Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: RISKS List Owner (riskocsl.sri.com)
Date: Sun May 05 2002 - 17:09:45 CDT
RISKS-LIST: Risks-Forum Digest Sunday 5 May 2002 Volume 22 : Issue 05
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.05.html>
and by anonymous ftp at ftp.sri.com, cd risks .
"Don't Touch That Dial--Or You're Under Arrest!" (Lauren Weinstein)
Re: "Don't Touch That Dial--Or You're Under Arrest!" (Dan Gillmor)
Vivendi suspects electronic vote fraud (NewsScan)
Lost password' delays Mali vote count (PGN)
Online voting in UK (Toby Gottfried)
How to rig an election (*The Economist* via Mohammad Al-Ubaydli)
Seattle City light billing disputes (Jason Axley)
Risks of differing Unices (Theo Markettos)
CIA warns of Chinese plans for cyber-attacks on U.S. (Mike Hogsett)
Smart inventory control overshoot (Paul Breed)
California DMV online data base (Bruce Stein)
A new risk to computers worldwide: W32/KLEZ.H" in MS Outlook
(John Schwartz via John F. McMullen)
How not to warn about viruses (Rob Slade)
IE 6 Privacy features open users to attack (Monty Solomon)
Midwest Express Web site security (Midwest Express)
Robot cameras 'will predict crimes before they happen' (Merlyn Kline)
Re: Online banking system failure in a big way (Ishikawa)
Re: Nanny-Cam may leave a home exposed (Marc Roessler)
Abridged info on RISKS (comp.risks)
Date: Sun, 05 May 2002 14:51:01 -0700
From: Lauren Weinstein <laurenvortex.com>
Subject: "Don't Touch That Dial--Or You're Under Arrest!"
Greetings. According to some in the entertainment industry, consumers risk
becoming outlaws if they skip the commercials during television programs!
The latest Fact Squad Radio short audio segment concerns the escalating
technology and political battle between the entertainment industry and their
consumers, and is entitled:
"Don't Touch That Dial--Or You're Under Arrest!"
It's playable via:
Lauren Weinstein +1 (818) 225-2800
laurenpfir.org or laurenvortex.com or laurenprivacyforum.org
Co-Founder, PFIR, People For Internet Responsibility: http://www.pfir.org;
Fact Squad: http://www.factsquad.org; URIICA - Union for Representative
International Internet Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
From: Dan Gillmor <dgillmorsjmercury.com>
Date: Sun, 05 May 2002 14:16:49
Subject: Re: "Don't Touch That Dial--Or You're Under Arrest!"
[From Dave Farber's IP, written in response to Dave's posting a
notice from Lauren Weinstein similar to the above. PGN]
Dave, today's column [by Dan] is on point:
If you are reading this column in the newspaper, but did not read every
article and look at every advertisement in previous sections, stop now. You
must go back and look at all of that material before continuing with this
If you are reading this column on the Web and did not go to the newspaper's
home page first, stop now. Go to the home page and navigate through whatever
sequence of links our page designers have created to reach this page, and
don't you dare fail to look at the ads.
Ridiculous? Of course.
Tell that to the dinosaurs at some major media and entertainment companies.
They insist they have the right to tell you precisely how you may use their
[For IP archives see:
Date: Mon, 29 Apr 2002 09:13:08 -0700
From: "NewsScan" <newsscannewsscan.com>
Subject: Vivendi suspects electronic vote fraud
Vivendi Universal, the Paris-based media giant, is calling for a criminal
investigation of suspected fraud by unnamed computer hackers during a
shareholders vote by Internet last week. Vivendi thinks the vote tampering
"could have been carried out by a small team armed with a transmitter-
receiver and detailed knowledge of the procedures and technical protocols of
electronic voting." (AP/*The Washington Post*, 29 Apr 2002; NewsScan Daily,
29 Apr 2002)
Date: Tue, 30 Apr 2002 8:42:06 PDT
From: "Peter G. Neumann" <neumanncsl.sri.com>
Subject: Lost password' delays Mali vote count
The announcement of the results of Mali's presidential election on 28 Apr
2002 has been suspended after a computer technician had a car accident,
election officials have said. He is the only person with the password to
access the election centre's computers. The technician was reportedly
recovering in the hospital. [BBC, PGN-ed]
[... except that nobody wanted to admit how easy it might have been to
break in without knowing the password, which would have blown the cover of
the folks who had already rigged the election? PGN]
[This item was noted by several readers. TNX]
Date: Thu, 2 May 2002 15:51:53 -0700
From: "Toby Gottfried" <tobygottfriedville.net>
Subject: Online voting in UK
Apparently the British are making moves toward voting in a "high tech" way.
