Subject: Risks Digest 21.36

RISKS-LIST: Risks-Forum Digest  Wednesday 25 April 2001  Volume 21 : Issue 36

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Computer system crash stalls D.C. Metro (PGN)
UPS Shutdown (Kent Borg)
Trial by CCTV (M Taylor)
Risks of fabricating funny data (Bill Hopkins)
Foreign Flimflam (Keith A Rhodes)
Wireless Spam (NewsScan)
Slack goes when California DMV gains access to SSA database (Elizabeth Weise)
U.S. Government cyberdefense lacking (Dave Stringer-Calvert)
Errors in AFFX GeneChip Database (Gregory Soo)
35,000-pound hacking challenge cracked (Jay Anantharaman)
Microsoft's wonderful solution for Outlook security (Dave Stringer-Calvert)
Re: Amtrak 'Sharing' Information With D.E.A. (John Noble)
Re: Aasta train crash (Dag-Erling Smorgrav)
Re: V-22: Titanium properties (Edwin M. Culver)
Bathtub Burnout (Jan Verbrueggen)
Re: Hidden highway robbery within ... contracts? (Norman Gray)
Risks of using filtering proxies (Marc Roessler)
Power safety (Marcus L. Rowland)
First Workshop on Information Security System Rating and Ranking (Jack Holleran)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 25 Apr 2001 07:52:39 -0700 (PDT)
From: "Peter G. Neumann"
Subject: Computer system crash stalls D.C. Metro

Washington D.C. Metro's $20 million central computer system crashed at 5:15 p.m. during the evening rush hour on 24 Apr 2001. The central system provides real-time graphics to the downtown control center. Similar malfunctions occurred in 1998 and 1999 (e.g., RISKS-20.60). In the 15 months following its installation, this BDM system crashed 50 times, according to the Metro.
Coincidentally, a six-car train that had broken down 8 minutes earlier was stuck in the tunnel between Friendship Heights and Bethesda, and had to be towed out. The outage caused system-wide delays, with some passengers facing platform delays up to 45 minutes. Fortunately, the automated train operation system continued working, although manual switching was required, and signals failed at three junctions (Medical Center, Rosslyn, and L'Enfant Plaza).

  http://www.washingtonpost.com/wp-dyn/articles/A60653-2001Apr24.html

------------------------------

Date: 12 Apr 2001 13:47:57 -0000
From: Kent Borg
Subject: UPS Shutdown

On the evening of 11 April 2001, a fairly large chunk of Somerville, MA, USA lost power for two-some hours. I was very smug about having a nice little UPS for my even littler basement server, and that it ran for nearly two hours before giving me its "last chance to shutdown" beeps, at which point I did a blind login and "shutdown -h now". Then I turned on the monitor power, which sent the UPS over the edge to complete shutdown. I left it that way, hard power switch on the computer still "on", and we went to dinner, me smugly thinking the server would come up with the mains power.

Nope.

The Belkin UPS I bought has a soft power switch that doesn't turn on again when power is reapplied. The battery charges, but the UPS power button must be pressed for two seconds to get power back out, making this model completely unsuited for unattended operation. I could find nothing in the instructions pointing out this "feature".

Lesson: Yet another case where having a UPS can be worse than nothing. Test your systems with someone watching.

  -kb, the Kent who is now in the market for a UPS with a simple hard power switch that will stay "on".
------------------------------

Date: Mon, 23 Apr 2001 17:06:52 -0300 (ADT)
From: M Taylor
Subject: Trial by CCTV

Source: Trial by CCTV claims innocent victim, by Kieren McCarthy, 19 Apr 2001

Allan Dunne was arrested, publicly accused of being a criminal, and lost his job because he took 20 pounds out of his own account from a cash machine. He was caught on CCTV making the transaction shortly after a thief had used the same cash machine. The footage was shown on Granada TV's Crimefile show. Allan went to the police with records from his own bank account, but was arrested and suspended from his job.

Evidence that CCTV is not perfect?

------------------------------

Date: Mon, 23 Apr 2001 16:22:59 -0400
From: "Bill Hopkins"
Subject: Risks of fabricating funny data

In 1998, techies at *The New York Times* made up amusing capsule descriptions for some old movies, with themselves as stars, while testing a new update path to the TV listing service's database. Contrary to expectations, the capsules were saved, and when one of the movies was scheduled, The Times published its bogus description. Who could have anticipated the movie would be scheduled on 1 Apr 2001? Oh, to be a fly on the wall when that went down!

