000 17:48:23 -0400
From: "Mark Lutton"
Subject: Australian DST rules changed for Olympics

Several Australian states have changed the Daylight Savings Time rules so that DST will be in effect for the year 2000 Olympic Games in Sydney in September (late winter for them). Normally DST begins in October.

I suppose the benefits are substantial. Quite a bit of electricity for stadium lighting will be saved. I wonder if anyone considered the costs and the risks. This affects just about every computer in Australia, and many automated installations like radio stations, time-lock bank vaults and security systems.

Microsoft is taking it calmly and has issued a notice at http://www.microsoft.com/australia/support/timezone/2000.htm.

I guess there was some reason they couldn't just schedule every event to start an hour earlier.

------------------------------

Date: Thu, 6 Jul 2000 10:31:29 -0400
From: "Edelson, Doneel"
Subject: Cyber-extortion

Instances of "cyber-extortion" are increasing dramatically, according to Dave Marziliano, an FBI agent in New York who specializes in computer crime and security. Cyber-extortion involves hackers blackmailing companies by threatening to turn over purloined strategic data to their competitors. Marziliano says these cases are growing due to an increase in the number of hackers, particularly in underdeveloped countries. Most incidents involve relatively small amounts of money, $50,000 to $100,000, which many companies would rather pay than take the chance of losing competitive advantage.

[Source: InformationWeek Online, columnist John Soat, and InformationWeek magazine, July 3, 2000, page 150.]

------------------------------

Date: Wed, 5 Jul 2000 13:56:26 -0700 (PDT)
From: "Jay D. Dyson"
Subject: Hacker did *NOT* endanger shuttle astronauts (Re: Rubin, RISKS-20.93)

Bob Jacobs/Dwayne Brown
Headquarters, Washington, DC
July 3, 2000
(Phone: 202/358-1600)

Ed Campion/Eileen Hawley
Johnson Space Center, Houston, TX
(Phone: 281/483-5111)

COMPUTER HACKER NEVER ENDANGERED SHUTTLE ASTRONAUTS

News reports that a computer hacker endangered the lives of Space Shuttle astronauts during a 1997 mission are wrong. A report from the British Broadcasting Corporation (BBC) said a hacker compromised NASA computers, endangering the lives of American astronauts.

NASA's Inspector General's office found that during the STS-86 mission in September of 1997, the transmission of routine medical information was slightly delayed due to a computer hacker. However, the transmission was successfully completed. At no time was communication between NASA and the astronauts compromised. The communication interruption occurred between internal ground-based computer systems.

There has never been an interruption of communication service with the Shuttle due to computer hacker attacks.
The command and control communications links between Mission Control and a Space Shuttle in orbit are extremely well insulated.

The 1997 incident is currently under investigation by NASA Inspector General's office.

Courtesy of NASA HQ. Send questions to them, not me.

Side note: Knowing what I know about how the mission-critical systems are *not* on the Net, the BBC story rings utterly false. JDD

[Jay, I guess you might be SURPRISED on your supposition! PGN]

------------------------------

Date: Thu, 6 Jul 2000 16:53:27 -0400
From: "Jeremy Epstein"
Subject: Norton Antivirus 2000 defect on Win2000 Content

Seems that if you're one of those vigilant people who always download the latest virus definitions, you could be in trouble. If you downloaded Norton Antivirus 2000's virus definitions between June 16 and 19 and then used them on Windows 2000, you would hang the system. The problem stems (in part) from the fact that they appear to be downloading some sort of active content ("new script file scanning techniques" is the way they described it), and those got confused by certain device files.

Security software shouldn't (a) dynamically load updates to itself or (b) reduce reliability!

------------------------------

Date: Wed, 5 Jul 2000 23:31:56 +0200
From: Peter Van Eynde
Subject: Re: Microsoft software *can* damage your hardware! (Slade RISKS-20.93)

> Are we reaching the limits of safe operation with plastic disks? Or is it
> only defects in manufacture that cause this type of problem?

The German magazine C'T did a report on a similar case a few months ago. Their conclusion was that a hairline fracture in the plastic ring that surrounds the center hole can cause the CD to break up under the stress of a X-speed CD-ROM drive. They advised to check your CDs for hairline fractures or/and to use software to artificially slow down the CD drive to a more reasonable speed. This also has the nice side-effect of reducing the whine...

