The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 84

Friday 21 February 1997

Contents

o Highly classified files copied by Croat teens?
PGN
o Windows 95 will crash in 2038!
David Perrell via Chuck Wozniak
o Year 2K and my VCR...
Nicholas C. Weaver
o Downloading UPS-captured Signatures
Sharif Torpis
o Re: Myths about digital signatures
Theodore Y. Ts'o
o Re: MS on the CCC ActiveX virus
Fred Cohen
Steve Kilbane
o ActiveX - a real world view
John Pettitt
o ActiveX exploitation code in iX 3/97
Thomas Koenig
o Re: Bank Sued for Racist E-Mail
Jon Seymour
o Re: Who made the call in the Moldova porn scam?
John Kohl
Marc Horowitz
o Info on RISKS (comp.risks)

Highly classified files copied by Croat teens?

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 20 Feb 97 19:30:43 PST
Dave Farber <farber@cis.upenn.edu> noted a 19 Feb 1997 Reuter report from
Zagreb indicating that 3 Croatian teenagers apparently broke Pentagon
protection codes on the Internet and copied classified files from the
Anderson nuclear installation and an unnamed satellite research center.
``The damage caused by the teenagers' destruction of high-profile protection
programs could reach half a million dollars,'' according to the Zagreb
daily, *Vecernji List*.  The three youths attend a special Zadar
math-science school.  ``Principal Zdravko Curko said the three had no
criminal intent and their `success' was a compliment to their education.''
[PGN Abstracting]

Might we suspect that the files were actually unclassified, that the $.5M is
overblown, and that the breakins did not require much high-tech attacks?
[Are they just looking for something to Cro-at?]


Windows 95 will crash in 2038!

<Chuck_Wozniak@quantumdata.com>
Tue, 17 Dec 96 08:30:19 -0800
Accidental Year 2096 in e-mail message crashes Navigator w/ Win 95

The following was posted to two HTML related mail lists. The individual had
his computer date accidentally set to 2096.  Any mail that he sent or posted
to a news group would crash the reader's computer if they were running
Netscape Navigator Mail under Windows 95. The entire content, with headers,
is supplied below.

Chuck Wozniak, Applications Engineer, Quantum Data, Inc.

 - - - - - - - - - - - - - - - -

Date: 11/25/96 7:59 AM
>From: "David Perrell" <davidp@earthlink.net>
Subject: Sorry if you crashed (W95 FYI: Chaos in 2038!)

It was brought to my attention that my posts to these lists have caused
Netscape Mail running on Win95 to crash.  I tried to test this by sending
myself a message but was unable to run NS Mail at all.

I'm glad to say I found the problem: In the course of a HD upgrade my system
clock had somehow built a 100-year bridge to the 21st century and was set to
2096. Subsequent testing shows that dates beyond 2038 cause many unwanted
side effects in Win95, including the aforementioned crashes when NS Mail
receives a message so dated.

Having returned to the present, I retrieved my previously sent test message
dated 2096, and, sure enough, NS Mail crashed.

Sorry if anyone experienced this problem. It was not intentional.

(Also sorry that I rewrote/resent a 'transparent text' post on www-style. I
thought one of these crashes had trashed the message.)

David Perrell


Year 2K and my VCR...

"Nicholas C. Weaver" <nweaver@CS.Berkeley.EDU>
Fri, 21 Feb 1997 10:23:24 -0800 (PST)
As one of the few people who actually PROGRAMS his VCR, it came as a shock
to me the realization that this piece of electronics (roughly two years old)
will fail in the year 2000.  One wonders how prevalent this problem is, in
embedded systems shipping today.  And I doubt there will be a bug fix for my
VCR.

Nicholas C. Weaver  nweaver@cs.berkeley.edu

  [Are you talking about something that will fail only at midnight, or
  forever after the midnight turnover going into 1 Jan 2000?  Furthermore,
  do you think the VCR makers are creative enough in their planned
  obsolescence to realize that this might be a nice way to induce you to
  buy a new VCR?  PGN]


Downloading UPS-captured Signatures

Sharif Torpis <storpis@redhead.pbi.net>
Tue, 18 Feb 1997 13:15:59 -0800 (PST)
>From a UPS ad in the Feb 1997 Wired:

  Once a signature is captured and downloaded to our mainframe, you can use
  UPS OnLine Tracking Software to view it. You can even print it. To get the
  software, just call 1-800-XXX-XXXX or visit our web site at www.ups.com.

Sure, we've all known about the capturing ever since UPS started doing it,
but now malicious users can add this to their toolbag. The more things
change the more they stay the same.

