precedence: bulk Subject: Risks Digest 22.05 RISKS-LIST: Risks-Forum Digest Sunday 5 May 2002 Volume 22 : Issue 05 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: "Don't Touch That Dial--Or You're Under Arrest!" (Lauren Weinstein) Re: "Don't Touch That Dial--Or You're Under Arrest!" (Dan Gillmor) Vivendi suspects electronic vote fraud (NewsScan) Lost password' delays Mali vote count (PGN) Online voting in UK (Toby Gottfried) How to rig an election (*The Economist* via Mohammad Al-Ubaydli) Seattle City light billing disputes (Jason Axley) Risks of differing Unices (Theo Markettos) CIA warns of Chinese plans for cyber-attacks on U.S. (Mike Hogsett) Smart inventory control overshoot (Paul Breed) California DMV online data base (Bruce Stein) A new risk to computers worldwide: W32/KLEZ.H" in MS Outlook (John Schwartz via John F. McMullen) How not to warn about viruses (Rob Slade) IE 6 Privacy features open users to attack (Monty Solomon) Midwest Express Web site security (Midwest Express) Robot cameras 'will predict crimes before they happen' (Merlyn Kline) Re: Online banking system failure in a big way (Ishikawa) Re: Nanny-Cam may leave a home exposed (Marc Roessler) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 05 May 2002 14:51:01 -0700 From: Lauren Weinstein Subject: "Don't Touch That Dial--Or You're Under Arrest!" Greetings. According to some in the entertainment industry, consumers risk becoming outlaws if they skip the commercials during television programs! The latest Fact Squad Radio short audio segment concerns the escalating technology and political battle between the entertainment industry and their consumers, and is entitled: "Don't Touch That Dial--Or You're Under Arrest!" It's playable via: http://www.factsquad.org/radio Lauren Weinstein +1 (818) 225-2800 lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org Co-Founder, PFIR, People For Internet Responsibility: http://www.pfir.org; Fact Squad: http://www.factsquad.org; URIICA - Union for Representative International Internet Cooperation and Analysis - http://www.uriica.org Moderator, PRIVACY Forum - http://www.vortex.com ------------------------------ From: Dan Gillmor Date: Sun, 05 May 2002 14:16:49 Subject: Re: "Don't Touch That Dial--Or You're Under Arrest!" [From Dave Farber's IP, written in response to Dave's posting a notice from Lauren Weinstein similar to the above. PGN] Dave, today's column [by Dan] is on point: http://www.siliconvalley.com/mld/siliconvalley/business/columnists/3200101.htm Dear Reader: If you are reading this column in the newspaper, but did not read every article and look at every advertisement in previous sections, stop now. You must go back and look at all of that material before continuing with this column. If you are reading this column on the Web and did not go to the newspaper's home page first, stop now. Go to the home page and navigate through whatever sequence of links our page designers have created to reach this page, and don't you dare fail to look at the ads. Ridiculous? Of course. Tell that to the dinosaurs at some major media and entertainment companies. They insist they have the right to tell you precisely how you may use their products. [For IP archives see: http://www.interesting-people.org/archives/interesting-people/ ] ------------------------------ Date: Mon, 29 Apr 2002 09:13:08 -0700 From: "NewsScan" Subject: Vivendi suspects electronic vote fraud Vivendi Universal, the Paris-based media giant, is calling for a criminal investigation of suspected fraud by unnamed computer hackers during a shareholders vote by Internet last week. Vivendi thinks the vote tampering "could have been carried out by a small team armed with a transmitter- receiver and detailed knowledge of the procedures and technical protocols of electronic voting." (AP/*The Washington Post*, 29 Apr 2002; NewsScan Daily, 29 Apr 2002) http://www.washingtonpost.com/wp-dyn/articles/A64981-2002Apr29.html ------------------------------ Date: Tue, 30 Apr 2002 8:42:06 PDT From: "Peter G. Neumann" Subject: Lost password' delays Mali vote count The announcement of the results of Mali's presidential election on 28 Apr 2002 has been suspended after a computer technician had a car accident, election officials have said. He is the only person with the password to access the election centre's computers. The technician was reportedly recovering in the hospital. [BBC, PGN-ed] http://news.bbc.co.uk/hi/english/world/africa/newsid_1959000/1959327.stm [... except that nobody wanted to admit how easy it might have been to break in without knowing the password, which would have blown the cover of the folks who had already rigged the election? PGN] [This item was noted by several readers. TNX] ------------------------------ Date: Thu, 2 May 2002 15:51:53 -0700 From: "Toby Gottfried" Subject: Online voting in UK Apparently the British are making moves toward voting in a "high tech" way. And there are the worriers ... http://www.bbc.co.uk/webwise/column/col128.shtml http://www.bbc.co.uk/webwise/column/col139.shtml "... But if there are unexpected results from next week's local elections in the UK it is entirely possible that they will be blamed on hackers, programming errors or network failures. The reason is that the May 2002 local elections are being used to test a selection of alternative voting methods. Most of these are 'e-voting' systems which use computers and networks, including the Internet. So if something unexpected happens there will be a temptation to blame it on the computers rather than take it as an reflection of a change in local opinion. ..." Followup: Quoting from the start and end of http://society.guardian.co.uk/modlocalgov/story/0,7999,645401,00.html which has links to more articles, Residents of Sheffield and Liverpool will be able to vote over the Internet and by mobile phone text message in the May local government elections as part of a nationwide wave of 30 innovative electoral pilots announced today. [ Feb 5 2002 ] The pilots will provide a crucial first test of Internet voting, and could be a step towards an online general election. ..... His announcement came as the independent Electoral Reform Society (ERS) warned that the government should not rush into online voting. Ministers need to ensure the technology used is thoroughly tested and that tough safeguards are in place to prevent fraud. ------------------------------ Date: Tue, 30 Apr 2002 15:00:27 -0400 From: "Dr Mohammad Al-Ubaydli" Subject: How to rig an election (*The Economist*) [An article from *The Economist* print edition, 25 Apr 2002, considers a situation which readily generalizes to a state with N Congressional districts in which one redistricting gives results of N to 0 representatives one way, and another redistricting gives results of 1 to N-1 the other way. Starkly PGN-ed from Dave Farber's IP http://www.interesting-people.org/archives/interesting-people/ http://www.economist.com/world/na/displayStory.cfm?story_id=1099030] ------------------------------ Date: Tue, 23 Apr 2002 11:33:02 -0700 From: Jason Axley Subject: Seattle City light billing disputes Still no light has been shed on what is causing the massive overcharging of many Seattle City Light customers -- some as much as 10 times above normal. Some quotes: Seattle City Light, beleaguered by scores of customer complaints about inflated bills, now plans to do things "the Nordstrom way," meaning it will resolve billing disputes quickly and in the customer's favor when there's a question, Mayor Greg Nickels vowed yesterday. The city made some headway in trying to turn around what has become a public-relations disaster. But after promising Friday to come up with a definitive explanation on the inflated bills for the mayor by Monday, it came up a bit short. The hearing examiner "indicated that all my bills were from direct meter reads, so the bill in question was not a makeup bill," O'Leary said. "He also said the bill on its face was wrong. His conclusion was, however, that the meter never lies, and I must prove I did not use the power. How does one prove a negative?" Zarker emphasized that the billing problem does not lie with the city's new $40 million computer. "It works," he declared. [Source: *Seattle Times*, "Nickels says City Light billing disputes will be resolved quickly, in customer's favor", 16 Apr 2002] http://archives.seattletimes.nwsource.com/cgi-bin/texis.cgi/web/vortex/display?slug=citylight16m0&date=20020416 ------------------------------ Date: Tue, 30 Apr 2002 22:05:33 +0100 (BST) From: Theo Markettos Subject: Risks of differing Unices Both Linux and HPUX provide a 'killall' command. Under Linux 'killall ' is used to kill all processes with the given name -- for example, as root one might kill all instantiations of httpd. Under HPUX, killall kills _every_ process, except those required for shutdown. It takes an optional signal argument, but ignores this if it doesn't recognise it as a valid signal name. Hence 'killall httpd' kills everything except a handful of processes required for shutdown. If not running as root, it kills all processes owned by the current user. The RISK? Don't assume something that is safe on one OS is on another, and don't assume that running a command without arguments to get help will do the right thing. ------------------------------ Date: Thu, 25 Apr 2002 14:07:50 -0700 From: Mike Hogsett Subject: CIA warns of Chinese plans for cyber-attacks on U.S. U.S. intelligence officials believe the Chinese military is working to launch wide-scale cyber-attacks on American and Taiwanese computer networks, including Internet-linked military systems considered vulnerable to sabotage, according to a classified CIA report. http://www.latimes.com/news/nationworld/world/la-042502china.story ------------------------------ Date: Mon, 29 Apr 2002 14:15:16 -0700 From: Paul Breed Subject: Smart inventory control overshoot I've been working on an old car, in the process of removing the spot welds I needed a specific sized bullet tipped drill bit. The bit would only last about 5 welds and I had hundreds to do. The only