precedence: bulk
Subject: Risks Digest 20.78
RISKS-LIST: Risks-Forum Digest Sunday 6 February 2000 Volume 20 : Issue 78
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:
http://catless.ncl.ac.uk/Risks/20.78.html>
and by anonymous ftp at ftp.sri.com, cd risks .
Contents:
CIA Director Deutch and MLS (Jeremy Epstein)
CERT Advisory CA-2000-02 (CERT Advisory)
NSA system inoperative for four days (PGN)
Leak lets 64 get rich quick (David Shaw)
EFIS failure main suspect in Crossair crash (Peter B. Ladkin)
Terra spacecraft problems (Peter B. Ladkin)
Patients will be able to wear their hearts on the Internet (NewsScan)
Yahoo suit compares cookies to stalking (NewsScan)
China to require encryption information (NewsScan)
Study criticizes health sites for privacy intrusions (NewsScan)
AT&T Business Internet Service DNS major outage 28 Jan 2000 (Randy Holcomb)
More risks with MS Outlook (Jason Axley)
Who is at risk with this virus advertisement? (Bob Heuman)
Organisms do not adapt to their environment! (Bob Frankston)
*Fatal Words* (Bob Frankston)
abcnews.com manually updates copyright year (David Glicksberg)
People For Internet Responsibility issues and status report (Lauren Weinstein)
New Security Paradigms Workshop 2000: Call For Papers (Crispin Cowan)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Tue, 1 Feb 2000 09:40:14 -0500 (EST)
From: Jeremy Epstein <
[email protected]>
Subject: CIA Director Deutch and MLS
An article in *The New York Times* 1 Feb 2000 details former CIA Director
Deutch's use of unclassified Macintosh computers in his homes to store
thousands of highly classified documents on the same computer he used to
access AOL, Citibank's personal banking service, and other services. The
investigation seems to have been delayed and perhaps limited as a result of
Deutch's position.
It's old hat that personal computers (be they Windows, Macintosh, or
UNIX-based) are inherently unsuitable for Multi-Level Security (MLS). What
we see here is that even though all the proper procedures were in place, the
human element is sufficient to undermine all of the technical controls. As
long as we have people, we'll have RISKS!
Full article at
http://www.nytimes.com/yr/mo/day/news/washpol/cia-impeach-deutch.html
[Multilevel security may not seem to be an issue here *internally*
because John Deutch had access to all of the information on his
systems, considered as SYSTEM HIGH -- that is all logically at the
highest level. However, surfing the (unclassified) Web is clearly a NO-NO
from such a machine. RISKS readers are of course familiar with the risks
of Web browsing. However, an added note in this case was the report that
the visited sites included a porn site. Deutch apparently denied having
accessed porn any sites, suggesting that it might have been done by one of
his offspring? If that is indeed true, it would make the presence of
highly classified information on a multiuser workstation even more
untenable. (On one hand, even if such a PC claimed to be multilevel
secure, that would be a VERY BAD misuse. On the other hand, RISKS readers
know how one can be duped into visiting sites other than what was
expected, as in clicking on whitehouse.com instead of whitehouse.gov,
or in clicking on a Trojan-horsed URL.) PGN]
------------------------------
Date: Wed, 2 Feb 2000 12:23:25 -0500 (EST)
From: CERT Advisory <
[email protected]>
Subject: CERT Advisory CA-2000-02
CERT Advisory CA-2000-02
Malicious HTML Tags Embedded in Client Web Requests
This advisory is being published jointly by the CERT Coordination Center,
DoD-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND),
the Federal Computer Incident Response Capability (FedCIRC), and the
National Infrastructure Protection Center (NIPC).
Original release date: February 2, 2000
[Subsequently revised. Please pick up the latest version at
http://www.cert.org/advisories/CA-2000-02.html
and see
http://www.cert.org/tech_tips/malicious_code_FAQ.html
as well as a later note on disabling Java
http://www.cert.org/tech_tips/malicious_code_FAQ.html#java
. PGN]
Systems Affected
* Web browsers
* Web servers that dynamically generate pages based on unvalidated
input
Overview
A web site may inadvertently include malicious HTML tags or script in
a dynamically generated page based on unvalidated input from
untrustworthy sources. This can be a problem when a web server does
not adequately ensure that generated pages are properly encoded to
prevent unintended execution of scripts, and when input is not
validated to prevent malicious HTML from being presented to the user.
