The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 83

Friday 21 February 1997

Contents

o TCAS and the F-16 incidents
PGN
o B777 autopilot/flight-director problems?
Peter Ladkin
o Myths about digital signatures
Edward Felten
o Suit Over Computer Use
David Kennedy
o Bank Sued for Racist E-Mail
David Kennedy
o Computer glitch mails out multiple driver's licenses
Dave Tarabar
o Proprietary data formats and backcompatibility
Lloyd Wood
o Web banking
Harold Asmis
o Forgeries and Dejanews
Robert Ames
o Judge Shuts Down Another Cyberporn Scam
Edupage
o Who made the call in the Moldova porn scam?
Doug Claar
o Virus mailed out on PhotoDisc CD-ROM
John C. Rivard
o Y2K "problem" in virus?
Jim Griffith
o Mobile code security mailing list
Edward Felten
o ActiveX basic problem
Paul Robinson
o MS on the CCC ActiveX virus
Tod Nielsen and Brad Silverberg via Lloyd Wood
o Microsoft "defends" ActiveX
Travis Winfrey
o Info on RISKS (comp.risks)

TCAS and the F-16 incidents

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 20 Feb 97 11:03:13 PST
There have now been four recent incidents involving F-16s and commercial
airliners with the TCAS automated collision avoidance system.

1. On 5 Feb 1997, two Air Force F-16s closed on a Nation's Air Boeing 727
passenger jet heading for JFK in NY.  A TCAS alarm caused the 727 pilot to
take evasive action, flooring three passengers and crew members.  This
occurred in a fairly large restricted area through which the 727 had been
cleared to fly.  One of the F-16 pilots had earlier identified the 727 as a
passenger plane, but continued to chase it ``as an intruder into his
airspace''.  The instructor pilot told his trainee pilot to stay out of the
way ``till this, uh, bozo gets out of the airspace.''  He was eventually
ordered to stop the chase, but ``the command may have been delayed because
the fighter pilot was on the wrong frequency'' (according to the Air Force
report).

2. On 7 Feb 1997, four Air National Guard F-16s from Andrews Air Force Base
passed an American Eagle commuter plane bound from Raleigh to NY.  Three of
the F-16s were above the commuter plane, one below.  A TCAS alarm caused the
American Eagle pilot to take evasive action.

3. Also on 7 Feb 1997, two Air Force F-16s entered the safety zone around an
American Airlines jet over Palacios TX.

4. Also on 7 Feb 1997, two Air Force F-16s entered the safety zone around an
Northwest Airlines jet over Clovis, NM.

The Air Force insists that none of these cases was a close call (that is,
with less than 500 feet separation), and that such close encounters have
happened routinely in the past without causing concern -- before the advent
of TCAS.  So, we can chalk this up either as an indication that TCAS works
(albeit too well?), or as a failure of the Air Force to understand the risks
of false alarms in someone else's safety system!

[Sources: items in *The Washington Post* 8 Feb 1997, *Los Angeles Times*, 11
Feb 1997, A14, and *The New York Times*, 19 Feb 1997.]


B777 autopilot/flight-director problems?

Peter Ladkin <ladkin@TechFak.Uni-Bielefeld.DE>
Tue, 18 Feb 1997 17:58:08 +0100
Flight International (19-25 Feb 97, p4) reports that the UK AAIB is looking
into an uncommanded-rudder-movement incident on a British Airways Boeing
777-200A in October 1996. The B777 is a fly-by-wire (FBW) aircraft.

The aircraft departed Heathrow en route Jeddah, and was forced to turn back.
A UK CAA Occurrence Report talks of uncommanded movement of rudder and
rudder pedals during climb and cruise, at random intervals. The flaperons
were also observed to move, it is surmised in counterresponse to the rudder
movements. "Large rudder input" was required on the landing. An intermittent
fault in the two autopilot/flight-director computers is suspected, and
they're being lab-tested -- as are the rudder backdrive actuators.