------------------------------

Date: Wed, 5 Jul 2000 08:00:32 -0800
From: Rob Slade
Subject: REVIEW: "Firewalls: A Complete Guide", Marcus Goncalves

BKFWCMGD.RVW 20000517

"Firewalls: A Complete Guide", Marcus Goncalves, 2000, 0-07-135639-8, U$54.95
%A Marcus Goncalves goncalves@process.com goncalves@arcweb.com
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2000
%G 0-07-135639-8
%I McGraw-Hill Ryerson/Osborne
%O U$54.95 800-565-5758 fax: 905-430-5020
%P 678 p. + CD-ROM
%T "Firewalls: A Complete Guide"

Despite the change of name, this is not just essentially the second edition of "Firewalls Complete" (cf. BKFWCMPL.RVW), it is identical, right down to the price.

While there is a large amount of information in this book, and a particularly valuable compilation of vendor data, I am not sure that I can agree with the claim to be complete, even though the preface says it has been expanded. (The only specific expansion mentioned involves protocols.) It is difficult to point out particular gaps in the work, since the whole volume could still use a thorough reorganization.

Part one has been renamed to reflect the emphasis on TCP/IP. Chapter one deals with the TCP/IP suite of protocols. It does address protocol related weaknesses, but the protocols and attacks are not related, appearing in disorganized and even random material. Some attacks are described incorrectly, and sections even seem to contradict each other, such as the text emphasizing login controls and then discussing IP spoofing, which takes over legitimate logins. This appears to set the stage for a technical treatment of the subject. Networking details continue in chapter two with an overview of the various connection methods over the net. I am always delighted to get more information about new Kermit products, but I would sympathize with any reader who was confused about what this material may have to do with firewalls. Encryption gets a brief review in chapter three.
The content gets the basics across, but is of uneven depth between topics. Chapter four does start to provide security, and specifically firewall, related information in regard to the Web, but also includes a ten page CGI script that might be less useful. The data is good, but seems to be somewhat random and unstructured. Advanced Web security areas (including a more detailed examination of ActiveX vulnerabilities) are found in chapter five. Chapter six looks at much the same material.

Firewall technologies, implementations, and limitations are discussed in part two. Chapter seven attempts to define firewalls and describe firewall technologies. The discussion of firewall types has been expanded, but is still confused. The chapter also suffers from duplicate sentences and even paragraphs, and obviously could have used another copy edit. Vulnerabilities of individual Internet applications are the subject of chapter eight, but many concerns mentioned are more potential than actual (and thus difficult to defend against) while a good deal of the content (including yet another complete, ten page Perl script, this one a version from three years before the first) is repeated from earlier chapters. "Setting Up a Firewall Security Policy," in chapter nine, is much broader, touching on many security topics that may have little or nothing to do with firewalls. An example is the information on viruses, which is generally trite. The overview of antiviral software betrays no knowledge of activity monitoring or change detection classes of programs. The recommended protection procedure suggests copying downloaded programs to a floppy disk rather than the hard disk, which is both useless (malicious software invoked from floppy will generally happily destroy data on your hard drive) as well as being impractical in these days of enormous packages.
The more effective approach would involve a type of firewall: an isolated machine that could download software and test it before the programs were used on production machines. Chapter ten is supposed to address issues of design and implementation, but deals primarily with considerations for evaluation of specific products, as well as some suggestions for what to do once you've been hit. The question of design is made more problematic by the fact that the second major type of firewall Goncalves proposes, an application gateway, while first mentioned in chapter seven, is not defined until chapter eleven as a more generic form of a proxy server, which is itself first mentioned in chapter five but not described until this point. Chapter twelve covers basic auditing of the firewall, while chapter thirteen mentions a few firewall products.

Part three is chapter fourteen, which lists firewall vendors and products. Descriptions of the products are extensive, and sometimes technically detailed, but it is difficult to call them evaluations, since there is little analysis of strengths and weaknesses. It is also hard to make comparisons, since there is little similarity of format in the entries.

Appendix A is a collection of vendor contact information.

Goncalves' writing on any given section is quite readable. Explanations are clear and illustrations can even be amusing. At times it seemed that the material was moving into common traps and misconceptions, but ultimately the analysis is generally balanced and realistic. However, in some cases there is an apparent contradiction between one paragraph and the next. The incongruity disappears on more rigorous scrutiny, but the text can be startling. In addition, the structure of the book, both overall and within individual chapters, leaves something to be desired. It can be difficult to follow developing concepts, and also to use the book as a reference by going back to specific topics to pick up particular points.
As an adjunct to Cheswick and Bellovin's "Firewalls and Internet Security" (cf. BKFRINSC.RVW) or Chapman and Zwicky's more practical "Building Internet Firewalls" (cf. BKBUINFI.RVW), this work does have useful information. As a reference or introduction it falls short.

