precedence: bulk
Subject: Risks Digest 20.56

RISKS-LIST: Risks-Forum Digest  Friday 3 September 1999  Volume 20 : Issue 56

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/20.56.html>
and at ftp.sri.com/risks/ .

 Contents:
Online gambling software flaw (Matthew Schmid)
Test page for dangerous ActiveX controls (Richard M. Smith)
Intuit strikes again (Gary Cattarin)
Danish UPS (Finn Jensen in rec.humor.funny)
Tandy bug? (Lindsay Marshall)
E*Trade and the Dow Jones (Theodore Y. Ts'o)
U.S. top-secret messages go astray (Andrew Johnson)
UPenn bug report (Rebecca Mercuri)
Local company stung by Y2K bug (Doneel Edelson)
Smart Card Forum annual meeting (Donna Farmer)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 3 Sep 1999 05:26:02 -0700 (PDT)
From: "Matthew Schmid" <[email protected]>
Subject: Online gambling software flaw

Regardless of its quasi-legal status, online gambling presents an entire
raft of risks.  Key questions include: Will your personal information be
handled securely (for example, will the credit card number you're paying
with be stolen or the fact that you're gambling at all be leaked)?  What if
the gaming site is hacked?  Could you be playing against cheating insiders
or players acting in collusion?  Are the games implemented correctly and
fairly?  Is the software secure?  In response to the last question, we have
demonstrated that the answer is no.

The Software Security Group at Reliable Software Technologies
(www.rstcorp.com) has discovered a serious flaw in the implementation of
Texas Hold 'em Poker that is distributed by ASF Software, Inc.
(www.asfgames.com).  We have exploited this flaw in the lab.  Our exploit
allows a player (us) to calculate the exact deck being used for each hand in
real time.  That means a player using our exploit knows the cards in every
opponent's hand as well as the cards that will make up the flop (cards
placed face up on the table after rounds of betting).  We can win every
time.  A malicious attacker could use our exploit to bilk innocent players
of actual money without ever being caught.  ASF Software has been notified
of the flaw.

Currently we know of three online casinos (www.planetpoker.com,
www.purepoker.com, and www.deltacasino.com) that appear to use ASF
Software's implementation of Texas Hold 'em Poker.  All three Websites allow
players to compete for real money.  There is also a demo casino
(www.casinococo.com) that allows players to gamble with play money.  We have
only used our exploit against the demo casino.

The flaw exists in the card shuffling algorithm used to generate each deck.
Ironically, the code was publicly displayed at www.planetpoker.com/ppfaq.htm
with the idea of showing how fair the game is to interested players (the
page has since been taken down).  In the code, a call to randomize() is
included to produce a random deck before each deck is generated.  The
implementation, built with Delphi 4 (a Pascal IDE), seeds the random number
generator with the number of milliseconds since midnight according to the
system clock. That means the output of the random number generator is easily
predicted.  A predictable "random number generator" is a very serious
security problem.

There are a number of other problems in the implementation that could lead
to complete security compromise.  We have only exploited the easiest one at
this time.

The broad take-home message from this work is simple: when software
misbehaves, bad things can happen.  Our mission in the Software Security
Group is to stamp out insecure code before it is placed in service.  Members
of the group involved with the Gambling exploit are: Brad Arkin, Frank Hill,
Scott Marks, Matt Schmid, and TJ Walls.  The Software Security Group is led
by Dr.Gary McGraw.

Matt Schmid, Reliable Software Technologies  <[email protected]>

------------------------------

Date: Sun, 29 Aug 1999 14:04:32 -0400
From: "Richard M. Smith" <[email protected]>
Subject: Test page for dangerous ActiveX controls

There are a number of outstanding problems with ActiveX controls that are
awaiting patches from Microsoft.  I've put together a test page which will
determine which dangerous ActiveX controls are installed on a system.  Here
is the URL:

   http://www.tiac.net/users/smiths/acctroj/axcheck.htm

I think the best solution for right now is to turn off ActiveX in IE4 and
IE5.

The "bad guys" can use these controls to do all sorts of nasty stuff in Web
pages, HTML E-mail messages, and even newsgroup messages.  Affected products
are Internet Explorer, Outlook, Outlook Express, and Eudora.

Note: the test page requires IE4 or IE5.  Netscape users are safe because
Navigator does not support ActiveX controls.

Richard

------------------------------

Date: Wed, 1 Sep 1999 20:54:13 -0700
From: "Gary Cattarin" <[email protected]>
Subject: Intuit strikes again

Intuit blows it again.  Should we be surprised?

Go to:  http://privacy.intuit.com/  Read all the high and mighty "We're so
careful about your privacy it hurts" crap.