Sharif Torpis (storpis@pbi.net), Network Engineering, Pacific Bell Internet


Re: Myths about digital signatures (Felten, RISKS-18.83)

"Theodore Y. Ts'o" <tytso@MIT.EDU>
Fri, 21 Feb 1997 16:31:27 -0500
   * Myth 2: If X has signed a program, and I trust X, then it is safe for me
   to download the program.  [...]

Ed, It's even worse than what you described.  Even if X has carefully
managed his cryptographic keys, and X's security hasn't been penetrated, X
might not have designed the component carefully, or have executed a
competent implementation of that design.

For example, if an Active X component has a loophole where (with the right
document) said component can be induced to interpret and execute arbitrary
Visual Basic statements, even if the signer was honest, and legitimate, and
properly went through all of the Microsoft certification procedures, it
still might be possible to exploit a security bug in the Active X component.
The Java security model at least *thinks* about this issue, where as the
Active X approach completely punts about this concern.

So this is a double-edged RISK, combining the RISK of people not
understanding what the digital signature means, and the RISK of more and
more complex applications with powerful macro facilities being used in
interesting ways (the prime example being the Word concept virus; the
demarkation between code and data can get awfully blurry!).

Both of these RISKS aren't new ones, but when combined with the web and the
automatic downloading of Active X components, the potential for problems
caused by this combined set of RISKS is quite scary and sobering.

- Ted


Re: MS on the CCC ActiveX virus (RISKS-18.83)

Fred Cohen <fc@ca.sandia.gov>
Fri, 21 Feb 1997 11:46:11 -0800 (PST)
Re: SBN Wire: News Flash, Brad Silverberg

> You may have heard reports about a malicious software program created and
> demonstrated recently by the Chaos Computer Club (CCC) in Hamburg, Germany.
> I want to personally assure you that Microsoft(R) Internet Explorer 3.0 has
> the appropriate safeguards to protect against this type of threat.  By using
> its default security level (High) that comes pre-set, Internet Explorer 3.0
> will not download and run any "unsigned" control such as the one from the
> CCC.

I appreciate your insightful opinion on this matter, however...
    Anyone can get a signature key without authenticating their
        legitimacy.  It's relatively easy to break into a system and take a
        legitimate key.  The default may be changed by the user for one use
        and remain changed.  Other flaws in Explorer may be used to turn
        that feature on - then look out.

> The CCC demonstrated its malicious executable code running on Microsoft
> Internet Explorer 3.0, though they could just as easily have demonstrated a
> similar attack on any other browser.  While it is unfortunate that hackers
> have created this harmful program, it does point out the need for users to
> act cautiously and responsibly on the Internet, just as they do in the
> physical world.

I appreciate your insightful opinion on this matter, however...
    This is not accurate.  The very nature of ActiveX makes it
    impossible to operate it securely.  Unlike other vendors who
    make attempts at providing improved protection, ActiveX is a
    hole waiting to be exploited.

> Malicious code can be written and disguised in many ways - within
> application macros, Java(tm) applets, ActiveX(tm) controls, Navigator
> plug-ins, Macintosh(R) applications and more.  For that reason, with
> Internet Explorer 3.0, Microsoft has initiated efforts to protect users
> against these threats.  Microsoft Authenticode(tm) in Internet Explorer 3.0
> is the only commercial technology in use today that identifies who published
> executable code you might download from the Internet, and verifies that it
> hasn't been altered since publication.

I appreciate your insightful opinion on this matter, however...
    No disguise is needed for malicious ActiveX programs.  Any ActiveX
    program can potentially - either maliciously or by accident or even
    as a result of configuration differences, cause a system crash, the
    corruption or destruction of information and/or unlimited leakage
    and it doesn't depend on some hard-to-find hole in an otherwise
    secure application.  It is a direct result of the methods used by
    Microsoft, cannot be easily cured with any bug-fix.

> If users choose to change the default security level from High to Medium,
> they still have the opportunity to protect themselves from unsigned code.
> At a Medium setting, prior to downloading and running executable software on
> your computer, Microsoft Internet Explorer presents you with a dialog either
> displaying the publisher's certificate, or informing you that an "unsigned
> control" can be run on your machine.  At that point, in either case, you are
> in control and can decide how to proceed.

I appreciate your insightful opinion on this matter, however...
    Even if you choose wisely, ActiveX is a hole waiting to be exploited
    and provides essentially no protection.  As the folks at Microsoft
    know well, impediments are easily and commonly removed - and the
    use of the display box for popular applications is likely to result in
    the question being turned off in favor of easy access.

