The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 69

Thursday 19 December 1996

Contents

o Bright Field crash in New Orleans computer related
PGN
o Bright Field: Risks of smart safety systems?
David Lesher
o Major denial-of-service attack on WebCom in San Francisco bay area
PGN
o Connecticut DPUC gets slammed
Daniel Pouzzner
o U.S. program export controls ruled unconstitutional in No.California
PGN
o German Cabinet Approves Internet Regulation
PGN
o More savings we can count on our fingers...
Jeffrey Sorensen
o URGENT! Major HOLE in NCSA httpd servers...
Matthew Healy
o Warning! Security risks with ActiveX!
B Fiero
o Re: November 1996 CACM article on InfoWar Defense
Geoff Kuenning
o Re: Software hunts and kills Net viruses
Gregory B. Sorkin
o First Workshop on Building and Using CORBAsec ORBs [urgent]
Richard Soley
o New Security Paradigms '97, call for papers
Yvo Desmedt
o Info on RISKS (comp.risks)

Bright Field crash in New Orleans computer related

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 17 Dec 96 8:49:42 PST
According to John Hammerschmidt of the NTSB, preliminary investigations into
the freighter *Bright Field* crashing into the Riverwalk in New Orleans
suggest that an oil-pump failure caused the ship's computer to automatically
reduce speed.  A standby pump kicked in, but under reduced power the ship's
maneuverability was decreased.  The impact cut a 200-foot swath into shops
and a hotel condominium complex, and the pedestrian walkway.  A language
barrier between the Chinese-speaking captain (and crew) and the
English-speaking pilot reportedly may also have contributed.  The
Liberian-registered 69,000-ton ship was not equipped with a U.S.-recommended
voice recorder, and a second voice recorder was not functioning.  Coast
Guard Captain Gordon Marsh confirmed that large ships lose steering power as
often as once a week.  [Source: various news items, including *San Francisco
Chronicle*, 17 Dec 1996]


Bright Field: Risks of smart safety systems?

David Lesher <wb8foz@netcom.com>
Tue, 17 Dec 1996 07:50:00 -0800 (PST)
[... see previous item ...]

The pilot appears to have performed a miraculous job of parallel-parking the
761-foot vessel in the 900-foot space between two heavily populated
entertainment boats.

The RISK? While [the automatic reactions] clearly saved an engine that
likely costs millions to rebuild, could the sacrifice of the engine have
prevented the collision?  Or would the engine have exploded, throwing LARGE
pieces around and killing people that way?

Is this the low-speed version of the Airbus dilemma -- who knows more, the
pilot or the computer?


Major denial-of-service attack on WebCom in San Francisco bay area

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 17 Dec 1996 08:56:06 -0500
A 200-message-per-second SYN-flood attack (see RISKS-18.45 for the precursor
PANIX attack, and RISKS-18.48 for some defenses) was launched against WebCom
(a large WWW service provider), affecting more than 3000 Web sites for 40
hours during most of what was otherwise a very busy shopping weekend.  The
attack began Saturday morning PST shortly after midnight.

The initial attack triggered an automatic pager warning.  WebCom engineers
then traced the attack back to PSINet.  Ten hours later PSINet traced it to
MCI lines.  MCI traced the attack route back to CANet, an ISP in Ontario,
and then back to BC.Net.  WebNet was unable to stanch the flood, so MCI
finally blocked all traffic from CANet to WebCom -- allowing WebCom to
restore service.

Apparently, WebCom had experienced a milder SYN attack the weekend before,
so it was better prepared than it might have been otherwise.

[Source: High-Tech Attack Shuts Down Web Provider in Santa Cruz, an AP item
written by but not attributed to Elizabeth Weise, seen in the *San Francisco
Chronicle*, 17 Dec 1996, C18.  PGN Stark Abstracting]

  ["Betty G. O'Hearn" <betty@infowar.com> submitted the entire AP item.]


Connecticut DPUC gets slammed

Daniel Pouzzner <douzzer@mit.edu>
Tue, 17 Dec 1996 13:53:22 -0500 (EST)
In an amusing twist on the now-tired practice of slamming, Connecticut's
Department of Public Utility Control (DPUC) had 6 of its 14 long-distance
lines switched involuntarily from MCI to Wiltel.  The story, run today (17
Dec) as a full-width headline on the front page of the Hartford Courant,
quotes a DPUC employee: "They did WHAT???  Excuse me, we're the DPUC, and we
got slammed?"

The change was orchestrated and confirmed by SNET, the local telephone
monopoly; SNET also confirmed that Wiltel (owned by WorldCom, of Jackson
Mississippi, and the fourth largest long distance carrier) had sent a
request to SNET that the switchover be made.

The practice of slamming is so common that it behooves regulators to
consider how the infrastructure might be altered to make the practice
impossible. As a starting point, the hand-written signature of the client
(or representative thereof) should be required for any change of service,
but future systems will surely involve digital signatures which are issued
on a per-call basis. As the line between packet-switched networks and
pseudocircuit-switched networks continues to blur, a new type of competition
will eventually come to the fore.  In the future, we should expect smart
telephones to automatically choose the cheapest route to a destination.

In the meantime, with customers essentially at the mercy of whimsical
telephony moguls, only two policies are viable: either avoid becoming
a dialtone customer in the first place (avoiding both slamming, and
outright theft of service by phone card and cell phone profile
trafficking rings), or be eternally vigilant.

-Daniel Pouzzner  Westport, CT


U.S. program export controls ruled unconstitutional in No.California

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 19 Dec 96 8:42:45 PST
U.S. District Judge Marilyn Hall Patel has ruled in favor of Daniel
Bernstein, whose Snuffle encryption program (and corresponding Unsnuffle for
decryption) had been considered a munition under the ITAR regulations -- and
therefore subject to export controls.  She ruled that the government
restrictions on the export of encryption programs are an unconstitutional
interference with freedom of speech.  However, the ruling does not extend to
the constitutionality of the export controls themselves.  Somewhat
curiously, the ruling is not applicable outside of California's Northern
District (e.g., Silicon Valley).

Earlier, dissemination of his research paper describing the algorithm had
been blocked by the State Department in 1993.  However, when that paper was
deemed distributable abroad in 1995, the distribution of the software itself
was still subject to export controls -- whereupon Bernstein sued.  (See
RISKS-18.05.)


German Cabinet Approves Internet Regulation

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 18 Dec 1996 03:34:31 -0500
German Chancellor Helmut Kohl's cabinet has approved a bill that seeks to
protect Internet users' privacy and prevent smut and Nazi propaganda.  The
new law covers businesses such as telebanking and database services, as well
as online services.  Perhaps redundantly, acts already prohibited in Germany
-- such as conducting fraudulent business -- will also be illegal
electronically.  Responsibility for suspect content is on the ``suppliers'',
not the service providers.  The law requires the use of ``digital
signatures''.  It bans certain forms of tracking of individual usage, and
encourages some anonymity.  It also calls for descriptors that would permit
automatic filtering of material unsuitable for minors.  [Sort of a minor's
lamp?]  [Source: a Reuters item, by Terence Gallagher, 11 Dec 1996, via
BEYOND THE FRINGE: vol 27 no 16, from: alm@znet.com, contributed in its
entirety to RISKS by Betty O'Hearn, betty@infowar.com 813-367-7277.  PGN
Stark Abstracting.]


More savings we can count on our fingers...

Jeffrey Sorensen <sorenj@alumni.rpi.edu>
Tue, 17 Dec 1996 10:54:03 -0500
Way back in RISKS-13.40, I complained about New York's plan to install
fingerprinting systems for welfare recipients.  Back then the fraud was
estimated to be between $150 million and $2 billion, give or take 3 decimal
places.

I now live in Connecticut, and the 12 Dec 1996 _New Haven Advocate_ reports
that the Connecticut fingerprinting system (to catch welfare recipients
"red-handed") cost $5.1 million.  The system has discovered six *possible*
cases of fraud out of 70,000 recipients.  That's $850,000 each for people
who receive $300 a month.

Of course, the state maintains that the system has worked as a scarecrow and
that an estimated 3,000 of the 7,000 people who never showed up to be
fingerprinted probably never will.  So there.

This isn't the first time that flimsy science is invoked in a hot-button
political issue.  Troubling questions remain:

    (1) Does the fingerprinting system work as intended, i.e. is it
        an accurate biometric device?  How many are wrongly accused of
        being welfare cheats?  How many cheats does the system miss?
    (2) How much fraud is there in the welfare system?  Approximately?
    (3) In the absence of answers to 1 & 2, how do we judge if these
        systems are worth their price?
    (4) Is it appropriate to subject welfare recipients to this
        additional burden, or is it intended to demean and demoralize
        an already disadvantaged group?
    (5) Of those who are afraid, for whatever reason, to be
        fingerprinted, how many are being denied legitimate benefits?
    (6) Who in the political system cares about any of this?

If things continue this way, the states will probably blow their block
grants on those new millimeter wavelength holographic imaging scanners...

sorenj@alumni.rpi.edu


URGENT! Major HOLE in NCSA httpd servers...

Matthew D. Healy <Matthew.Healy@yale.edu>
Wed, 18 Dec 1996 11:42:10 -0500
One of the utilities that comes with NCSA httpd -- a cgi program called phf
-- has a serious security hole.  With a suitable URL, it can be tricked into
sending the /etc/passwd file to any user.  A number of computers here at
Yale School of Medicine have been compromised in this manner.

To check whether YOUR password file has been downloaded:

egrep 'phf' /etc/httpd.dir/logs/access_log | grep 'passwd'
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (or wherever your WWW server log is)

When I checked the logs on our WWW servers, I found that people in several
different countries have recently downloaded /etc/passwd files.  So the bad
guys know about this one.  Many bad guys know about this one.

IF YOU HAVE BEEN HIT BY THIS, then:

1. disable the phf script until you can install a version that refuses
to display the password file

2. CHANGE YOUR PASSWORDS!  When you do, choose passwords that will resist
   cracking with a dictionary.  Remember that under most flavors of Unix
   only the first 8 characters of a password matter, so a password like
   apricot57tree is really just apricot5 to a cracker!

Matthew D. Healy Ph.D., Center for Medical Informatics, Yale School of Medicine
Matthew.Healy@yale.edu  http://paella.med.yale.edu/~healy
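The log check above is a plain substring grep, which misses a request that percent-encodes part of the string it looks for. The following is an added example, not code from Mr. Healy's post or from NCSA httpd: it parses NCSA Common Log Format lines, percent-decodes the request path before looking for a phf request that mentions the password file, and tallies hits per client host. The log lines are constructed for the example (RFC 5737 documentation addresses, placeholder query strings, not the actual malformed request); the function names are the author's own.

```python
"""Scan an NCSA-style access_log for phf requests that reference the password file."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (not from the original post). Line 4 encodes
# "passwd" as "pass%77d", which a literal grep does not match; line 6 is malformed.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Dec/1996:02:14:07 -0500] "GET /index.html HTTP/1.0" 200 1432
192.0.2.10 - - [15/Dec/1996:02:14:09 -0500] "GET /cgi-bin/phf?Qalias=x&Qname=%2Fetc%2Fpasswd HTTP/1.0" 200 1899
198.51.100.7 - - [15/Dec/1996:03:01:55 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 512
203.0.113.44 - - [16/Dec/1996:11:20:31 -0500] "GET /cgi-bin/phf?Qalias=x&Qname=%2Fetc%2Fpass%77d HTTP/1.0" 200 1899
203.0.113.44 - - [16/Dec/1996:11:20:40 -0500] "GET /docs/passwd-policy.html HTTP/1.0" 404 0
this line is not in Common Log Format
"""

# Common Log Format: host ident authuser [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def is_phf_passwd_request(path):
    """True when the request goes to the phf CGI and its query, after
    percent-decoding, mentions passwd. Decoding first is the point: a
    literal match on the raw line misses %2Fetc%2Fpasswd-style variants."""
    decoded = unquote(path)
    script, _, query = decoded.partition("?")
    return "phf" in script and "passwd" in query


def scan_access_log(lines):
    """Return (host, time, decoded path, status) for every matching request.
    Malformed lines are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line.rstrip("\n"))
        if not m:
            continue
        if is_phf_passwd_request(m["path"]):
            hits.append((m["host"], m["time"], unquote(m["path"]), int(m["status"])))
    return hits


def grep_style_hits(lines):
    """The post's  egrep 'phf' ... | grep 'passwd'  check, for comparison:
    literal substring matching only, no decoding."""
    return [line for line in lines if "phf" in line and "passwd" in line]


def summarize(hits):
    """Count hits per client host; a 200 status means the server answered."""
    return Counter(h[0] for h in hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = scan_access_log(lines)
    print(f"literal grep would flag {len(grep_style_hits(lines))} line(s)")
    print(f"decoded scan flags {len(hits)} request(s):")
    for host, when, path, status in hits:
        print(f"  {host} [{when}] {path} -> {status}")
    print("per host:", dict(summarize(hits)))
```

On the constructed sample the literal check flags one line while the decoding scan flags two, from two different hosts; on a real server, run it against the live access_log path in place of SAMPLE_LOG and treat any hit with a 200 status as a reason to follow the post's two steps.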


Warning! Security risks with ActiveX!

BFiero CT <bfieroct@aol.com>
17 Dec 1996 04:46:04 GMT
With Java, there was a sort of `Java virus' scare. Remember, anyone?  It
ended up being an application that put a load on your processor.  It was
real tough to hit that Back or Stop button in Netscape to stop the
application, and then not go to that site anymore. Java programmers were
quick to point out that the Java language can't access your operating system
at all, much less do any damage.

But with Microsoft's Active-X, there are many more serious concerns.  A
programmer can access your memory and disk i/o sub-systems using Microsoft's
Active-X. What does that mean? Well, ... the easiest thing a malicious
person would do is plant a virus quietly on your system, or simply delete
important files. But I believe Gates' plan is to be able to extract more
information from your system. What? Forget so soon that when you
electronically register Win95, your directory tree structure and other
information is sent to M.$.  with your registration info?

This is a quote from `Computerworld', December 2, 1996, Vol. 30 No. 49.
On page 139 you'll find ...

*_*_*_*_Quote Begin

FIX ACTIVE-X SECURITY PROBLEMS. Objects built with ActiveX can access system
resources on users' desktops, which can lead to security breaches or
corruption of PC data. Microsoft's answer is to provide certification the
ActiveX code comes from the developer that users think it comes from. But
that isn't good enough, said Oliver Pflug, president of SiteCast. Users must
"set up software to receive certificates, understand the entire process and
have a way of verifying the certificate," he said. "It's awkward."

*_*_*_*_Quote End

Is this what you want when using the Internet? To have to worry about
properly setting up software to prevent people from taking advantage of
M.S.'s intentional security flaws? And even then, this doesn't prevent a
`certified' content provider from accessing data from your system.

At Comdex it was finally made public knowledge that Billyboy plans on
creating a `Microsoft Java.' Why? Because as hard as Microsoft tried, it
couldn't take over and control the development of the real Java. So now
instead of supporting something that would be a good thing, Gates wants to
use strong-arm tactics to wipe out something that works well and replace it
with his versions and `visions' of how he feels it should be. Of course,
people are hard at work making M.S. Java incompatible with what is out there
now. And code is already being worked on that will enable M.S. Java to be
able to extract information from your system while you use the Web, just as
ActiveX does now.

It's bad enough that Microsoft can retrieve stuff from your hard drive, but
here's one thing I really fear ... As you may know, web pages are stored on
your hard disk in a cache as you view them. Frequently accessed sites can be
retrieved from there and displayed more quickly. But say someone writes some
Active-X or M.S. Java code to randomly grab a couple of those cache files
while you view their web page? Let's say they get one where you entered your
credit card # to order that rare Pink Floyd album from a record dealer on
the web. Or possibly a file on your disk that contains sensitive personal or
business information?

All I can say is... Be afraid of using M.S. products, be very afraid.


Re: November 1996 CACM article on InfoWar Defense (Cohen, RISKS-18.68)

Geoff Kuenning <geoff@ficus.cs.ucla.edu>
18 Dec 1996 00:21:34 GMT
I am quite surprised that our esteemed moderator allowed Mr. Cohen's rather
excitable, accusatory, and low-content article to be published as it
appeared.  Peter must have been having a busy day, or perhaps this was the
cleaned-up version.  [Geoff, You are kind.  But I try not to be a draconian
censor -- only a moderator.  Besides, it triggered *your* response.  PGN]

In any case, I fear that it is Mr. Cohen who misses the point.  The issue is
not one of cluelessness, it's one of priorities.  Mr. Cohen asks:

> Questions: Suppose we had absolute and perfect privacy but still had the
> current inadequate level of information assurance.
>
>    Could the phone system still be brought down? Yes
>    Could the power grid still be brought down? Yes
>    Could air traffic still be brought down? Yes
>    Does privacy protection solve the information assurance problem? NO!
>
> Question: Suppose we had absolute and perfect information assurance.
>
>    Could we still have perfect privacy? Probably

The point Mr. Cohen misses is that for some of us, privacy is vastly more
important than information assurance.  I'm not willing to accept his
"probably."  So all I have to do is turn his questions around, replacing all
of his yesses with "probably" or even just "maybe," note that we could then
have perfect privacy, and for me the decision is preferable.  It's hardly an
accident that the Founding Fathers of the United States chose to make law
enforcement more difficult than it has to be.

Some of us (e.g., many FBI employees) place security above liberty.  Others
prefer the reverse choice.  In neither case does that reflect on the quality
of our reasoning.

Mr. Cohen is not clueless, but neither am I.  I am, however, trying to be
somewhat more polite.

Geoff Kuenning  g.kuenning@ieee.org geoff@ITcorp.com
http://fmg-www.cs.ucla.edu/geoff/


Re: Software hunts and kills Net viruses (Rosbach, RISKS-18.65)

"Gregory B. Sorkin" <sorkin@watson.ibm.com>
Tue, 17 Dec 96 14:05:11 -0500
RISKS-18.65 contains an item "Software hunts and kills Net viruses" (Hans
A. Rosbach) that refers to a London *Times* article of the same title.  (The
*Sunday Times*, 1 Dec 1996, Innovations: Bits & Bytes.)  Curiously, the same
section of the Times includes articles entitled "Skull pins keep wigs in
place" and "Cheeseburgers are rich in cancer-fighting compounds".  (See
http://www.sunday-times.co.uk/news/
pages/sti/96/12/01/stiinnbit01003.html?1483095.)

Despite the fact that the article quotes me by name, as far as I know I was
not interviewed by the *London Times*, and certainly the article gives an
inaccurate account of IBM AntiVirus.

It is true that IBM AntiVirus contains a neural network which detects new
viruses by generalizing from old ones.  It is also true that we are building
towards an "immune system for cyberspace", whose functions will include an
automated analysis of any new virus detected on a machine, and transmission
of the results --- notably a procedure for removing the virus --- to
affiliated machines.  The prototype software is undergoing extensive
testing, and will not be released until we are confident of its reliability.

We would of course never design a program to spread to any system
whose owner hadn't explicitly arranged for it to be there, nor do we
have any release scheduled for this week.

For those interested in the technical details, let me also mention that
temporal difference learning has nothing to do with the neural network in
IBM AntiVirus.  Temporal difference learning was used for the very powerful
backgammon-playing neural network developed by Gerry Tesauro, and Gerry also
helped develop the anti-viral neural net, but there is no other connection
between the backgammon network and the anti-viral one.

For more information about computer viruses in general and
IBM AntiVirus in particular, please see http://www.av.ibm.com/

Gregory Sorkin, IBM T.J. Watson Research Center, 30 Saw Mill River Road
Hawthorne NY 10532  <sorkin@watson.ibm.com>


First Workshop on Building and Using CORBAsec ORBs [urgent]

Richard Mark Soley <soley@omg.org>
Wed, 18 Dec 1996 17:06:10 -0500
To Persons Interested in Security in Distributed Object Systems,
the deadline for workshop participation is 20 Dec 1996.

  FIRST WORKSHOP ON BUILDING AND USING CORBASEC ORBS
  Marriott Inner Harbor, Baltimore, MD 21201, 1-3 April 1997
  Co-Sponsored by the Object Management Group and the National Security Agency

The Object Management Group (OMG) CORBA specification includes security
protocols and services that are being widely adopted.  Unfortunately, a full
understanding of the strengths and weaknesses of the security aspects of the
CORBA standards requires experience with Object Oriented Technology,
Information Technology Security and operational system planning, development
and deployment. OMG is hosting this workshop to bring together individuals
with varying sets of these types of experience to examine, explain and
critique the adopted OMG security specifications and other similar and
related work.

The workshop approach will be to have individuals with the full range of
OOT, IT Security, and Operational System experience examine and discuss, in
turn, the content and meaning of the CORBA Security standards, the design
issues relevant to realizing the CORBA Security standards in ORBs, and the
design issues relevant to using ORBs meeting the CORBA Security standards as
the foundation for operational systems.

Interested individuals or organizations are invited to submit a brief
position statement of one printed page (or 60 80-character email lines of
text) outlining a position on one or more of the three major categories
[CORBA security standards, Secure ORB design issues, Secure ORB usage
issues] by 20 December 1996 to secws-submissions@omg.org .  [Contact Richard
Soley or David Chizmadia immediately for detailed information.  I did not
find it on the omg.org webpage.  PGN]

WORKSHOP COMMITTEE Co-Chairs:

Dr. Richard Soley                       Mr. David Chizmadia
Vice President & Technical Director     Office of INFOSEC Computer Research
Object Management Group                 National Security Agency
soley@omg.org                           dmc@tycho.ncsc.mil


New Security Paradigms '97, call for papers

"Dr. Yvo Desmedt" <desmedt@blatz.cs.uwm.edu>
Thu, 19 Dec 1996 00:09:12 -0600
                        PRELIMINARY CALL FOR PAPERS
                         NEW SECURITY PARADIGMS '97
A workshop sponsored by ACM and the University of Newcastle upon Tyne.
                  Langdale Hotel, Great Langdale, Cumbria, UK
                           23 - 26 September 1997

Paradigm shifts disrupt the status quo, destroy outdated ideas, and open the
way to new possibilities.  This workshop explores deficiencies of current
computer security paradigms and examines radical new models which address
those deficiencies.  Previous years' workshops have identified problematic
aspects of traditional security paradigms and explored a variety of possible
alternatives.  Participants have discussed alternative models for access
control, intrusion detection; new definitions of security, privacy, secrecy
and trust; biological and economic models of security; multiple policies;
and a wide variety of other topics.  The 1997 workshop will strike a balance
between building on the foundations laid in past years and exploring in new
directions.

  [This is an important workshop, but attendance is limited to about 25
  people.  Somewhat surprisingly, the committee folks in the full notice
  total 23, but I suppose that they are not all going to attend.  To
  participate, please get from Mary Ellen Zurko or Catherine Meadows the
  full information regarding your submitted paper, justification for your
  would-be invitation, and your commitment to attend all three days, which
  must be received by 4 April 1997.  PGN]

 E-mail to:                         newparadigms97@opengroup.org
 use anonymous FTP from:            ftp.cs.uwm.edu
           in directory:            /pub/new-paradigms
 Use World Wide Web from:           http://www.cs.uwm.edu/~new-paradigms

NEW SECURITY PARADIGMS '97 WORKSHOP ORGANIZERS
  Steering Committee:  Tom Haigh, Bob Blakley, Mary Ellen Zurko,
                       Catherine Meadows, John Dobson, Hilary Hosmer
  Workshop Co-Chair: Tom Haigh, voice: +1 (612) 628-2738,
    fax  : +1 (612) 628-2701, email: Haigh@sctc.com
    post : Tom Haigh, Secure Computing Corp., 2678 Long Lake Road
           Roseville, MN 55113  USA
  Workshop Co-Chair: Bob Blakley, voice: +1 (512) 838-8133
    fax  : +1 (512) 838-0156, email: blakley@vnet.ibm.com
    post : Bob Blakley, IBM, 11400 Burnet Road, Mail Stop 9134
           Austin, TX  78758  USA
  Program Committee Co-Chair: Mary Ellen Zurko, voice: +1 (617) 621-7231
    fax  : +1 (617) 621-8696, email: zurko@osf.org
    post : Mary Ellen Zurko, The Open Group Research Institute
           11 Cambridge Center, Cambridge, MA 02142  USA
  Program Committee Co-Chair: Catherine Meadows, voice: +1 (202) 767-3490
    fax  : +1 (202) 404-7942, email: Meadows@itd.nrl.navy.mil
    post : Catherine Meadows, Naval Research Laboratory Code 5543
           Washington, DC 20375  USA