"... But if there are unexpected results from next week's local elections
in the UK it is entirely possible that they will be blamed on hackers,
programming errors or network failures. The reason is that the May 2002
local elections are being used to test a selection of alternative voting
methods. Most of these are 'e-voting' systems which use computers and
networks, including the Internet. So if something unexpected happens there
will be a temptation to blame it on the computers rather than take it as an
reflection of a change in local opinion. ..."
Quoting from the start and end of
which has links to more articles,
Residents of Sheffield and Liverpool will be able to vote over the
Internet and by mobile phone text message in the May local government
elections as part of a nationwide wave of 30 innovative electoral pilots
announced today. [ Feb 5 2002 ]
The pilots will provide a crucial first test of Internet voting, and could
be a step towards an online general election. ..... His announcement
came as the independent Electoral Reform Society (ERS) warned that the
government should not rush into online voting. Ministers need to ensure
the technology used is thoroughly tested and that tough safeguards are in
place to prevent fraud.
Date: Tue, 30 Apr 2002 15:00:27 -0400
From: "Dr Mohammad Al-Ubaydli" <moidiopathic.com>
Subject: How to rig an election (*The Economist*)
[An article from *The Economist* print edition, 25 Apr 2002, considers a
situation which readily generalizes to a state with N Congressional
districts in which one redistricting gives results of N to 0 representatives
one way, and another redistricting gives results of 1 to N-1 the other way.
Starkly PGN-ed from Dave Farber's IP
Date: Tue, 23 Apr 2002 11:33:02 -0700
From: Jason Axley <jason-risksaxley.net>
Subject: Seattle City light billing disputes
Still no light has been shed on what is causing the massive overcharging of
many Seattle City Light customers -- some as much as 10 times above normal.
Seattle City Light, beleaguered by scores of customer complaints about
inflated bills, now plans to do things "the Nordstrom way," meaning it
will resolve billing disputes quickly and in the customer's favor when
there's a question, Mayor Greg Nickels vowed yesterday.
The city made some headway in trying to turn around what has become a
public-relations disaster. But after promising Friday to come up with a
definitive explanation on the inflated bills for the mayor by Monday, it
came up a bit short.
The hearing examiner "indicated that all my bills were from direct meter
reads, so the bill in question was not a makeup bill," O'Leary said. "He
also said the bill on its face was wrong. His conclusion was, however,
that the meter never lies, and I must prove I did not use the power. How
does one prove a negative?"
Zarker emphasized that the billing problem does not lie with the city's
new $40 million computer. "It works," he declared.
[Source: *Seattle Times*, "Nickels says City Light billing disputes will be
resolved quickly, in customer's favor", 16 Apr 2002]
Date: Tue, 30 Apr 2002 22:05:33 +0100 (BST)
From: Theo Markettos <theomchiark.greenend.org.uk>
Subject: Risks of differing Unices
Both Linux and HPUX provide a 'killall' command. Under Linux 'killall
<process name>' is used to kill all processes with the given name -- for
example, as root one might kill all instantiations of httpd.
Under HPUX, killall kills _every_ process, except those required for
shutdown. It takes an optional signal argument, but ignores this if it
doesn't recognise it as a valid signal name. Hence 'killall httpd' kills
everything except a handful of processes required for shutdown. If not
running as root, it kills all processes owned by the current user.
The RISK? Don't assume something that is safe on one OS is on another,
and don't assume that running a command without arguments to get help will
do the right thing.
Date: Thu, 25 Apr 2002 14:07:50 -0700
From: Mike Hogsett <hogsettcsl.sri.com>
Subject: CIA warns of Chinese plans for cyber-attacks on U.S.
U.S. intelligence officials believe the Chinese military is working to
launch wide-scale cyber-attacks on American and Taiwanese computer networks,
including Internet-linked military systems considered vulnerable to
sabotage, according to a classified CIA report.
Date: Mon, 29 Apr 2002 14:15:16 -0700
From: Paul Breed <PaulNetburner.com>
Subject: Smart inventory control overshoot
I've been working on an old car, in the process of removing the spot welds I
needed a specific sized bullet tipped drill bit. The bit would only last
about 5 welds and I had hundreds to do. The only place I could find locally
to buy the bits was in a pack of 15 various size bits at the local home
So, over the period of three months, I purchased all of their drill sets,
every weekend (usually 3 sets). Now I have disassembled the old car and
don't need more bits. The last time I was in the home center they had so
many of these drill bit sets that they were overflowing on to the floor.