It's perhaps important to point out the difference between the flight
management system (FMS), of which the autopilot/flight-director is part, and
the aircraft control system. The term `fly-by-wire' is used by aerospace
engineers (but not usually journalists) to refer to digital-computer
operation of the control system. Many non-FBW aircraft, some which have been
in service for 14 years now, have digital computer-controlled FMS's. In this
B777 incident, FMS problems are suspected (but not yet confirmed), whereas
control-system problems are not.

Peter Ladkin


Myths about digital signatures

Edward Felten <felten@CS.Princeton.EDU>
Wed, 19 Feb 1997 17:12:43 -0500
There has been a lot of public discussion lately about digital signatures on
mobile code.  Several myths permeate this discussion.  I'd like to puncture
three of them.

* Myth 1: Digital signatures let you know who wrote a program, or where it
came from.

Reality: Anybody can remove the author's signature or add their own
signature.  At best, a signature tells you that the signer endorsed the
program recently.  Endorsement is more useful than authorship anyway; most
people care more about whether their corporate MIS department has endorsed a
program than about who wrote the program.

* Myth 2: If X has signed a program, and I trust X, then it is safe for me
to download the program.

Reality: There have been plenty of incidents of reputable and well-meaning
organizations spreading viruses or serving as the base for security
attacks.  Before accepting a download from X, it's not enough to ask "Do I
trust X?"  One must also ask questions like "How carefully has X managed
his cryptographic keys?" and "What is the probability that X's security has
been penetrated?"

* Myth 3: Digital signatures provide accountability; if a program signed by
X is malicious, the victim can sue X.

Reality: Suppose I accept a download signed by X.  A few seconds later
there is some mysterious network traffic and then my disk gets wiped clean.
 X could be the culprit.  Or X could be innocent --- that code I downloaded
from Y three days ago could have waited a while before detonating.  Or
somebody could have exploited a bug somewhere else in my system.  I have *no
evidence* to distinguish these cases --- all the evidence disappeared when
my disk was erased.  (We can assume the attacker is smart enough to remove
the hostile code from his site immediately after the attack.)

If the attacker doesn't erase my disk, I can't trust the apparent evidence
anyway.  After all, the attacker had free run of my system and could have
planted whatever "evidence" he liked.  The evidence, whether real or not,
will collapse in the first cross-examination.

Signatures can provide accountability, but only with much more rigorous
logging and auditing than today's consumer software provides.


Suit Over Computer Use

David Kennedy <76702.3557@CompuServe.COM>
18 Feb 97 22:00:21 EST
Courtesy of United Press International via CompuServe's Executive News Service:

UW prof accused of copying porno pics (UPI US & World, 13 Feb 1997)

> MADISON, Wis., Feb. 13 (UPI) -- The University of Wisconsin-Madison is
> facing (Thursday) a sexual harassment lawsuit, claiming a former medical
> professor used campus computers to copy hundreds of pornographic pictures
> from the Internet.

Another employee is suing because the professor propositioned her.

DMK Comment: Privacy fanatics balk when companies claim privilege over the
contents and uses of the systems the companies own.  In this case, the
university is being held responsible for the actions of one of their
employees.  Given the academic-freedom environments in most (all?) American
Universities (and probably elsewhere), the university is in a no-win
position.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.


Bank Sued for Racist E-Mail

David Kennedy <76702.3557@CompuServe.COM>
19 Feb 97 21:00:09 EST
Courtesy of the Dow Jones News Service via CompuServe's Executive News Service:

Citibank Workers File Bias Lawsuit Over Racist E-Mail (Dow Jones, 18 Feb 1997)

   By Frances A. McMorris
   Staff Reporter of The Wall Street Journal

> NEW YORK -- Two black employees of the Citibank NA unit of Citicorp filed
> a race discrimination lawsuit after racist jokes were allegedly sent via
> electronic mail by several bank supervisors.  The e-mail was identical to a
> set of racially charged jokes at the center of a lawsuit against Morgan
> Stanley & Co.

> The plaintiffs, Alvin Williamson, a vice-president, and Brenda Curtis, a
> secretary, contend that several Citibank supervisors, including
> vice-presidents, spread the offensive e-mail to specific colleagues around
> the country.  The e-mail created a "pervasively abusive racially hostile
> work environment," the plaintiffs said in their lawsuit.