[This is referred to as "cross-site scripting". Note that
executables in the URL itself can have nasty effects. PGN]
------------------------------
Date: Sun, 30 Jan 2000 04:31:15 -0500
From: "Peter G. Neumann" <
[email protected]>
Subject: NSA system inoperative for four days
For almost the entire work week of 24 Jan 2000, failures of NSA computers
caused an information blackout for intercepted messages. The failure was
blamed by one report on a ``system overload'', by another report on a
software problem. [Sources: NSA System Inoperative for Four Days,
by Walter Pincus, *The Washington Post*, 30 Jan 2000, Page A2,
http://www.washingtonpost.com/wp-dyn/articles/A49286-2000Jan29.html;
Kinder, gentler NSA admits human frailties, Thomas C. Greene,
http://www.theregister.co.uk/000131-000001.html]
------------------------------
Date: Fri, 4 Feb 2000 11:54:27 +1100
From: David Shaw <
[email protected]>
Subject: Leak lets 64 get rich quick
On Wednesday, February 2, 2000, the Reserve Bank of Australia (RBA)
formally announced an increase in the official interest rates of 0.5%.
The formal announcement was made at 09:30. However, in what turned out to be
an embarrassing mistake for the RBA, 64 people were sent an e-mail at 09:24
(i.e., 6 minutes early) advising them of the rate increase. This was quite
remarkable in itself, as the RBA has a near-legendary record of security.
The information proved to be very valuable for two reasons. Not only
was the information available early to a very small segment of the
market, the size of the rate increase was unexpected. Virtually the
entire market had been expecting/predicting an increase of just 0.25%.
In the 6 minutes prior to 09:30, approximately AUD$3 billion worth of
bill and bond futures were dumped on the market.
The record of trades at the Sydney Futures Exchange demonstrates the
selling frenzy. When interest rates last rose, on November 3, 1999,
336 three-year bond futures contracts and 324 90-day bank bill futures
were traded between 09:25 and 09:30. The corresponding trades preceding
yesterday's announcement were 2,739 and 2,811.
To quote an unnamed trader: "Some people made a lot of money in those
few minutes."
Source: *Sydney Morning Herald* (www.smh.com.au). Thursday Feb 3, 2000.
David Shaw, Alcatel Australia Limited
[email protected]
------------------------------
Date: Wed, 02 Feb 2000 11:07:21 +0100
From: "Peter B. Ladkin" <
[email protected]>
Subject: EFIS failure main suspect in Crossair crash
Flight data displays such as airspeed and attitude indicators as well
as navigation displays on modern commercial aircraft are nowadays
electronic, replacing mechanical displays that were common until
10-15 years ago. Mechanical displays are often used as backup,
although there are electronic backup displays available on the market.
Mechanical displays were/are not susceptible to total outage. Airspeed
indicators are basically differential barometers, and mechanical
attitude indicators are gyroscopes.
According to Flight International's David Learmount (01-07.02.2000,
p12), Electronic Flight Instrument System (EFIS) failure is the "main
possibility" being looked at by the Swiss accident investigation people
(BEAA) in the crash of the Crossair Saab 340B just after takeoff from
Zuerich on 10 January. This was Crossair's first accident. I emphasise
that the causes of the accident have not been established. It is hoped
that the non-volatile memory on the EFIS displays can be recovered
and read, to determine how what the pilots were seeing corresponds
(or not!) with the flight profile recorded by the flight data recorder.
(This is a benefit not provided by mechanical displays, although it
would hardly make up for the susceptibility of EFIS to outages!)
EFIS failures have been noted in particular in incidents involving
a Virgin A340 and a Martinair B767 (see the compendium
Computer-Related Incidents With Commercial Aircraft on my WWW site).
A Formosa Airlines Saab 340B descended into the ocean on 18 March 1998,
and it has been rumored that one EFIS display was known before the
flight not to be functioning.
Peter Ladkin, University of Bielefeld
http://www.rvs.uni-bielefeld.de
------------------------------
Date: Wed, 12 Jan 2000 11:06:42 +0100
From: "Peter B. Ladkin" <
[email protected]>
Subject: Terra spacecraft problems
*Flight International*, 11-17 Jan 2000, p29, reports that NASA has fixed
"computer and antenna faults" on the Terra spacecraft, launched 18 Dec
1999. Terra is part of the Earth Observing System. "The main computer shut
down shortly after launch because of a bug in the navigation software,
according to NASA." The failure occurred a minute before the winter
solstice, while the sun's position in the nav software was being updated.