> As you know, Microsoft is committed to giving users a rich computing
> experience while providing appropriate safeguards.  Most useful and
> productive applications need a wide range of system services, and would be
> seriously limited in functionality without access to these services.  This
> means that many Java applications will have to go "outside the sandbox" to
> provide users with rich functionality.  By signing code, a developer can
> take advantage of these rich services while giving users the authentication
> and integrity safeguards they need.  Other firms such as Sun and Netscape
> are following our lead, and have announced that they will also provide code
> signing for Java applets. Microsoft will also be providing an enhanced Java
> security model in the future, giving users and developers flexible levels of
> functionality and security.

I appreciate your insightful opinion on this matter, however...
    "...while providing appropriate safeguards" is just not true.
    Microsoft has a long history of providing systems with no
    protection, and only recently introduced the first system with
    even mild protection in it's NT product.  Java provides a lot of
    functionality within the "sandbox", but I am not an advocate of
    Java either. The syle of computing being pushed out to consumers
    is inherently risky and must be implemented with substantial controls
    if it is to be used safely. But this is not Microsoft's goal.

    There is nothing wrong with having signatures, but it is no
        guarantee either.

> Microsoft takes the threat of malicious code very seriously.  It is a
> problem that affects everyone in our industry.  This issue is not tied to
> any specific vendor or group of people.  All of us that use computers for
> work, education, or just plain fun need to be aware of potential risks and
> use the precautions that can insure we all get the most out of our
> computers. For this reason, we are committed to providing great safeguards
> against these types of threats in Internet Explorer.  We expect hackers and
> virus writers to get increasingly sophisticated but we pledge we'll continue
> to keep you and us one step ahead of them.

I appreciate your insightful opinion on this matter, however...  Microsoft
    still has not addressed Work Macro viruses, PC viruses, Windows
    viruses, etc.  The claim that "Microsoft takes the threat of
    malicious code very seriously" is ludicrous on its face.  This is
    the same company that has distributed viruses to its customers because
    it didn't do adequate checking of its distributions for known viruses.
    This is the company whose Windows installation deleted all of the
    README files on a system when the user upgraded.  This is the same
    company that continues to ship software with inadequate protection.
    All of this "perception management" doesn't change the fact, and it
    shouldn't sway the readers of this letter either.

FC  [Fred Cohen can be reached at tel:510-294-2087 fax:510-294-1225]

  [NOTE: I usually truncate all but a salient excerpt from included message
  text on which a responder is commenting.  In this case, it would have
  required too much editing effort to delete the interstitiated originals
  and still convey the sense of the relevant references.  Your cross-reading
  effort would also have been much greater.  PGN]


Re: MS on the CCC ActiveX virus (RISKS-18.83)

<Steve_Kilbane@cegelecproj.co.uk>
Fri, 21 Feb 1997 17:38:47 GMT
> Other firms such as Sun and Netscape are following our lead, and have
> announced that they will also provide code signing for Java applets.

This is what annoys me most about this response: not only are Microsoft
attempting to justify giving away the family silver, but they're also trying
to imply that they're the ones responsible for the idea of code signing
(just like MS and IBM have been implying that they've recently invented
multitasking....).

When Java was announced at the Sun UK User Group conference back in '95,
Chuck McManis said that code signing was in the plan, and that the main
problem was the US export controls. He also commented that while exporting
decent authentication software wasn't allowed, Sun had been told that there
was nothing wrong, in principle, in shipping "a library for doing math with
really big numbers". :-)

I wasn't following Java back when it was called Oak and set-top boxes were
the name of the game, but I wouldn't be hugely surprised to discover that
signed code was part of the plan even then. Anyone with more authority care
to comment?

steve


ActiveX - a real world view

"John Pettitt" <jpp@cybersource.com>
Fri, 21 Feb 1997 14:44:07 -0800
While at a technical level, most of what has been said about ActiveX and
security is correct. It's worth noting that users take code from untrusted
sources all the time.  While the experience of users says that code they
download is mostly well intended (even if it has harmful bugs) it's going to
be a hard sell trying to convince them that a limited Java model is "better"
than ActiveX.

I'm using ActiveX on software.net (a restartable download control from
centric development).  Our experience it that it has a close to 100%
acceptance rate by users (as compared to less than 50% for Netscape plug
ins).  Certainly the cute "certificate" dialog has a very positive impact on
user confidence.

We're about to start signing all the downloads from software.net (we
download 1600+ commercial titles).  We had an interesting debate about the
ethics of signing other peoples code.  However the user perception issue won
out, we will sign the archives that we download (but not the applications
inside them).

In all the research we've done (and we download a lot of software) users big
perceived risk is that their credit card # will be stolen.  The idea that
the copy of Microsoft Word we download to them may not be the real thing
does not even feature.