From my experience the computerized inventory system has a delay of about 3
months. It determined that this item sold out for 12 weeks straight,
plugged this into it's inventory tracking prediction S/W and ordered
hundreds and hundreds of sets......
Date: Wed, 24 Apr 2002 17:17:50 -0700
From: Bruce Stein
Subject: California DMV online data base
From the Los Angeles Times, 24 Apr 2002
At the California DMV Web site at http://www.smogcheck.ca.gov , click on
"Vehicle Smog Check History". Enter just a license plate number, and you
will be provided with:
Vehicle Identification Number (VIN)
Make, Model, and Year of the vehicle
The date and location of every smog test the vehicle has had.
The location of the smog test is almost always the neighborhood where the
In the case of Personalized License Plates, you get all of the vehicles the
plate has ever been on.
Date: Sat, 27 Apr 2002 10:45:57 -0400 (EDT)
From: "John F. McMullen" <observerwestnet.com>
Subject: A new risk to computers worldwide: W32/KLEZ.H" in MS Outlook
[Source: John Schwartz, *The New York Times*, 27 Apr 2002]
A rogue computer program that is the online equivalent of a quick-change
artist is infecting computers around the world via e-mail and clogging
computer networks. The program, W32/KLEZ.H, is a "blended threat,"
combining elements of a virus, which infects machines, and a worm, which
transports itself from machine to machine. It also tries to disable some
antivirus programs. It makes itself hard for users to spot by changing its
e-mail subject line, message and name of the attachment at random, drawing
from a database that includes, for example, such subject lines as "Hello,
honey," and "A very funny Web site." The program has grown increasingly
common as users unknowingly activate it sometimes without even opening the
e-mail attachment that carries the virus and allow it to send copies of
itself to those in the victim's e-mail address file. [PGN-excerpted]
Date: Thu, 2 May 2002 10:28:11 -0800
From: Rob Slade <rsladesprint.ca>
Subject: How not to warn about viruses
The Klez family of viruses is not new: on the publicity page that I provide
at http://www.osborne.com/virus_alert/ I first warned of the family in
November of 2001. However, the author (or authors) has been continually
active, and some of the recent variants (particularly Klez.H) have been
successful enough that the virus warnings have been flying around the net.
Unfortunately, not all of the warnings have been particularly helpful. Klez
os one of the new breed of polymorphic e-mail viruses. Unlike Melissa,
Loveletter, Hybris, or Sircam with their identifiable subject lines,
attachment filenames, implied pornography, or ungrammatical message bodies,
Klez variants present with a wide variety of subjects, bodies, filenames,
topics, and (most recently) senders.
Recently I got my hands on what has to be one of the worst examples of a virus
warning that I've ever seen:
> I have been advised that ther is a very bad computer virus out. If opened
> the virus will attach itself to your address book.
> If you get an e-mail from W32.klezjena.nn
> Do not open the attachment
> Delete it right away
I might note that, although I can't tell the source of this misinformation,
it make several obvious errors. The attempt at a CARO virus name has a few
problems: it doesn't have a variant designation (such as Klez.H), there
appears to be some confusion with another extent virus (which makes mention
of "Jenna"), and the "mass mailer" designation is usually .mm rather than
.nn. More importantly, Klez does not have a consistent "From" indicator.
Also, this particular company uses Microsoft Outlook for e-mail, and has no
policy regarding the preview pane or other security related configuration.
By the time anyone notices that an attachment exists, it will likely be too
(More recent Klez variants tend to pick a real e-mail address harvested from
the infected computer to generate the "From" line in generated e-mail.
Therefore, those attempting to track infections will often concentrate on a
machine or user that is not the source of the infection. I have heard from
someone in another company who has been targeted by management as the
source of the infection. This was interesting in that he was travelling at
the time of the occurrence, and his computer was not connected to the
Internet at all for a few days on either side of the event.)
