From: RISKS List Owner (risko@csl.sri.com)
Date: Mon Oct 01 2001 - 18:30:42 CDT
RISKS-LIST: Risks-Forum Digest Monday 1 October 2001 Volume 21 : Issue 67
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.67.html>
and by anonymous ftp at ftp.sri.com, cd risks .
Aftermath of 11 September 2001 (PGN)
GAO reports on terrorism (Monty Solomon)
Warding off cyberterrorist attacks (NewsScan)
Hackers face life imprisonment under 'Anti-Terrorism' Act (Monty Solomon)
Gartner "Nimda Worm shows you can't always patch fast enough" (Alistair McDonald)
Hacker re-writes Yahoo! news stories (Gary Stock)
YAHA: Yet Another Hotmail Attack (Alistair McDonald)
Hackers and others win big in Net casino attacks (Ken Nitz)
Creator of Kournikova virus gets 150 hours of community service (Abigail)
"Good Samaritan" hacker pleads guilty to breaking and entering (Declan McCullagh)
U.S. court shuts down deceptive Web sites (Jim Griffith)
Report on vulnerabilities of GPS (Joseph Bergin)
All public hospitals in Gothenburg Sweden Crippled by nimda (Peter Håkanson)
Y2K flaw blamed for Down's Syndrome test errors (Les Weston)
Re: Oxygen tank kills MRI exam subject (PGN)
E-voting in Australia (Tony Jones)
Australians voice anger over online spying (Monty Solomon)
World Trade Center in RISKS (Jay R. Ashworth)
We only reveal a few digits of your account number, don't worry (Dan Jacobson)
X-ray machine risk (Asa Bour)
Increasing RISKS of UPPER CASE (Stuart Prescott)
2002 USENIX Annual Technical Conference - Call for papers (Ann Tsai)
Abridged info on RISKS (comp.risks)
Date: Mon, 1 Oct 2001 11:06:12 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Aftermath of 11 September 2001
The Risks Forum has long advocated the importance of increased awareness of
risks and avoidance of critical systems with too many inherent weak links.
On 11 Sep 2001, the Internet stood up well and was a very important source
of information; land-based and cellular telephone systems experienced major
outages in lower Manhattan. A few companies such as Cantor-Fitzgerald and
eSpeed suffered huge personnel losses, but were nevertheless able to resume
operations quickly -- through various combinations of advanced planning and
rapid recovery strategies. There are many lessons that are worth recording
here, so I would like to invite some of you to contribute short but pithy
items on what was achieved, what was learned, and what insights you might
have gained. [Thanks to Scott Rainey for encouraging me to do this.]
Date: Thu, 20 Sep 2001 17:28:02 -0400
From: "monty solomon" <monty@roscom.com>
Subject: GAO reports on terrorism
Combating Terrorism: Selected Challenges and Related
Recommendations. GAO-01-822, September 20.
Aviation Security: Terrorist Acts Demand Urgent Need to Improve Security at
the Nation's Airports, by Gerald L. Dillingham, director, physical
infrastructure issues, before the Senate Committee on Commerce, Science, and
Transportation. GAO-01-1162T, September 20.
Aviation Security: Terrorist Acts Illustrate Severe Weaknesses in Aviation
Security, by Gerald L. Dillingham, director, physical infrastructure, before
a joint hearing of the Senate and House Appropriations Subcommittees on
Transportation and Related Agencies. GAO-01-1166T, September 20.
Date: Mon, 01 Oct 2001 08:19:36 -0700
From: "NewsScan" <newsscan@newsscan.com>
Subject: Warding off cyberterrorist attacks
Internet experts believe that the threat of cyber-attacks is increasing,
though not necessarily from Osama bin Laden's AlQaida network, which seems
focused on destroying physical targets and killing civilians. Georgetown
University computer science professor Dorothy Denning says, "It's my
understanding that they're not teaching this in the terrorist-training
camps," but rather that the danger comes from "these thousands of affiliates
or sympathizers." Stephen Northcutt, who runs an information warfare
simulation for the SANS Institute, warns that terrorists could "potentially
paralyze commerce" and might be able to "accomplish a cascading failure of
the electronic grid." (*San Jose Mercury News*, 1 Oct 2001; NewsScan Daily,
1 October 2001; http://www.siliconvalley.com/docs/news/depth/cyber100101.htm)
[Also, there is clearly renewed interest in off-site backup data storage.
Date: Tue, 25 Sep 2001 16:32:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Hackers face life imprisonment under 'Anti-Terrorism' Act
Hackers face life imprisonment under 'Anti-Terrorism' Act; Justice
Department proposal classifies most computer crimes as acts of terrorism
By Kevin Poulsen, 23 Sep 2001
Hackers, virus-writers and web site defacers would face life imprisonment
without the possibility of parole under legislation proposed by the Bush
Administration that would classify most computer crimes [and maybe noncrimes
(PGN)?] as acts of terrorism. The Justice Department is urging Congress to
quickly approve its Anti-Terrorism Act (ATA), a twenty-five page proposal
that would expand the government's legal powers to conduct electronic
surveillance, access business records, and detain suspected terrorists.
[See http://www.securityfocus.com/news/257 for the full item. PGN]
Date: Fri, 21 Sep 2001 13:07:00 +0100
From: Alistair McDonald <alistair@bacchusconsultancy.com>
Subject: Gartner "Nimda Worm shows you can't always patch fast enough"
Gartner is recommending that IIS users who have been hit by the recent MS
exploits should "immediately" consider moving to alternatives such as Apache
or iPlanet. http://www4.gartner.com/DisplayDocument?doc_cd=101034
But when will those in control take note? I'm sure that a lot of NT/2000
sysadmins (and especially Webmasters) are aware of the limitations of their
platform, but corporate strategy means that they are a "Microsoft shop".
Alistair McDonald Bacchus Consultancy www.bacchusconsultancy.com
Date: Mon, 24 Sep 2001 09:50:34 -0400
From: Gary Stock <gstock@nexcerpt.com>
Subject: Hacker re-writes Yahoo! news stories
Will Knight, New Scientist, 20 Sep 01
A computer security expert has revealed how he altered news articles posted
to Yahoo!'s web site without permission. The incident highlights the danger
of hackers posting misleading information to respected news outlets.
Freelance security consultant Adrian Lamo demonstrated that, armed only with
an ordinary Internet browser, he could access the content management system
used by Yahoo!'s staff to upload daily news. He added the false quotes
to stories to prove the hole was real to computer specialist site Security
Focus. Yahoo! has issued a statement saying the vulnerability has been
fixed and security is being reviewed. But experts say that the incident
demonstrates a serious risk. "Just think how much damage you could do by
changing the quarterly results of a company in a story," says J J Gray, a
consultant with computer consultants @stake.
Gary Stock, CIO & Technical Compass, Nexcerpt, Inc. 1-616.226.9550
Date: Fri, 21 Sep 2001 09:49:00 +0100
From: Alistair McDonald <alistair@bacchusconsultancy.com>
Subject: YAHA: Yet Another Hotmail Attack
Yet another attack on hotmail. Computing (20 Sept 2001) reports that one can
hack the hotmail web site, and redirect users to another site. This brings
up the possibility of password collecting. The hacker, known as "Oblivion",
reported this to the bugtraq mailing list. The exploit involves smuggling
Alistair McDonald Bacchus Consultancy www.bacchusconsultancy.com
Date: Mon, 10 Sep 2001 09:14:27 -0700
From: Ken Nitz <nitz@SDL.sri.com>
Subject: Hackers and others win big in Net casino attacks
[The article is on risks in on-line gambling, and particularly
CryptoLogic, Inc., a Canadian on-line casino games developer that has been
hacked. One of their sites had been "fixed" so that craps and video slot
players could not lose, with winnings totalling $1.9 million. Every dice
throw turned up doubles, and every slot spin generated a perfect match.
Whether it was an insider attack or a penetration is not clear from the
article. (We noted the likelihood of hacking of Internet gambling sites
in RISKS-19.27, 1 Aug 1997, not to mention my 1995 April Fool's piece in
RISKS-17.02.) Interesting question: which laws against hacking will apply
to subversions of illegal Internet gambling parlors? Who gets to
prosecute remote attacks on off-shore operations? PGN-ed]
Date: Fri, 28 Sep 2001 01:16:42 +0200
From: "Abigail" <abigail@foad.org>
Subject: Creator of Kournikova virus gets 150 hours of community service
27 Sep 2001
The 20-year-old creator of the Kournikova virus, J. de W. from Sneek, was
sentenced to 150 hours of community service by the court of Leeuwarden this
Thursday. The prosecution demanded the maximum of 240 hours of community
service. In February De W. released on the Internet the so-called
wormvirus, which spread itself as an e-mail message. The virus was activated
by clicking the e-mail which was titled Anna Kournikova (the tennis
player). This led to inconvenience for Internet users all over the world.
When determining the sentence, the court took into consideration that the
boy had no previous run-in with justice, that he turned himself in, and that
material damages were limited. The American investigation service FBI
reported an amount of $166,827 in damages.
Date: Thu, 27 Sep 2001 12:53:53 -0400
From: Declan McCullagh <declan@well.com>
Subject: FC: "Good Samaritan" hacker pleads guilty to breaking and entering
[Follow-up on RISKS-21.62 items. PGN]
'Good Sam' Hacker 'Fesses Up, By Declan McCullagh, 27 Sep 2001 declan@wired.com
It seemed like such a straightforward example of prosecutorial misconduct:
An Oklahoma man was being investigated by the Justice Department for helping
a newspaper fix a Web site security hole.
The outcry among the geek community last month began with an uncritical
story on LinuxFreak.org entitled "Cyber Citizen Lands Felony Charges?" Sites
such as Slashdot soon picked up the sad tale of 24-year-old Brian K. West as
evidence of out-of-control, tech-clueless government lawyers, and urged
everyone to e-mail the U.S. Attorney in charge of the prosecution.
Making the story even more appealing to the open-source community was the
Microsoft angle: West was said to have reported to the Poteau (Oklahoma)
Daily News and Sun a security flaw in Microsoft NT 4.0 IIS and Microsoft
FrontPage. But a guilty plea that West signed tells a far different story
-- and shows how easily a well-meaning community of programmers and system
administrators can be led astray.
[Politech archive on U.S. v. Brian K. West:
[PGN-excerpted from the Sperling release:
While probing the site, defendant made copies of six proprietary
Practical Extraction Report Language (PERL) scripts that were part of
the source code running the PDNS Web page. Defendant also obtained
password files from PDNS and used those passwords to access other parts
of the PDNS Web page. Defendant electronically shared the scripts and
the password files for the PDNS Web site with another individual.
Defendant's access to the Web page involved interstate communications.
Date: Mon, 1 Oct 2001 14:59:23 -0500 (CDT)
From: Jim Griffith
Subject: U.S. court shuts down deceptive Web sites
Reuters reports that the U.S. District Court in Philadelphia has ordered
John Zuccarini to shut down sites operated by him. The Federal Trade
Commission filed a complaint against Zuccarini, claiming that he has
purchased domain names which are misspellings or other "one-offs" of
popular sites, which he uses to "blitz" unsuspecting visitors with pop-up
ads, from which the user cannot escape, in order to receive advertising
revenue (estimated between $800K and $1 million). Zuccarini has registered
some 5500 domains, including www.annakurnikova.com, 41 variants of
"Britney Spears", and others.
Date: Tue, 11 Sep 2001 07:31:31 -0400
From: Joseph Bergin <berginf@pace.edu>
Subject: Report on vulnerabilities of GPS
Yesterday (10 Sept. 2001) the U.S. Transportation dept released a report
on the vulnerabilities of the Global Positioning System. The report can
be obtained from
There is a short story about it in *The New York Times*, 11 Sep 2001:
The report notes that GPS is being increasingly relied on for life-critical
performance in transportation and recommends that various backups be
maintained and new ones developed.
Joseph Bergin, Professor, Pace University, Computer Science, One Pace Plaza,
NY NY 10038 berginf@pace.edu HOMEPAGE http://csis.pace.edu/~bergin/
Date: Tue, 25 Sep 2001 10:42:55 +0200
From: Peter Håkanson <peter@ipsec.nu>
Subject: All public hospitals in Gothenburg Sweden Crippled by nimda
The hospitals in "Västra Götaland", Sweden (west coast, population 1M)
were isolated from the Internet during 23 Sep 2001. Some of the internal networks
had to be partitioned to prevent nimda spreading further. Reservations and
computer-based medical records were unavailable. http://www.vgregion.se
The fact that a hospital chain has so relaxed security is amazing. It's
also amazing that whole organizations are kept hostage of a vendor that's
not even cost-effective.
What would happen in case we get a *real* threat to security??
Peter Håkanson, IPSec sverige, Bror Nilssons gata 16 Lundbystrand
S-417 55 Gothenburg Sweden "Safe by design" +46707328101 peter@ipsec.nu
Date: Fri, 14 Sep 2001 13:24:33 +0100
From: Les Weston <trusteemsemailexpire.com>
Subject: Y2K flaw blamed for Down's Syndrome test errors
The Y2K problem is being blamed for incorrect Down's Syndrome results being
given to more than 150 pregnant women throughout northern England between
January and May last year. As a result, four Down's syndrome pregnancies
went undetected. Amongst other factors, the mother's age is used to assess
her risk category. Only those in the high-risk category undergo further
tests for the syndrome. Staff noticed the strange results coming from the
system, but initially thought they were due to a different mix of women being
Les Weston, Quinag-CSL, Edinburgh.
[Also noted by several others. TNX. Overconfidence in the PathLAN
computer was blamed for errors, occurring between 4 Jan and 24 May 2001.
Date: Sun, 30 Sep 2001 10:44:16 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Re: Oxygen tank kills MRI exam subject (RISKS-21.55)
Westchester Medical Center was fined $22,000 for 11 violations related
to the death of the 6-year-old boy killed by the magnetically attracted
stray oxygen tank carried into the room by a doctor.
Date: Sun, 23 Sep 2001 06:31:10 +1000 (EST)
From: tmj@enternet.com.au (Tony Jones)
Subject: E-voting in Australia
On 20 October 2001 there will be an election of members of the Legislative
Assembly of the Australian Capital Territory. It is hoped that about 9% of
voting will be done using a new electronic voting system. Further details
are at <http://www.elections.act.gov.au/Elecvote.html>.
For the electronic system, no independently verifiable copy of a voter's
choices will be kept. The selections made by a voter and displayed on the
monitor of the voting computer will be, we're led to believe, what go into
the duplicated databases for counting.
RISKS readers will be reassured to know that (see
"The new software will be subjected to extensive testing to ensure it is
accurate and secure, as well as easy to use. The software will be used on
standard computer hardware, that will not be connected to any external
networks. The system will also include numerous backups and safeguards to
ensure that voting data will not be lost. This will guarantee the security
of the electronic voting and counting processes," Mr Green [the ACT
Electoral Commissioner] said.
I hope Murphy is not eligible to vote.
[Actually, given the flakiness and lack of security in existing
all-electronic voting systems, it is likely that Murphy's entire surrogate
extended family will be able to vote repeatedly, many times over. PGN]
Date: Sat, 8 Sep 2001 13:08:38 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Australians voice anger over online spying
Australians voice anger over online spying
By Rachel Lebihan, ZDNet Australia News, 07 September 2001
Only three percent of surveyed ZDNet readers believe Internet Service
Providers should monitor all user activity, following a parliamentary report
that recommends user logs should be kept on customers' online activities.
The diminutive support for tighter online monitoring was transcended by a
resounding 60 percent of polled readers who said they would kick up a fuss
until the law was changed, if ISPs were forced to maintain access logs.
Date: Tue, 11 Sep 2001 16:36:04 -0400
From: "Jay R. Ashworth" <jra@baylink.com>
Subject: World Trade Center in RISKS
In light of this morning's events, which I will not minimize by trying
to select an adjective to describe, I thought it might be interesting
to search the RISKS archives, and see how the building's history
figures in that sphere.
First, there's coverage of the car bombing, and how the evac plan and
generators failed, in
with follow-on in
There's other coverage of the bombing, as well, in
which discusses how the building operators are allowed to violate the
building codes that they would be otherwise bound by.
discusses the fact that damned near every TV and most of the radio broadcast
antennas serving NYC and Eastern NY State just hit the ground as well; that
had to be making life miserable for people trying to get the word out.
discusses an ATM outage in NJ attributable to the evac from that bombing.
Another outage in California happened at least in part because the backup
systems were otherwise occupied due to that same situation:
notes in passing that the WTC is not alone in having such problems.
[Discussion of the Citicorp problems and unlikely events. PGN]
Jay R. Ashworth, Member of the Technical Staff, Baylink, Tampa Bay, Florida
http://baylink.pitas.com +1 727 804 5015 jra@baylink.com
Date: 12 Sep 2001 13:04:10 +0800
From: Dan Jacobson <jidanni@deadspam.com>
Subject: We only reveal a few digits of your account number, don't worry
> Re: Consumer Reports password policy risks (Bumgarner, RISKS-21.65)
> ... but does give the last five digits
Sounds like the Taiwan power company sending bills with only the last few
digits of your auto-payment bank account revealed, the phone company sending
theirs with only the first few digits revealed. Steal two envelopes and
you've got the account number?
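As an added worked example (not part of Dan Jacobson's item or of RISKS), the following shows why two differently redacted bills for the same account are worse than either alone: merging the revealed positions shrinks the search space for the rest. It assumes a hypothetical 12-digit account number, a '*' mask character, and two constructed sample bills (one revealing the first four digits, the other the last five); all names and values are assumptions for illustration.

```python
# Added example (not from the RISKS item): merging partially redacted views
# of one account number. Assumptions: account numbers are 12 digits, masked
# positions are shown as '*', and the two sample bills below are constructed.
from typing import Iterable, List, Optional


def merge_masked(views: Iterable[str]) -> List[Optional[str]]:
    """Combine several masked views of the same fixed-length value.

    Each view reveals some positions and masks the rest with '*'. The result
    holds the revealed character at each position, or None where no view
    reveals it. Views of different length, or views that disagree on a
    revealed position, cannot describe the same value and raise ValueError.
    """
    merged: List[Optional[str]] = []
    for view in views:
        if not merged:
            merged = [None] * len(view)
        elif len(view) != len(merged):
            raise ValueError("masked views have different lengths")
        for i, ch in enumerate(view):
            if ch == "*":
                continue
            if merged[i] is None:
                merged[i] = ch
            elif merged[i] != ch:
                raise ValueError(f"views disagree at position {i}")
    return merged


def consistent(views: Iterable[str]) -> bool:
    """True if the views could all be redactions of one and the same value."""
    try:
        merge_masked(views)
        return True
    except ValueError:
        return False


def render(merged: List[Optional[str]]) -> str:
    """Show the merged view, with '?' marking positions still unknown."""
    return "".join("?" if d is None else d for d in merged)


def unknown_positions(merged: List[Optional[str]]) -> int:
    """How many positions no document has revealed."""
    return sum(1 for d in merged if d is None)


def guesses_needed(merged: List[Optional[str]], alphabet: int = 10) -> int:
    """Worst-case number of candidates left for the unrevealed positions."""
    return alphabet ** unknown_positions(merged)


# Constructed sample bills for one hypothetical 12-digit account.
POWER_BILL = "*******72819"   # last five digits revealed
PHONE_BILL = "3094********"   # first four digits revealed

if __name__ == "__main__":
    for label, views in (("power bill alone", [POWER_BILL]),
                         ("both bills", [POWER_BILL, PHONE_BILL])):
        m = merge_masked(views)
        print(f"{label:17s} {render(m)}  candidates left: {guesses_needed(m)}")
```

The point the merge makes concrete is that the exposure is the union of what every document reveals, not what any single one does; a redaction policy that masks different positions in different mailings leaks more than one that always reveals the same few digits.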
Date: Thu, 27 Sep 2001 23:16:04 -0400 (EDT)
From: Asa Bour <boureascripturememory.org>
Subject: X-ray machine risk
I had to get some x-rays recently. I felt real confident when I saw a bright
yellow post-it note on the x-ray machine with bold print stating that the
measurements were in mm (millimeters) and not in cm (centimeters). Since
the note was needed, one can assume they had problems with people
calibrating the machine properly with the right units. I think the x-ray
software interface needs some improvement to eliminate this danger of
Date: Mon, 24 Sep 2001 16:18:34 +1000
From: Stuart Prescott <s.prescott@chem.usyd.edu.au>
Subject: Increasing RISKS of UPPER CASE
I recently received a confirmation e-mail from an Australian domestic
airline confirming a booking I had made over the web. The entire e-mail was
in capitals (were they shouting at me or was it all "very important"?)
including a little URL at the bottom for more information on in-flight health:
> SOME STUDIES HAVE CONCLUDED THAT PROLONGED IMMOBILITY MAY BE A RISK
> FACTOR IN THE FORMATION OF BLOOD CLOTS IN THE LEGS,
> (DVT - DEEP VEIN THROMBOSIS). IF YOU FEEL YOU MAY BE AT RISK FROM
> DVT OR OTHER HEALTH PROBLEMS, QANTAS RECOMMENDS YOU CONSULT WITH
> YOUR DOCTOR BEFORE TRAVEL. INFORMATION ON HEALTH ISSUES CAN BE
> FOUND ON OUR WEBSITE -
> IN OUR TIMETABLE AND INFLIGHT MAGAZINE OR CONTACT YOUR LOCAL QANTAS
No prizes for guessing whether or not the all-uppercase URL works...
So the RISKS... other than making the entire message much harder to read,
you can also break things.
Date: Tue, 18 Sep 2001 13:34:59 -0700
From: Ann Tsai <mktgadm@usenix.org>
Subject: 2002 USENIX Annual Technical Conference - Call for papers
2002 USENIX Annual Technical Conference, June 9-14, 2002, Monterey, CA
Submissions to the General Refereed Sessions Track are due on November
FREENIX is a special track within the USENIX Annual Technical Conference
that showcases the latest developments and applications in freely
redistributed technology. The FREENIX track covers the full range of
software and source code including but not limited to Apache, Darwin,
FreeBSD, GNOME, GNU, KDE, Linux, NetBSD, OpenBSD, Perl, PHP, Python, Samba,
Tcl/Tk and more.
The FREENIX program committee is looking for papers about projects with a
solid emphasis on nurturing the open source/freely available software
community and talks which advance the state of the art of freely
redistributable software. Areas of interest include, but are not limited
Submissions to the Freenix Track are due on November 12, 2001.
Submission guidelines and conference details are available on our Web site:
The 2002 USENIX Annual Technical Conference is sponsored by
USENIX, The Advanced Computing Systems Association. www.usenix.org
Date: 12 Feb 2001 (LAST-MODIFIED)
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Alternatively, via majordomo,
send e-mail requests to <risks-request@csl.sri.com> with one-line body
subscribe [OR unsubscribe]
which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
[If E-mail address differs from FROM: subscribe "other-address <xy>" ;
this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
Lower-case only in address may get around a confirmation match glitch.
INFO [for unabridged version of RISKS information]
There seems to be an occasional glitch in the confirmation process, in which
case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
.MIL users should contact <risks-request@pica.army.mil> (Dennis Rears).
.UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Lindsay Marshall has also added to the Newcastle catless site a
palmtop version of the most recent RISKS issue and a WAP version that
works for many but not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
http://www.csl.sri.com/illustrative.html for browsing,
http://www.csl.sri.com/illustrative.pdf or .ps for printing
End of RISKS-FORUM Digest 21.67