place I could find locally to buy the bits was in a pack of 15 various size bits at the local home center. So, over the period of three months, I purchased all of their drill sets, every weekend (usually 3 sets). Now I have disassembled the old car and don't need more bits. The last time I was in the home center they had so many of these drill bit sets that they were overflowing on to the floor. From my experience the computerized inventory system has a delay of about 3 months. It determined that this item sold out for 12 weeks straight, plugged this into it's inventory tracking prediction S/W and ordered hundreds and hundreds of sets...... ------------------------------ Date: Wed, 24 Apr 2002 17:17:50 -0700 From: Bruce Stein Subject: California DMV online data base From the Los Angeles Times, 24 Apr 2002 http://www.latimes.com/news/printedition/highway1/la-000028975apr24.story At the California DMV Web site at http://www.smogcheck.ca.gov , click on "Vehicle Smog Check History". Enter just a license plate number, and you will be provided with: Vehicle Identification Number (VIN) Make, Model, and Year of the vehicle The date and location of every smog test the vehicle has had. The location of the smog test is almost always the neighborhood where the car lives. In the case of Personalized License Plates, you get all of the vehicles the plate has ever been on. ------------------------------ Date: Sat, 27 Apr 2002 10:45:57 -0400 (EDT) From: "John F. McMullen" Subject: A new risk to computers worldwide: W32/KLEZ.H" in MS Outlook [Source: John Schwartz, *The New York Times*, 27 Apr 2002] A rogue computer program that is the online equivalent of a quick-change artist is infecting computers around the world via e-mail and clogging computer networks. The program, W32/KLEZ.H, is a "blended threat," combining elements of a virus, which infects machines, and a worm, which transports itself from machine to machine. It also tries to disable some antivirus programs. It makes itself hard for users to spot by changing its e-mail subject line, message and name of the attachment at random, drawing from a database that includes, for example, such subject lines as "Hello, honey," and "A very funny Web site." The program has grown increasingly common as users unknowingly activate it sometimes without even opening the e-mail attachment that carries the virus and allow it to send copies of itself to those in the victim's e-mail address file. [PGN-excerpted] ------------------------------ Date: Thu, 2 May 2002 10:28:11 -0800 From: Rob Slade Subject: How not to warn about viruses The Klez family of viruses is not new: on the publicity page that I provide at http://www.osborne.com/virus_alert/ I first warned of the family in November of 2001. However, the author (or authors) has been continually active, and some of the recent variants (particularly Klez.H) have been successful enough that the virus warnings have been flying around the net. Unfortunately, not all of the warnings have been particularly helpful. Klez os one of the new breed of polymorphic e-mail viruses. Unlike Melissa, Loveletter, Hybris, or Sircam with their identifiable subject lines, attachment filenames, implied pornography, or ungrammatical message bodies, Klez variants present with a wide variety of subjects, bodies, filenames, topics, and (most recently) senders. Recently I got my hands on what has to be one of the worst examples of a virus warning that I've ever seen: > I have been advised that ther is a very bad computer virus out. If opened > the virus will attach itself to your address book. > > If you get an e-mail from W32.klez@jena.nn > > Do not open the attachment > > Delete it right away I might note that, although I can't tell the source of this misinformation, it make several obvious errors. The attempt at a CARO virus name has a few problems: it doesn't have a variant designation (such as Klez.H), there appears to be some confusion with another extent virus (which makes mention of "Jenna"), and the "mass mailer" designation is usually .mm rather than .nn. More importantly, Klez does not have a consistent "From" indicator. Also, this particular company uses Microsoft Outlook for e-mail, and has no policy regarding the preview pane or other security related configuration. By the time anyone notices that an attachment exists, it will likely be too late. (More recent Klez variants tend to pick a real e-mail address harvested from the infected computer to generate the "From" line in generated e-mail. Therefore, those attempting to track infections will often concentrate on a machine or user that is not the source of the infection. I have heard from someone in another company who has been targeted by management as the source of the infection. This was interesting in that he was travelling at the time of the occurrence, and his computer was not connected to the Internet at all for a few days on either side of the event.) For those interested in trying to detect Klez messages, three of the more reliable, but by no means universal, indicators