On the other side of things, the antenna "was repaired by alterations to the
software", at which one can only marvel. Maybe Uri Geller is now
programming for a living. Or maybe they meant the problem was worked
around.
Peter Ladkin
[email protected] www.rvs.uni-bielefeld.de
------------------------------
Date: Mon, 24 Jan 2000 09:25:03 -0700
From: "NewsScan" <
[email protected]>
Subject: Patients will be able to wear their hearts on the Internet
In a venture with Microsoft and IBM, Minneapolis-based medical device
company Medtronic will invest more than $230 million to develop a system
that will allow heart patients to send cardiac data to cardiologists via the
Internet, from their homes or remote locations worldwide. The company's
medtronic.com division will be the focal point of a new Patient Management
Business.
[
http://www.sjmercury.com/svtech/news/breaking/merc/docs/082323.htm, Reuters
in *San Jose Mercury News*, 24 Jan 2000, via NewsScan Daily, 24 Jan 2000]
[And what about the reverse direction? Would you like to have YOUR
heart interactively controllable by doctors and insurance companies and
everyone else on the Internet? PGN]
------------------------------
Date: Mon, 31 Jan 2000 08:09:56 -0700
From: "NewsScan" <
[email protected]>
Subject: Yahoo suit compares cookies to stalking
A lawsuit filed by Dallas-based Universal Image Inc. accuses Yahoo! of
violating Texas law when it collects "cookies" from Web site visitors. "We
think the court will declare the use of cookies illegal in Texas," says
Universal attorney Lawrence Friedman. "It is electronic stalking. It
violates the eavesdropping statutes, and from a civil aspect it's an
invasion of privacy." Friedman says he plans to file a class-action lawsuit
against the company. Meanwhile, DoubleClick was sued last week by a
California woman who claims the online ad company illegally collected and
sold her personal and demographic data. [ZDNet/MSNBC 28 Jan 2000)
http://www.msnbc.com/news/363455.asp; NewsScan Daily, 31 Jan 2000]
------------------------------
Date: Tue, 25 Jan 2000 08:18:19 -0700
From: "NewsScan" <
[email protected]>
Subject: China to require encryption information
[On 31 Jan 2000] China's government plans to institute a rule requiring
foreign firms in China to disclose what type of software they use for
encrypting their electronic messages. Eventually, the companies must divulge
details about employees using the software, making it easier for authorities
to monitor personal and commercial Internet use. The new rules also bar
Chinese companies from buying products containing foreign-designed
encryption software, a move that could stymie the growth of Internet use in
that country. Diplomatic missions are exempted, but the regulations cover
the routers and servers that make up the backbone of China's networks, most
of which came from foreign companies. "If IBM or Hewlett-Packard wants to
sell an e-commerce Web server to China, it might have to isolate which parts
relate to security" and find a Chinese company to write the software, says
the director of the U.S. Information Technology Office's Beijing branch. "I
don't think Chinese companies have that ability." [*Wall Street Journal*, 25
Jan 2000
http://interactive.wsj.com/articles/SB948739893578536271.htm via
NewsScan Daily, 25 Jan 2000]
[According to later reports, very few are signing up. PGN]
------------------------------
Date: Wed, 02 Feb 2000 09:39:09 -0700
From: "NewsScan" <
[email protected]>
Subject: Study criticizes health sites for privacy intrusions
In a study conducted for the California HealthCare Foundation, the
Georgetown University's Health Privacy Project has found that drkoop.com,
webmd.com, ivillage.com, yahoo.com, onhealth.com, and other Web sites that
provide information on health matters are cavalier about privacy practices:
"The privacy policies of health Web sites do not match up with their own
practices." Example: some companies share e-mail addresses and other
visitor data even though their Web sites promised they would do no such
thing. The companies are disputing the study findings.
[Reuters/*San Jose Mercury News* 1 Feb 2000,
http://www.sjmercury.com/svtech/news/breaking/internet/docs/160309l.htm;
NewsScan Daily, 2 Feb 2000]
------------------------------
Date: Fri, 28 Jan 2000 23:24:58 -0600
From: "Randy Holcomb" <
[email protected]>
Subject: AT&T Business Internet Service DNS major outage 28 Jan 2000
At 1400 EDT AT&T Business Internet Services (formerly IBM Global Network
Internet Services) lost both primary and
backup Domain Name Servers; resulting in the inability of
AT&T Business Internet Customers to use the service.