:: Mail sent on Jan 28th.  Suit claims little or no action was taken against
those who spread the message, although the company acknowledged an incident
did take place and it was "putting into effect disciplinary actions" against
the perpetrators.

DMK Comment: Another company is being sued for objectionable content of
employee computer use.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.


Computer glitch mails out multiple driver's licenses

Dave Tarabar <dtarabar@systemsoft.com>
Thu, 20 Feb 1997 09:02:54 -0500
*The Boston Globe*, 20 Feb 1997, has a picture of a woman holding six
copies of her new driver's license which came in the mail on the same day.

Two years ago, the Massachusetts Registry of Motor Vehicles converted to a
new state-of-the-art system for producing driver's licenses. When a person
renews a license, a digital color picture is taken. You are given a
temporary paper license and are told that your permanent license will arrive
shortly in the mail. The permanent license is a single piece of plastic
(like a credit card). It should be more tamper-resistant than previous
licenses, which had a Polaroid picture laminated to paper.  So far there
have been no reported problems with the system.

It appears that in certain cases, the system was spitting out multiple
copies of a license and mailing them on the same day. A spokesman for the
Registry says that a computer programming error has been identified and
fixed. The Registry says that about 50 people reported receiving multiple
licenses. The major Risk here is that extra licenses could be sold (or
stolen) for the purpose of false IDs.

Another feature (or risk?) of the digital photographs is that it is no
longer necessary to go in person to the Registry when renewing your license
or replacing a lost or stolen license.  You can just send a check.

For many people, the most serious risk is that there is no longer only one
copy of their driver's license picture :-)

Dave Tarabar, SystemSoft Corp., 2 Vision Drive Natick, MA 01760
dtarabar@systemsoft.com 1-508-647-2952


Proprietary data formats and backcompatibility

Lloyd Wood <L.Wood@surrey.ac.uk>
Wed, 19 Feb 1997 16:25:36 +0000 (GMT)
>From the Electronic Telegraph, Connected Newsbytes, Tuesday 18 Feb 1997:

   Microsoft says that it has solved the problem of forward
   compatibility - the way that old word processors can't read
   documents produced by newer versions of the same software.
   Apparently, if you're still using Office97 10 years from now and
   someone sends you an Office2007 file, your computer will lead you
   on to the Web to download a converter utility.

There are a number of risks inherent in this (assuming a network connection,
assuming that the web hasn't undergone a sea change to a completely
different access protocol), but these risks are experienced by you, the user
of software that writes its data in a proprietary, publically undocumented,
format that leaves you nothing else to fall back on.

In fact, these risks will encourage you to upgrade Office (or Acrobat's
'portable'-document-format pdf reader, say) regularly to avoid them. Is this
the best way forward?

L.

Software marketing - so good it's almost criminal.
<URL:http://www.sat-net.com/L.Wood/><L.Wood@ieee.org>+44-1483-300800x3435


Web banking

Harold Asmis <harold.w.asmis@hydro.on.ca>
Thu, 13 Feb 1997 12:37:30 -0500
Problem: Quirks in either our Corporation's implementation of caching or in
other sites' interpretation of how caching works, has allowed the ability
for complete strangers (in the organization) to view your confidential bank
accounts.

Two weeks ago, we were setting up My Yahoo (a customized web page) for
somebody (strictly technical news :).  After setting up, we were quite
surprised to get somebody else's web page.  Ha, ha we thought, and it never
happened again.

Now I've been informed that somebody was checking their Bank of Montreal web
bank account.  This is fairly heavily protected by user name and password.
Lo and Behold, he came up with somebody else's (in the organization) bank
account!  This fellow almost came to blows accusing that person of using his
PC at night! :)

What is happening here?  I believe that MBANX is probably being slack about
caching and the use of common IP firewalls, but we are probably caching
something that shouldn't be cached.

Until this is resolved, I recommend that web accounts be only checked at
home.