copyright Robert M. Slade, 1998, 2000 BKFWCMGD.RVW 20000517
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Sat, 24 Jun 2000 20:42:15 -0500
From: Gene Spafford
Subject: CERIAS symposium

CERIAS (Center for Education and Research in Information Assurance and Security) will be co-sponsoring a symposium on requirements engineering for information security and privacy. From the announcement:

Security requirements for new electronic commerce and Internet applications exceed the traditional requirements for network security and traditional software systems. Security requirements are more complex and increasingly critical. Informally stated and de facto requirements are often of critical importance in the design and operation of these systems, but they are frequently not taken into account. The symposium is intended to provide researchers and practitioners from various disciplines with a highly interactive forum to discuss security and privacy-related requirements. Specifically, we encourage those in the fields of requirements engineering, software engineering, information systems, information and network security as well as trusted systems to present their approaches to analyzing, specifying and testing requirements to increase the level of security provided to users interacting with pervasive commerce, research and government systems.

We intend this to be a significant event in developing new approaches to better security design and operation. We would like to ask your help to ensure that this happens. Please let colleagues and other likely-interested parties know about this symposium.
You can print off copies of the CFP and circulate them. You can also point people to the symposium WWW page: . You can also think about submitting something to be considered!

------------------------------

Date: 6 Jul 2000 15:58:18 GMT
From: cb@sei.cmu.edu (Carol Biesecker)
Subject: The Software Engineering Symposium

impacts 2000 - The Software Engineering Symposium
18-21 September 2000
Grand Hyatt at Washington Center, Washington D.C.

The most up-to-date information, including the Preliminary Program, Housing, Local, and Registration details, can be found on our Web site at http://www.sei.cmu.edu/products/events/symp/

The Software Engineering Institute (SEI) Software Engineering Symposium provides a forum for discussing high-payoff emerging practices that software organizations can use today. Symposium sessions will describe current activities and research in the SEI technical program of work. These SEI efforts produce results that enable members of the software community to deliver software-intensive systems predictably better, faster, and cheaper.
By July 19, 200, to express your interest, contact

  Software Engineering Institute
  Symposium Conference Coordinator
  Carnegie Mellon University
  Pittsburgh, PA 15213-3890
  Phone: 412 / 268-3007
  FAX: 412 / 268-5556
  E-mail: symposium@sei.cmu.edu

For more information about the Symposium, contact

  Symposium 2000 Conference Coordinator
  Phone: 412 / 268-3007
  FAX: 412 / 268-5556
  E-mail: symposium@sei.cmu.edu

For general information about the SEI or to be added to our mailing list,

  SEI Customer Relations
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh, PA 15213-3890
  Phone: 412 / 268-5800
  FAX: 412 / 268-5758
  E-mail: customer-relations@sei.cmu.edu

------------------------------

Date: Tue, 27 Jun 2000 19:25:09 +0200 (MET DST)
From: Frederic Cuppens
Subject: Call for registration ESORICS and RAID 2000

ESORICS 2000
Preliminary programme and call for Posters
6th European Symposium on Research in Computer Security
October 4-6, 2000, Toulouse, France
http://www.cert.fr/esorics2000/

Organised by ONERA Centre de Toulouse with CNAMTS-CESSI and LAAS-CNRS.
Registration form is available at http://www.cert.fr/esorics2000/register.html

ESORICS 2000 is jointly organized with RAID 2000:
3rd International Workshop on the Recent Advances in Intrusion Detection
October 2-4, 2000, Toulouse, France
http://www.raid-symposium.org/raid2000/

------------------------------

Date: Tue, 4 Jul 2000 08:33:52 +0200
From: safecomp2000
Subject: Safecomp 2000 - Programme + Registration
Sender: "Koornneef, Floor"

SAFECOMP 2000 - Programme & Registration
19th International Conference on Computer Safety, Reliability and Security
October 24-27, 2000
ROTTERDAM, The Netherlands

The provisional programme of the Safecomp 2000 event and registration information are now available: http://www.wtm.tudelft.nl/vk/safecomp2000

Safecomp 25-26 Oct will review the state of the art, experiences and new trends in the areas of computer safety, reliability and security regarding dependable applications of computer systems. There are also five half-day tutorials 24 Oct and 27 Oct.

MORE INFORMATION: http://www.wtm.tudelft.nl/vk/safecomp2000
E-mail: safecomp2000@wtm.tudelft.nl

------------------------------

Date: 13 Dec 1999 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO [for unabridged version of RISKS information]
 .MIL users should contact (Dennis Rears).
 .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.
 *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
   http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   http://the.wiretapped.net/security/textfiles/risks-digest/ .
==> PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.94
************************