John Pettitt, jpp@software.net, EVP, CyberSource Corporation, 408 260 6013


ActiveX exploitation code in iX 3/97

Thomas Koenig <ig25@mvmap66.ciw.uni-karlsruhe.de>
Fri, 21 Feb 1997 20:05:41 +0100 (MET)
iX Magazin 3/97 (a German computer magazine) has a fairly technical
article by Lutz Donnerhacke and Steffen Peter about the ActiveX hack.

Parts of the article can be found at
http://www.heise.de/ix/artikel/1997/03/090/code.shtml ; the exploitation
code is available at http://www.heise.de/ix/artikel/1997/03/090/code.shtml
(minus some delay loops).

Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de

  [iX = neun?  nein!  PGNeu'n]


Re: Bank Sued for Racist E-Mail (Kennedy, RISKS-18.83)

Jon Seymour <jon@zeta.org.au>
Sat, 22 Feb 1997 07:23:10 +1100
> :: Mail sent on Jan 28th.  Suit claims little or no action was taken against
> those who spread the message, although the company acknowledged an incident
> did take place and it was "putting into effect disciplinary actions" against
> the perpetrators.
>
> DMK Comment: Another company is being sued for objectionable content of
> employee computer use.

The corporation is being sued, I think, because it allegedly tolerates a
culture of racism. At least part of (perhaps all?) the evidence for this
happens to be an e-mail passed between employees.  How this e-mail came to the
attention of those who wish to sue has not been specified - at least by this
discussion.

There is a risk here if the courts were to find the corporation liable
because it failed to prevent the e-mail being distributed in the first place
(hardly practical or, indeed, desirable) or it is found responsible for the
attitudes of its employees _soley_ on the basis of such e-mail.

The relationships that existed between the people with whom the e-mail was
communicated are surely relevant. For example, if the e-mail was sent to
_all_ the white members of a group, but specifically not to the black
members of the same group by the supervisor of that group then I personally
think that might well be considered unprofessional behaviour in need of a
disciplinary response. If it was sent to the black members too then that
would either be stupid, tactless or both stupid and tactless.

If the e-mail was sent between friends then, yes, the ethics of the situation
are different, even if the ethics of the "humour" itself are not.

E-Mail should not, ipso facto, be eliminated as evidence simply because it is
e-mail. E-Mail happens to have the property, unlike the spoken word, of
automatically leaving traces of itself about the place. This means that,
technically, it is good evidence. Of course, one assumes that the e-mail in
question was not digitally signed and is therefore not _very_ good evidence
:-).

Of course, this is not to say that e-mail should always be used as
evidence. Clearly privacy concerns are important. If the e-mail in this case
came to light because a system administrator snooped it, then it probably
shouldn't qualify as evidence. If it came to light because one of its
recipients decided to divulge it then it's fair game.  What's the bet that
it came to light because someone printed it and pinned it to wall?

It would be interesting to learn more about the circumstances of this matter
and what the eventual outcome of the case is. One suspects that the media
will not report it unless there is something controversial about the ruling.

jon seymour


Re: Who made the call in the Moldova porn scam? (Claar, RISKS-18.83)

John Kohl <jtk@atria.com>
21 Feb 1997 14:04:46 -0500
I'd expect that the consumers affected would have the option of suing for
actual damages (i.e. phone charges) from the fraudulent scam operators.
This would be akin to having your car stolen and illegally parked--the
parking tickets would come to you as the registered owner of the vehicle.
You could attempt to get the thief to cover your costs (if you can identify
him/her :), or argue with the municipal parking clerk to waive them.

==John


Re: Who made the call in the Moldova porn scam? (Claar, RISKS-18.83)

Marc Horowitz <marc@cygnus.com>
21 Feb 1997 15:25:09 -0500
<> ... But if you steal my phone line, AT&T thinks I'm at fault.

This is an improper analogy.  A more proper analogy: If someone steals your
car, and crashes it into another car, totalling both, the owner of the other
car is not responsible.  If someone steals your phone line and makes lots of
calls, AT&T is not responsible.

The difference is that in the car situation, one or both insurance companies
will pick up the costs (in most states), and then try to recover from the
thief.  You probably don't have wire fraud insurance.  But perhaps AT&T
should.

In reality, such insurance would probably not be a good investment for
either AT&T or the insurance company, because wire fraud, unlike car theft,
is guaranteed to happen to AT&T.  Instead, AT&T increases rates a little (in
effect, implicitly selling you the wire fraud insurance) to cover the costs
of fraud.  This seems fair, because wire fraud is relatively unlikely for
any particular customer, just like car theft.

Of course, as you point out, AT&T is better off if they can make you pay for
it, but that doesn't mean AT&T is right, it just means they're acting in
self-interest, which is exactly what most of their shareholders would want.

Marc

Please report problems with the web pages to the maintainer

Top