[risks] Risks Digest 21.67

From: RISKS List Owner (riskoat_private)
Date: Mon Oct 01 2001 - 16:30:42 PDT


    RISKS-LIST: Risks-Forum Digest  Monday 1 October 2001  Volume 21 : Issue 67
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.67.html>
    and by anonymous ftp at ftp.sri.com, cd risks .

    Aftermath of 11 September 2001 (PGN)
    GAO reports on terrorism (Monty Solomon)
    Warding off cyberterrorist attacks (NewsScan)
    Hackers face life imprisonment under 'Anti-Terrorism' Act (Monty Solomon)
    Gartner "Nimda Worm shows you can't always patch fast enough" 
      (Alistair McDonald)
    Hacker re-writes Yahoo! news stories (Gary Stock)
    YAHA: Yet Another Hotmail Attack (Alistair McDonald)
    Hackers and others win big in Net casino attacks (Ken Nitz)
    Creator of Kournikova virus gets 150 hours of community service (Abigail)
    "Good Samaritan" hacker pleads guilty to breaking and entering 
      (Declan McCullagh)
    U.S. court shuts down deceptive Web sites (Jim Griffith)
    Report on vulnerabilities of GPS (Joseph Bergin)
    All public hospitals in Gothenburg Sweden Crippled by nimda (Peter Håkanson)
    Y2K flaw blamed for Down's Syndrome test errors (Les Weston)
    Re: Oxygen tank kills MRI exam subject (PGN)
    E-voting in Australia (Tony Jones)
    Australians voice anger over online spying (Monty Solomon)
    World Trade Center in RISKS (Jay R. Ashworth)
    We only reveal a few digits of your account number, don't worry (Dan Jacobson)
    X-ray machine risk (Asa Bour)
    Increasing RISKS of UPPER CASE (Stuart Prescott)
    2002 USENIX Annual Technical Conference - Call for papers (Ann Tsai)
    Abridged info on RISKS (comp.risks)

    Date: Mon, 1 Oct 2001 11:06:12 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Aftermath of 11 September 2001
    The Risks Forum has long advocated the importance of increased awareness of
    risks and avoidance of critical systems with too many inherent weak links.
    On 11 Sep 2001, the Internet stood up well and was a very important source
    of information; land-based and cellular telephone systems experienced major
    outages in lower Manhattan.  A few companies such as Cantor-Fitzgerald and
    eSpeed suffered huge personnel losses, but were nevertheless able to resume
    operations quickly -- through various combinations of advanced planning and
    rapid recovery strategies.  There are many lessons that are worth recording
    here, so I would like to invite some of you to contribute short but pithy
    items on what was achieved, what was learned, and what insights you might
    have gained.  [Thanks to Scott Rainey for encouraging me to do this.]
    Date: Thu, 20 Sep 2001 17:28:02 -0400
    From: "monty solomon" <montyat_private>
    Subject: GAO reports on terrorism
    Combating Terrorism: Selected Challenges and Related
    Recommendations. GAO-01-822, September 20.
    Aviation Security: Terrorist Acts Demand Urgent Need to Improve Security at
    the Nation's Airports, by Gerald L. Dillingham, director, physical
    infrastructure issues, before the Senate Committee on Commerce, Science, and
    Transportation. GAO-01-1162T, September 20.
    Aviation Security: Terrorist Acts Illustrate Severe Weaknesses in Aviation
    Security, by Gerald L. Dillingham, director, physical infrastructure, before
    a joint hearing of the Senate and House Appropriations Subcommittees on
    Transportation and Related Agencies. GAO-01-1166T, September 20.
    Date: Mon, 01 Oct 2001 08:19:36 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Warding off cyberterrorist attacks
    Internet experts believe that the threat of cyber-attacks is increasing,
    though not necessarily from Osama bin Laden's AlQaida network, which seems
    focused on destroying physical targets and killing civilians. Georgetown
    University computer science professor Dorothy Denning says, "It's my
    understanding that they're not teaching this in the terrorist-training
    camps," but rather that the danger comes from "these thousands of affiliates
    or sympathizers." Stephen Northcutt, who runs an information warfare
    simulation for the SANS Institute, warns that terrorists could "potentially
    paralyze commerce" and might be able to "accomplish a cascading failure of
    the electronic grid." (*San Jose Mercury News*, 1 Oct 2001; NewsScan Daily,
    1 October 2001; http://www.siliconvalley.com/docs/news/depth/cyber100101.htm)
      [Also, there is clearly renewed interest in off-site backup data storage.]
    Date: Tue, 25 Sep 2001 16:32:58 -0400
    From: Monty Solomon <montyat_private>
    Subject: Hackers face life imprisonment under 'Anti-Terrorism' Act
    Hackers face life imprisonment under 'Anti-Terrorism' Act; Justice
    Department proposal classifies most computer crimes as acts of terrorism
    By Kevin Poulsen, 23 Sep 2001
    Hackers, virus-writers and web site defacers would face life imprisonment
    without the possibility of parole under legislation proposed by the Bush
    Administration that would classify most computer crimes [and maybe noncrimes
    (PGN)?] as acts of terrorism.  The Justice Department is urging Congress to
    quickly approve its Anti-Terrorism Act (ATA), a twenty-five page proposal
    that would expand the government's legal powers to conduct electronic
    surveillance, access business records, and detain suspected terrorists.
    [See http://www.securityfocus.com/news/257 for the full item.  PGN]
    Date: Fri, 21 Sep 2001 13:07:00 +0100
    From: Alistair McDonald <alistairat_private>
    Subject: Gartner "Nimda Worm shows you can't always patch fast enough"
    Gartner is recommending that IIS users who have been hit by the recent MS
    exploits should "immediately" consider moving to alternatives such as Apache
    or iPlanet.  http://www4.gartner.com/DisplayDocument?doc_cd=101034
    But when will those in control take note?  I'm sure that a lot of NT/2000
    sysadmins (and especially Webmasters) are aware of the limitations of their
    platform, but corporate strategy means that they are a "Microsoft shop".
    Alistair McDonald 	Bacchus Consultancy 	www.bacchusconsultancy.com
    Date: Mon, 24 Sep 2001 09:50:34 -0400
    From: Gary Stock <gstockat_private>
    Subject: Hacker re-writes Yahoo! news stories
      Will Knight, New Scientist, 20 Sep 01
    A computer security expert has revealed how he altered news articles posted
    to Yahoo!'s web site without permission. The incident highlights the danger
    of hackers posting misleading information to respected news outlets.
    Freelance security consultant Adrian Lamo demonstrated that, armed only with
    an ordinary Internet browser, he could access the content management system
    used by Yahoo!'s staff to upload daily news.  He added the false quotes
    to stories to prove the hole was real to computer specialist site Security
    Focus.  Yahoo! has issued a statement saying the vulnerability has been
    fixed and security is being reviewed.  But experts say that the incident
    demonstrates a serious risk. "Just think how much damage you could do by
    changing the quarterly results of a company in a story," says J J Gray, a
    consultant with computer consultants @Stake.
    Gary Stock, CIO & Technical Compass, Nexcerpt, Inc.  1-616.226.9550
    Date: Fri, 21 Sep 2001 09:49:00 +0100
    From: Alistair McDonald <alistairat_private>
    Subject: YAHA: Yet Another Hotmail Attack
    Yet another attack on hotmail. Computing (20 Sept 2001) reports that one can
    hack the hotmail web site, and redirect users to another site. This brings
    up the possibility of password collecting. The hacker, known as "Oblivion",
    reported this to the bugtraq mailing list. The exploit involves smuggling
    javascript code through the filters used at hotmail.
    Alistair McDonald 	Bacchus Consultancy 	www.bacchusconsultancy.com
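    The item above describes script being smuggled past an input filter.  The
    following is an added example (not code from the Computing article, from
    the Bugtraq post, or from Hotmail) showing why a blacklist filter of that
    kind is fragile and what the robust alternative is: encode user data at
    the point where it is placed into HTML, so the browser can never treat it
    as markup.  The filter, the detection check and the sample inputs are all
    constructed for illustration.

```python
import html
import re

# Constructed sample inputs (not from the report above): plain text, harmless
# markup, and three strings a browser would execute if inserted raw.
SAMPLES = [
    "Hello, world",
    "<b>bold</b>",
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    '<img src=x onerror="alert(1)">',
]


def naive_filter(s: str) -> str:
    """A blacklist filter of the fragile kind: it removes only the literal
    lower-case <script> tags and lets every other form of active content pass."""
    return s.replace("<script>", "").replace("</script>", "")


def escape_for_html(s: str) -> str:
    """Output encoding: <, >, &, ' and " become entities, so whatever the user
    typed is displayed as text rather than parsed as HTML."""
    return html.escape(s, quote=True)


# Tag-aware detection check: does the string still contain a tag that a
# browser would execute (a script element, an on* handler, a javascript: URL)?
TAG = re.compile(r"<\s*([a-zA-Z]+)([^>]*)>")


def contains_active_content(rendered: str) -> bool:
    for m in TAG.finditer(rendered):
        name, attrs = m.group(1).lower(), m.group(2)
        if name == "script":
            return True
        if re.search(r"\bon[a-z]+\s*=", attrs, re.IGNORECASE):
            return True
        if re.search(r"javascript\s*:", attrs, re.IGNORECASE):
            return True
    return False


def audit(samples):
    """For each sample, report whether active content survives the naive
    filter and whether it survives proper escaping."""
    return [
        {
            "input": s,
            "naive_unsafe": contains_active_content(naive_filter(s)),
            "escaped_unsafe": contains_active_content(escape_for_html(s)),
        }
        for s in samples
    ]


if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(f"{row['input']!r:40} naive_unsafe={row['naive_unsafe']} "
              f"escaped_unsafe={row['escaped_unsafe']}")
```

    The audit shows the naive filter passing two of the five samples through
    as executable markup while the escaped output never contains a tag at all.
    The lesson for a site that republishes user-supplied text is to encode on
    output rather than to enumerate bad input.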
    Date: Mon, 10 Sep 2001 09:14:27 -0700
    From: Ken Nitz <nitzat_private>
    Subject: Hackers and others win big in Net casino attacks
      [The article is on risks in on-line gambling, and particularly
      CryptoLogic, Inc., a Canadian on-line casino games developer that has been
      hacked.  One of their sites had been "fixed" so that craps and video slot
      players could not lose, with winnings totalling $1.9 million.  Every dice
      throw turned up doubles, and every slot spin generated a perfect match.
      Whether it was an insider attack or a penetration is not clear from the
      article.  (We noted the likelihood of hacking of Internet gambling sites
      in RISKS-19.27, 1 Aug 1997, not to mention my 1995 April Fool's piece in
      RISKS-17.02.)  Interesting question: which laws against hacking will apply
      to subversions of illegal Internet gambling parlors?  Who gets to
      prosecute remote attacks on off-shore operations?  PGN-ed]
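    Whether the casino subversion was an insider change or a remote
    penetration, the outcome described above (every dice throw a double, every
    spin a perfect match) is a statistical anomaly that a simple monitor can
    flag.  The following is an added example, not code from CryptoLogic or
    from the article, showing how an operator can audit game outcomes against
    the expected match probability; the sample data are constructed, and the
    symbol counts, reel counts and alert threshold are assumptions.

```python
import math
import random


def count_matches(outcomes):
    """Number of outcomes whose symbols are all identical: doubles for a pair
    of dice, a perfect match for a row of slot reels."""
    return sum(1 for o in outcomes if len(set(o)) == 1)


def z_score(observed, n, p):
    """Normal approximation to the binomial: how many standard deviations the
    observed success count sits above the expected n*p."""
    mean = n * p
    sd = math.sqrt(n * p * (1 - p))
    return (observed - mean) / sd


def audit_game(outcomes, symbols, reels, threshold=4.0):
    """Flag a game whose all-match count is implausibly high.

    With `symbols` equiprobable symbols on each of `reels` positions,
    P(all positions equal) = symbols * (1/symbols)**reels.
    Returns (matches, z, flagged)."""
    if not outcomes:
        raise ValueError("no outcomes to audit")
    p = symbols * (1.0 / symbols) ** reels
    matches = count_matches(outcomes)
    z = z_score(matches, len(outcomes), p)
    return matches, z, z > threshold


# Constructed sample data (not from the article): an honest game driven by a
# seeded PRNG, and a rigged one that, like the site described, only ever
# produces matches.
def honest_outcomes(n, symbols, reels, seed=1):
    rng = random.Random(seed)
    return [tuple(rng.randint(1, symbols) for _ in range(reels)) for _ in range(n)]


def rigged_outcomes(n, symbols, reels):
    return [tuple([i % symbols + 1] * reels) for i in range(n)]


if __name__ == "__main__":
    cases = [
        ("honest craps", honest_outcomes(600, 6, 2), 6, 2),
        ("rigged craps", rigged_outcomes(600, 6, 2), 6, 2),
        ("honest slots", honest_outcomes(2000, 8, 3), 8, 3),
        ("rigged slots", rigged_outcomes(2000, 8, 3), 8, 3),
    ]
    for name, data, symbols, reels in cases:
        matches, z, flagged = audit_game(data, symbols, reels)
        print(f"{name:13} matches={matches:5d} z={z:7.1f} flagged={flagged}")
```

    The same z-score check works for any game with a known per-outcome
    probability; a threshold of four standard deviations keeps false alarms
    on an honest table negligible while a fully rigged one scores in the
    tens or hundreds.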
    Date: Fri, 28 Sep 2001 01:16:42 +0200
    From: "Abigail" <abigailat_private>
    Subject: Creator of Kournikova virus gets 150 hours of community service
    From http://www.volkskrant.nl/nieuws/nieuwemedia/1001567916953.html
    (in Dutch).
    27 Sep 2001
    The 20-year-old creator for the Kournikova virus, J. de W. from Sneek, was
    sentenced to 150 hours of community service by the court of Leeuwarden this
    Thursday. The prosecution demanded the maximum of 240 hours of community
    service.  In February De W. released on the Internet the so-called
    wormvirus, which spread itself as an e-mail message. The virus was activated
    by clicking the e-mail which was titled Anna Kournikova (the tennis
    player). This led to inconvenience for Internet users all over the world.
    When determining the sentence, the court took into consideration that the
    boy had no previous run-in with justice, that he turned himself in, and that
    material damages were limited. The American investigation service FBI
    reported an amount of $166.827 in damages.
    Date: Thu, 27 Sep 2001 12:53:53 -0400
    From: Declan McCullagh <declanat_private>
    Subject: FC: "Good Samaritan" hacker pleads guilty to breaking and entering
      [Follow-up on RISKS-21.62 items.  PGN]
    'Good Sam' Hacker 'Fesses Up, By Declan McCullagh, 27 Sep 2001 declanat_private
    It seemed like such a straightforward example of prosecutorial misconduct:
    An Oklahoma man was being investigated by the Justice Department for helping
    a newspaper fix a Web site security hole.
    The outcry among the geek community last month began with an uncritical
    story on LinuxFreak.org entitled "Cyber Citizen Lands Felony Charges?" Sites
    such as Slashdot soon picked up the sad tale of 24-year-old Brian K. West as
    evidence of out-of-control, tech-clueless government lawyers, and urged
    everyone to e-mail the U.S. Attorney in charge of the prosecution.
    Making the story even more appealing to the open-source community was the
    Microsoft angle: West was said to have reported to the Poteau (Oklahoma)
    Daily News and Sun a security flaw in Microsoft NT 4.0 IIS and Microsoft
    FrontPage.  But a guilty plea that West signed tells a far different story
    -- and shows how easily a well-meaning community of programmers and system
    administrators can be led astray.
      [Politech archive on U.S. v. Brian K. West:
      [PGN-excerpted from the Sperling release:
        While probing the site, defendant made copies of six proprietary
        Practical Extraction Report Language (PERL) scripts that were part of
        the source code running the PDNS Web page.  Defendant also obtained
        password files from PDNS and used those passwords to access other parts
        of the PDNS Web page.  Defendant electronically shared the scripts and
        the password files for the PDNS Web site with another individual.
        Defendant's access to the Web page involved interstate communications.
    Date: Mon, 1 Oct 2001 14:59:23 -0500 (CDT)
    From: griffithat_private
    Subject: U.S. court shuts down deceptive Web sites
    Reuters reports that the U.S. District Court in Philadelphia has ordered
    John Zuccarina to shut down sites operated by him.  The Federal Trade
    Commission filed a complaint against Zuccarina, claiming that he has
    purchased domain names which are misspellings or other "one-offs" of
    popular sites, which he uses to "blitz" unsuspecting visitors with pop-up
    ads, from which the user cannot escape, in order to receive advertising
    revenue (estimated between $800K and $1 million).  Zuccarina has registered
    some 5500 domains, including www.annakurnikova.com, 41 variants of
    "Britney Spears", and others.
    Date: Tue, 11 Sep 2001 07:31:31 -0400
    From: Joseph Bergin <berginfat_private>
    Subject: Report on vulnerabilities of GPS
    Yesterday (10 Sept. 2001) the U.S. Transportation dept released a report
    on the vulnerabilities of the Global Positioning System. The report can 
    be obtained from 
    There is a short story about it in *The New York Times*, 11 Sep 2001:
    The report notes that GPS is being increasingly relied on for life-critical
    performance in transportation and recommends that various backups be
    maintained and new ones developed.
    Joseph Bergin, Professor, Pace University, Computer Science, One Pace Plaza, 
      NY NY 10038  berginfat_private  HOMEPAGE http://csis.pace.edu/~bergin/
    Date: Tue, 25 Sep 2001 10:42:55 +0200
    From: Peter Håkanson <peterat_private>
    Subject: All public hospitals in Gothenburg Sweden Crippled by nimda
    The hospitals in "Västra Götaland" sweden (west coast, population 1M)
    were isolated from the Internet during 23 Sep 2001.  Some internal networks
    had to be partitioned to prevent nimda spreading further.  Reservations and
    computer-based medical records were unavailable.  http://www.vgregion.se
    The fact that a hospital chain has so relaxed security is amazing.  It's
    also amazing that whole organizations are kept hostage by a vendor that's
    not even cost-effective.
    What would happen in case we get a *real* threat to security??
    Peter Håkanson, IPSec sverige, Bror Nilssons gata 16  Lundbystrand
    S-417 55  Gothenburg   Sweden  "Safe by design"  +46707328101   peterat_private
    Date: Fri, 14 Sep 2001 13:24:33 +0100
    From: Les Weston <trusteemseat_private>
    Subject: Y2K flaw blamed for Down's Syndrome test errors
    The Y2K problem is being blamed for incorrect Down's Syndrome results being
    given to more than 150 pregnant women throughout northern England between
    January and May last year.  As a result, four Down's syndrome pregnancies
    went undetected.  Amongst other factors, the mother's age is used to assess
    her risk category. Only those in the high-risk category undergo further
    tests for the syndrome.  Staff noticed the strange results coming from the
    system, but initially thought they were due to a different mix of women being
    Full report:
    Les Weston, Quinag-CSL, Edinburgh.
      [Also noted by several others.  TNX.  Overconfidence in the PathLAN
      computer was blamed for errors, occurring between 4 Jan and 24 May 2001.
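    The item above says a Y2K problem produced wrong risk categories from a
    calculation that uses the mother's age, but not how.  The following is an
    added example, not code from the PathLAN system or the report, of the
    classic form such a fault takes: an age derived from two-digit years goes
    wildly wrong after the century rollover, and a program that does not
    sanity-check the result silently feeds it into a risk band.  The risk
    threshold and banding rule are assumptions for illustration only, not the
    actual screening criteria.

```python
from datetime import date


def age_two_digit_year(birth_yy: int, test_yy: int) -> int:
    """The faulty pattern: both years stored as two digits.  Fine for a
    mother born in '70 tested in '99 (29), absurd once the test year is '01
    (01 - 70 = -69)."""
    return test_yy - birth_yy


def age_four_digit_year(birth: date, on: date) -> int:
    """Correct: full dates, with the birthday-not-yet-reached adjustment."""
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


# Hypothetical threshold for illustration; the real clinical cut-off is not
# stated on the page and is not claimed here.
HIGH_RISK_AGE = 35


def risk_band(age: int) -> str:
    """Assign a risk band, rejecting impossible ages instead of guessing.
    A negative age from the two-digit bug would otherwise land in 'low' and
    the woman would never be offered the follow-up test."""
    if age < 0 or age > 120:
        return "reject"
    return "high" if age >= HIGH_RISK_AGE else "low"


if __name__ == "__main__":
    birth = date(1964, 6, 1)
    for test_day in (date(1999, 3, 15), date(2001, 3, 15)):
        buggy = age_two_digit_year(birth.year % 100, test_day.year % 100)
        right = age_four_digit_year(birth, test_day)
        print(f"{test_day}: two-digit age={buggy:4d} -> {risk_band(buggy):6} "
              f"| four-digit age={right:3d} -> {risk_band(right)}")
```

    Run for a test date in 1999 both calculations agree; for a test date in
    2001 the two-digit version returns -63 and only the range check stops it
    from being banded as low risk.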
    Date: Sun, 30 Sep 2001 10:44:16 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Re: Oxygen tank kills MRI exam subject (RISKS-21.55)
    Westchester Medical Center was fined $22,000 for 11 violations related
    to the death of the 6-year-old boy killed by the magnetically attracted
    stray oxygen tank carried into the room by a doctor.
    Date: Sun, 23 Sep 2001 06:31:10 +1000 (EST)
    From: tmjat_private (Tony Jones)
    Subject: E-voting in Australia
    On 20 October 2001 there will be an election of members of the Legislative
    Assembly of the Australian Capital Territory. It is hoped that about 9% of
    voting will be done using a new electronic voting system. Further details
    are at <http://www.elections.act.gov.au/Elecvote.html>.
    For the electronic system, no independently verifiable copy of a voter's
    choices will be kept.  The selections made by a voter and displayed on the
    monitor of the voting computer will be, we're led to believe, what go into
    the duplicated databases for counting.
    RISKS readers will be reassured to know that (see
      "The new software will be subjected to extensive testing to ensure it is
      accurate and secure, as well as easy to use. The software will be used on
      standard computer hardware, that will not be connected to any external
      networks. The system will also include numerous backups and safeguards to
      ensure that voting data will not be lost. This will guarantee the security
      of the electronic voting and counting processes," Mr Green [the ACT
      Electoral Commissioner] said.
    I hope Murphy is not eligible to vote.
      [Actually, given the flakiness and lack of security in existing
      all-electronic voting systems, it is likely that Murphy's entire surrogate
      extended family will be able to vote repeatedly, many times over.  PGN]
    Date: Sat, 8 Sep 2001 13:08:38 -0400
    From: Monty Solomon <montyat_private>
    Subject: Australians voice anger over online spying
    Australians voice anger over online spying
    By Rachel Lebihan, ZDNet Australia News, 07 September 2001
    Only three percent of surveyed ZDNet readers believe Internet Service
    Providers should monitor all user activity, following a parliamentary report
    that recommends user logs should be kept on customers' online activities.
    The diminutive support for tighter online monitoring was transcended by a
    resounding 60 percent of polled readers who said they would kick up a fuss
    until the law was changed, if ISPs were forced to maintain access logs.
    Date: Tue, 11 Sep 2001 16:36:04 -0400
    From: "Jay R. Ashworth" <jraat_private>
    Subject: World Trade Center in RISKS
    In light of this morning's events, which I will not minimize by trying
    to select an adjective to describe, I thought it might be interesting
    to search the RISKS archives, and see how the building's history
    figures in that sphere.
    First, there's coverage of the car bombing, and how the evac plan and
    generators failed, in 
    with follow-on in 
    There's other coverage of the bombing, as well, in 
    which discusses how the building operators are allowed to violate the
    building codes that they would be otherwise bound by.
    discusses the fact that damned near every TV and most of the radio broadcast
    antennas serving NYC and Eastern NY State just hit the ground as well; that
    had to be making life miserable for people trying to get the word out.
    discusses an ATM outage in NJ attributable to the evac from that bombing.
    Another outage in California happened at least in part because the backup
    systems were otherwise occupied due to that same situation:
    notes in passing that the WTC is not alone in having such problems.
    [Discussion of the Citicorp problems and unlikely events.  PGN]
    Jay R. Ashworth, Member of the Technical Staff, Baylink, Tampa Bay, Florida
    http://baylink.pitas.com   +1 727 804 5015  jraat_private
    Date: 12 Sep 2001 13:04:10 +0800
    From: Dan Jacobson <jidanniat_private>
    Subject: We only reveal a few digits of your account number, don't worry
      > Re: Consumer Reports password policy risks (Bumgarner, RISKS-21.65)
      > ... but does give the last five digits
    Sounds like the Taiwan power company sending bills with only the last few
    digits of your auto-payment bank account revealed, the phone company sending
    theirs with only the first few digits revealed.  Steal two envelopes and
    you've got the account number?
      http://www.geocities.com/jidanni/ Tel+886-4-25854780
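    The point above is that two partial disclosures of the same number, made
    by different parties, can add up to the whole number.  The following is an
    added example, not code from either company, that models masking as a set
    of revealed positions, merges several masked printings the way an attacker
    holding two envelopes would, and checks a policy that every party reveals
    the same positions.  The account number and masking policies are
    constructed.

```python
def mask(account: str, reveal: set) -> str:
    """Print `account` with every digit outside the `reveal` positions
    (0-based indices) replaced by X."""
    return "".join(ch if i in reveal else "X" for i, ch in enumerate(account))


def combine(masked_copies):
    """Merge several masked printings of the same number: a position is known
    as soon as any copy reveals it."""
    length = len(masked_copies[0])
    if any(len(m) != length for m in masked_copies):
        raise ValueError("masked copies must have the same length")
    merged = ["X"] * length
    for copy in masked_copies:
        for i, ch in enumerate(copy):
            if ch != "X":
                merged[i] = ch
    return "".join(merged)


def digits_exposed(masked_copies) -> int:
    """How many digits an adversary holding all the copies learns."""
    return sum(1 for ch in combine(masked_copies) if ch != "X")


def masks_consistent(policies) -> bool:
    """Policy check: all parties printing the number reveal the same
    positions, so collecting more documents adds no information."""
    return len({frozenset(p) for p in policies}) == 1


# Constructed 12-digit account number and two masking policies modelled on
# the item: one party shows the last four digits, the other the first four.
ACCOUNT = "123456789012"
LAST4 = set(range(8, 12))
FIRST4 = set(range(0, 4))

if __name__ == "__main__":
    bill_a = mask(ACCOUNT, LAST4)
    bill_b = mask(ACCOUNT, FIRST4)
    print("power bill :", bill_a)
    print("phone bill :", bill_b)
    print("combined   :", combine([bill_a, bill_b]),
          f"({digits_exposed([bill_a, bill_b])} of {len(ACCOUNT)} digits)")
    print("consistent :", masks_consistent([LAST4, FIRST4]))
```

    With inconsistent policies the two documents together expose eight of the
    twelve digits; with both parties revealing the same four positions, a
    second document exposes nothing new.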
    Date: Thu, 27 Sep 2001 23:16:04 -0400 (EDT)
    From: Asa Bour <boureaat_private>
    Subject: X-ray machine risk
    I had to get some x-rays recently. I felt real confident when I saw a bright
    yellow post-it note on the x-ray machine with bold print stating that the
    measurements were in mm (millimeters) and not in cm (centimeters).  Since
    the note was needed, one can assume they had problems with people
    calibrating the machine properly with the right units.  I think the x-ray
    software interface needs some improvement to eliminate this danger of
    E. Asa Bour <boureaat_private>
    http://www.scripturememory.org/  http://www.schemer.com/
    Date: Mon, 24 Sep 2001 16:18:34 +1000
    From: Stuart Prescott <s.prescottat_private>
    Subject: Increasing RISKS of UPPER CASE
    I recently received a confirmation e-mail from an Australian domestic
    airline confirming a booking I had made over the web. The entire e-mail was 
    in capitals (were they shouting at me or was it all "very important"?)
    including a little URL at the bottom for more information on in-flight health:
    >  OFFICE.
    No prizes for guessing whether or not the all-uppercase URL works...
    So the RISKS... other than making the entire message much harder to read,
    you can also break things.
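    Upper-casing a whole message breaks URLs because only some parts of a URL
    are case-insensitive: the scheme and host name are, but the path, query
    and fragment generally are not.  The following is an added example, not
    code from the airline or its mail system, that folds case only where it
    is safe and reports whether shouting a given URL would alter a
    case-sensitive component.  The sample URL is constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def casefold_url_safely(url: str) -> str:
    """Lower-case the scheme and host (case-insensitive per RFC 3986) and
    leave path, query and fragment exactly as written."""
    p = urlsplit(url)
    netloc = p.netloc
    # User-info before '@' may be case-sensitive, so fold only a bare host.
    if "@" not in netloc:
        netloc = netloc.lower()
    return urlunsplit((p.scheme.lower(), netloc, p.path, p.query, p.fragment))


def path_changed_by_uppercasing(url: str) -> bool:
    """True when upper-casing the whole URL changes a component the server
    may treat as case-sensitive, i.e. the shouted link may not resolve."""
    original = urlsplit(url)
    shouted = urlsplit(url.upper())
    return (shouted.path != original.path
            or shouted.query != original.query
            or shouted.fragment != original.fragment)


# Constructed sample link of the kind the booking e-mail carried.
SAMPLE_URL = "http://www.example.com/Health/inflight.html"

if __name__ == "__main__":
    shouted = SAMPLE_URL.upper()
    print("shouted      :", shouted)
    print("safe fold    :", casefold_url_safely(shouted))
    print("path damaged :", path_changed_by_uppercasing(SAMPLE_URL))
```

    Feeding the shouted URL through the safe fold recovers the scheme and host
    but cannot recover the original path casing, which is exactly why the
    all-caps link in the e-mail is suspect.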
    Date: Tue, 18 Sep 2001 13:34:59 -0700
    From: Ann Tsai <mktgadmat_private>
    Subject: 2002 USENIX Annual Technical Conference - Call for papers
    2002 USENIX Annual Technical Conference, June 9-14, 2002, Monterey, CA
    Submissions to the General Refereed Sessions Track are due on November
    19, 2001.
    FREENIX is a special track within the USENIX Annual Technical Conference
    that showcases the latest developments and applications in freely
    redistributed technology. The FREENIX track covers the full range of
    software and source code including but not limited to Apache, Darwin,
    FreeBSD, GNOME, GNU, KDE, Linux, NetBSD, OpenBSD, Perl, PHP, Python, Samba,
    Tcl/Tk and more.
    The FREENIX program committee is looking for papers about projects with a
    solid emphasis on nurturing the open source/freely available software
    community and talks which advance the state of the art of freely
    redistributable software. Areas of interest include, but are not limited
    Submissions to the Freenix Track are due on November 12, 2001.
    Submission guidelines and conference details are available on our Web site:
    The 2002 USENIX Annual Technical Conference is sponsored by
    USENIX, The Advanced Computing Systems Association. www.usenix.org
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe] 
     which requires your ANSWERing confirmation to majordomoat_private .  
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    End of RISKS-FORUM Digest 21.67

    This archive was generated by hypermail 2b30 : Mon Oct 01 2001 - 17:06:09 PDT