Subject: RISKS DIGEST 17.36

RISKS-LIST: Risks-Forum Digest  Tues 26 September 1995  Volume 17 : Issue 36

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc.       *****

 Contents:
The latest maths bug in a Microsoft product (Ian Mason)
Security Flaw Found in Netscape (Edupage)
Third Netscape weakness found (PGN)
German telephone cards cracked (Klaus Brunnstein)
British Telecom replaces payphone software (Phil Payne)
London Underground gets hacked (Clive D.W. Feather)
Another punched-card saga (Terry Ireland)
Hottest New Computer (F. Barry Mulligan)
Cardiff Software Shipped Teleforms 4.0 with self-destruct timebomb (Lubetkin)
European Governments Agree to Ban Strong Crypto (Ross Anderson)
Searching via the catless RISKS Web Pages (Lindsay F. Marshall)
Yet another airport tower outage (Alan Tignanelli [2])
Re: SSNs for E-mail addresses! (Dave Parnas)
Re: Abandoned oil tank phones... (Sean Reifschneider)
Don't believe everything you read (hacking Citibank ATMs) (John Pettitt)
CitiBank overdraft protection (John Pettitt)
Call-box scams in California (Kevin Maguire)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 26 Sep 95 01:00 BST-1
From: [email protected] (Ian Mason)
Subject: The latest maths bug in a Microsoft product

When does 1.40737488355328 = 0.64? When you're a user of Microsoft's Excel
spreadsheet.

For several years a (now well known) maths bug existed in the Calculator
applet that came bundled with Microsoft Windows. This remained uncorrected
in several releases over a considerable period of time.

A new maths-related bug has now surfaced in another Microsoft product.
Type or paste 1.40737488355328 into a cell in a copy of Microsoft's
Excel spreadsheet and you will be rewarded, not with the number you
expect, but with 0.64. If you perform arithmetic with this it will act as
if 0.64 had been entered, so it is not simply a display error. When
the number is used as part of a formula the error is not apparent.

A friend who used to work in the UK investment banking business tells me
that much of the planning of the privatisation of most of Britain's state
owned industries was carried out using Excel. Perhaps we now have the real
explanation for the state of the British Economy?

The risk? Don't use software from a man who freely claims that what he
really wanted to be was a lawyer.

Ian Mason

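An added example, not from the original post and not a description of Excel's
internals: a round-trip check that feeds adversarial numeric strings through a
numeric-input path and reports any value the path does not keep. The `store`
callable (the system under test) and the `broken_store` stand-in, which only
reproduces the symptom reported above, are assumptions for illustration; the
observation that 1.40737488355328e14 is exactly 2**47 is plain arithmetic.

```python
# Added example: a round-trip check for a numeric-input path.  `store` is the
# system under test (assumption: it takes the typed text and returns the value
# it actually keeps); `broken_store` merely reproduces the symptom in the post.
from decimal import Decimal, getcontext

getcontext().prec = 60          # reference arithmetic well beyond double precision

def adversarial_numbers():
    """Values a numeric-input path must keep: the pair from the post, exact
    powers of two scaled to decimal fractions (1.40737488355328e14 == 2**47),
    and values at the edges of double precision."""
    values = ["1.40737488355328", "0.64", "0.1", "1e308", "123456789012345678"]
    for e in (31, 32, 47, 52, 53, 63, 64):
        digits = str(2 ** e)
        values.append(str(Decimal(2 ** e).scaleb(1 - len(digits))))   # d.ddd form
    return list(dict.fromkeys(values))                                 # dedupe, keep order

def check_entry(store, text, rel_tol=2.0 ** -52):
    """True if what `store` keeps is the typed value to within double-precision
    rounding.  repr() is used so that display formatting cannot hide a wrong value."""
    expected = Decimal(text)
    kept = Decimal(repr(store(text)))
    err = abs(kept - expected) / abs(expected) if expected else abs(kept)
    return err <= Decimal(rel_tol)

def find_mangled(store, texts=None):
    """All inputs that `store` does not keep."""
    return [t for t in (texts or adversarial_numbers()) if not check_entry(store, t)]

def broken_store(text):
    """Stand-in reproducing only the reported symptom (assumption, not Excel's mechanism)."""
    return 0.64 if text == "1.40737488355328" else float(text)

if __name__ == "__main__":
    print("python float :", find_mangled(float))         # expected: nothing mangled
    print("broken_store :", find_mangled(broken_store))  # expected: the post's value
```

The tolerance is one unit of double-precision rounding, so a correctly rounded
parser passes every input, including the 19- and 20-digit ones that cannot be
held exactly, while a path that silently substitutes a different number is
reported by input string. Subnormal values are deliberately absent from the
list: their relative rounding error is far larger than 2**-52 and would need a
separate absolute tolerance.
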
------------------------------

Date: Tue, 19 Sep 1995 16:50:52 -0400 (EDT)
From: Educom <[email protected]>
Subject: Security Flaw Found in Netscape (Edupage, 19 September 1995)

Two Berkeley computer science graduate students interested in cryptography
have identified a serious security flaw in the Netscape software for
browsing the World Wide Web.  Netscape says a repaired version will be
available for free downloading from
< http://home.netscape.com > within a week.
(John Markoff, The New York Times, 19 Sep 1995 A1)

  [This flaw has been widely reported elsewhere on the net, and involved
  a weakness in the use of a pseudorandom number generator to create the
  crypto seed.  Knowledge of the weakness enables the key to be reverse-
  engineered with significantly less than exhaustive effort.  PGN]

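The weakness PGN describes above, shown as an added worked example that is
not code from the original item and not Netscape's code: a key derived from a
generator seeded with a few guessable quantities. The seeding recipe (clock
seconds, a microseconds field on a 1 ms tick, and a process id), the 40-bit key
length, the SHA-1 based mixing, the toy stream cipher and the known-plaintext
check are all assumptions made for illustration. The point is that the attacker
enumerates the seed space, not the key space.

```python
# Added example: recovering a key whose PRNG seed came from a few guessable
# values.  The seed inputs, key size and mixing function below are ASSUMED for
# illustration; they are not a description of Netscape's code.
import hashlib

KEY_BITS = 40      # assumption: the export-strength key length discussed in this digest
TICK_US = 1000     # assumption: the clock behind the "microseconds" field ticks every 1 ms

def derive_key(seconds, micros, pid, key_bits=KEY_BITS):
    """Stand-in for 'seed the PRNG, pull a key': hash the three seed values and
    keep key_bits of the digest.  The mixing is strong; the entropy is not."""
    seed = f"{seconds}:{micros}:{pid}".encode()
    return int.from_bytes(hashlib.sha1(seed).digest(), "big") >> (160 - key_bits)

def keystream(key, length):
    """Toy stream-cipher keystream (assumption), enough to give the attacker
    something to test candidate keys against."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha1(block).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))

def recover_key(ciphertext, known_prefix, t_lo, t_hi, pid_lo, pid_hi):
    """Attacker: knows roughly when the session started, the pid range on a
    typical workstation, and the first plaintext bytes (e.g. an HTTP verb).
    Enumerates the SEED space, deriving each candidate key exactly as the
    client does, and tests it against the known-plaintext bytes."""
    n = len(known_prefix)
    wanted = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix))  # keystream bytes
    tried = 0
    for seconds in range(t_lo, t_hi + 1):
        for micros in range(0, 1_000_000, TICK_US):
            for pid in range(pid_lo, pid_hi + 1):
                tried += 1
                candidate = derive_key(seconds, micros, pid)
                if keystream(candidate, n) == wanted:
                    return candidate, tried
    return None, tried

def demo():
    """Constructed victim session: epoch seconds in September 1995, a clock
    reading on a 1 ms tick, and a modest pid.  Returns (recovered?, candidates
    tried, size of the key space a brute-force attacker would face)."""
    victim = (811_900_000, 437_000, 1234)
    key = derive_key(*victim)
    ciphertext = encrypt(key, b"GET /index.html HTTP/1.0\r\n")   # constructed plaintext
    found, tried = recover_key(ciphertext, b"GET ",
                               victim[0] - 4, victim[0] + 3,     # 8-second window
                               1200, 1263)                      # 64 candidate pids
    return found == key, tried, 2 ** KEY_BITS

if __name__ == "__main__":
    ok, tried, space = demo()
    print(f"recovered={ok} after {tried} candidates; key space is {space}")
```

With an 8-second window, 1000 clock ticks per second and 64 pids the whole
seed space is 512,000 candidates, against 2**40 for the key itself; widening
the window or the pid range grows the work linearly, never exponentially. A
4-byte known prefix gives a 2**-32 false-match rate per candidate, so in
practice a hit is confirmed against more of the plaintext.
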
------------------------------

Date: Mon, 25 Sep 95 16:33:39 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Third Netscape weakness found

Yet another weakness was discovered in Netscape's Internet software, found
by the "Cypherpunks".  This flaw can crash the Navigator browser software.
"The flawed software isn't able to read very long numbers. An Internet user
could exploit the flaw by planting a bit of text containing a long number,
causing computers used by unsuspecting readers of the text to crash."  This
one is also being repaired.  [Abstracted by PGN from "Netscape Says Hackers
Uncover 3rd Flaw in Its Internet Software", By Heather Green, Bloomberg
Business News, 25 Sep 1995, in The New York Times.  The first weakness was
the French and British cracking of Netscape's 40-bit crypto, in
RISKS-17.27,28,29.]

------------------------------

Date: Sun, 17 Sep 1995 13:58:43 +0200
From: Klaus Brunnstein <[email protected]>
Subject: German telephone cards cracked

German Telecom suffered losses from a telephone card attack that was
detected recently, according to several German media reports.  A gang of
telephone card crackers, evidently based in Hamburg (but likely NOT related
to InFamous Chaos Computer Club :-), had analysed German Telecom's chipcard
program that controls telephone cells equipped with telephone cards readers,
and they found a trick whereby the card program automagically filled up
after completing any call to again hold the full amount of 50 DM.  The head
of the gang was jailed last week by UK police, and equipment (of the chief
programmer?) was confiscated in a Hamburg flat, including some "chipcard
simulation program".

Reports are (as often) rather contradictory; while some say that
manufacturing was "manual", others assume industrial production with a
damage of 1 billion DM (assuming that 1 Mio cards had been manufactured).
German Telecom stated that about 1,000 chipcards may have been
distributed, and that the damage so far amounted to less than 1 Mio DM.
According to reports, German Telecom has changed essential parameters of
the chipcard control program so that such falsified telecards can no longer
work.  This change was activated from the central computer controlling all
telephone cells equipped with telephone chip-cards.  Moreover, one Sunday
newspaper (WamS) reports that a monitoring program was installed that from
the central computer can detect unusually heavy usage of telephone cells by
comparison with "normal use" (potentially something like an Intrusion
Detecting program, though likely not as advanced as NIDES :-) and give some
immediate alarm.

Klaus Brunnstein (Univ.Hamburg, 17 September 1995)

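As an added example, not from the original item and not German Telecom's
code: the two checks a central monitor of the kind the WamS report describes
could run over call records. The record format (day, booth, card id, charge in
DM), the sample records, the z-score threshold and the assumption that the card
id is logged at all are constructed for illustration; the 50 DM face value
comes from the post.

```python
# Added example: two monitoring checks over payphone call records.  Record
# format, sample data and thresholds are constructed for illustration; the
# 50 DM card face value is from the post.  Assumes the card id is logged.
from collections import defaultdict
from statistics import mean, pstdev

CARD_FACE_VALUE_DM = 50.0   # a genuine card can never charge more than this in total

def constructed_log():
    """Five ordinary days for three Hamburg booths, then a sixth day on which
    booth HH-02 is used all day by one card that never runs out."""
    lines = []
    cards = iter(range(100_000))
    for day in range(1, 6):
        for booth, calls in (("HH-01", 10), ("HH-02", 12), ("HH-03", 8)):
            for i in range(calls + day % 2):               # slight day-to-day variation
                lines.append(f"{day} {booth} C{next(cards)} {1.0 + (i % 3) * 0.5:.2f}")
    for _ in range(60):
        lines.append("6 HH-02 C9999 2.50")
    for booth, calls in (("HH-01", 11), ("HH-03", 8)):
        for i in range(calls):
            lines.append(f"6 {booth} C{next(cards)} {1.0 + (i % 3) * 0.5:.2f}")
    return lines

def parse(lines):
    """'day booth card charge' -> list of (day, booth, card, charge_dm)."""
    records = []
    for line in lines:
        day, booth, card, charge = line.split()
        records.append((int(day), booth, card, float(charge)))
    return records

def daily_totals(records):
    totals = defaultdict(lambda: defaultdict(float))      # booth -> day -> DM charged
    for day, booth, _card, charge in records:
        totals[booth][day] += charge
    return totals

def heavy_booths(records, day, baseline_days, k=3.0):
    """Check 1: booths whose charged DM on `day` exceed their own baseline
    (mean + k * std over `baseline_days`).  The std floor keeps a perfectly
    regular booth from being flagged by a trivial change."""
    totals = daily_totals(records)
    flagged = []
    for booth in sorted(totals):
        history = [totals[booth].get(d, 0.0) for d in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        sigma = max(sigma, 0.05 * mu)
        if totals[booth].get(day, 0.0) > mu + k * sigma:
            flagged.append(booth)
    return flagged

def overspent_cards(records):
    """Check 2: a card that has charged more than its face value in total is
    either refilling itself or being simulated; either way it is not a real card."""
    spent = defaultdict(float)
    for _day, _booth, card, charge in records:
        spent[card] += charge
    return {card: dm for card, dm in sorted(spent.items()) if dm > CARD_FACE_VALUE_DM}

def demo():
    records = parse(constructed_log())
    return heavy_booths(records, day=6, baseline_days=range(1, 6)), overspent_cards(records)

if __name__ == "__main__":
    booths, cards = demo()
    print("heavy booths on day 6:", booths)
    print("cards over face value:", cards)
```

The first check is the one the newspaper describes and needs nothing but
per-booth totals; it catches a hammered booth but would miss a gang that
spreads its calls thinly. The second check is stronger but only works if the
card identity reaches the central computer, which the reports do not say.
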
------------------------------

Date: Mon, 18 Sep 95 17:29:37 GMT
From: [email protected] (Phil Payne)
Subject: British Telecom replaces payphone software

[Source: An article by Rebecca Maer, PA News, abstracted by PGN]

British Telecom has known for some time that about 9% of their public phone
boxes could be subverted by its software that permits some sort of escape
code to bypass charging.  However, knowledge of that code has now been
spreading like wildfire, resulting in lots of free calls.  BT is now
modifying the almost 12,000 phones thus affected.

Phil Payne, Managing Director, Sievers Consulting UK,  +44 385302803
[email protected]  Fax/BBS: +44 1536723021 Fido: 2:2503/415

------------------------------

Date: Sun, 24 Sep 1995 17:40:44 +0100 (BST)
From: "Clive D.W. Feather" <[email protected]>
Subject: London Underground gets hacked

From "Computing" 1995-09-21

London Underground is fighting to clean up its computer systems after one
of its own trainees hacked in and posted an offensive message on the digital
displays located above tube platforms around the capital.

Computing can reveal that on 16 August a message appeared on displays at
Piccadilly, Elephant & Castle and Regent's Park underground stations
declaring 'All signalmen are w***ers'.

The message went unnoticed by tube staff for more than 12 hours before being
removed. There were no complaints from the thousands of commuters. But,
despite being cleared, the message reappeared on tube station displays on 29
August.

Two days later, London Underground IT staff were called in to locate the
problem. The message had apparently been saved onto the system and was
randomly generated at the later date.

A London Underground spokesman told Computing: 'When we train people we
usually take them around on an induction course. It seems one of the
trainees obviously had more experience than the others. He managed to hack
into the computer, bypass the input codes and put a message on the dot
matrix displays.'

He added: 'The reappearance [of the message] was due to a technical glitch
and not a deliberate action. The trainee is no longer an employee.'

Clive D.W. Feather, 322 Regents Park Road, Demon Internet Ltd., Gateway House
Finchley, London  N3  2QQ   +44 181 371 1000   [email protected]

------------------------------

Date: Sun, 24 Sep 95 20:06:10 -0700
From: Terry Ireland <[email protected]>
Subject: Another punched-card saga

I saw the story about French Punched (post) Cards.  It reminds me of a true
story from the mid-60s.  I worked with an outstanding programmer, who was
blind.  He took a 2-week vacation, and while he was gone, several people ran
a program he had written.  Suddenly, it failed to work.  A later diagnosis
showed that: (1) He used the cards with corners cut off so he could find his
place.  (2) the card he used to mark the beginning of the data was blank
(see 3) and in backwards (a blank card turned over is still a blank card).
(3) The computer was an IBM with a system that always read one card ahead,
thus the need for the blank card just before the data.  (4) The first time
we ran his program, the card reader jammed (and wouldn't you know it) on the
blank card.  (5) The operator went to fix the jam, saw the blank card in
backwards, and threw it away, thinking it was the problem.  (6) It became
the problem, as that missing blank card was necessary for the program to
run.

Terry

------------------------------

Date: Sat, 23 Sep 1995 16:53:09 -0500 (CDT)
From: "F. Barry Mulligan" <[email protected]>
Subject: Hottest New Computer

The Atlanta Journal/Constitution,  Sat 23 Sept 95
Business in Brief (from unidentified wire service)

"POWERBOOK BATTERY:   Apple Computer Inc. said it will start shipping its
PowerBook portable computers Monday with an older style of battery, after
a new type of battery caught fire in two computers and triggered a recall."

   The article identifies a lithium ion battery in the 5300 series, which
was introduced in August, as the source of the problem. It will be replaced
with a nickel metal hydride battery and the price will be cut by $100.

   I've seen add-on batteries described as 'bricks'; I guess this one is a
briquette.

/* barry /&

     [... which would be a *sobriquette* for an assaulty battery!
     Very sobering.  Old item, but one for the archives.  PGN]

------------------------------

Date: 15 Sep 95 07:13:00 EDT
From: [email protected]
Subject: Cardiff Software Shipped Teleforms 4.0 with self-destruct timebomb

I just discovered yesterday when I tried to boot Teleforms Version 4.0 from
Cardiff Software that the company unwittingly shipped the program earlier
this year with a built-in time bomb from a German company, re: Recognition,
that effectively shuts down all copies of version 4.0 when your system date
reaches 9-1-95. I don't know how many copies of Version 4.0 shipped, but the
tech support person I spoke to described the situation at their phone center
when the rogue code was discovered as "interesting." The official company
statement is that the vendor included a piece of demo code in the program
and failed to disable one line of code containing the timebomb. Cardiff is
providing a free patch file on its BBS and on CompuServe.

------------------------------

Date: 20 Sep 1995 12:24:10 GMT
From: [email protected] (Ross Anderson)
Subject: European Governments Agree to Ban Strong Crypto

According to an article in `Communications Week International', the
34-nation Council of Europe has agreed to outlaw strong encryption products
which do not make keys available to governments.

The article, `Euro-Clipper chip scheme proposed', is on the front page of
the magazine's issue 151, dated 18th September, which arrived in my mail
this morning.

It relates that the policy was approved on the 8th September at Strasbourg
by the Council, and coincides with an attempt by the European Commission to
propose a pan-European encryption standard. The Council - unlike the
Commission - has no statutory powers to enforce its recommendations.
However, Peter Csonka, the chairman of the committee that drafted the
document (and an administrative officer at the Council's division of crime
problems) says that `it is rare for countries to reject Council of Europe
recommendations'.

The proposal would make telecomms operators responsible for decrypting
traffic and supplying it to governments when asked.  It would also `change
national laws to enable judicial authorities to chase hackers across
borders'.

Opposition to this measure was expressed by Mike Strezbek, VP responsible
for European telecomms at JP Morgan, who said that his organisation `will
challenge any attempt to limit the power of our network encryption
technologies very strongly'.

Csonka said that the Council had given consideration to business interests
but had tried to strike a balance between privacy and justice. However, `it
remains possible that cryptography is available to the public which cannot
be deciphered,' his document says. `This might lead to the conclusion to put
restrictions on the possession, distribution, or use of cryptography.'

Apparently another international organisation, the OECD, has called a
conference of its members in December to devise a strategy on encryption.

I for one will be making clear to my MP that his stand on this issue will
determine how I cast my ballot at the next election. I note that John Major
stated in a 1994 parliamentary written reply to David Shaw MP that the
government did not intend to legislate on data encryption.  I am
disappointed that government policy has changed to the point of supporting
the Council of Europe, and that this change has sneaked through during the
parliamentary recess.

Ross Anderson

------------------------------

Date: Wed, 20 Sep 95 10:37:34 0100
From: "Lindsay F. Marshall" <[email protected]>
Subject: Searching via the catless RISKS Web Pages

I think I have finally managed to shake out most of the bugs from the RISKS
search web page. You should now be able to do complex queries and see the
whole of the archive. Please give it a go and let me know if you find any
more problems. Thanks to all the RISKS Web readers that keep me informed of
things wrong with the pages - one couldn't ask for a readership better
informed about potential difficulties!!

Thanks.  Lindsay

------------------------------

Date: 18 Sep 95 12:18:26 EDT
From: Alan Tignanelli <[email protected]>
Subject: Yet another airport tower outage

Summarizing from the Pittsburgh Post-Gazette, 18 Sept 1995, page 1:

The loss of both radio and radar contact at Pittsburgh International Airport
briefly caused a "potentially dangerous situation, but no near misses."
According to the FAA, radio and radar contact was lost for less than a minute
before backup systems kicked in.  According to an air traffic controller on
duty, however, radio was out for about 90 seconds, and radar for five to eight
minutes.

"These things aren't supposed to happen, but it did," said Larry Buffalini, an
air traffic controller and vice president of the Pittsburgh local of the
National Air Traffic Controller Association.

Arlene Salac, spokeswoman for the FAA's eastern region, said a problem with
MCI telecommunications lines caused the problem.

Controllers used battery powered radios to stay in contact with the 38
flights in the local airspace.  The backup radar is turned on manually, and
takes five to eight minutes to come online according to Buffalini.  [So what
about the FAA's "less than a minute" estimate? - AT]  Salac's account
differed.  She said that, according to her briefing, the controllers had
immediate use of backup radar.

After recapping recent incidents familiar to RISKS readers, Salac states,
"To compare this to what happened in Chicago or Oakland is inappropriate.
It's not on the same scale.  Not that it's not important, but it doesn't
have the same range of impact.  Pittsburgh doesn't cover as wide an area."
Okay, I can't really argue with the area covered, but that seems to be a
pretty callous statement when you consider what could have happened, along
with the fact that a lot of people around here are still fairly upset about
USAir Flight 427 (which just marked its one year anniversary Sept 8), and
the fact that that problem still has not been found.

Alan Tignanelli

------------------------------

Date: 19 Sep 95 07:50:20 EDT
From: Alan Tignanelli <[email protected]>
Subject: Yet another airport tower outage

The FAA is investigating why two backup systems "failed to kick in" after
the power outage on 23 Sep 1995.  The backup generator that is supposed to
restore power in "5 or 6 seconds" didn't.  When the power came back, the
primary radar system "failed to restart as designed."  The secondary system
did restart, but it tracks only aircraft with transponders that respond to
radio probes from the ground.  In addition, controllers said its performance
was erratic.  After the third time the secondary system failed to work, the
controllers elected to switch over to the radar provided by the regional air
traffic control center in Cleveland (which I neglected to mention in
yesterday's post - AT).  This switch caused controllers to increase vertical
and horizontal separation between flights in the area.  According to the
FAA, 36 flights were delayed.

Duquesne Light (local power company - AT) could find no evidence of an
outage in the area, but could not rule one out.  A break in the system (a
limb on a wire is the example given) sits for 30 seconds before the system
tries to repair itself automatically.  If this works, no record is made.  If
it fails, a second attempt, after 4.5 minutes (it doesn't say if this is
after the original outage or after the repair attempt - AT) is recorded.
Local police reported that burglar alarms at two homes and a business went
off at about the same time, "often a sign of a power surge or power outage."

[Summarized from an article in the 19 Sep 1995 Pittsburgh Post-Gazette]

 That's right.  It happened again.  Apparently, a tree limb had fallen
 across a power line, and when workers were trying to remove it, it broke
 the circuit, causing the tower to lose radar coverage.  Radio also was
 out, but only for about a minute.

 Isn't it curious that they've apparently backed off the "less than a
 minute" claim in the original article?  Also, no direct FAA quotes this
 time.  Kind of makes you wonder about the reports that no flights were in
 danger.

 Alan Tignanelli

------------------------------

Date: Sun, 17 Sep 95 09:25:51 EDT
From: [email protected] (Dave Parnas)
Subject: Re: SSNs for E-mail addresses! (RISKS-17.35)

This type of irresponsible behaviour is not at all unusual.  At McMaster
University the Computer Services group continues to use the student number
as logon id and e-mail address in spite of the fact that many Profs post
grades "anonymously" using student numbers.

Prof. David Lorge Parnas, Communications Research Lab, Dept. of Electrical and
Computer Engineering, McMaster University, Hamilton, Ontario  Canada L8S 4K1

------------------------------

Date: Fri, 22 Sep 1995 11:02:33 -0500 (CDT)
From: Sean Reifschneider <[email protected]>
Subject: Re: Abandoned oil tank phones...

>The phone company eventually traced the calls to an abandoned oil tank
>in Maryland. It was rigged to call the oil company when the oil level
>was low, but the phone number was scrambled and it called her instead.

This story seems to be reported as a "truth is stranger than fiction"
story, but I think it's more important than that.  I'm sure most of us
have gotten mis-directed FAX calls before, but this is slightly different.

People would freak out if it had been an abandoned baby, the entity that had
done the abandoning would I'm sure be facing criminal charges as a result.
Is an abandoned oil tank any less serious though?  Is there no
decommissioning process for oil tanks?

The RISK may be that the tank was calling for help and nobody cared to
listen.  Did the tank start calling when they removed all oil from the tank,
or did it happen because the oil that was left there somehow got down below
the trigger level?  If the oil level went down, where did it go?

Another RISK may be that these details were made clear in the CNN
information, but as there was no synopsis, and the hot-link to the CNN story
is dead, I have no way of knowing.  Should an archive such as the one that
holds RISKS have as the major substance of one of the articles a link that
is likely to not be around in 2 more weeks, let alone on the 20th
anniversary of RISKS?

Sean

------------------------------

Date: Sat, 23 Sep 1995 19:02:57 +0100
From: John Pettitt <[email protected]>
Subject: Don't believe everything you read (hacking Citibank ATMs)

A recent issue of 2600 (a hacker magazine) had info on a supposed control
mode on Citibank ATM machines (the ones with the touch screen).  The article
went on to say that if you tapped the screen twice (a double click) it went
into a control mode with crude graphics and strange 'tap out your pin
number' interface.

The local CitiBank confirms my thoughts on this - it's a visually impaired
user mode.  It's public info and they will even supply an audio tape on how
to use it!

2600 strikes again :-)

John Pettitt, VP Engineering, CyberSource Corporation
[email protected]   +1 415 473 3065 (V)   +1 415 473 3066 (F)

------------------------------

Date: Sat, 23 Sep 1995 18:57:26 +0100
From: John Pettitt <[email protected]>
Subject: CitiBank overdraft protection

CitiBank bounced one of my checks a couple of months back.  The reason it
bounced is a classic human error / bad systems design risk.

I wrote a large check to the State of California to cover tax on a capital
gain (far too large IMHO but that's another issue).  To cover the check I
asked CitiBank to wire funds from a sterling account to my US dollar
CitiGold checking account.  Knowing that transfers between these accounts
take longer than they claim (a whole other issue between me and
them) I called my branch and told them what was going on.  They assured me
that since I had more than 5 times the check amount in other accounts they
would cover it.

It came as rather a shock when it bounced.

Panic ensued - CitiBank were horrified because they didn't know why it had
bounced.  I was horrified because the franchise tax board said they don't
re-present bad checks.  My accountant said don't worry the tax board do
re-present.  (an incidental risk - the tax board was right *they* don't
re-present but their bank *does* re-present once so the check cleared
without hurting my good rep with the tax folks).

Anyway it took three months and several more bounced checks from other
customers before citibank figured out what was happening:

Every morning the manager checks the system for overdrafts; if he does not
override the system, the checks bounce.  Unfortunately, when he was trained
(way back when) you had to specify an account type code to do the overdraft
check.  In doing so, accounts like mine (a CitiGold CMA type account) do
not show up!  If he had let it default (as new staff are trained to do)
he would have seen the CitiGold overdrafts.   The net effect of this is that
for a three-month period this summer CitiBank in California was bouncing
random checks from its best customers ...

The good news is that they have learned from it and issued a memo to all
managers to ensure that everybody knows why it's happening.

John Pettitt, VP Engineering, CyberSource Corporation
[email protected]   +1 415 473 3065 (V)   +1 415 473 3066 (F)

------------------------------

Date: 18 Sep 1995 23:32:06 GMT
From: [email protected] (Kevin Maguire)
Subject: Call-box scams in California (PGN, RISKS-17.35)

> The remaining call boxes have now been reprogrammed to be able to dial
> only 911

That's a poor solution to the problem.  The 911 system is already
overburdened by people using it for non-emergency calls; some communities
even impose a fine for making non-emergency calls to 911.

I may be wrong in this assumption, but I'd imagine that most users
of highway call boxes are suffering from flat tires, overheated engines
and similar problems which don't require immediate emergency response.

Are you sure it's set to 911 and not local non-emergency police
numbers?  The one time I had to use a highway call box, in LA county,
it direct-dialed a non-emergency operator.  I don't remember if I got
a police operator or CalTrans.

Kevin Maguire  [email protected]

  [You are probably correct.  Journalism is not an exact science.  PGN]

------------------------------

Date: 6 September 1995 (LAST-MODIFIED)
From: [email protected]
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  [...]
DIRECT REQUESTS to <[email protected]> (majordomo) with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
  INFO     [for further information]

CONTRIBUTIONS: to [email protected], with appropriate,  substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome, but not personal attacks.  [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.  [...]
[Back issues are in the subdirectory corresponding to the volume number.]
  Individual issues can be accessed using a URL of the form
    http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
    ftp://unix.sri.com/risks  [if your browser accepts URLs.]

------------------------------

End of RISKS-FORUM Digest 17.36
************************