  [www.nytimes.com/2001/04/03/pageoneplus/corrections.html]

  [Cap-sules rush in where mangles cheer to sched.  PGN]

------------------------------

Date: Tue, 27 Feb 2001 08:40:56 -0500
From: "Keith A Rhodes"
Subject: Foreign Flimflam

International thieves are using stolen credit card numbers to buy from U.S. vendors over the Internet. Goods received at U.S. addresses are then being rerouted overseas. One thief had over 300 stolen cards and had purchased $900,000 in merchandise. On-line credit-card fraud is currently estimated at $24 million per day. Prosecution is of course complicated by multiple jurisdictions.
  [Source: Article by Laura Lorek, Interactive Week, 25 Feb 2001; PGN-ed]

------------------------------

Date: Mon, 16 Apr 2001 08:00:34 -0700
From: "NewsScan"
Subject: Wireless Spam

The text-messaging services now included as a standard feature by many wireless companies make it simple for senders of junk mail to target a specific audience by geographic location and pass the costs of their messages on to the people being spammed. Todd Bernier, a wireless technology analyst with Morningstar, predicts: "This will become a huge problem when text messages become more popular in the states. The industry is going to have to do something to control itself. People just won't tolerate it." (AP/*USA Today*, 13 Apr 2001; NewsScan Daily, 16 April 2001)

  http://www.usatoday.com/life/cyber/tech/2001-04-13-wireless-spam.htm

------------------------------

Date: Tue, 24 Apr 2001 16:25:02 -0400
From: eweise
Subject: Slack goes when California DMV gains access to SSA database

Apparently the California DMV gained access to the computerized database of the Social Security Administration at the beginning of the year. Sometime in February or March the DMV began bouncing back all requests to renew drivers licenses in which the name given did not exactly match the name in the SSA computers.

I learned of this the day my license expired when I attempted to renew it and was told that because my Social Security number was issued under the name Beth back in the 1960s, according to the DMV I was attempting to defraud the government "and possibly engaged in identity theft" by attempting to get a drivers license under the name Elizabeth Weise -- despite the fact that the State of California has accorded me a drivers license under that name for eight years now.
A call to the Social Security Administration confirmed that since the DMV was given the ability to hook directly into the SSA's computers, they've been flooded with Robert-Bob's, Richard-Dick's and Alex-Alexander's who are all being told they can't renew their licenses until they officially change their names.

For the record, the clerk at the SSA told me "We understand that Beth and Elizabeth are the same person and it doesn't bother us, but the DMV won't let it by any more."

To fix this one must personally go to an SSA office and have them change their official record. The identification they require? A California drivers license.

Elizabeth Weise, Technology Reporter, USA Today Life Section
2912 Diamond St. #407, San Francisco CA 94131  415/452-8741  eweise@usatoday.com

------------------------------

Date: Thu, 05 Apr 2001 20:03:19 -0700
From: Dave Stringer-Calvert
Subject: U.S. Government cyberdefense lacking

U.S. General Accounting Office reviews of 24 agencies (including Treasury, the IRS, and Social Security) reveal that security gaps place ``a broad range of critical operations and assets at risk from fraud, misuse, and disruption.'' During the year 2000, 155 federal computer systems (some with sensitive information) were taken over by unauthorized users who gained full administrative privileges. The military recorded 715 serious attacks in that period.

  [Source: Study of government computers faults security, by Poornima Gupta, Reuters, 5 Apr 2001; PGN-ed
  http://www.siliconvalley.com/docs/news/reuters_wire/1053144l.htm]

------------------------------

Date: Wed, 7 Mar 2001 20:03:15 -0500
From: "Gregory Soo hotmail"
Subject: Errors in AFFX GeneChip Database

Affymetrix Inc. http://www.affymetrix.com/ has discovered errors in some of its gene chips, involving the UniGene U74 database used to design its Murine Gene U74 set of GeneChip arrays. The arrays are used to analyze mice tissues and cells.
  [Source: Affymetrix Discovers Errors in GeneChip Database; Glacier
  RISKS of database errors propagated into nucleotide-array analysis...
  7 Mar 2001
  http://dowjones.work.com/index.asp and http://quote.yahoo.com/  PGN-ed]

------------------------------

Date: Mon, 23 Apr 2001 17:41:15 -0700
From: Jay Anantharaman
Subject: 35,000-pound hacking challenge cracked (From Dave Farber's IP)

A team of computer hackers has gained 35,000 pounds for hacking into a computer system just twenty-four hours after the competition began. Argus Systems organised the competition -- to break into a Web server locked down using its security product called PitBull -- to promote its products and to coincide with the start of Infosec, the UK's premier computer security event. Undeniably, the stunt backfired and is an embarrassment for Argus Systems Group, as well as for security consultant firm Integralis and hardware vendor Fujitsu Siemens, which helped organise the stunt and have coordinated three similar competitions in the US and Germany without suffering setbacks.

