RISKS-LIST: Risks-Forum Digest  Weds 20 September 2000  Volume 21 : Issue 05

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents:
Qualcomm CEO's laptop vanishes, containing corporate secrets (NewsScan, David Lesher)
Computers shut down aircraft engines in flight (Mike Beims)
Russian troops block power shutoff (Doneel Edelson)
OPEC site hacked (Mike Hogsett)
Navy carrier to run Win 2000 (Mike Ellims)
Re: Windows NT/2000 palm sync (Avi Rubin)
Re: Identity theft (Carl Ellison)
Re: D.01: Off by x100 (Terry Carroll)
Re: New Pentium III chip recalled: typo (Gideon Yuval)
Risks of using HTML Mail and HTTP proxy "censorware" together (Dan Birchall)
Concorde crash report (Peter Kaiser)
Computerized air-conditioning risks (Pere Camps)
``Netspionage'' is the real security threat on the Net (NewsScan)
Hackers offered $10,000 bait (NewsScan)
A subtle fencepost error in real life (Andrew Koenig)
New credit-card solution? (Joshua M Bieber)
Reconstructing Privacy - Conference Announcement (Gene N Haldeman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 18 Sep 2000 06:55:57 -0700
From: "NewsScan"
Subject: Qualcomm CEO's laptop vanishes, containing corporate secrets

After addressing a national business journalists' meeting in Irvine, California, Qualcomm chief executive Irwin Jacobs found that someone had stolen his laptop computer, which he left on the floor of a hotel conference room.
The thief acquired not only an IBM Thinkpad but also the Qualcomm secrets it contains, because Jacobs had just finished telling the audience that the slide-show presentation he was giving with his laptop contained proprietary information that could be valuable to foreign governments. People in the area "included registrants, exhibitors and guests at our conference, hotel staff and perhaps others." Qualcomm, a leader in the wireless industry, is the world's leading developer of a technology known as CDMA, which makes high-speed Internet access available on wireless devices. (Reuters/*San Jose Mercury News*, 18 Sep 2000 http://www.sjmercury.com/svtech/news/breaking/ap/docs/412258l.htm; NewsScan Daily, 18 September 2000)

NewsScan Daily is underwritten by Arthur Andersen and IEEE Computer Society, world-class organizations making significant and sustained contributions to the effective management and appropriate use of information technology. NSD is written by John Gehl and Suzanne Douglas, editors@NewsScan.com.

  [NewsScan items are reproduced here with the very gracious permission of Gehl and Douglas. Further reuse should respect their copyrights. PGN]

------------------------------

Date: Mon, 18 Sep 2000 22:36:02 -0400 (EDT)
From: David Lesher
Subject: Qualcomm CEO's laptop vanishes, containing corporate secrets

This was bound to happen, if not then & there and to him, then to another CEO-type. It will again.

It's a clear message that folks of all levels need to practice safe-computing by using real encryption on all data files.

It's also a message to crypto companies. Create real tools for this task, ones that even C[E,F,T]O's can grok how to use {1}. A recent USENIX study reported that a large percentage of users failed to use PGP correctly.
{1: Getting them to follow practices is the 2nd half of the problem; as the Deutch case demonstrates....}

wb8foz@nrk.com  [v].(301) 56-LINUX

------------------------------

Date: Mon, 18 Sep 2000 15:57:01 -0400
From: Mike Beims
Subject: Computers shut down aircraft engines in flight

The Aerospace Online newsletter reports that some Full Authority Digital Engine Control (FADEC) units have performed uncommanded shutdowns of an aircraft's engine in flight. This led to the United States Federal Aviation Administration issuing an Airworthiness Directive (AD) requiring that no more than one engine per airplane may use the suspect FADECs. The root cause of the FADEC computer malfunction is a power transistor, and the AD lists the FADEC units affected by their serial numbers.

From http://www.aerospaceonline.com:

  2) AD released on Allison AE 3007A/C series turbofan engines

  FAA adopted a final rule applicable to Allison Engine Company AE 3007A and AE 3007C series turbofan engines that requires inspection before further flight to determine that no more than one engine with a suspect FADEC is installed on the same airplane. The rule was prompted by reports of uncommanded in-flight shutdowns of engines caused by a potential hardware failure mode in some AE 3007 series FADECs. The rule is effective 22 Sep 2000. The AD text (.pdf) is available from Aerospace Online's Download Library: http://www.aerospaceonline.com/read/nl20000912/213768

Mike Beims

------------------------------

Date: Tue, 12 Sep 2000 15:53:29 -0400
From: Doneel Edelson
Subject: Russian troops block power shutoff

A Russian strategic missile base had its power shut off as a result of a year-long accumulated nonpayment of bills totalling about $683,000. As a result, troops took over the utility's switching station and restored power. Earlier shutdowns affected hospitals, an air-traffic control center, coal mines, a city sewage plant, and in 1995 a nuclear submarine at an Arctic sub base.
  [Source: Associated Press article by Vladimir Isachenkov, 12 Sep 2000, PGN-ed]

------------------------------

Date: Wed, 13 Sep 2000 11:08:41 -0700
From: Mike Hogsett
Subject: OPEC site hacked

Someone identified as "fluxnyne" cracked into the OPEC Web site, posting this message:

  "I think I speak for everyone out there (the entire planet) when I say to you guys to get your collective a**es in gear with the crude price. We really need to focus on the poverty-stricken countries, who don't even have enough money for aspirin, let alone exorbi[t]ant prices for heating oil. I think the lives of children are paramount to your profits."

  [http://dailynews.yahoo.com/h/nm/20000913/od/website_dc_1.html, PGN-ed with ** filtering]

------------------------------

Date: Wed, 20 Sep 2000 09:27:47 +0100
From: Mike Ellims
Subject: Navy carrier to run Win 2000

Apparently the new Navy aircraft carrier is to use Windows or some derivative for at least some of its mission-critical applications.

  "This is a new area for us," said Keith Hodson, a Microsoft Government spokesman. "Windows-based products have not traditionally been associated with Defense Department-specific mission-critical applications."

The Web site with the press release: http://www.gcn.com/vol19_no27/dod/2868-1.html

As they say, who do you want to shoot today?

Mike Ellims, Pi Technology  mike.ellims@pitechnology.com  www.pitechnology.com  +44 (0)1223 441 434

------------------------------

Date: Mon, 18 Sep 2000 19:59:26 -0400
From: Avi Rubin
Subject: Re: Windows NT/2000 palm sync (Rubin, RISKS-21.04)

Some people have pointed out that a virgin palm pilot would cause a pop-up window asking for the user name, so for the attack that I mentioned to work, you would have to know the username on the pilot of the person you were attacking, and set that name in the new palm. It was also pointed out that the palm databases can be backed up, in which case obviously data wouldn't be lost.
There may have been a few other problems with the hypothetical attacks I mentioned. However, the main risk remains - that locking a windows machine with the alt-ctrl-del option does not prevent the palm from syncing, and you can imagine ways in which this can be abused in addition to the ones I mentioned in the original post.

Perhaps disabling the serial port would be a bit draconian. Then what about the Ethernet port? What if someone wants to receive a fax while they are away, but lock the computer? Where do you draw the line between locking the computer and turning it off? These are difficult questions.

I believe the sync issue when the computer is locked is a user interface problem, and yet, everyone that I tell about being able to sync the pilot after locking windows 2000 is surprised. Locking the computer is a useful feature, but it needs to be done in such a way that the user has an intuitive sense of what is locked and what isn't. I don't have the solution.

Avi Rubin  http://avirubin.com/

------------------------------

Date: 17 Sep 2000 19:16:23 -0700
From: "Carl Ellison"
Subject: Re: Identity theft (PGN, RISKS-21.04)

I used to try to keep my SSN private -- then I realized that that's blaming the victim (me). It's not the SSN holder's fault that stores and other institutions use improper means for authenticating people. It's the store's fault.

Any information held by a credit bureau is public. So is any information held by any government agency, if I'm to believe the spam I get occasionally. So, that information is not acceptable for authentication -- even in person, but especially online. It's not merely unacceptable when dealing with the credit bureau. The credit bureau poisons the information for everyone.
Now -- how do we get consumer protection laws that make it clear that a consumer is not liable for any debts incurred by someone claiming to be him/her unless there is irrefutable authentication during registration (e.g., videotape of the consumer signing up for the service). This means killing all issuing of credit online, by mail, by phone, etc. Maybe I'd stop getting all those credit-card applications in the mail....

  [This opens a technical challenge: how can we authenticate anyone, if we rule out information that an attacker can get?]

 - Carl

  [This topic has recurred in RISKS for many years, but the people who should be learning this lesson are not listening (or lessoning -- although they may be lessening). Thus, your moderator not at all immoderately includes Carl's contribution. PGN]

------------------------------

Date: Mon, 11 Sep 2000 15:41:20 -0700 (PDT)
From: Terry Carroll
Subject: Re: D.01: Off by x100 (Blakley, RISKS-21.04)

> I notice that both SmartMoney.com's "Map of the Market" and CNNfn's
> intraday chart have gotten confused by decimalization of stock prices.
> If you check out a decimalized stock (like Gateway (GTW), for example)
> at either of these sites ... you'll see that both sites think that
> Gateway's per-share valuation today (8/28) is $6655.00, instead of
> $66.55.

This is not (to the best of my knowledge) a decimalization issue, but for an interesting computer error related to stock price, check out the quote for Ford Motor Company (ticker symbol F) on Yahoo.

The data includes a spurious split of Ford stock on August 3, 2000: a "-44:-24" split (or, on some screens, such as the historical data referred to below, a "1748:1000" split). However, there was no split on that date: instead, there was a stock drop due to the Firestone tire problems.

You can see this most clearly by viewing a stock chart at . Yahoo shows Ford as jumping from around $26.50 (pseudo-split-adjusted) to around $29 (a 9% increase) on August 3.
In reality, it dropped like a stone, from around $47 *down* to around $29 (a 45% DECREASE). Yahoo is split-adjusting for this non-existent split. The problem is also visible in the historical charts page, e.g., on .

I suspect that there's some program somewhere that treats such a precipitous overnight stock price drop as a potential split, although why it's not referred to a human for verification, and why it settles on such odd ratios eludes me.

I reported the error to Yahoo a couple weeks ago. They said that they'd notify their data provider (CSI Data), who would verify and correct, and that sometime in the future, the displays at Yahoo would again be correct. It's still not correct.

In the meantime, I hope that no Yahoo users are trying to rely on moving averages or other historical bases to try to figure out a good time to trade in Ford.

Terry Carroll, Santa Clara, CA  carroll@tjc.com

------------------------------

Date: Tue, 12 Sep 2000 15:02:15 -0700
From: Gideon Yuval
Subject: Re: New Pentium III chip recalled: typo (RISKS-21.04)

> Intel is recalling its 1.3 gigahertz Pentium III chip

I think it was 1.13GHz, not 1.3

------------------------------

Date: 20 Sep 2000 01:56:30 GMT
From: Dan Birchall
Subject: Risks of using HTML Mail and HTTP proxy "censorware" together

Summary: Unseen things in HTML mail may trigger HTTP censorware.

First, the data points:

1. Many workplaces, including mine, have HTML-"enabled" mail software on the desktop.
2. Many workplaces (though not as many), including mine, make use of HTTP proxy "censorware" to catch employees trying to access "bad" sites (porn, hate sites, hacking sites, etc).
3. Those sites, like many others, tend to use 1x1 GIFs for spacing and the like.
4. Users who read HTML mail rarely view the source.

Now, the risk:

It is extremely trivial to concoct an HTML mail message containing IMG SRC calls to (near-)invisible 1x1 images, or other more damning images scaled to 1x1, from any number of "banned" sites.
If such a message is received and opened by someone with an HTML mail reader, they will probably generate HTTP requests to those sites, which would be blocked/logged by proxy censorware. Thus, a prankster, BOFH, or anyone bent on malice can pull off a "joe job" by sending e-mail to such a recipient.

The e-mail might appear to be totally innocent based on its content, or might even be disguised as spam, with forged headers and other junk. It doesn't matter, really, as long as the recipient's mailreader generates the HTTP requests for those files. Enough entries in the censorware log over a period of time, and someone's bound to start asking questions.

Of course, the HTTP requests are for individual files, not pages. But if the proxy is _blocking_ requests to "banned" sites (ours is), no pages could be accessed anyway, so all log entries would be of an individual-file nature. These are just blocked requests for images, rather than blocked requests for HTML files.

(As a side note, if someone were ideologically opposed to the use of censorware, sending this sort of message to a large number of users behind such a proxy, including those parties charged with administering the proxy, would seem to be a fitting form of protest.)

Dan Birchall - Palolo Valley, Honolulu HI - http://dan.scream.org
Post your reviews; get paid: http://epinions.scream.org/join.html

------------------------------

Date: Tue, 12 Sep 2000 21:52:01 +0200
From: Peter Kaiser
Subject: Concorde crash report

The Bureau Enquêtes-Accidents (BEA; Office of Accident Investigation) has issued a preliminary report on the Concorde crash of 25 Jul 2000. It may be worth mentioning a couple of things here.

One is that the crew apparently never knew what was wrong, because there was no means of sensing the actual problem: the catastrophic rupture of a fuel tank caused by the explosion of a tire, with massive ignition of the leaking fuel.
The Concorde's engines are instrumented to detect fire, but the tanks are not; nor is there any means of detecting the rupture of a tank nor of extinguishing a tank fire. And the pilots couldn't see to the rear. So all the sensors were no use at all, and the flight was doomed before it left the ground. Undoubtedly the passengers on the left side of the plane could see the flames and the disintegration of the left wing.

There's a parallel here to the instrumentation of computer systems in places, and at levels, that make it possible to diagnose problems before they result in catastrophe.

The aircraft carried three types of recorders. The cockpit voice recorder had external damage, but its thermal protection worked and its tape was recovered intact. The flight data recorder (FDR) didn't entirely protect its tape from fire, and the report states that its

  ... recording was of moderate quality, which led to a certain number of losses of synchronization of the signal.... It was decided to search in parallel for better-quality information.

They turned to the quick-access recorder (QAR, in French literally "maintenance recorder"), which is not required equipment:

  The QAR is an unprotected recorder. It contains a copy of the FDR's data on magneto-optical disk, and is used by Air France to analyze flights. The method of writing on this disk uses three buffer memories whose role is to store data sent by the Flight Data Acquisition Unit (FDAU) until the conditions of vibration detected by an accelerometer within the QAR are favorable to write on the disk. These are volatile memories which must be supplied with current to preserve the information they contain.... The QAR's box was crushed and the magneto-optical disk deformed. The card holding the memories, visible through the half-torn-off cover, seemed to be in good condition. Thus it was decided to concentrate work on this card. Two of the three memories had been torn off at the impact.
  The third was still in place and powered.

No one had ever before tried to recover one of these memory units live from a damaged recorder, but after some experimentation on other units, by attaching the third memory to a parallel power supply they managed to move it intact and operational to a working card.

  The contents of the third memory ... could be read and a copy of the disk was sent to the BEA [where] it became clear that the data from this flight were to be found on the only one of the three memories that had remained powered. Because of the technology used, the quality of the recording was excellent and displayed no desynchronization. Thus it was unnecessary to try to read the magneto-optical disk, nor to proceed with new work to acquire a [usable] signal from the FDR's tape.

So the flight data recorder didn't survive the crash unharmed, but a perfect recording was recovered from the volatile digital medium within an unprotected, vibration-sensitive, optional recorder.

The preliminary report, "Accident survenu le 25 juillet 2000 au lieu-dit La Patte d'Oie de Gonesse (95) au Concorde immatriculé F-BTSC exploité par Air France", is BEA document f-sc000725p, available from BEA's Web Site (only in French). All quotations above are my translations, for whose quality I beg your forbearance.

------------------------------

Date: Tue, 19 Sep 2000 19:45:05 +0100 (BST)
From: Pere Camps
Subject: Computerized air-conditioning risks

We just moved offices this Monday to a brand new building and we found out, the hard way, that the air-conditioning machines were working much too well: we were freezing.

This surprised most of us, as the new AC system was run by a PC and it had a very user-friendly interface. It looked very robust. However I, being a long-time RISKS follower, knew that having a PC for controlling your AC wasn't necessarily A Good Thing (TM).

After some "debugging", we found out that the control software was buggy.
We notified the appropriate vendor, which confirmed the bug with us and told us that it would soon be fixed. In the meantime, we have to work with gloves and the coat on...

  [Added note: The bug with the PC software was so huge (it looks like it only happens with our setup - the vendor claims it is the first time it happens) that what we have is the AC units running continuously, no matter what the thermostat tells the control unit. Good thing that our department (MIS Support & Internet) was the only one that stayed behind and will move in three weeks' time. We know that it is not good to be beta testers of v1.0 "hardware and software" (i.e., building).]

------------------------------

Date: Tue, 12 Sep 2000 10:58:35 -0700
From: "NewsScan"
Subject: ``Netspionage'' is the real security threat on the Net

Teenage hackers who deface government sites or steal credit-card numbers attract a lot of attention, but experts say the real problem of cybercrime is corporate-sponsored proprietary information theft committed by professionals who rarely get caught. According to the American Society for Industrial Security, Fortune 1000 companies sustained losses of more than $45 billion last year from thefts of proprietary information, and a survey by the Computer Security Institute indicates over half of 600 companies polled said they suspected their competitors were a likely source of cyberattack. "Your competitors no longer have to be across town, or even across the country; they're in other countries that have different laws and business ethics," says Richard Power, who conducts the annual CSI survey. "Culpability is much less. There is a lawless frontier in terms of theft of trade secrets." Experts agree that while juvenile hackers often leave calling cards enabling them to be traced, professional information thieves are almost impossible to catch. What's even more frustrating is that many firms never know their systems have been breached.
"It's difficult for people to see the theft of information," says the owner of a security firm. "Information is the only asset that can be copied or stolen but nothing can appear to be missing. You can still have the information... but have lost the value of that information." (MSNBC, 11 Sep 2000 http://www.msnbc.com/news/457161.asp; NewsScan Daily, 12 September 2000) ------------------------------ Date: Wed, 13 Sep 2000 08:18:25 -0700 From: "NewsScan" Subject: Hackers offered $10,000 bait The Secure Digital Music Initiative, a forum of 175 companies in the music, electronics, information technology and telecommunications industries dedicated to developing a secure framework for the digital distribution of music, is offering a reward of up to $10,000 to the first person to crack its codes. In an open letter to the "alternative" press, SDMI executive director Leonardo Chiariglione challenged hackers to "show off your skills, make some money, and help shape the future of the online digital music economy." SDMI has about 10 different proposals for "watermarking" technology that could be embedded in a digital music file. Portable music players complying with the SDMI standard would only work if the watermark -- an inaudible signal -- is present. SDMI has also issued the challenge to the technology departments at the University of California at San Diego, MIT, Virginia Tech and Stanford University. "The proposed technologies must pass several stringent tests: they must be inaudible, robust and run efficiently on various platforms, including PCs... So here's the invitation: Attack the proposed technologies. Crack them. By successfully breaking the SDMI protected content, you will play a role in determining what technology SDMI will adopt," said Chiariglione. 
(*Financial Times*, 13 Sep 2000 http://news.ft.com/news/industries/media; NewsScan Daily, 13 September 2000)

------------------------------

Date: Wed, 20 Sep 2000 15:15:49 -0400 (EDT)
From: Andrew Koenig
Subject: A subtle fencepost error in real life

I recently got email from amazon.com offering me a $50 discount on any order of $100 or more from ashford.com. As it happens, my wife's wristwatch needed repair, and I decided that for $50 I wouldn't mind buying her another watch if I could find one I thought she would like. I found such a watch, for exactly $100.

When I tried to order it, the ashford.com website wouldn't accept my promotional-offer code. More precisely, it accepted it but didn't indicate any discount.

So I called them on the phone. The (very pleasant) sales rep said that he could place the order for me. When he tried, though, he also found that their system wouldn't accept the promotional code. He then told me that he would go ahead and place the order anyway, and once it was in their system, he would make sure that I was charged the right price. It might take a day or two, but he would make it right. I told him to go ahead.

They let you track existing orders on their website. Later that day, the order was there, showing a price of $100.00. The next day, it still showed $100.00. The following day, it showed $50.01.

If you've read this far, I trust that you can figure out what must have happened.

Andrew Koenig, ark@research.att.com, http://www.research.att.com/info/ark

  [I can only assume that the resourceful sales rep added $0.01 to the price, in order to cater to a system that was implemented to offer the discount only for orders strictly greater than $100, rather than the $100 or more promised in the promotional email. ARK]

------------------------------

Date: Tue, 12 Sep 00 09:47:43 EDT
From: "Joshua M Bieber (852-5436)"
Subject: New credit-card solution?
Safer online shopping with disposable credit cards

American Express will launch a disposable credit-card service in the US next month, designed to answer the worldwide worry of online shopping. The system, Private Payments, enables cardholders to access a random one-use only credit-card number with an expiry date on the AmEx website, to be used in making one online purchase. In the event that the number is illegally accessed during a transaction, it cannot be re-used by a hacker. Visa and Mastercard are also looking at similar ideas.

*The Independent Monday Review*, P9, *The Mirror*, P18

  [Not comforting! JMB]

------------------------------

Date: Sat, 16 Sep 2000 19:08:48 -0400
From: Gene N Haldeman
Subject: Reconstructing Privacy - Conference Announcement

CPSR will hold its Annual Meeting for 2000, "Drawing the Blinds: Reconstructing Privacy in the Information Age", October 14 & 15 on the campus of the University of Pennsylvania in Philadelphia. Marc Rotenberg of EPIC will be receiving our Norbert Wiener award, and Dave Farber will be keynoting. More info and registration are at http://www.cpsr.org/conferences/annmtg00/.

Gene N Haldeman, Mid-Atlantic Regional Director, Computer Professionals for Social Responsibility

------------------------------

Date: 15 Aug 2000 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information]
 .MIL users should contact (Dennis Rears).
 .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.)
 is also obtainable from http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.
 *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 http://the.wiretapped.net/security/textfiles/risks-digest/ .
==> PostScript copy of PGN's comprehensive historical summary of one liners:
   illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 21.05
************************
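Dan Birchall's item above on HTML mail and proxy "censorware" turns on image references the reader never sees. As an added example, not part of the digest or of any contributor's post, here is a Python check a mail reader or mail gateway could run before fetching remote content: it lists the external IMG SRC requests a message would generate and flags 1x1 images and hosts on the local proxy blocklist. The host names, the sample message and the blocklist are constructed for the example.

```python
"""Flag remote image references in HTML mail before the reader fetches them.

Added example, not part of the RISKS digest.  It performs the check an
HTML-capable mail reader or mail gateway could run against Dan Birchall's
scenario: list the <img> tags whose src is an external HTTP(S) URL (each one
is a request the proxy would see and log) and note which are 1x1, the
invisible spacer size the item describes.  Hosts below are constructed
placeholders, not real sites.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse


@dataclass
class RemoteImage:
    url: str
    host: str
    width: Optional[str]
    height: Optional[str]

    @property
    def is_beacon_sized(self) -> bool:
        """A 1x1 (or 0x0) image is invisible to the person reading the mail."""
        return self.width in ("0", "1") and self.height in ("0", "1")


class RemoteImageFinder(HTMLParser):
    """Collect every <img> whose src would be fetched over the network."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[RemoteImage] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        parsed = urlparse(src)
        # cid: (inline attachment) and data: URLs involve no HTTP request and
        # so cannot appear in a proxy log; only http/https matter here.
        if parsed.scheme.lower() not in ("http", "https"):
            return
        self.images.append(RemoteImage(
            url=src,
            host=(parsed.hostname or "").lower(),
            width=a.get("width", "").strip().rstrip("px") or None,
            height=a.get("height", "").strip().rstrip("px") or None,
        ))


def find_remote_images(html: str) -> List[RemoteImage]:
    """Return the remote images of a message in document order."""
    finder = RemoteImageFinder()
    finder.feed(html)
    finder.close()
    return finder.images


def should_block_remote_content(html: str, blocklist: Set[str]) -> Tuple[bool, List[str]]:
    """Decide, before rendering, whether to suppress remote image loads.

    Returns (block, reasons).  Block when any remote image points at a host
    the site's proxy already bans, or is beacon-sized: fetching those adds
    entries to the censorware log and shows the reader nothing.
    """
    reasons = []
    for img in find_remote_images(html):
        if img.host in blocklist:
            reasons.append(f"{img.host}: host is on the proxy blocklist")
        elif img.is_beacon_sized:
            reasons.append(f"{img.host}: {img.width}x{img.height} image, invisible to the reader")
    return bool(reasons), reasons


# Constructed sample message: the visible text is innocuous; the image
# references are what a reader who never views the source would not see.
SAMPLE_HTML = """<html><body>
<p>Hi, the quarterly figures are attached.</p>
<img src="cid:chart01@mail.example" width="400" height="300">
<img src="http://blocked-site.example/spacer.gif" width="1" height="1">
<img src="https://tracker.example/pixel.gif" width="1px" height="1px" alt="">
<img src="https://cdn.example/logo.png" width="120" height="40">
</body></html>"""

PROXY_BLOCKLIST = {"blocked-site.example"}  # constructed local policy

if __name__ == "__main__":
    block, why = should_block_remote_content(SAMPLE_HTML, PROXY_BLOCKLIST)
    print("suppress remote content:", block)
    for line in why:
        print("  -", line)
```

A reader that applies this decision before rendering never issues the requests, so the proxy log stays clean; the cid: chart and the ordinary logo are left untouched by the check.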