are that, viewed manually, the MIME file type often does not match the filename extension, the filename extension is one of the usual executable crowd (.BAT, .PIF, .SCR, .EXE, etc.), and the size of the encoded file usually ranges between 120K and 180K. (The old advice to avoid running attachments still holds true, albeit with a few provisos. Those who use Microsoft Outlook or Outlook Express may, because of the specialized construction of the message, still be at risk even if the attachment is not run deliberately run by the user. Due to this same construction, users of other mailers, such as Pegasus or Netscape Communicator, may never see the attachment at all, and therefore may be at no risk.) rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Thu, 25 Apr 2002 02:13:41 -0400 From: Monty Solomon Subject: IE 6 Privacy features open users to attack By Brian McWilliams, *Newsbytes*, 23 Apr 2002 Security flaws in privacy features added to Microsoft's Web browser could enable attackers to perform several privacy-robbing attacks, including hijacking victims' MSN Messenger accounts, a security researcher warned. According to Thor Larholm, a developer with Denmark-based Internet portal Jubii.dk, "severe" bugs in the "Privacy Report" feature in Internet Explorer version 6 can be exploited "in effect removing all privacy." Last week, Larholm posted an advisory and harmless demonstrations of the flaws at his personal Web site. One example showed how the browser bugs enable a Web site to launch programs that exist on the user's hard disk. Another demo page silently sends a message to users in the target's MSN Messenger contact list. ... http://www.newsbytes.com/news/02/176077.html ------------------------------ Date: Fri, 26 Apr 2002 21:41:18 -0700 From: Midwest Express Subject: Midwest Express Web site security [via Mark Luntzel] On the morning of Monday April 22, Midwest Express Airlines was informed that customer profile data had been published on the Internet, specifically on the U.S. Space and Naval Warfare Systems Command Web site. The data published contained a handful of user profiles including names and e-mail addresses. This screenshot of data was captured from the Midwest Express test server, not the actual Web site. This test server is used for testing new enhancements to www.midwestexpress.com. Midwest Express has always taken steps to ensure security. As a result of this situation, a number of additional precautionary measures were taken to ensure that customer data was protected: * The U.S. Space and Naval Warfare Web site immediately removed the defaced Web page from the Internet. * A security company was contracted to eliminate any vulnerability to our test server. * All customer passwords to Web profiles were changed to protect and restrict access to the customer data. Since all passwords have been changed, the next time you visit midwestexpress.com and login to your profile, you will be prompted to change your own password upon successfully answering a challenge/response question that you created. While Midwest Express is confident in the security of its Web site, we are always assessing our Web site for potential vulnerabilities and taking appropriate steps when needed. We assure you that your customer information, purchases and other transactions are secure. Tom Vick, Senior Vice President and Chief Marketing Officer ------------------------------ Date: Mon, 22 Apr 2002 13:36:51 +0100 From: "Merlyn Kline" Subject: Robot cameras 'will predict crimes before they happen' According to the UK broadsheet *The Independent*, Dr Sergio Velastin, of Kingston University's Digital Imaging Research Centre, has developed software to analyse CCTV images for the purpose of predicting crime: http://news.independent.co.uk/uk/crime/story.jsp?story=287307 Quote from the article: Scientists at Kingston University in London have developed software able to anticipate if someone is about to mug an old lady or plant a bomb at an airport. It works by examining images coming in from close circuit television cameras (CCTV) and comparing them to behaviour patterns that have already programmed into its memory. The software, called Cromatica, can then mathematically work out what is likely to happen next. And if it is likely to be a crime it can send a warning signal to a security guard or police officer. ------------------------------ Date: Sun, 21 Apr 2002 09:16:09 +0900 From: Ishikawa Subject: Re: Online banking system failure in a big way (RISKS-22.03) Here are a few interesting points to follow up the original story of online banking system failure of Japan's Mizuho bank. It has been revealed that the Tokyo Electric utility which services the heavily populated Tokyo and its surrounding areas had asked the (soon-to-be) Mizuho bank for a dry-run of the utility bills payment before the merger back in February. The utility company was worried about the large scale change and requested that about 100,000 sample bills be run through the new integrated system to see if such bills are handled