  [http://uk.news.yahoo.com/010423/152/bmqfd.html
  From Dave Farber's IP. For Dave's archives, see http://www.interesting-people.org/  PGN]

------------------------------

Date: Fri, 06 Apr 2001 11:01:51 -0700
From: Dave Stringer-Calvert
Subject: Microsoft's wonderful solution for Outlook security

Microsoft is apparently defending against e-mail viruses (such as Melissa and I Love You) by restricting the types of file attachments that can be opened or downloaded by the newest version of its Outlook 2002, which will reject over 30 types of attachments -- including program execution files, batch files, Windows help files, Java and Visual Basic scripting files, photo CD images, screensavers and HTML application files.

  [Source: Microsoft's virus antidote: Ban attachments, Is Microsoft making the cure worse than the sickness?
  by Joe Wilcox, CNET News.com; PGN-ed
  http://dailynews.yahoo.com/h/cn/20010406/tc/
  microsoft_s_virus_antidote_ban_attachments_1.html (URL split)]

  [We are getting close to the old days of IBM mainframes (which also had weak -- if nonexistent -- operating system protection), where, in the absence of RACF or similar security applique, the best advice was not to allow any users, compilers, and especially system programmers on the system -- just canned pre-vetted turnkey application programs.  PGN]

------------------------------

Date: Sun, 15 Apr 2001 18:57:38 -0400
From: John Noble
Subject: Re: Amtrak 'Sharing' Information With D.E.A. (From Dave Farber's IP)

> Something to think about next time you decide to ride the rails: Amtrak
> has acknowledged that one of its ticketing offices has been "sharing
> information" about passengers with the Drug Enforcement Administration,
> and then taking a 10 percent cut of any assets seized from drug couriers.

It gets better ...

"We provide a limited amount of information about our passengers to the D.E.A. and other agencies as a part of their law enforcement activities," said Debbie Hare, an Amtrak spokeswoman. "I can't tell you how long it has been going on, but this program exists all across the country."

So it's not "one of its ticketing offices," but "all across the country."

"A computer link from Amtrak's ticketing terminal in Albuquerque to the local D.E.A. office allows agents to peruse passengers' names and itineraries and to see whether they paid in cash or credit. The information determines which passengers will be questioned or have their luggage searched by drug-sniffing dogs."

Names, itineraries, cash/credit. This is profiling. They don't give you a pass when you use a credit card, because then you could beat the surveillance by using a credit card. They can't investigate everybody who pays cash because they don't have the manpower. All they get is a vague indication of wealth and possible preference for anonymity.
So they go to names and itineraries -- national origin, race, gender, religion, urban/rural. Now we're cookin'. Maybe they toss in the ticket agent's flag based on his "gut feeling." I wonder if he gets a bonus when he's right.

John Noble

  [From Dave Farber's IP. For Dave's archives, see http://www.interesting-people.org/
  Incidentally, apparently Amtrak has just backed off. 25 Apr 2001.  PGN]

------------------------------

Date: 24 Apr 2001 22:42:43 +0200
From: Dag-Erling Smorgrav
Subject: Re: Aasta train crash (Kline, RISKS-21.35)

Merlyn Kline is assuming that the handsets in question are digital GSM handsets. As far as I know, they're not - they use an older analog system called NMT, which has better audio quality and longer range than GSM, and better coverage in out-of-the-way parts of Norway.

As to battery life, this is hardly a problem on a train, which has plenty of power to spare; and even the most power-hungry GSM handsets have sufficient battery capacity to last a six- or seven-hour shift (the handsets apparently follow the crew).

In any case, this point is moot -- better communications probably wouldn't have made much of a difference in this particular accident; there simply wasn't enough time.

BTW, a few days before my previous article went out on RISKS, the Norwegian Railway Authority (in charge of tracks, stations and other infrastructure) was fined NOK 10M (approx. USD 1.1M) for non-adherence to safety regulations. More than a year after the accident, very little has been done to raise the standard of the line where it occurred. The railway authority are whining that the impact of the fine on their budget will delay security work; then again, they've never shown any willingness to assume responsibility for their own actions in the past, so why start now?

Dag-Erling Smørgrav - des@thinksec.com

------------------------------

Date: Sun, 08 Apr 2001 23:07:17 -0400
From: "Edwin M. Culver"
Subject: Re: V-22: Titanium properties (Ladkin, RISKS-21.33)

Peter B. Ladkin wrote "...titanium, whilst light and strong, is also quite brittle..."