Harold W. Asmis harold.w.asmis@hydro.on.ca 1-416.592.7379 fax 416.592.5322
[Disclaimers]


Forgeries and Dejanews

Robert Ames <amesr@interlog.com>
Mon, 17 Feb 1997 08:21:44 -0500
It seems that an effective way to attack an individual is to forge a Usenet
article purportedly from that person, and to include in the article
"admissions" or bigotted statements which would reflect poorly on his
character.  The forged article is then collected by Dejanews and similar
organizations and archived.  It becomes part of the Dejanews "profile" on
the supposed author.

I was one of the victims of a series of forgeries in August and September,
1996.  The perpetrator originated at ixc.net in New York, and then telnetted
to news.uu.net and other open news servers to post as the victim.  Although
I cancelled the forged article and posted a PGP-signed repudiation, the
article was still archived at Dejanews, and was recently used by someone to
"prove" that I had made statements which put me in a bad light.

Since this is a general problem which can impact on anyone, I feel it needs
to be discussed.  Perhaps news archivers should be under the same scrutiny
as credit reporting agencies.


Judge Shuts Down Another Cyberporn Scam (Edupage, 20 February 1997)

<educom@elanor.oit.unc.edu>
Thu, 20 Feb 1997 15:40:44 -0500
A federal district judge in New York has shut down an operation that lured
pornography-seekers into visiting Web sites that surreptitiously dialed a
telephone number in Moldova in the former Soviet Union, running up
exorbitant long-distance phone charges.  The scam is similar to several
others which have been uncovered in recent months.  A Web surfer is enticed
to visit sites with names such as sexygirls, beavisbutthead, and ladult,
which promise "All Nude All Free Pictures" and require that a special
"viewer" must be downloaded to review the images.  However, the viewer
contains software that turns off the user's local connection to an Internet
Service Provider and silently dials the number in Moldova.  The Federal
Trade Commission says this is "one of the most insidious scams" it has ever
seen.  (*The New York Times*, 20 Feb 1997; Edupage, 20 February 1997; see
RISKS-18.80 for the earlier story.)

  [A similar Reuters item was noted by Avi Rubin <rubin@research.att.com>.
  PGN]


Who made the call in the Moldova porn scam?

Doug Claar <dclaar@hprtnyc.ptp.hp.com>
Thu, 20 Feb 1997 00:35:44 -0800
The San Jose Mercury News online service, discussing the Moldova porn scam,
has two conflicting quotes, which raise an interesting question: Who is
responsible?  According to the article, The director of the FTC's Bureau of
Consumer Protection, says "The defendants in this case are using software to
hijack the computer's modem", which implies the defendants (who provided the
trojan program) are at fault.

Later on, the article quotes AT&T's security manager, Richard Petillo, who
said that the customers who were victimized are expected to pay their bills
because "The subscribers actually made the calls and it would be unfair to
other subscribers to offer those people the option of not paying the
charges."  So AT&T claims that the users are at fault, though they clearly
have a good reason to take that position, since they'll have to pay if the
customers don't.

Equating common sense and legal reality is always chancy, but if you steal
my car and commit a crime, I don't *think* that I would be found to be at
fault. But if you steal my phone line, AT&T thinks I'm at fault.

Doug Claar


Virus mailed out on PhotoDisc CD-ROM

"John C. Rivard" <jcr@mcs.com>
Wed, 19 Feb 1997 15:29:56 -0600
PhotoDisc Inc. (http://www.photodisc.com) sells digital stock photography.
They send out CD-ROM discs to their customers that contain mostly
low-resolution images that can be used for comping during page layout. You
pay to receive the high-resolution version for final production. The discs
can be read on Macintosh and Windows machines, and also includes an image
browser/catalog program, as well as Adobe Acrobat 3.0 (used to read the
included documentation).

Volume 4 of this disc arrived last week. Today I received a snail-mailed
letter dated February 13, 1997 from Tom Hughes, President of PhotoDisc Inc.,
RE: "Problem discovered with Acrobat Reader Software on Comping Disc 4." It
is directed to Macintosh users only, and warns against launching the Adobe
Acrobat software on this disc, because it is "corrupt" and "may result in
system file difficulties." The letter continues, "If you use an antiviral
utility, chances are good it's already caught the problem."