For those interested in trying to detect Klez messages, three of the more
reliable, but by no means universal, indicators are that, viewed manually,
the MIME file type often does not match the filename extension, the filename
extension is one of the usual executable crowd (.BAT, .PIF, .SCR, .EXE,
etc.), and the size of the encoded file usually ranges between 120K and
(The old advice to avoid running attachments still holds true, albeit with a
few provisos. Those who use Microsoft Outlook or Outlook Express may,
because of the specialized construction of the message, still be at risk
even if the attachment is not run deliberately run by the user. Due to this
same construction, users of other mailers, such as Pegasus or Netscape
Communicator, may never see the attachment at all, and therefore may be at
Date: Thu, 25 Apr 2002 02:13:41 -0400
From: Monty Solomon <montyroscom.com>
Subject: IE 6 Privacy features open users to attack
By Brian McWilliams, *Newsbytes*, 23 Apr 2002
Security flaws in privacy features added to Microsoft's Web browser could
enable attackers to perform several privacy-robbing attacks, including
hijacking victims' MSN Messenger accounts, a security researcher warned.
According to Thor Larholm, a developer with Denmark-based Internet portal
Jubii.dk, "severe" bugs in the "Privacy Report" feature in Internet Explorer
version 6 can be exploited "in effect removing all privacy." Last week,
Larholm posted an advisory and harmless demonstrations of the flaws at his
personal Web site. One example showed how the browser bugs enable a Web site
to launch programs that exist on the user's hard disk. Another demo page
silently sends a message to users in the target's MSN Messenger contact
Date: Fri, 26 Apr 2002 21:41:18 -0700
From: Midwest Express
Subject: Midwest Express Web site security
[via Mark Luntzel]
On the morning of Monday April 22, Midwest Express Airlines was informed
that customer profile data had been published on the Internet, specifically
on the U.S. Space and Naval Warfare Systems Command Web site. The data
published contained a handful of user profiles including names and e-mail
addresses. This screenshot of data was captured from the Midwest Express
test server, not the actual Web site. This test server is used for testing
new enhancements to www.midwestexpress.com.
Midwest Express has always taken steps to ensure security. As a result of
this situation, a number of additional precautionary measures were taken to
ensure that customer data was protected:
* The U.S. Space and Naval Warfare Web site immediately removed the defaced
Web page from the Internet.
* A security company was contracted to eliminate any vulnerability to our
* All customer passwords to Web profiles were changed to protect and
restrict access to the customer data.
Since all passwords have been changed, the next time you visit
midwestexpress.com and login to your profile, you will be prompted to change
your own password upon successfully answering a challenge/response question
that you created.
While Midwest Express is confident in the security of its Web site, we are
always assessing our Web site for potential vulnerabilities and taking
appropriate steps when needed. We assure you that your customer information,
purchases and other transactions are secure.
Tom Vick, Senior Vice President and Chief Marketing Officer
Date: Mon, 22 Apr 2002 13:36:51 +0100
From: "Merlyn Kline" <merlynzyweb.com>
Subject: Robot cameras 'will predict crimes before they happen'
According to the UK broadsheet *The Independent*, Dr Sergio Velastin, of
Kingston University's Digital Imaging Research Centre, has developed
software to analyse CCTV images for the purpose of predicting crime:
Quote from the article:
Scientists at Kingston University in London have developed software able
to anticipate if someone is about to mug an old lady or plant a bomb at an
airport. It works by examining images coming in from close circuit
television cameras (CCTV) and comparing them to behaviour patterns that
have already programmed into its memory. The software, called Cromatica,
can then mathematically work out what is likely to happen next. And if it
is likely to be a crime it can send a warning signal to a security guard
or police officer.
Date: Sun, 21 Apr 2002 09:16:09 +0900
From: Ishikawa <ishikawayk.rim.or.jp>
Subject: Re: Online banking system failure in a big way (RISKS-22.03)
Here are a few interesting points to follow up the original story of online
banking system failure of Japan's Mizuho bank.
It has been revealed that the Tokyo Electric utility which services the
heavily populated Tokyo and its surrounding areas had asked the (soon-to-be)
Mizuho bank for a dry-run of the utility bills payment before the merger
back in February. The utility company was worried about the large scale
change and requested that about 100,000 sample bills be run through the new
integrated system to see if such bills are handled correctly. However, the
bank turned down the request saying that their internal testing would be
Obviously it was not!
The utility company requested the testing albeit the first refusal, but then
again the request was turned down.