Before becoming a full time programmer in the early 90's, I was a structural test engineer at a helicopter maker (the one not involved in the Osprey ;-) ). First, some engineer speak: "brittle" refers to materials which don't exhibit permanent deformation, or set. Glass is an example of a material which is usually brittle. Titanium-based alloys are light and strong...and not brittle. Or at least not more brittle than the comparable steel or aluminum based aerospace alloys. Most titanium based alloys have better fatigue properties than most steels or aluminum alloys.

Titanium has some shortcomings: it can be quite difficult to work (it's flammable), and threads in titanium gall (kind of stick to themselves), but the aerospace industry is quite used to dealing with these.

I'll peruse the GAO articles when I get a chance, but don't really expect any surprises. While tiltrotor technology is not very new (the original tilt rotor aircraft was built in the 1950's), the V-22 is the first attempt at a production aircraft. It has many problems of both fixed wing aircraft and helicopters and a few that would be unique.

E. M. Culver

------------------------------

Date: Thu, 12 Apr 2001 13:51:49 +0200
From: "Dr. Jan C. Vorbrüggen"
Subject: Bathtub Burnout (Re: Nordal, RISKS-21.33; Mercuri, RISKS-21.34)

I actually find both conclusions misleading. The original one was:

> The risk of putting non-reliable legacy equipment in the same room
> as your $30,000 servers with hundreds of concurrent users is obvious.

The risk of using systems - hardware and software - that result in unexpected outages leading to the irretrievable loss of data really is the issue here. If the server "went away", why did the users lose their work? It's not that the server's disk actually burnt!
- and properly designed systems survive even that (cf. Credit Lyonnais), at a cost, of course. So what _really_ happened? I can still envisage a scenario where shutting down the server incidentally led to data loss, but from the description provided, I would say the reaction to smoke in the room was quite proper.

Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen GERMANY
Research & Development  +49 201 437 5252  http://www.mediasec.com

------------------------------

Date: Tue, 17 Apr 2001 13:13:07 +0100 (BST)
From: Norman Gray
Subject: Re: Hidden highway robbery within ... contracts? (RISKS-21.32)

I was rather alarmed to notice that the Yahoo! terms of service[1] (which I would _never_ have looked at without the prompt of this RISKS posting) have an apparently similar licence. However, it refers only to `publicly accessible areas of the Service', which they explicitly say excludes `Yahoo services intended for private communication such as Yahoo! Mail' and several other things.

Though I presume that the point of these `licences' is merely to allow Yahoo to continue to deliver archived postings in future, the licence does go much further than that. The Microsoft version, however, goes further even than the Yahoo one, and doesn't even obviously fail to cover a mail message I might send _to_ a hotmail user.

The RISK, I'm sure, is that you could unwittingly hazard your or your institution's IPR, and be forced to spend time with the local lawyers.

[1] http://docs.yahoo.com/info/terms/ (section 8)

Norman Gray  http://www.astro.gla.ac.uk/users/norman/
Physics and Astronomy, University of Glasgow, UK  norman@astro.gla.ac.uk

------------------------------

Date: Wed, 4 Apr 2001 17:45:49 +0200
From: Marc Roessler
Subject: Risks of using filtering proxies

In RISKS-18.65 James Cameron wrote about the RISKS of using proxy-servers, as they 'may change your view of the Internet'.
Some days ago I experienced something similar: filtering proxies changing the view of the Internet.

One week ago I published a paper "Search Engines and Privacy" (http://www.franken.de/users/tentacle/papers/search-privacy.txt). It is a plain text ASCII file with some HTML tags included as examples. Some days later a friend of mine complained that something was wrong with the paper; he told me I had mentioned redirects where the quoted examples did not show any redirects at all. An HTML example which should have read was served to him as a link pointing to http://www.test.com.

After some testing it became obvious that this was due to his filtering proxy, WebWasher Version 3.0 for Windows. One of the features of this proxy is changing redirected links (which e.g. AltaVista uses) to direct links. In this case this made the quote invalid, of course. This is expected behavior for an HTML file, but this is a plaintext file.

It was found that the link rewriting goes along with WebWasher changing the content type from "text/plain" to "text/html". This causes an additional effect: the browser interprets the HTML tags contained within the textfile instead of displaying them. So far it seems that the content type is changed if the first line of the served document is shorter than three characters (my paper started with two empty lines). In this case the first line gets dropped. Both tested Windows versions (2.21 and 3.0) show this problem. The code maintainers were notified. Credits go to Jens Krabbenhoeft.