In the "unlikely event" that you have already "installed" Acrobat 3.0, the
company has provided a downloadable utility
(http://www.photodisc.com/solution) that can "rid your computer of all
corrupt files." This "utility" is John Norstad's excellent freeware
Macintosh anti-virus program, Disinfectant.

Of course, the problem isn't "corruption" at all; PhotoDisc distributed an
application infected with a virus, specifically MBDF B, a virus that has
been in the wild since at least February 1992. This virus, according to the
Disinfectant documentation, can spread and infect both applications and
system files.

I applaud PhotoDisc for taking prompt action, both in warning their users
and in sending a replacement disc.

However, I question their vagueness about and apparent unwillingness to
admit the true nature of the problem in their warning letter. Nowhere in
this letter does the word "virus" even occur.

I also have to fault them for not understanding and communicating correct
information about the problem: contrary to instructions in their letter and
on their web site, your system CAN be infected without installing or copying
the infected application. In fact, simply running Acrobat from the CD ROM
will infect the System file on the user's machine.

It's an old RISK: scan your golden master for virii! (And this was a really
OLD and well-known virus: Any Mac anti-virus software released in the last
four years would have caught this.)

PhotoDisc recommends destroying Comping Disc 4 if you use a Macintosh. They
will be sending a "clean, safe replacement disc" to all users, Windows
included, next week. This disc will also include Disinfectant.

John C. Rivard       http://www.mcs.net/~jcr/       mailto:jcr@mcs.com


Y2K "problem" in virus?

Jim Griffith <griffith@netcom.com>
Thu, 20 Feb 1997 17:10:25 -0800
Has anyone bothered to look and see if the Michaelangelo virus will be
bitten by the Y2K problem?  One can only hope...

Jim

  [How many virus creators are concerned with good
  software engineering practice?  Or does it matter?  PGN]


Mobile code security mailing list

Edward Felten <felten@CS.Princeton.EDU>
Wed, 19 Feb 1997 19:58:39 -0500
We are starting a moderated mailing list to discuss security issues relating
to mobile code systems like Java, ActiveX, and JavaScript.  To join, send
e-mail to majordomo@cs.princeton.edu; your message body should contain the
single line

"subscribe secure-mobile-code"

or if your desired TO: address is different from your FROM: address,

"subscribe secure-mobile-code" (append your TO: address here)


ActiveX basic problem

Paul Robinson <foryou@erols.com>
Wed, 19 Feb 1997 13:33:51 -0500
As it has been pointed out in *Dr. Dobbs' Journal*, an ActiveX control is no
less than a Windows Dynamic Link Library (DLL) that has all the power and
capability of any other DLL loaded on a Windows system, i.e.  any damn thing
it wants to do.

This alone should ring the death knell on use of ActiveX for anything other
than perhaps on an intranet behind a firewall that does not allow any
incoming traffic, and maybe not even then.

Paul Robinson, Evergreen Software


MS on the CCC ActiveX virus (fwd)

Lloyd Wood <L.Wood@surrey.ac.uk>
Fri, 21 Feb 1997 16:06:20 +0000 (GMT)
Here is Microsoft's official line on the security of ActiveX.

This leaves a very nasty taste in my mouth. The onus on the users to be
responsible with their tools, as usual, rather than on the developers to
create safer tools.  Lloyd
<URL:http://www.sat-net.com/L.Wood/><L.Wood@ieee.org>+44-1483-300800x3435

---------- Forwarded message ----------
Date: Fri, 21 Feb 1997 10:31:18 -0500
>From: glen mccready <glen@qnx.com>
Subject: MS on the CCC ActiveX virus
Forwarded-by: garman@phs.k12.ar.us (Jason Garman)
>From: Site Builder Network <sbn@MICROSOFT.COM>
Subject: SBN Wire: News Flash

Dear Site Builder Network Member,

Tomorrow, Microsoft will be posting the attached letter to our web site, and
sending it out to the Internet Explorer community.  In it, Brad Silverberg
addresses head-on the recent security questions facing the industry
regarding malicious, unsigned controls.  We know this issue is important to
you and your customers, and wanted to give you a heads-up.