At the bottom, find a link that reads, "If you would like to review or
change your contact preferences, please click here."  Enter your last name
and ZIP code.  No, wait, enter ANYONE'S last name and ZIP code who you think
might use any Intuit product.  It's not hard to think of someone who might.
Of course, you are taken - without any verification whatsoever - right to
that individual's privacy profile, where you can determine your friend's,
neighbor's, enemy's, or mother's choice of receiving junk snail mail,
e-mail, and/or phone solicitations from Intuit, or whether Intuit may spread
their information across the globe (only to "vigorously screened companies"
of course!!!).  You can even change their e-mail - so perhaps you can use
someone else's profile to create SPAM into your favorite enemy's inbox!
(Oh, if Dick Nixon were still alive...)

Risk?  Privacy statements and policies mean nothing if the company maintains
no control over the information required to implement them.  Weak attempts
at "privacy control" allow easy abuse and further multiply the problem.

So go ahead!  Protect your neighbor from junk mail.  I did.  (He'd thank me
for it if he ever knew I could do that.)

Gary Cattarin - [email protected]
(Humans will guess the real address - e-mail address-grabbing scanners will
not!)

------------------------------

Date: Tue, 31 Aug 1999 19:30:00 PDT
From: Finn Jensen <[email protected]>
Newsgroups: rec.humor.funny
Subject: Danish UPS

 [Courtesy of Aram Khalili, Jim Griffith, and Julian Thomas]

To good to be true, but it is.  From the Tele Danmark (ISP) homepage,
translated from Danish.

>This morning, Tele Denmark Internet was out of order, because the power
>supply failed. It meant that customer couldn't connect to the Internet.
>
>The problem occu[r]red at 7:45, when a truck drove into the cabinet that
>supplies Tele Denmark Internet with power. The truck was delivering a new
>uninterruptible power supply, and therefore the old UPS had been disconnected.
>At 9:00 the power returned and the different system began to reestablish, and
>everything is expected to return to normal again by 10:30. Tele Denmark
>Internet regrets the disturbance to its customers.

[http://www.opasia.dk/online/tele_danmark/index.html, English here cleaned up
       a bit for humor's sake - ed.]

------------------------------

Date: Fri, 3 Sep 1999 14:09:52 +0100 (GMT)
From: [email protected]
Subject: Tandy bug?

The following story was recently forwarded to the EGR mailing list. I
wonder if anyone knows anything more about it?  L.

2) William Slattery shares the following personal experience. All you
reporters out there might take special note.

  Y2K is here!

  I got a check in the mail last week from Tandy Corporation:
  $891.24. A nice chunk of change that there is no way in the world
  they could owe me.

  Here is what I think happened. Because of my odd habit of paying
  off most of my bills to the nearest ten dollars OVER what I
  actually owe (it makes the math easier when I balance my
  checkbook), I had a small credit on my Radio Shack credit card.
  Their computer looked at the end of the billing period, which
  fell after the infamous 9/9/99, and said Wowza!, this guy has had
  a five dollar credit on our books since January 1 of 1900. Since
  company policy is to pay off credits on inactive accounts, I'm
  going to calculate the interest and cut this guy a check.

  So here we are. I phoned Tandy headquarters (817-415-3011) and
  talked with the person in charge of this sort of thing, Lisa
  Mapes. I told her there was no way Radio Shack could owe me 900
  bucks because I hadn't spent that much money in their stores in
  my whole life. I told her I thought they had a Y2K problem. She
  laughed at me. It was not a good laugh. It was the "you're so
  ridiculous it's hilarious" kind of laugh. Ms. Mapes told me to go
  ahead and cash the check. Radio Shack really owes me this money,
  she says, even though they are completely unable to explain WHY
  they owe me the dough.

  I told reporters at The New York Times and National Public Radio
  that all their stories warning about Y2K were finally starting to
  pay off. I figured that after years of running Chicken Little
  stories -- the sky is gonna fall! the sky is gonna fall! -- it
  would make a good little story when the first chunks of sky
  actually started landing on people's heads. Apparently not. They
  seem profoundly uninterested.

  To a mind as comprehensive as yours, I am sure the potential for
  gaining fabulous wealth is immediately apparent. The key to
  getting rich off Y2K is to open numerous small accounts under
  assumed names, lodge small credits in them, and wait for the
  checks to roll in. If I'd thought of it sooner -- and could get
  rid of this pesky conscience -- I'd be a rich man today.

------------------------------

Date: Thu, 2 Sep 1999 16:33:57 -0400
From: "Theodore Y. Ts'o" <[email protected]>
Subject: E*Trade and the Dow Jones

After suffering through the E*Trade / Red Hat fiasco, where each time I
talked to a human being, I was really impressed, but each time I had to deal
with the web page software I was less than impressed, I suppose I shouldn't
be surprised about much from E*Trade's web page.

But imagine my amusement when I looked at E*Trade's main web page, which
according to its Market Watch, as of 9/2/1999, at 2:49pm the Dow Jones
Industrial Average was $1.00, down $10936.88.  Somehow, I have a little bit
of trouble believing that.  Either that, or that stock market bubble that
Greenspan keeps worrying about was far more real than anyone ever believed!:-)

(Given that the Nasdaq has only dropped 21.5 points today, I'm assuming the
DJIA didn't really lose over ten thousand points.)