The RISKS: While filtering proxies generally are of great benefit to privacy concerned users they may (caused by bugs) do more than you expect them to do. In this case: content rewriting regardless of host or content type and changing the content type of seemingly harmless textfiles to HTML (which makes browsers interpret them). Besides, this is a nice example for obscure bugs not showing up during regular testing.
"We never experienced any bugs" does not mean that there are none.

------------------------------

Date: Mon, 23 Apr 2001 21:42:52 +0100
From: "Marcus L. Rowland"
Subject: Power safety

I work in a suite of school science labs, most of which were built with special "safe" mains electricity power supplies. This basically consists of a transformer unit which (a) cuts the power if a safety button is pressed, (b) splits the normal British 220-230v down to 110-115v either side of true neutral, and (c) trips if there is earth leakage of more than 5 milliamps, well below the minimum believed dangerous. Each transformer unit is a bulky box, costs about 500 UK pounds, and has to be sited in a special locked cupboard in a corridor for safety reasons.

The snag here is that _all_ of the sockets in these labs are on these units, which has had several undesirable results:

About half of our older portable power packs and several other appliances proved to have pilot lights working on the (supposed) low voltage from neutral to earth. Mostly they tripped the breakers as soon as they were plugged in - in one case the earth connection was faulty, so the casing was suddenly live at about 100 volts. Mostly this was obvious from day one, so it was a short-lived problem. Which cost about 500 pounds to put right...

At least twice electricians working in the labs have wasted unnecessary hours on the assumption that if the "neutral" line is really 110v there is something wrong with the system.

Every couple of weeks one or another of the breakers trips (usually because someone has plugged something in with a dirty plug - grease on the plug body can conduct enough power to trip the breakers). No immediate problem if no other equipment is in use; unfortunately all of the labs now have computers, network hubs, printers etc., there are also two incubators and a freezer which are supposed to be on all the time.
The last time this happened was in the Easter holiday, in the lab with the freezer; it contained frozen zoological specimens, and the result after several days was unpleasant, to say the least.

Whenever the power goes back on after one of these interruptions all of the computers reboot or come on if they were off. The extraction pressure safety alarms in the fume cupboards also trip, and have to be turned off manually. On several occasions equipment that was on when the power tripped has been left plugged in and switched on, and forgotten since it looked like it was off; in one case this meant that an electric heating mantle was left under a flask of oil, with nobody monitoring its temperature, for several hours after power was restored.

The cupboards containing the transformer units have ventilation slots. Whenever I have to reset one I usually find that someone has dropped some waste paper through the slots, a fire risk.

A couple of years ago we rebuilt two labs and were able to replace two of these units with normal earth leakage and circuit breakers; there has since been no trouble, nobody has been electrocuted, and we have never had any loss of power in those labs. I'm now trying to get the rest replaced. Every electrician I've talked to has told me that the degree of "safety" offered by these units is way beyond anything that would normally be considered necessary.

The risks should be reasonably obvious; over-specified and over-sensitive safety equipment can sometimes cause hazards of its own.

Marcus L. Rowland

------------------------------

Date: Tue, 27 Mar 2001 11:43:32 -0500
From: Jack Holleran
Subject: First Workshop on Information Security System Rating and Ranking

                        Call for Participation
   FIRST WORKSHOP ON INFORMATION SECURITY SYSTEM RATING AND RANKING
         (commonly but improperly known as "Security Metrics")
              Williamsburg, Virginia, 21-23 May 2001
  Sponsored by: Applied Computer Security Associates (ACSA) and The MITRE Corporation

After more than 20 years of effort in "security metrics," the evolution of product evaluation criteria identification, Information Assurance (IA) quantification, and risk assessment/analysis methodology development has led to the widespread need for a single number or digraph rating of the "security goodness" of a component or system. Computer science has steadily frustrated this need--it has neither provided generally accepted, reliable measures for rating IT security nor has it applied any measures for security assurance.

The goals of this workshop are to recap the current thinking on "IA metrics" activities and to formulate a path for future work on IA rating/ranking systems. Topics will include identifying workable successes or capturing lessons learned from our failures, clarifying what is measurable, and addressing the impact of related technology insertion. The expected workshop result is the determination of "good" indicators of the IA posture of a system. The workshop will serve as a forum for group discussion, with topics determined by the participants.

Submission of a 4-to-5-page position paper is required for workshop attendance. Deadline for submission of papers EXTENDED TO 4 MAY 2001.

For further information, please see: www.acsac.org/measurement

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information]
 .MIL users should contact (Dennis Rears).
 .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.
 *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com
 login anonymous
 [YourNetAddress]
 cd risks
 [volume-summary issues are in risks-*.00]
 [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/
 http://www.planetmirror.com/pub/risks/
 ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.36
************************