One of the reasons for the overload at the bank was mentioned as the failure
of many transactions due to incorrect input data. It seems that the new
integrated banking system required the conversion of old branch numbers of
three banks into the newly assigned branch numbers. Some branch numbers
were common among the three banks and they needed to be reassigned a new
number once Mizuho bank went into operation. Apparently, some companies
requesting the automatic billing failed to update the branch numbers in
their transaction input (on MT!) and such transactions were deemed errors
and manual intervention to inspect and rectify the aborted transactions were
Some of the double billings, etc. were attributed to the incorrect handling
of magnetic tapes. Some tapes were obviously run through the system twice
under the confused circumstances.
I think by failing to perform the 100,000 bills test run, the bank missed a
great opportunity to test the integrated computer system and make sure the
the manual steps to intervene in case of failure is well organized and known
to operation staff members.
There ARE now visible damages.
The utility companies (gas, electricity) and telephone companies can't
figure out whether their bills were paid by the subscribers. The amount of
money mentioned amounts to 25,000,000,000 yen. (That's approximately US$191
million at 1 dollar = 130.5 yen.)
Mizuho bank is negotiating with telephone companies and others to pay an
agreed-upon ball-park sum of money, but since individual transactions can't
be confirmed, the utility company can't figure out, say, if I paid the bill,
so to speak. It seems that the utility companies decided to send out BLANK
invoice notices without filling in the status of the payment that were due
in April!) The utility companies are considering to ask the bank to pay for
the additional cost to send complete receipts to their customers.
Small companies are hit hard when their payments didn't make it on time due
to the banking failure. The small business associations all over Japan
seemed to be flooded with complaints of their reputation being on the line
due to the delay caused by the bank, not by their own failure.
I just heard a case of gas station owner whose salary payment to part time
workers at the station failed to materialize in the worker's account on TV
This is getting serious.
In Japan, many companies have 25th as the monthly salary payment day, and
since the long holiday weekend called Golden Week starts in April 27, the
banking system will be busier. It is expected that many people begin
withdrawing cash to use during the holidays and so the workload on the
banking system is expected to soar due to the monthly salary payment, and
the people taking out money from ATMs.
Since I am a customer of Mizuho, I have reason to concern...
With the revelation of the refusal to perform a dry run with the electric
utility company to test the real world workload and a top management saying
earlier at the parliament hearing about "No real harm was done to the
customers", the Mizuho bank's reputation is all time low.
The Mizuho bank seems to think that their system can withstand the workload
toward the end of the month, but who knows.
The bank has decided to stop ATMs all over Japan May 3rd and 4th, which are
part of the holiday season. They had planned to operate ATMs during the
holidays, but they deemed it necessary to stop the ATMs and check the
banking system offline throughly.
Date: Tue, 23 Apr 2002 10:56:29 +0200
From: Marc Roessler <marctentacle.franken.de>
Subject: Re: Nanny-Cam may leave a home exposed (RISKS-22.04)
This is nothing new. Such cameras are even installed in some public
restaurants and shops. Note that this basically voids all claims of the shop
owners concerning privacy and data protection -- ANYONE can receive that
data. And, as more and more cameras are installed, the risk of malicious
"camera takeovers" rises significantly. Think about webcams, cams integrated
into notebooks/cellular phones, car dashboards (detect the driver falling
asleep).. Those are easily tapped (or subverted, such as by installing
trojan software/ firmware).. this has some enormous potential. The case of
the Nanny-Cams shows the deviousness of this kind of attack: as the devices
are not suspected to be used to spy on their owner ("I own that device; that
makes it trusted"), they function more or less as hidden cameras. For more
"camera takeover" scenarios take a look at my paper "How to find hidden
Date: 29 Mar 2002 (LAST-MODIFIED)
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Alternatively, via majordomo,
send e-mail requests to <risks-requestcsl.sri.com> with one-line body
subscribe [OR unsubscribe]
which requires your ANSWERing confirmation to majordomoCSL.sri.com .
If Majordomo balks when you send your accept, please forward to risks.
[If E-mail address differs from FROM: subscribe "other-address <xy>" ;
this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
Lower-case only in address may get around a confirmation match glitch.
INFO [for unabridged version of RISKS information]
There seems to be an occasional glitch in the confirmation process, in which
case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
.MIL users should contact <risks-requestpica.army.mil> (Dennis Rears).
.UK users should contact <Lindsay.Marshallnewcastle.ac.uk>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risksCSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Lindsay Marshall has also added to the Newcastle catless site a
palmtop version of the most recent RISKS issue and a WAP version that
works for many but not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
http://www.csl.sri.com/illustrative.html for browsing,
http://www.csl.sri.com/illustrative.pdf or .ps for printing
End of RISKS-FORUM Digest 22.05