correctly. However, the bank turned down the request saying that their internal testing would be enough. Obviously it was not! The utility company requested the testing albeit the first refusal, but then again the request was turned down. One of the reasons for the overload at the bank was mentioned as the failure of many transactions due to incorrect input data. It seems that the new integrated banking system required the conversion of old branch numbers of three banks into the newly assigned branch numbers. Some branch numbers were common among the three banks and they needed to be reassigned a new number once Mizuho bank went into operation. Apparently, some companies requesting the automatic billing failed to update the branch numbers in their transaction input (on MT!) and such transactions were deemed errors and manual intervention to inspect and rectify the aborted transactions were necessary. Some of the double billings, etc. were attributed to the incorrect handling of magnetic tapes. Some tapes were obviously run through the system twice under the confused circumstances. I think by failing to perform the 100,000 bills test run, the bank missed a great opportunity to test the integrated computer system and make sure the the manual steps to intervene in case of failure is well organized and known to operation staff members. There ARE now visible damages. The utility companies (gas, electricity) and telephone companies can't figure out whether their bills were paid by the subscribers. The amount of money mentioned amounts to 25,000,000,000 yen. (That's approximately US$191 million at 1 dollar = 130.5 yen.) Mizuho bank is negotiating with telephone companies and others to pay an agreed-upon ball-park sum of money, but since individual transactions can't be confirmed, the utility company can't figure out, say, if I paid the bill, so to speak. It seems that the utility companies decided to send out BLANK invoice notices without filling in the status of the payment that were due in April!) The utility companies are considering to ask the bank to pay for the additional cost to send complete receipts to their customers. Small companies are hit hard when their payments didn't make it on time due to the banking failure. The small business associations all over Japan seemed to be flooded with complaints of their reputation being on the line due to the delay caused by the bank, not by their own failure. I just heard a case of gas station owner whose salary payment to part time workers at the station failed to materialize in the worker's account on TV news. This is getting serious. In Japan, many companies have 25th as the monthly salary payment day, and since the long holiday weekend called Golden Week starts in April 27, the banking system will be busier. It is expected that many people begin withdrawing cash to use during the holidays and so the workload on the banking system is expected to soar due to the monthly salary payment, and the people taking out money from ATMs. Since I am a customer of Mizuho, I have reason to concern... With the revelation of the refusal to perform a dry run with the electric utility company to test the real world workload and a top management saying earlier at the parliament hearing about "No real harm was done to the customers", the Mizuho bank's reputation is all time low. The Mizuho bank seems to think that their system can withstand the workload toward the end of the month, but who knows. LATER-ADDED NOTE: The bank has decided to stop ATMs all over Japan May 3rd and 4th, which are part of the holiday season. They had planned to operate ATMs during the holidays, but they deemed it necessary to stop the ATMs and check the banking system offline throughly. ------------------------------ Date: Tue, 23 Apr 2002 10:56:29 +0200 From: Marc Roessler Subject: Re: Nanny-Cam may leave a home exposed (RISKS-22.04) This is nothing new. Such cameras are even installed in some public restaurants and shops. Note that this basically voids all claims of the shop owners concerning privacy and data protection -- ANYONE can receive that data. And, as more and more cameras are installed, the risk of malicious "camera takeovers" rises significantly. Think about webcams, cams integrated into notebooks/cellular phones, car dashboards (detect the driver falling asleep).. Those are easily tapped (or subverted, such as by installing trojan software/ firmware).. this has some enormous potential. The case of the Nanny-Cams shows the deviousness of this kind of attack: as the devices are not suspected to be used to spy on their owner ("I own that device; that makes it trusted"), they function more or less as hidden cameras. For more "camera takeover" scenarios take a look at my paper "How to find hidden cameras" [1]. [1] http://www.franken.de/users/tentacle/papers/hiddencams.pdf ------------------------------ Date: 29 Mar 2002 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 21" for volume 21] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.05 ************************