RISKS-LIST: Risks-Forum Digest  Saturday 26 August 2000  Volume 21 : Issue 02

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.02.html>
and by anonymous ftp at ftp.sri.com, cd risks .

 Contents:
Hoaxes: When will they learn? (Dave Farber)
NY State's running out of fingerprint IDs (Danny Burstein)
Mobile phone malware on i-mode in Japan (Kevin Connolly)
Firepower via Web interface (Anatole Shaw)
Sydney Airport baggage system fails for second time in five days
 (Stellios Keskinidis)
Airline E-Ticket risks (Paul Wallich)
Risks on public transit: mechanical and human failures in Toronto
 (Stephen van Egmond)
Bangkok robot security guard (Torrey Hoffman)
Professor stole 40 student SSNs and IDs to get credit cards (Joan L. Brewer)
Kaiser Permanente medical e-mails go astray (Sheri Alpert)
Wake up, your TV is talking to your bracelet (NewsScan)
SSL Server Security Survey (Monty Solomon)
*The Globe and Mail* Web site exposing search-engine log file
 (Esteban Gutierrez-Moguel)
Blocked e-mail and Web sites (PGN)
Major security hole in new online organizer service (Paul van Keep)
Hackers breach Firewall-1 (PGN)
GAO says EPA's computer security is "riddled" with weaknesses
 (Declan McCullagh)
Bruce Schneier's Secrets and Lies (PGN)
Software Risk Management Conference ISACC (Gary McGraw)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 25 Aug 2000 14:24:13 -0400
From: Dave Farber <[email protected]>
Subject: Hoaxes: When will they learn?

We have had the technology to do digitally signed authentication for many
years and yet still companies and people do not sign their email and look
what happens, and I mean REAL signatures not just what the Congress thinks
is digitally signed material.  Dave

Shares of the Emulex Corporation plunged more than 60 percent Friday
following the distribution of a bogus press release about the computer
network equipment maker's earnings.  Trading in the stock was halted for
about three hours after the hoax started showing up in financial news
reports. The hoax wiped more than $2 billion off the company's stock market
value, leaving it around $2 billion.

Emulex's shares finally resumed trading at 1:30 p.m. Eastern time and
recaptured most of their loss. The stock was lately trading down 6, or 5.3
percent, at 107 1/16 after earlier plunging as low as 43.

The fake press release, which appeared on the Internet around the time of
the market's opening bell, claimed that Emulex would restate its fiscal
fourth-quarter earnings as a loss. There were also headlines that the
Securities and Exchange Commission was investigating accounting
irregularities at the company and that Emulex's president and chief
executive, Paul Folino, was stepping down.

 [Source: http://www.nytimes.com/yr/mo/day/news/financial/25tsc-emulex.html
 From Dave Farber's IP list.
 See also http://cnnfn.cnn.com/2000/08/25/companies/emulex/ .  PGN]
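Signing a release the way Farber asks for, as an added example (Go code written for this digest entry, not part of the original posting and not any vendor's product): the issuer signs the exact text with an Ed25519 key, and anyone holding the issuer's public key rejects a text that has been altered, a signature made with some other key, or no signature at all. The Release type, the key names and the release wording are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Release is a press release carrying a detached signature over its exact text.
// (Constructed for this example; not a real wire format.)
type Release struct {
	Text      string
	Signature []byte
}

// PublishSigned signs the release text with the issuer's private key.
func PublishSigned(priv ed25519.PrivateKey, text string) Release {
	return Release{Text: text, Signature: ed25519.Sign(priv, []byte(text))}
}

// VerifyRelease reports whether r.Signature is a valid signature over r.Text
// under pub. Any edit to the text, a signature made with another key, or a
// missing signature yields false.
func VerifyRelease(pub ed25519.PublicKey, r Release) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, []byte(r.Text), r.Signature)
}

func main() {
	// Issuer key pair. The public key would be published out of band (for
	// example on the company's own site); the private key stays with the issuer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed release text standing in for a genuine announcement.
	genuine := PublishSigned(priv, "Company X reaffirms fiscal Q4 earnings as previously reported.")
	fmt.Println("genuine release verifies:  ", VerifyRelease(pub, genuine))

	// A hoaxer rewrites the text but can only reuse the old signature.
	altered := Release{Text: "Company X restates fiscal Q4 earnings as a loss.", Signature: genuine.Signature}
	fmt.Println("altered text verifies:     ", VerifyRelease(pub, altered))

	// A hoaxer signs the fake with a key of their own; it fails under the issuer's key.
	_, hoaxKey, _ := ed25519.GenerateKey(rand.Reader)
	forged := PublishSigned(hoaxKey, altered.Text)
	fmt.Println("forged signature verifies: ", VerifyRelease(pub, forged))
}
```

The check only helps if newsrooms actually verify against a public key they obtained from the company beforehand; a signature the wire service never checks is no better than none.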

------------------------------

Date: Sat, 26 Aug 2000 01:44:20 -0400 (EDT)
From: danny burstein <[email protected]>
Subject: NY State's running out of fingerprint IDs

 In a problem officials are comparing to the Y2K scare, the state says
 it will run out of numbers to assign to the fingerprints it keeps on
 file -- and will begin recycling old ones -- next year.
 [Source: State's running out  of fingers to count IDs on,
 by Greg Wilson, *NY Daily News*, 25 Aug 2000]

The article continues by pointing out that there are only seven digits for
the ID field, meaning a total of 9,999,999 records. (I'd be a bit surprised
if they had actually started with "0000001" rather than "1000001", but since
these date from the old paper card days it's quite possible.)

With NYS's population being about 18 million (subject to whether you use the
"actual enumeration" census figures or the "statistical correction" - but
that's another Risk entirely...) and with records going back for decades,
the justice division is rapidly running out of numbers.

So, effective in August 2001, they anticipate reusing ID numbers of people
who have died or otherwise been removed from the register.

No need to worry if your ID number matches that of a serial murderer,
though. The article continues that:

  Officials offered assurances that the numbers crunch will not result
  in the misidentification of law-abiding citizens who are issued
  numbers previously assigned to criminals.

Why am I not reassured?

------------------------------

Date: Fri, 25 Aug 2000 08:25:13 +0100
From: [email protected]
Subject: Mobile phone malware on i-mode in Japan

The risk is that people designing new mobile phone functions do not learn from
the mistakes in the MS Word macro "virus enabling" feature.

http://www.zdnet.co.uk/news/2000/31/ns-17205.html

"Hundreds of Japanese i-mode users were stung by a prank which
forced phones to dial "110" -- the police emergency telephone
number in Japan -- during an online quiz."

Kevin Connolly

------------------------------

Date: Thu, 17 Aug 2000 19:44:36 -0400 (EDT)
From: Anatole Shaw <[email protected]>
Subject: Firepower via Web interface

http://www.bangkokpost.net/170800/170800_News03.html
 [FIXED in archive copies.  PGN]

The Thailand Research Fund has unveiled a new robot, resembling a giant
ladybug with a couple of extra limbs.  The unit is equipped with
visible-spectrum and thermal vision, and a gun.  According to Prof.
Pitikhet Suraksa, its shooting habits can be automated, or controlled "from
anywhere through the Internet" with a password.  The risks of both modes are
obvious, but the latter is new to this arena.  Police robots of this ilk
have been around for a long time, but are generally radio-controlled.  The
apparent goal here is to make remote firepower available on-the-spot from
around the Internet, which means insecure clients everywhere.  How long will
it take for one of these passwords to be leaked via a keyboard capture, or a
browser bug?  Slowly, we're bringing the risks of online banking to
projectile weaponry.

------------------------------

Date: Sun, 20 Aug 2000 19:07:17 +1000 (EST)
From: stellios keskinidis <[email protected]>
Subject: Sydney Airport baggage system fails for second time in five days

As a result of an hour-long computer glitch during the integration of the
security system with the main baggage-handling system, Sydney airport's new
$43 million baggage system failed on 20 Aug 2000 for the second time in five
days (with the Olympic Games a month away).  (The previous problem was in
the new checked bag screening system.)  [Source: PGN-ed from
http://news.ninemsn.com.au/01_national/story_8815.asp, 20 Aug 2000]

 [Same article also noted by Steve Gillanders.  PGN]

------------------------------

Date: Tue, 1 Aug 2000 16:39:31 -0400
From: Paul Wallich <[email protected]>
Subject: Airline E-Ticket risks

Continental Airlines has installed a very efficient new system for travelers
whose tickets exist only in computerized form: swipe a credit card or other
means of ID, tell the touch screen how many bags you have to check and
answer the usual security questions about who packed them and whether
they've been out of your sight, and it prints out a boarding pass.  You can
also change your seat and (possibly) other aspects of your itinerary on the
spot.

The machines are supposed to be tended by agents who check your luggage
(should you have any to check) and look at a photo ID to make sure you're
who your credit card says you are.  But in some busy airports (say, for
example, Detroit last weekend) the machines appear to function unmonitored.

There's a long list of risks here relating both to terrorism and to
theft, and I don't see any obvious way of fixing them in the context
of the current system, except perhaps to require an ID check
somewhere downstream of the boarding pass issuance.

(Of course it doesn't make me any happier to note that with the endemic
delays in today's air transport system you also have passengers leaving
aircraft and then reboarding with no verifiable checks on either identity or
luggage.)

Paul Wallich                                            [email protected]

------------------------------

Date: Wed, 16 Aug 2000 21:47:07 -0400
From: Stephen van Egmond <[email protected]>
Subject: Risks on public transit: mechanical and human failures in Toronto

http://www.ttc.ca/postings/gso-comrpt/documents/report/f910/_conv.htm
This URL gives an interesting report the Toronto Transit Commission
describing an alarming situation on a revenue train.  It provides a lot
more detail than you might find in a media article.

The sequence of mechanical and human failures that contributed to the
dangerous situation is interesting, as is the TTC's response, which
includes:

* training (i.e., pounding on the table and saying "don't do that")
* reducing training (i.e., not teaching operators how to do a dangerous
 procedure)
* physical hacks

For background, the TTC runs trains in sets of six cars composed of three
mated pairs.  Each car has an operator's cab where motion and doors can be
controlled, and a window which, when opened, reveals door control buttons.

Stephen van Egmond  http://bang.dhs.org/

------------------------------

Date: Thu, 17 Aug 2000 09:49:24 -0700
From: Torrey Hoffman <[email protected]>
Subject: Bangkok robot security guard

I think that even long-time RISKS readers will find this to be a bad idea of
prize-winning magnitude. (Perhaps RISKS should give out yearly awards for
the worst (most risky) ideas implemented in software systems.  Outlook VBS
scripting comes to mind...)

 The world's first armed robot security guard that can open fire on
 intruders while controlled through the Internet was unveiled in Bangkok
 yesterday.  It is one of five Thai-made hi-tech robots revealed by the
 Thailand Research Fund.

 Asst Prof Pitikhet Suraksa, of the King Mongkut Institute of Technology's
 Lat Krabang campus, said his roboguard was developed from an unarmed
 "telerobot" built in Australia in 1994.  "The robot is equipped with a
 camera and sensors that track movement and heat. It is armed with a pistol
 that can be programmed to shoot automatically or wait for a fire order
 delivered with a password from anywhere through the Internet.  With
 further development the technology could be applied to building robot
 guards for important places, including museums that house precious
 artifacts."

Deployment of this could lead to all sorts of interesting scenarios.  The
first time it perforates one of the cleaning staff, will the owners blame it
on a "programming glitch"?  [... potential puns about loose cannons ...]

Torrey Hoffman <[email protected]>

 [With no human in the loop, this would be really terrible.  However, even
 with a human in the loop, it is another egregious example of security
 supposedly enforced by passwords floating sniffably unencrypted around the
 Internet!  And with a little IP spoofing, a penetrator might even be
 untraceable.  Perhaps Prof Suraksa needs an effrontal robotomy.  As the
 old joke goes, this may be a case in which you can always telerobot, but
 you can't tell it much.  PGN]

------------------------------

Date: Thu, 17 Aug 2000 17:19:05 -0700
From: "Pegasus" <[email protected]>
Subject: Professor stole 40 student SSNs and IDs to get credit cards

 According to prosecutors, Cadello got names and Social Security numbers of
 unwitting students from the school computer and named them as "parents" of
 fictitious children whose Massachusetts birth certificates he forged. He
 then obtained new Social Security numbers with those names and used them
 to obtain various sets of ID and apply for credit cards (40 sets).  The
 incident has cost the university thousands of dollars for a new computer
 system that lists students without using their Social Security numbers.
 [http://seattletimes.nwsource.com/news/local/html98/altprof17m_20000817.html
 Central Washington professor sentenced in fraud, Mike Carter, *Seattle
 Times*, 17 Aug 2000]

Here is the really weird part.  When he was arrested the students protested
and gave him support (?).  Well at least someone found a flaw in their
database.  Perhaps other colleges can learn from this one. ;-)

Joan L. Brewer BS CSE -- retired...

------------------------------

Date: Thu, 10 Aug 2000 02:18:59 -0400 (EDT)
From: Sheri Alpert <[email protected]>
Subject: Kaiser Permanente medical e-mails go astray

Beginning on 2 Aug 2000, Kaiser Permanente accidentally sent 858 e-mail
messages from nurses and pharmacists (some including sensitive medical
information) to the wrong people.  Blame was placed on "human error" and a
"technological glitch" in upgrading their Web site.  Kaiser spokesperson
Beverly Hayon said Kaiser has "fixed the problem.  We have changed protocols
for sending out e-mails.  We feel safe saying this particular problem will
never happen again."  [Source: article by Bill Brubaker, *The Washington
Post*, 10 Aug 2000 E01]

------------------------------

Date: Wed, 16 Aug 2000 09:51:39 -0700
From: "NewsScan" <[email protected]>
Subject: Wake up, your TV is talking to your bracelet

A new system called Whispercode, designed by a New Jersey company for
monitoring the effectiveness of TV advertising, will involve the encoding of
commercials with inaudible, identifying signals that can be picked up by a
small device worn by a participant (perhaps in a bracelet or keychain) and
relayed to a nearby recording box that records the fact that the wearer was
in the room when the commercial was broadcast. [It should be noted, though,
the system can't detect whether the participant is awake, attentive, and not
bored to death.]  The company's chief executive officer says, "With
Whispercode, we will finally be providing our clients with a true accounting
of where their advertising money is going."  (*The New York Times*, 15 Aug 2000
http://partners.nytimes.com/library/financial/columns/081600tv-adcol.html;
NewsScan Daily, 16 August 2000)

------------------------------

Date: Sun, 13 Aug 2000 23:05:14 -0400
From: Monty Solomon <[email protected]>
Subject: SSL Server Security Survey

SSL Server Security Survey, Eric Murray, [email protected]  31 Jul 2000

A random sample of 8081 different secure Web servers running the SSL
protocol in active use on the Internet shows that 32% are dangerously weak.
These weak servers either support only the flawed SSL v2 protocol, use
too-small key sizes ("40 bit" encryption), or have expired or self-signed
certificates.  Data exchanges with all types of weak servers are vulnerable
to attack.

http://www.meer.net/~ericm/papers/ssl_servers.html
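The survey's three criteria written out as a check, as an added example and not Eric Murray's own survey tooling: one probe result (protocol versions offered, strongest cipher, the certificate presented) is tested for SSLv2-only, weak symmetric keys, and an expired or self-signed certificate. The ServerProfile record, the 128-bit cipher threshold and the test certificates built with Go's crypto/x509 are assumptions of this example; the survey's exact cut-offs and probe format are not on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerProfile is what one probe of an HTTPS server records (a constructed
// shape for this example, not the survey's own format).
type ServerProfile struct {
	Host          string
	Protocols     []string          // versions offered, e.g. "SSLv2", "SSLv3", "TLSv1"
	MaxCipherBits int               // strongest symmetric key length the server negotiates
	Cert          *x509.Certificate // certificate the server presented (nil if none captured)
}

// Weaknesses applies the survey's criteria to one profile and returns one
// line per failed check. Flagging anything below 128 bits is this example's
// threshold; the survey text itself only names "40 bit".
func Weaknesses(p ServerProfile, now time.Time) []string {
	var out []string
	if len(p.Protocols) == 1 && p.Protocols[0] == "SSLv2" {
		out = append(out, "supports only SSLv2")
	}
	if p.MaxCipherBits < 128 {
		out = append(out, fmt.Sprintf("strongest cipher is %d-bit", p.MaxCipherBits))
	}
	if c := p.Cert; c != nil {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			out = append(out, "certificate not valid at "+now.UTC().Format(time.RFC3339))
		}
		if IsSelfSigned(c) {
			out = append(out, "certificate is self-signed")
		}
	}
	return out
}

// IsSelfSigned reports whether the certificate was issued by itself: issuer
// and subject names match and the signature verifies under its own key.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// NewCert issues a certificate for cn valid over [notBefore, notAfter]. With
// parent == nil it is self-signed; otherwise it is signed by parentKey.
// Constructed test material standing in for certificates a probe would capture.
func NewCert(cn string, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	now := time.Now()
	// A server offering only SSLv2 and 40-bit ciphers, presenting a self-signed
	// certificate that expired a year ago: it fails every criterion.
	cert, _, err := NewCert("weak.example.test", now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0), nil, nil)
	if err != nil {
		panic(err)
	}
	weak := ServerProfile{Host: "weak.example.test", Protocols: []string{"SSLv2"}, MaxCipherBits: 40, Cert: cert}
	for _, w := range Weaknesses(weak, now) {
		fmt.Println(weak.Host+":", w)
	}
}
```

Note that a self-signed certificate is not weak in the cryptographic sense; the survey counts it because a browser has no way to tell it from an attacker's certificate, which is the same reason the survey treats the three categories as equally exposed.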

------------------------------

Date: Thu, 17 Aug 2000 01:59:33 -0500 (CDT)
From: Esteban Gutierrez-Moguel <[email protected]>
Subject: *The Globe and Mail* Web site exposing search-engine log file

The Web site of the Canadian newspaper *The Globe and Mail* seems to have a
badly configured access policy of a log file. The log file is a standard Web
server log file that contains browser information, requested data, and the
IP address of each visitor who performs a search from the online edition of
the newspaper.

A simple test of this problem is searching for some known text (for example:
"Hello World") using http://www.theglobeandmail.com (Globe 7-day Search) and a
few seconds later you will find an entry in
http://archives.theglobeandmail.com/generated/Fragments/access containing
the string "Hello+World".

------------------------------

Date: Tue, 22 Aug 2000 12:14:06 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Blocked e-mail and Web sites

Lately, we have had another flurry of reports of perfectly reasonable Web
sites and e-mail being blocked for the usual stupidities of overzealous
filtering.  But this one is somewhat different:

The U.S. Air Force Space Command blocked the San Francisco Exploratorium
Yahoo site because it describes making a mixture out of baking soda and
vinegar that would blow up a Ziploc bag.  Elementary fizz-ics, my dear
What's-on?  [Source: http://www.exploratorium.edu/pr/bubble_bomb.html]

------------------------------

Date: Wed, 16 Aug 2000 19:57:27 +0200
From: Paul van Keep <[email protected]>
Subject: Major security hole in new online organizer service

The recently opened online organizer service annapa.com (Anna, your Personal
Assistant) suffered from a major security hole last week. The site has a
security statement prominently displayed on its homepage with the usual
statements about how they value their customers' data and that everything
had been audited by Arthur Andersen.

Despite this, compromising other users' data was almost trivial: after
logging in with the valid userid/password combo, all that had to be done was
to twiddle with the URL which conveniently encodes your customer id. This
simple operation gives access to all essential data from other users and
allows changing of that data including blocking access by changing that
user's password.  The company behind annapa.com, IntraSites, issued a
statement on its website in which it tried to belittle the issue. A
translation of the part of the statement currently on their homepage: "[...]
updating some program modules on the site disabled one security
mechanism. This made it possible for an IT-specialist (consequently not for
a normal user), to access random and limited user data on the screen".

If all of that is true, what value does the security audit that AA performed
have? Shouldn't AA review every update before installation?  Is an
IT-specialist not a 'normal' user? Aren't all crackers IT-specialists?
Wouldn't a smart user be able to do the same?  Was the hole only present for
a couple of days? I sincerely doubt it.

The URL twiddling trick seems to be a common security problem. Two months
ago I encountered almost the same hole in the customer information portal
for Exact Software (www.exactsoftware.com). The whole portal was removed
from the site within an hour after I informed their CEO about the problem.

Paul van Keep  http://www.sumatra.nl
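What "twiddling the URL" exploits, as an added example (Go code written for this digest entry, not annapa.com's or IntraSites' software): a handler that accepts whatever customer id a logged-in user puts in the URL, beside one that takes the customer from the session and refuses any other id. The records, session tokens and the ?cust= parameter are constructed for the example; the real annapa.com URL layout is not on the page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample data: organizer records keyed by customer id, and a
// session table mapping a login cookie to the customer it was issued to.
var records = map[string]string{
	"1001": "alice: dentist Tue 3pm; bank PIN reminder",
	"1002": "bob: board meeting Wed 9am",
}

var sessions = map[string]string{
	"tok-alice": "1001",
	"tok-bob":   "1002",
}

// sessionCustomer returns the customer id the request's session cookie was
// issued to, or "" if the caller is not logged in.
func sessionCustomer(r *http.Request) string {
	c, err := r.Cookie("session")
	if err != nil {
		return ""
	}
	return sessions[c.Value]
}

// VulnerableHandler checks that the caller is logged in, then trusts the
// customer id in the URL (?cust=...) to pick the record. Any logged-in user
// can read any other user's data by changing that number.
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if sessionCustomer(r) == "" {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	rec, ok := records[r.URL.Query().Get("cust")]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, rec)
}

// HardenedHandler derives the customer from the session and refuses a URL
// that names anyone else. Ownership is decided server-side, never from the URL.
func HardenedHandler(w http.ResponseWriter, r *http.Request) {
	owner := sessionCustomer(r)
	if owner == "" {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	if r.URL.Query().Get("cust") != owner {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, records[owner])
}

// Fetch drives a handler as the holder of token asking for customer cust and
// returns the HTTP status and response body.
func Fetch(h http.HandlerFunc, token, cust string) (int, string) {
	req := httptest.NewRequest("GET", "/organizer?cust="+cust, nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: token})
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code, rr.Body.String()
}

func main() {
	// Bob, logged in as 1002, changes the id in the URL to 1001.
	code, body := Fetch(VulnerableHandler, "tok-bob", "1001")
	fmt.Printf("vulnerable: %d %q\n", code, body)
	code, body = Fetch(HardenedHandler, "tok-bob", "1001")
	fmt.Printf("hardened:   %d %q\n", code, body)
}
```

The same ownership check belongs on every write path (password change included), since the posting notes that the hole allowed changing another user's data, not just reading it.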

------------------------------

Date: Sun, 13 Aug 2000 19:52:47 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Hackers breach Firewall-1

[Source: David Raikow, Sm@rt Partner, 2 Aug 2000
http://www.zdnet.com/zdnn/stories/news/0,4586,2610719,00.html]

An audience of several hundred network security professionals watched with
rapt attention last week as a trio of hackers repeatedly penetrated one of
the industry's most trusted and popular firewall products -- Checkpoint
Software's Firewall-1. The demonstration, presented at the "Black Hat"
security conference in Las Vegas, challenged the widely accepted notion that
firewalls are largely immune to direct attack.

The panel -- John McDonald and Thomas Lopatic of German security firm Data
Protect GmbH and Dug Song of the University of Michigan -- identified three
general categories of firewall attacks. They began by demonstrating a number
of relatively simple techniques by which an attacker could impersonate an
authorized administrator, and thus gain access to the firewall application
itself.

A second type of attack tricked the firewall into believing an unauthorized
Internet connection was actually an authorized virtual private network
connection. Finally, the panel exploited a number of errors in the process
used to examine traffic passing through the firewall to sneak in dangerous
commands.

While their presentation focussed on a single commercial firewall product,
panel members repeatedly emphasized that most firewalls are vulnerable to
the types of attacks demonstrated.  "The problem is not just with
[Firewall-1]," said Song. "The real problem is the blind trust most people
place in their firewalls."

Greg Smith, Checkpoint's director of product marketing for Firewall-1,
pointed out that many of the attacks demonstrated relied on improper
firewall configuration, and he asserted that they presented little practical
threat. "Not a single customer has reported a problem with any of these
issues."

Nevertheless, Checkpoint worked with McDonald, Lopatic and Song in
developing defenses against the attacks, which they released as part of
Firewall-1 Service Pack 2 immediately following the demonstration.
Checkpoint emphasized that the service pack should prevent all of the
attacks discussed, even those dependent on misconfiguration.

The panel also recommended a number of additional steps for "hardening"
firewalls, including use of strong authentication protocols, "anti-spoofing"
mechanisms and highly restrictive access rules.  At the same time, they called
on the IT community to abandon the "single firewall" model of network security
and implement multiple lines of defense.

However, one observer of the session, employed by a network switch
manufacturer, thinks Checkpoint lost some credibility over its products.
"Some of the exploited areas were because of dumb programming mistakes in
the code for the firewall itself.  If the [firewall] programmers can't get
it right, what other problems may still be lurking?" he pondered.

------------------------------

Date: Sat, 12 Aug 2000 11:22:30 -0400
From: Declan McCullagh <[email protected]>
Subject: GAO says EPA's computer security is "riddled" with weaknesses

Exact URL is:
 http://com-notes.house.gov/ai00215.pdf

Press release:

Bliley Releases GAO's Findings on Computer Security At EPA

Report Calls EPA's Computer Network  "Riddled With Security Weaknesses"

Washington (August 11) -- Ineffective, inadequate, and riddled with weaknesses.
This is how the General Accounting Office (GAO) described the Environmental
Protection Agency's (EPA) agency-wide information security program.

Commerce Chairman Tom Bliley (R-VA), who in August 1999 requested the GAO
audit of EPA's system as part of his review of the computer security
policies and programs of certain Federal agencies within the Committee's
jurisdiction, released the report today.

"The GAO report, coupled with the Committee's other recent oversight in this
area, shows that, despite the tough rhetoric, the Clinton-Gore
Administration's cyber-security policy amounts to little more than paper
pushing," Bliley said today in releasing the GAO Report.

In February of this year, after GAO's preliminary review of EPA's system
found "serious and pervasive problems," Chairman Bliley requested that EPA
take down its computer systems and initiate a major overhaul of its computer
network security. The EPA reluctantly complied.

"It is unfortunate," Bliley said, "that years of gross mismanagement at the
Agency have left these sensitive systems and data at such serious risk for
so long.  But it is even more unfortunate that it took this Committee's
oversight and public pressure to motivate the Agency to undertake
responsible steps to ensure its computer systems provide adequate protection
for sensitive Agency data.

"EPA, while shocking in degree, is not alone when it comes to poor
management of cyber security.  GAO and Committee oversight of other Federal
agencies continues to reveal that, rather than being a model for the private
sector to follow -- as the President has claimed he wants it to be -- the
Federal government appears instead to be a model of what not to do when it
comes to managing information security.

"In today's world, information security is crucial. It is disturbing that
government agencies with critical computer systems have paid so little
attention to this issue, and are so vulnerable to attacks.  It also reflects
a lack of leadership from the White House, which under current law should be
coordinating agency efforts to improve cyber security, but isn't.

"I will continue my review of agency information systems in an effort to
improve the Federal government's weak computer security practices."

In late July 2000, Bliley requested the GAO complete a similar audit of the
Commerce Department's cyber security program.  Bliley also recently launched
a review of the Food and Drug Administration's (FDA) information management
policies and practices, requesting records detailing the agency's computer
security practices and any hacker attacks against FDA.

A copy of the GAO Report is available at: www.house.gov/commerce

------------------------------

Date: Tue, 22 Aug 2000 12:14:06 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Bruce Schneier's Secrets and Lies

Bruce's new book, *Secrets and Lies: Digital Security in a Networked World*
(Wiley), concludes that cryptography alone cannot protect business networks.
This is a fine counterpoint to the mistaken belief that cryptography is the
ultimate answer to security.

 "Protecting information has become increasingly difficult in the digital
 world.  Teen-aged hackers have compromised the security of the U.S. State
 Department's web site and, in so doing, have proven that gaining access to
 personal passwords and other `secure' information is far easier than many
 could have ever anticipated."

The book website is
 http://www.counterpane.com/sandl.html
and is discussed in
 http://www.counterpane.com/crypto-gram-0008.html#1

------------------------------

Date: Fri, 18 Aug 2000 14:09:13 -0400
From: Gary McGraw <[email protected]>
Subject: Software Risk Management Conference ISACC

Reliable Software Technologies encourages all people interested in making
software behave to attend ISACC, the Software Risk Management conference
(http://www.isacc.com).  We'll be discussing many of the topics RISKS
readers are fond of: security, reliability, and safety.  And just to spice
things up, how about software certification as a controversial issue?! Hope
to see you there.

Gary McGraw, Ph.D    [email protected], Vice President, Corporate Technology
Reliable Software Technologies, Dulles, VA  <http://www.rstcorp.com/~gem>

------------------------------

Date: 13 Dec 1999 (LAST-MODIFIED)
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you.  Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <[email protected]> with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
  INFO     [for unabridged version of RISKS information]
.MIL users should contact <[email protected]> (Dennis Rears).
.UK users should contact <[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.  *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to [email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
http://the.wiretapped.net/security/textfiles/risks-digest/ .
==> PostScript copy of PGN's comprehensive historical summary of one liners:
   illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 21.02
************************