For more information, check out http://www.microsoft.com/security

Tod Nielsen, General Manager, Developer Relations Group

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

>From the Office of Brad Silverberg
Senior Vice President
Microsoft Corporation
1 Microsoft Way
Redmond, WA  98052

Dear Internet Users Everywhere:

You may have heard reports about a malicious software program created and
demonstrated recently by the Chaos Computer Club (CCC) in Hamburg, Germany.
I want to personally assure you that Microsoft(R) Internet Explorer 3.0 has
the appropriate safeguards to protect against this type of threat.  By using
its default security level (High) that comes pre-set, Internet Explorer 3.0
will not download and run any "unsigned" control such as the one from the
CCC.

The CCC demonstrated its malicious executable code running on Microsoft
Internet Explorer 3.0, though they could just as easily have demonstrated a
similar attack on any other browser.  While it is unfortunate that hackers
have created this harmful program, it does point out the need for users to
act cautiously and responsibly on the Internet, just as they do in the
physical world.

Malicious code can be written and disguised in many ways - within
application macros, Java(tm) applets, ActiveX(tm) controls, Navigator
plug-ins, Macintosh(R) applications and more.  For that reason, with
Internet Explorer 3.0, Microsoft has initiated efforts to protect users
against these threats.  Microsoft Authenticode(tm) in Internet Explorer 3.0
is the only commercial technology in use today that identifies who published
executable code you might download from the Internet, and verifies that it
hasn't been altered since publication.

If users choose to change the default security level from High to Medium,
they still have the opportunity to protect themselves from unsigned code.
At a Medium setting, prior to downloading and running executable software on
your computer, Microsoft Internet Explorer presents you with a dialog either
displaying the publisher's certificate, or informing you that an "unsigned
control" can be run on your machine.  At that point, in either case, you are
in control and can decide how to proceed.

As you know, Microsoft is committed to giving users a rich computing
experience while providing appropriate safeguards.  Most useful and
productive applications need a wide range of system services, and would be
seriously limited in functionality without access to these services.  This
means that many Java applications will have to go "outside the sandbox" to
provide users with rich functionality.  By signing code, a developer can
take advantage of these rich services while giving users the authentication
and integrity safeguards they need.  Other firms such as Sun and Netscape
are following our lead, and have announced that they will also provide code
signing for Java applets. Microsoft will also be providing an enhanced Java
security model in the future, giving users and developers flexible levels of
functionality and security.

Microsoft takes the threat of malicious code very seriously.  It is a
problem that affects everyone in our industry.  This issue is not tied to
any specific vendor or group of people.  All of us that use computers for
work, education, or just plain fun need to be aware of potential risks and
use the precautions that can insure we all get the most out of our
computers. For this reason, we are committed to providing great safeguards
against these types of threats in Internet Explorer.  We expect hackers and
virus writers to get increasingly sophisticated but we pledge we'll continue
to keep you and us one step ahead of them.

Brad Silverberg

P.s. Be sure to check out our Web Executable Security Advisor at
http://www.microsoft.com/security


Microsoft "defends" ActiveX

Travis Winfrey <travis@lombard.com>
Thu, 20 Feb 1997 10:43:36 -0800
The site http://www.news.com/News/Item/0,4,8096,00.html?latest discusses the
MS response to the activeX/quicken bug where downloaded activeX applets can
actually transfer real money out of your bank account (bug not applicable in
America).  They point to this URL:
        http://www.microsoft.com/security/
which has this instant-classic paragraph, emphasis not in the original:

        While the Java sandbox enforces a high degree of security,
        it does not let users download and run exciting multimedia
        games or other full-featured programs on their computers.
    <EM>
        As a result, users may want to download code that has full
        access to their computers' resources.
    </EM>

Please report problems with the web pages to the maintainer