precedence: bulk
Subject: Risks Digest 21.17

RISKS-LIST: Risks-Forum Digest  Tuesday 26 December 2000  Volume 21 : Issue 17

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.17.html>
and by anonymous ftp at ftp.sri.com, cd risks .

 Contents:
Martin Minow (PGN)
Australian Ansett B767 fleet grounded due to maintenance breaches (Mike Martin)
Interference forces RAF to abandon ILS (David Kennedy)
Risks of automatic firmware upgrades (Marc Roessler)
IBM and Intel push copy protection into ordinary disk drives (John Gilmore)
CERT's ActiveX security report (Richard M. Smith)
Privacy/quality risks in Quicken Online Billing (Clay Jackson)
Credit report lists ex-spouse's address (Beth Roberts)
Wanna know my salary ? (John C Haselsberger)
Re: Spam as a denial of service attack? (Steve Wildstrom)
Armageddon scenario near-miss (Scott Rainey)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 26 Dec 2000 15:18:39 PST
From: "Peter G. Neumann" <[email protected]>
Subject: Martin Minow

It is with deep sadness that we note here the sudden passing of Martin Minow
last Thursday.  He was a long-standing, noble, insightful contributor to
RISKS, dating back to Volume 1, number 33, on 1 Jan 1986.  A quick search
shows that he had 172 messages in RISKS over the past 15 years, including
translations of some otherwise inaccessible news items that appeared in
Swedish sources.  He was a delightful person, and will be sorely missed by
many of us.  Thanks to all of you who forwarded the e-mail message from his
brother, [email protected].

Greg Marriott <[email protected]> added URLs for Martin's Web pages:
 http://www.vmeng.com/minow/
 http://homepage.mac.com/k6mam/
 http://www.ag.ohio-state.edu/~natres/faculty/homepage.html

PGN

------------------------------

Date: Sun, 24 Dec 2000 08:52:40 +1100
From: "mike martin" <[email protected]>
Subject: Australian Ansett B767 fleet grounded due to maintenance breaches

On 23 Dec 2000, Ansett Airlines, Australia's second national airline,
grounded six of its fleet of seven B767-200 aircraft (its largest domestic
aircraft) when "it realised that important maintenance inspections had not
been carried out". (The seventh aircraft was already out of service for
maintenance.) See
 http://www.abc.net.au/news/2000/12/item20001224050838_1.htm and
 http://www.smh.com.au/news/0012/24/national/national1.html.

This, at perhaps the busiest travel weekend of the year, and when Ansett has
been steadily losing market share to Qantas. Oddly enough, while this
inconvenienced thousands of passengers, it was reported that only 18 flights
were cancelled (what do these aircraft do all day then?).

It appears that a mandatory 25,000-cycle maintenance check was completely
overlooked, but the good news (if true) is that an Ansett spokesperson was
reported by the Australian ABC network as saying that "the decision to take
the aircraft out of service was entirely [Ansett's] own". So, if there were
risks introduced by cost cutting or other measures by management of Ansett,
owners Air New Zealand, or part shareholder Singapore Airlines, the system
corrected itself.

Albeit, likely with huge commercial pain. One Ansett customer was quoted by
the *Sun Herald* Sunday newspaper as saying, "I haven't flown Ansett for 20
years and it's only now that I remember why."
 http://www.smh.com.au/news/0012/24/national/national2.html

While there is no reason to consider that Australian airline travel is more
risky than it used to be, the landing of a Qantas B747 in a Bangkok golf
course last year
 http://www.theage.com.au/news/20000430/A31680-2000Apr29.html
was the first of a number of breakdowns of types we have not heard about
before.  Earlier this year, the new Sydney Airport control tower was blacked
out by electrical supply failures twice within a few days. The result was
short term chaos.

Last week the control tower was evacuated due to smoke from burning computer
equipment. However, backup procedures cut in quickly and the old control
tower took over.

Conclusion?

Positive... I think.

It seems that maybe organisations are becoming more transparent about risks,
and improving measures to deal with them. While passengers inconvenienced by
the Ansett grounding might have a different view, it was, from the
information publicly available, a brave decision.

Even so, the threads at www.pprune.org abound with contrary suspicions.
Neither the regulator, Civil Aviation Safety Authority Australia, nor the
Australian Transport Safety Board has yet posted any comment on the event on
their web sites.

We shall see.

Mike Martin, Sydney  [email protected]

------------------------------

Date: Tue, 26 Dec 2000 13:50:33 -0500
From: David Kennedy CISSP <[email protected]>
Subject: Interference forces RAF to abandon ILS

RAF to abandon faulty landing system, by Mark Henderson, science correspondent
excerpted from http://www.thetimes.co.uk/article/0,,2-58265,00.html

 ROYAL AIR FORCE pilots will stop using a bad-weather navigation system
 from January 1 because new commercial radio frequencies have made it
 unreliable, the Ministry of Defence said yesterday.  Pilots of military
 planes and helicopters fitted with the Instrument Landing System (ILS)
 will not be allowed to use it to land in poor weather in the new
 year. Instead they will have to ask air traffic controllers to talk down
 their flights.

o Commercial FM growth cited as cause.

o Commercial ILS on different frequencies has not been affected.

o Affected aircraft are Nimrod reconnaissance and search and rescue
helicopters.  RAF transport a/c have already been upgraded and tactical
aircraft do not use ILS.

 "There is no operational impact whatsoever," a ministry of Defense
 spokeswoman said. "It is a worldwide problem which affects all countries."
 "New landing assistance systems use more reliable technology, such as
 global positioning satellites, which are not affected by radio
 frequencies. ILS can also be disrupted by signals from mobile telephones."

Dave Kennedy CISSP Director of Research Services TruSecure Corp.

http://www.trusecure.com

------------------------------

Date: Fri, 22 Dec 2000 18:11:30 +0100
From: Marc Roessler <[email protected]>
Subject: Risks of automatic firmware upgrades

In 1992 (RISKS-14.06), David Honig reported that a "certain
very-popular-workstation-tape-storage-device will reload its firmware upon
finding a firmware-reconfiguration tape within its maw upon power-cycling."

Funny how history keeps repeating.. seems the same technique is now used
for upgrading the firmware of dolby digital sound processors. Those are
used in movie theaters for processing the stream of digital data which is
read optically from the 35mm film.

Citing http://www.dolby.com/cinema/cp500bro.html:

 [..] Moreover, updates to the audio coding used for Dolby Digital
 soundtracks, which are included from time to time right on Dolby Digital
 release prints, download automatically into the CP500 the first time such
 a print is played in the cinema. [..]

In a German discussion forum dedicated to the projection of cinema movies
(http://www.filmvorfuehrer.de/forum/) on 9 Nov 2000, the following was
posted by Stefan Mueller:

(translated from German)

 The trailer of "Billy Elliott" has got some nasty bug: If the trailer is
 being cut right behind start mark three, the CP500 will do a software
 reset with data upload as the trailer runs through the machine. Either
 Dolby Digital crashes completely or the Cat 673 is set to factory default,
 which means setting the digital soundhead delay to 500 perforations,
 i.e. the digital sound lags 5.5 seconds behind the picture. [..]

Nice, isn't it?

Concerning David Honig's report: I own a streamer which seems to have been
built in 1995 (same company? maybe same streamer?), and according to the
manual it has this "feature", too. Though no power-cycling is necessary, the
firmware upgrade will happen right after inserting the "Firmware Upgrade
Tape" into the drive. I guess this barrier (the need to power-cycle the
device) was removed for better user friendliness.. (or it is some different
kind of streamer and it never had this barrier, which is just as bad).  I
won't go into the evil details of what to do to a streamer's firmware in
order to maximize the devastating effect as I am sure you all can make up
some nice ideas yourself.

It seems this "auto-firmware-upgrade" feature is making its way in more
and more products. I just can't wait for cars to be firmware upgraded by
refueling them at the gas station. *irony*
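
[Added example, not part of the original post and not Dolby's or any vendor's code: a sketch of a device-side gate for updates that arrive in-band on inserted media. It refuses truncated or altered data and does nothing unless an operator has armed update mode. The container layout, the Device class and all names are hypothetical; HMAC-SHA256 is a standard-library stand-in for the public-key signature a real product would verify.]

```python
import hashlib
import hmac
import struct

# Hypothetical container for an update carried on the media itself:
#   magic(4) | version(u32 BE) | payload_len(u32 BE) | payload | tag(32)
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = hashlib.sha256().digest_size


def build_update(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: frame the payload and append an HMAC-SHA256 tag."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Device:
    """Device side: media content alone can never trigger a reflash."""

    def __init__(self, key: bytes, version: int):
        self.key = key
        self.version = version
        self.firmware = b""
        self.armed = False  # set only by a deliberate local operator action

    def arm_update(self) -> None:
        self.armed = True

    def offer(self, blob: bytes) -> str:
        """Handle an update blob found on inserted media; return the decision."""
        if not self.armed:
            return "ignored: update mode not armed"
        self.armed = False  # one arming covers exactly one attempt
        if len(blob) < HEADER.size + TAG_LEN:
            return "rejected: truncated"
        magic, version, length = HEADER.unpack_from(blob)
        if magic != MAGIC or len(blob) != HEADER.size + length + TAG_LEN:
            return "rejected: truncated or malformed"
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad authentication tag"
        if version <= self.version:
            return "rejected: not newer than installed version"
        # Commit only after every check has passed; on any failure the
        # installed firmware and settings are left exactly as they were.
        self.firmware = body[HEADER.size:]
        self.version = version
        return "applied"


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"   # constructed sample key
    update = build_update(key, 2, b"new audio decoder")
    dev = Device(key, version=1)
    print(dev.offer(update))        # media inserted, nobody asked for an update
    dev.arm_update()
    print(dev.offer(update[:-5]))   # data cut short, as with the spliced trailer
    dev.arm_update()
    print(dev.offer(update))        # complete, authentic, newer
```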

------------------------------

Date: Thu, 21 Dec 2000 13:16:03 -0800
From: John Gilmore <[email protected]>
Subject: IBM and Intel push copy protection into ordinary disk drives

 [From [email protected]; Source:
 Stealth plan puts copy protection into every hard drive
   http://www.theregister.co.uk/content/2/15620.html]

*The Register* has broken a story of the latest tragedy of copyright mania
in the computer industry.  Intel and IBM have invented and are pushing a
change to the standard spec for PC hard drives that would make each one
enforce "copy protection" on the data stored on the hard drive.  You
wouldn't be able to copy data from your own hard drive to another drive, or
back it up, without permission from some third party.  Every drive would
have a unique ID and unique keys, and would encrypt the data it stores --
not to protect YOU, the drive's owner, but to protect unnamed third parties
AGAINST you.

The same guy who leads the DVD Copy Control Association is heading the
organization that licenses this new technology -- John Hoy.  He's a
front-man for the movie and record companies, and a leading figure in the
California DVD lawsuit.  These people are lunatics, who would destroy the
future of free expression and technological development, so they could sit
in easy chairs at the top of the smoking ruins and light their cigars off
'em.

The folks at Intel and IBM who are letting themselves be led by the nose are
even crazier.  They've piled fortunes on fortunes by building machines that
are better and better at copying and communicating WHATEVER collections of
raw bits their customers desire to copy.  Now for some completely
unfathomable reason, they're actively destroying that working business
model.  Instead they're building in circuitry that gives third parties
enforceable veto power over which bits their customers can send where.
(This disk drive stuff is just the tip of the iceberg; they're doing the
same thing with LCD monitors, flash memory, digital cable interfaces,
BIOSes, and the OS.  Next week we'll probably hear of some new industry-wide
copy protection spec, perhaps for network interface cards or DRAMs.)  I
don't know whether the movie moguls are holding compromising photos of Intel
and IBM executives over their heads, or whether they have simply lost their
minds.  The only way they can succeed in imposing this on the buyers in the
computer market is if those buyers have no honest vendors to turn to.  Or if
those buyers honestly don't know what they are being sold.

So spread the word.  No copy protection should exist ANYWHERE in generic
computer hardware!  It's up to the BUYER to determine what to use their
product for.  It's not up to the vendors of generic hardware, and certainly
not up to a record company that's shadily influencing those vendors in
back-room meetings.  Demand a policy declaration from your vendor that they
will build only open hardware, not covertly controlled hardware.  Use your
purchasing dollars to enforce that policy.

Our business should go to the honest vendors, who'll sell you a drive and an
OS and a motherboard and a CPU and a monitor that YOU, the buyer, can
determine what is a valid use of.  Don't send your money to Intel or IBM or
Sony.  Give your money to the vendors who'll sell you a product that YOU
control.

John

------------------------------

Date: Fri, 22 Dec 2000 13:25:20 -0500
From: "Richard M. Smith" <[email protected]>
Subject: CERT's ActiveX security report

This past summer, CERT sponsored a two-day workshop on security issues with
ActiveX controls.  The final report was just released today and is available
as a PDF file at the CERT Web site:
   http://www.cert.org/reports/activeX_report.pdf

There is a lot of good information in the report about how individuals and
organizations can reduce security risks in Internet Explorer when using
ActiveX controls.

In addition, there is a section aimed at software developers on how to
create safer controls.

A good bit of the technical information in the report has not been made
public before.

Richard

------------------------------

Date: Fri, 22 Dec 2000 16:34:34 -0800
From: "Clay Jackson" <[email protected]>
Subject: Privacy/quality risks in Quicken Online Billing

I'm a pretty trusting fellow, and a very early adopter of new technology,
but the disclaimer in Quicken 2001's Online Billing agreement gave even me
pause:

"....USER ACKNOWLEDGES THAT HE OR SHE BEARS THE ENTIRE RISK AS TO THE
QUALITY AND PERFORMANCE OF THE ONLINE BILLING SERVICE"

I'm currently a 'wage slave', but have done my share of consulting - I sure
wish I could get this blatant a disclaimer in MY contracts.  To add possible
injury to the insult, the NEXT page (when I clicked 'Accept' on this) asked
me for my SSN, birthdate, place of birth and mother's maiden name, with NO
indication as to where and how this information might be used, or even if
the transmission would be 'secure' or encrypted in any way.  Needless to
say, I cancelled out of THAT agreement.

Clay Jackson <[email protected]>

------------------------------

Date: Sun, 24 Dec 2000 12:22:18 -0500 (EST)
From: Beth Roberts <[email protected]>
Subject: Credit report lists ex-spouse's address

Having recently decided to clear up any erroneous black marks on my credit
rating, I ordered reports from both Trans Union and Equifax. Both informed
me that they could not send my credit report because they could not verify
my current address (where I have resided for over a year).

To my surprise, I did receive a copy of my credit report, from a company
called CSC Credit Services. The report gives no clues as to whether this
company is affiliated with Trans Union, Equifax, or neither.

At the top, I see why they had such trouble believing that I live where I
do - all three of the addresses they have listed for me (one current, two
previous) are completely unfamiliar to me. Since they also have my name
listed incorrectly as my married name, I can only assume that they had
surmised I was still living with my ex-husband, and that any address
applying to his last name also applied to me.

We have been willfully ignoring each other since the divorce, but it could
be dangerous if I were a stalking or vindictive type. This would be an easy
way for me to find out where he is, regardless of any measures he might have
taken to safeguard his privacy. Alternatively, if I were seeking child
support from him, it might come in handy for me. We had no children, so this
doesn't apply.

I am not sure whether the same type of mistake is possible in the reverse
direction - that is, listing an ex-wife's post-divorce addresses in an
ex-husband's credit report. This privacy problem may only occur when there
is confusion as to the ex-wife's last name, so it may only potentially
reveal the ex-husband.

For me, it's just yet another piece of data I have to get them to correct,
in addition to the three (out of ten) incorrect credit history entries that
still show a balance due, even though I paid them off.

Beth Roberts <[email protected]>

------------------------------

Date: Fri, 22 Dec 2000 10:34:33 -0500
From: John C Haselsberger <[email protected]>
Subject: Wanna know my salary ?

I work for a large corporation that has recently outsourced "employment
verification" (for use in credit applications and such) to a Web-based
service, http://www.theworknumber.com .  This system works as follows: You
log into the system with a company code, a Social Security number, and a
PIN. You then can generate single-use keys to distribute to those who need
your credit or employment verification; then they log onto the same web site
with that key and have access to your salary and I believe duration of
employment.

To make the system easy-to-use, you can look up a company code given a
company name so that this tiny security barrier is useless.

The default PIN is the last 4 digits of your Social Security number.  Strike
two for Security.

My company has the unfortunate habit of using Social Security numbers, even
though each employee has a unique employee number, for identification.  Over
the years, I have been exposed to many other employees' Social Security
numbers, and I can only assume the reverse is true. Strike three.

While we are given the opportunity to change our PIN, the timing of this
situation while many people are off on vacation, coupled with human nature,
barely lessens this RISK. I called their customer support number, and there
is no way to "opt out" of their system.

Whereas they DO use SSL to protect the web transactions, the real risks lie
elsewhere.

John Haselsberger <[email protected]>
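
[Added example, not part of the original post and not code from the service it describes: how an operator of such a system could find accounts still protected by a PIN derivable from the Social Security number, working only from salted PIN verifiers, and refuse such PINs at change time. The record layout, function names and PBKDF2 parameters are assumptions; the SSNs are constructed and use the never-issued 000 area.]

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def pin_verifier(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash stored instead of the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


def make_account(employee_id: str, ssn: str, pin: str = None) -> dict:
    """Constructed record; pin=None models the default (last 4 SSN digits)."""
    salt = os.urandom(16)
    pin = ssn[-4:] if pin is None else pin
    return {"id": employee_id, "ssn": ssn, "salt": salt,
            "verifier": pin_verifier(pin, salt)}


def derivable_pins(ssn: str) -> set:
    """4-digit PINs that follow directly from an SSN someone has seen."""
    digits = ssn.replace("-", "")
    windows = {digits[i:i + 4] for i in range(len(digits) - 3)}
    return windows | {digits[-4:][::-1]}


def audit_default_pins(accounts: list) -> list:
    """Ids of accounts whose stored verifier matches an SSN-derived PIN."""
    flagged = []
    for acct in accounts:
        for guess in derivable_pins(acct["ssn"]):
            candidate = pin_verifier(guess, acct["salt"])
            if hmac.compare_digest(candidate, acct["verifier"]):
                flagged.append(acct["id"])
                break
    return flagged


def pin_change_allowed(ssn: str, new_pin: str) -> bool:
    """Policy check at change time: digits only, and not SSN-derived."""
    return new_pin.isdigit() and new_pin not in derivable_pins(ssn)


def sample_accounts() -> list:
    # Constructed sample data.
    return [
        make_account("E1", "000-12-3456"),          # never changed the default
        make_account("E2", "000-98-7654", "4071"),  # unrelated PIN
        make_account("E3", "000-55-1212", "5512"),  # changed, still from the SSN
    ]


if __name__ == "__main__":
    print("force a PIN reset for:", audit_default_pins(sample_accounts()))
```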

------------------------------

Date: Fri, 22 Dec 2000 10:09:18 -0500
From: Steve Wildstrom <[email protected]>
Subject: Re: Spam as a denial of service attack? (Bellovin, RISKS-21.15)

Interestingly, Verizon has failed to come up, at least in public, with any
evidence that this was in fact an attack. Given the company's dubious
service record, a lot of folks suspect this may be a pretty lame attempt to
blame a popular bogeyman for an inability to handle traffic.  Sometimes, I
feel that I personally get millions of spam messages a day, but our system
generally handles it. An attack would almost certainly have involved a large
number of messages from a small number of sources and at least the mail
relays that the messages were sent through would have been identifiable, if
not the ultimate source.

Steve Wildstrom, Technology & You Editor, *Business Week*, 1200 G St. NW #1100
Washington DC  20005  1-202-383-2203 [email protected]

------------------------------

Date: Sun, 24 Dec 2000 11:21:46 +0000
From: Scott Rainey <[email protected]>
Subject: Armageddon scenario near-miss

It seems our favorite planet - Earth - barely missed yet another pyrotechnic
run-in with a city-killer sized asteroid.  It was early Xmas Eve 2000.

Nobody saw it till it had already gone past.  Range: 800,000 km.  That's
barely double the distance of earth to the moon.  When you figure that we've
got some serious gravity constantly inviting passing space rocks to pay us
a visit, I'd say that it's awful dang close.  Although the collision
probabilities for us and all known space rocks are officially listed as <
1e-9, I really don't trust that math.

The risk is in insufficient funding for early warning systems and sub-zero
funding for deploying solutions.

If we are REALLY lucky a smallish rock like this one will touch down in a
sparsely populated corn field, creating an instant tourist mecca and a kick in
the pants for policy wonks.... not to mention a big ratings week for CNN.

news.com.au has the first story of which I am aware @
http://news.com.au/common/story_page/0,4057,1550084%255E1702,00.html

For fresh info on what we claim to know about the sky falling, click to the
JPL news page: http://neo.jpl.nasa.gov/news.html

 [Somewhat off your normal news beat, but I'd bet it is something
 with high interest for your audience.  SR]

   [Certainly has risks to computers and related
   systems, as well as to people.  TNX.  PGN]

------------------------------

Date: 26 Dec 2000 (LAST-MODIFIED)
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you.  Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <[email protected]> with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
  INFO     [for unabridged version of RISKS information]
.MIL users should contact <[email protected]> (Dennis Rears).
.UK users should contact <[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.  *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to [email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.17
************************

Date: Sun, 24 Dec 2000 13:57:53 -0500
From: Monty Solomon <[email protected]>
Subject: Stealth plan puts copy protection into every hard drive

http://www.theregister.co.uk/content/2/15620.html

 Stealth plan puts copy protection into every hard drive
 By: Andrew Orlowski in San Francisco
 Posted: 20/12/2000 at 18:54 GMT

 Hastening a rapid demise for the free copying of digital media, the next
 generation of hard disks is likely to come with copyright protection
 countermeasures built in.

 Technical committees of NCTIS, the ANSI-blessed standards body, have been
 discussing the incorporation of content protection currently used for
 removable media into industry-standard ATA drives, using proprietary
 technology originating from the 4C Entity. They're the people who brought
 you CSS2: IBM, Toshiba, Intel and Matsushita.

 The scheme envisaged brands each drive with a unique identifier at
 manufacturing time.

 The proposals are already at an advanced stage: three drafts have already
 been discussed for incorporating CPRM (Content Protection for Recordable
 Media) into the ATA specification by the NCTIS T.13 committee. The
 committee next meets in February. If, as expected, the CPRM extensions
 become part of the ATA specification, copyright protection will be in
 every industry-standard hard disk by next summer, according to IBM.

 However, what's likely to create a firestorm of industry protest is that
 the proposed mechanism introduces problems to moving data between
 compliant and non-compliant hard drives. Modifications to existing backup
 programs, imaging software, RAID arrays and logical volume managers will
 be required to cope with the new drives, The Register has discovered.

 The ramifications are enormous. Although the benefit to producers is
 great - bringing the holy grail of secure content one step closer - the
 costs to consumers will be significant. For example, corporate IT
 departments will be unable to mix compliant and non-compliant ATA drives
 as they try to enforce uniform back up policies, we've discovered.
 Restoring personal backups to a different physical drive - a common
 enough occurrence when a disk has failed - will require authentication
 with a central server. Imaging software used by OEMs and large
 corporates to distribute one-to-many disk images will also need to be
 modified.

 And the move casts a shadow over some of the hottest emerging business
 models: the network attached storage industry, which relies on
 virtualising media pools, the digital video recorder market currently
 led by TiVo and Replay, and the nascent peer-to-peer model all face
 technical disruption.

 How it works

 Today, CPRM is implemented on DVD and removable SD disks.  But the SCSI
 and ATA/ATAPI proposals incorporate an extension of the scheme to allow
 the encryption to be used on hard drives, in addition to removable
 drives and ATAPI devices such as CD-ROMs and DVD drives.

 The proposal makes use of around a megabyte of read-only storage on each
 hard drive that isn't usually accessed by the end user for a "Media Key
 Block". According to research scientist Jeffrey Lotspiech of IBM's
 Almaden Research Lab, this is a matrix of 16 columns and some 3000 rows.
 A static "Media Unique Key" in a separate, hidden area of the drive,
 identifies the individual drive. Making use of broadcast encryption and
 one way key algorithms, would-be hackers face a daunting number of keys
 to break. CPRM adds new commands into the ATA specification.

 But because the system makes use of the physical location on the device
 of the encrypted item, software designed for non-compliant drives will
 break in some circumstance when encrypted data files are moved.

 "It requires both drives to be compliant when data is to move from one
 disk to another," says Lotspiech. "And a compliant application to get
 all that data to the new drive".  So a hard drive containing small
 individual containing non-copyable files of say, Gartner reports, will
 essentially be unrestorable using existing backup programs.

 Similar problems arise with RAID arrays using IDE disks, acknowledges
 IBM. "This may help IT managers when auditing for copyright compliance,"
 suggests IBM spokesman Mike Ross.

 However the decision to make an organisation CPRM compliant. Free
 copying is no longer an option:-

 "It's not up to us to determine or guess what the content provider might
 permit," says Ross. "Nothing will handcuff proper backup and restoring
 provided the content provider permits it. Some may not permit it - but
 what will the customers reaction be then?"

 Well, quite. Clearly key management becomes an urgent priority when
 CPRM-aware drives are introduced next year, as CPRM-aware content will
 surely follow. The decision to go with CPRM in an organisation is also
 an all or nothing proposition - it can't be introduced gradually.

 But for home users, the party's over. CPRM paves the way for
 CPRM-compliant audio CDs, and the free exchange of digital recordings
 will be limited to non-CPRM media.

 The Register understands there is fierce opposition to the plan from
 Microsoft and its OEM customers. Generating hundreds of thousands of
 images each week, the PC industry relies on data going from one master
 to many reliably and smoothly. Imaging programs face the same problem as
 restore software: the target disk isn't the same as the originator disk.
 Microsoft Redmond already has put in a counter-proposal that eschews
 low-level hardware calls.

 Where were you when they copy-protected the hardware, Daddy?

 The intellectual property is owned by the 4C Entity, and administered by
 License Management International, LLC - a limited liability company
 based in Morgan Hill, California. Company founder John Hoy told The
 Register that "LMI,LC holds no intellectual property. Entities are
 granted a master license."

 Per-device royalties are payable to LLI,LC. License fees of between 2c
 and 17c have been mooted for each device, according to documents
 circulated to the T.13 group. 5c is the current rate for a DVD device.

 Three possible paths lie ahead. CPRM may be bounced out of the T.x
 committees. Or manufacturers may choose not to implement it, and opt for
 an incomplete ATA or SCSI specification. This is deemed unlikely. Or
 thirdly, manufacturers may choose to implement the new command set, but
 not activate it.  Although it hardly has a prominent media profile - yet
 - CPRM in hardware is the most comprehensive mechanism for enforcing
 rights protection the industry has seen, and is likely to be viewed by
 content producers as a magic bullet. Its progress depends on whether
 its proponents can overcome industry and consumer opposition. Which
 might be brewing right about ... now.

------------------------------

Date: Fri, 22 Dec 2000 17:02:55 -0800
From: Mike Hogsett <[email protected]>
Subject: More Credit Card Databases compromised

http://www.msnbc.com/msn/506714.asp

------------------------------