The DNS's were back online a few minutes short of 2300 EDT.
------------------------------
Date: Tue, 1 Feb 2000 10:05:34 -0800 (PST)
From: Jason Axley <
[email protected]>
Subject: More risks with MS Outlook
The recent threads about information hiding in MS Outlook are quite timely
as I've just recently discovered an interesting information hiding "feature"
of MS Outlook.
I received an e-mail from an MS Outlook user that was transmitted to me via
SMTP. The e-mail was in MIME multipart/alternative format and, as such, had
two attachments: a plain text version of the e-mail content and another
attachment with the exact same message in HTML format. Outlook has settings
that let users control which format they sent Internet users e-mail in and
this user has Outlook configured to send both versions (I believe that this
is the default setting when sending to non-Exchange addresses).
I replied to this individual using Pine but then this individual responded
saying that my message was received, but that there wasn't any additional
text in it. I thought this strange as I can see in my sent-mail that I did
reply with additional text. So, I sent the message again and again was told
that there wasn't any text in the message.
It turns out that what was happening was that I had modified the plain text
version of the multipart/alternative MIME message (which is the one that
Pine opens as the actual message), but that when Pine sent the reply, it
included the HTML "alternative" version as an attachment as well (although
this was an alternative for the *original* message) Outlook then ignores the
modified plain text version because it thinks that the attached HTML version
is the same message, just in HTML. So, the recipient was seeing the
original HTML message that I hadn't modified and was not able to see the
plan text version. Outlook doesn't even list the plaintext version as an
attachment so Outlook users cannot access the information there even if they
wanted to!
Ironically, the text that Exchange or Outlook puts in the message header for
non-MIME-compliant MUAs says "This message is in MIME format. Since your
mail reader does not understand this format, some or all of this message may
not be legible."
Jason AT&T Wireless Services, IT Security UNIX Security Operations Specialist
------------------------------
Date: Sat, 29 Jan 2000 21:03:52 -0500
From: "R.S. \(Bob\) Heuman" <
[email protected]>
Subject: Who is at risk with this virus advertisement?
The following is a message I received via my subscription to this security
jobs list. I have to wonder - if anyone answers it, what will happen...
Will they get the job, or will they be investigated by the FBI, NSA, etc. I
know that I would NOT answer it. Of course, I also have to wonder who the
US Military will be targetting should they hire someone with the attributes
desired. [Assuming they even can trust that individual...]
What next? What is the risk to the rest of us? Does anyone really think
a security jobs listserve has only US subscribers?
R.S. (Bob) Heuman, Toronto, ON, Canada
> FROM: Drissel, James W. <
[email protected]>
> DATE: January 27, 2000 16:18
> TO:
[email protected] <
[email protected]>
> Subject: Virus coder wanted
> Computer Sciences Corporation in San Antonio, TX is looking for a good
> virus coder. Applicants must be willing to work at Kelly AFB in San
> Antonio. Other exploit experience is helpful.
> Send Resumes/questions to
[email protected]
[Although RISKS generally avoids running job ads, and especially
Advirusements, this one has some interesting RISKS-Related Ramifications.
R-R&R? PGN]
------------------------------
Date: Mon, 31 Jan 2000 12:41:37 -0500
From: "Bob Frankston" <
[email protected]>
Subject: Organisms do not adapt to their environment!
(Was: Lessons of Y2K, Toby Gottfried, RISKS-20.77)
This is backwards?
ORGANISMS DO NOT ADAPT TO THEIR ENVIRONMENT. That is a fallacy called
adaptionism!!!
Evolution works by not anticipating the need for solutions but having enough
disparate solutions so that, given a problem, it's likely that there will be
a solution that works.
This resiliency is the real reason that Y2K was a nonissue. Systems as
brittle as the ones posited by the Y2K theorists don't work in practice and
have largely been eliminated from the ecosystem. New brittleness will be
discovered and some will be replaced by small scale alternatives and other
failures may be larger scale.
The big danger is the hubris associated with the notion that we must have a
vision to avoid pitfalls. Of course we shouldn't be stupid and should
anticipate obvious problems. But it is far more important to assume that we
will continue to surprised and need to have enough "fat" available to
survive problems.