Obviously, E*Trade's software doesn't have any "that can't *possibly* be
right" checks, so when it somehow got the bogus data about the value of the
DJIA, the software very happily calculated that if the index is currently
worth one dollar, then it must have dropped $10,936.88 since yesterday.

Fortunately, it's pretty obvious that the DJIA on the Market Watch web page
couldn't possibly be right, but this brings up some obvious questions that
should be familiar to all Risks readers: what if some other dumb computer
program which was rigged to do program trading decided this meant it should
dump all of its holdings in a hurry?  (Or buy lots of stocks since obviously
everything is cheap.)  What if the numbers on E*Trade's Market Watch were
off by some significant amount, but not in a way which made it immediately
obvious that it was in space?  Could a human being be taken in by its a
likely-looking-but-wrong DJIA, and mistakingly make some trades based an
incorrect market index?

                                               - Ted

P.S.  I've saved a copy of the gif image displayed by E*Trade's Market
Watch, for those who'd like to see this for themselves.  It can be found
at:
       http://web.mit.edu/tytso/www/etrade-djia.gif

------------------------------

Date: Fri, 3 Sep 1999 18:30:53 +1200
From: "Andrew Johnson (A.J.)" <[email protected]>
Subject: U.S. top-secret messages go astray

A common risk inherent in all of our communication technology is...well,
once again, human error.  Next week New Zealand hosts the APEC conference in
Auckland, being attended by a substantial number of world leaders, including
President Clinton from the U.S.

So imagine if Saji Phillips, a chicken farmer from Auckland, had been one of
those people who holds a grudge: He was accidentally faxed the security
arrangements for the U.S. Embassy and U.S. Delegation, including Mr Clinton,
today N.Z. time (3 September 1999).

See Newsroom.co.nz : http://www.newsroom.co.nz/story.asp?s=5469

 [Another story says this had happened repeatedly.]

The Risk here is very clear... imagine how much that information would be
worth to the right person!  Not that anyone would think that free trade is a
bad thing, of course. *ahem*...

Andrew Johnson <[email protected]> http://critique.net.nz/aj/mania/

------------------------------

Date: Wed, 1 Sep 1999 17:51:43 -0400 (EDT)
From: Rebecca Mercuri <[email protected]>
Subject: UPenn bug report

Here's the report on what happened to cut Penn entirely off from the
Internet.  R.Mercuri

Date:         Tue, 31 Aug 1999 20:11:25 -0400
Reply-To: Network Administration <[email protected]>
From: Network Administration <[email protected]>
Subject:      ****EXTERNAL CONNECTIVITY RESTORED****
Comments: To: [email protected]
To: [email protected]

Date:                   Tuesday August 31, 1999
Time:                   2:20pm - 7:30pm
Duration:               5 hours
Buildings Affected:     Entire Campus
Services Affected:      Internet Connectivity
Description:            At 2:20 this afternoon, the University's
 Internet connectivity was disrupted due to a problem with a Bell Atlantic
 high-speed line. By 7:30 this evening, Bell Atlantic had taken steps to
 restore our link to UUNet. There may be a brief interruption to our service
 in the next 24-48 hours while Bell Atlantic makes permanent repairs.

[email protected]

------------------------------

Date: Fri, 3 Sep 1999 12:18:36 -0400
From: "Edelson, Doneel" <[email protected]>
Subject: Local company stung by Y2K bug

Y2K glitches happen to even the most computer savvy folks.  Wayne Moule,
president of Northwest Metrology, a company that calibrates electronic test
equipment for federal agencies and major corporations, is a case in point.
Moule sees the damage every day and still is counting losses - $80,000 and
growing - because software he owns fell victim to a year 2000 problem. ...
[Source: Marc Benjamin, *The Bakersfield Californian*, 24 August 1999;
PGN-ed]

------------------------------

Date: Sun, 29 Aug 1999 17:40:30 -0400
From: "Donna Farmer" <[email protected]>
Subject: Smart Card Forum annual meeting

Who: Leading privacy and Internet commerce technologists
What: Smart Card Summit '99: Privacy & Security in the New Millennium
When: September 22-23, 1999
Where: JW Marriott Hotel in downtown Washington, DC
Web-information: http://www.smartcardforum.org or call (202) 530-5306.

------------------------------

Date: 23 Sep 1998 (LAST-MODIFIED)
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you.  Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <[email protected]> with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
  INFO     [for unabridged version of RISKS information]
.MIL users should contact <[email protected]> (Dennis Rears).
.UK users should contact <[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.  *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to [email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
or http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
PostScript copy of PGN's comprehensive historical summary of one liners:
  illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.56
************************

You are viewing proxied material from gopher.quux.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.