It's also foolish to posit that we must model safety on static systems and
limit our possibilities to what we can do unaided and unenhanced. If we
eschew mechanical aids, why should we be more tolerant of cognitive aids
such as logic, reason and testing which often confound common sense and
faith.
In nature (to personify emergent behavior) systems only function in riskful
dynamic states. The static state for an organism or other ecosystem is
called death. The conversion of necessities into luxuries is most natural.
Skin, for example, is no longer an option.
Nature can't be fooled but we can do a fine job in deluding ourselves.
------------------------------
Date: Sun, 6 Feb 2000 01:54:47 -0500
From: "Bob Frankston" <
[email protected]>
Subject: *Fatal Words*
In an essay I'm writing, I was reminded of the book *Fatal Words* by Steven
Cushing [ISBN 0-226-13201-3]. It's about misunderstandings between pilots
and instructions from the ground and other consequences of the World War II
communications and avionics still in use. A great example of what happens
when certification and irrational fear of risk prevent improvements in
technology and safety.
Bob Frankston
http://www.Frankston.com
------------------------------
Date: Wed, 2 Feb 2000 21:01:17 -0800 (PST)
From: David Glicksberg <
[email protected]>
Subject: abcnews.com manually updates copyright year
Articles written during the first week or so of 2000 on abcnews.com have
a misdated notice at the bottom of the page: "Copyright (C)1999 ABC
News Internet Ventures." However, the dateline (which shows the place,
month, and day, but usually omits the year) and the URL (which has an
embedded date of the form YYMMDD) together clearly mark the article's
date. One can still view articles exhibiting this glitch, for example:
http://www.abcnews.go.com/sections/science/DailyNews/clone_cells000105.html
I notified abcnews.com Tech Support on January 6, and within several days,
all new articles had the correct copyright year. This leads me to believe
that abcnews.com may use a hardcoded copyright year, which someone forgot
to update in a timely fashion.
I wonder how many programs and systems out there require manual year
rollover ... in this case, the slipup was of little consequence.
Dave Glicksberg --
[email protected]
------------------------------
Date: Sat, 5 Feb 2000 21:15 PST
From:
[email protected] (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: People For Internet Responsibility issues and status report
Greetings. The current version of the PFIR (People For Internet
Responsibility) "Issues" document, and a status report regarding PFIR
activities, are now available via the PFIR Web site at:
http://www.pfir.org
The issues document covers a wide range of important Internet and Web topics.
It is (and will continue to be) a work in progress, and while quite
comprehensive is undergoing rapid expansion. Many of the topics relate to
privacy issues, technology risks, and other matters that should be of
interest to current and potential Internet users.
Your input and comments regarding both of these documents would be very much
appreciated via the e-mail addresses indicated within the docs
themselves.
Thanks very much.
--Lauren--
[email protected]
Lauren Weinstein
Moderator, PRIVACY Forum -
http://www.vortex.com
Co-Founder, PFIR: People for Internet Responsibility -
http://www.pfir.org
Member, ACM Committee on Computers and Public Policy
------------------------------
Date: Sat, 29 Jan 2000 03:34:42 +0000
From: Crispin Cowan <
[email protected]>
Subject: New Security Paradigms Workshop 2000: Call For Papers
Call For Papers
New Security Paradigms Workshop 2000
An ACM/SIGSAC sponsored workshop
19 - 21 September 2000
Ballycotton, County Cork, Ireland
http://www.nspw.org/
[This is a very small but remarkably insightful workshop, in its 8th year.
Registration is limited by acceptance of submitted papers and
justifications for why you should attend. If you wish to participate,
FIRST contact both Program Chairs -- Cristina Serban (
[email protected])
and Brenda Timmerman (
[email protected]) soon. Final submissions are
due toward the end of March. Some further information will be emerging at
http://www.nspw.org/ . PGN]
------------------------------
Date: 13 Dec 1999 (LAST-MODIFIED)
From:
[email protected]
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <
[email protected]> with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
INFO [for unabridged version of RISKS information]
.MIL users should contact <
[email protected]> (Dennis Rears).
.UK users should contact <
[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to
[email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available:
ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
or
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Also, new AUSTRALIAN archives at
http://mirror.aarnet.edu.au/risks/ and
http://the.wiretapped.net/security/textfiles/risks-digest/ .
PostScript copy of PGN's comprehensive historical summary of one liners:
illustrative.PS at ftp.sri.com/risks .
------------------------------
End of RISKS-FORUM Digest 20.78
************************
