The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 78

Sunday 6 February 2000

Contents

o CIA Director Deutch and MLS
Jeremy Epstein
o CERT Advisory CA-2000-02
CERT Advisory
o NSA system inoperative for four days
PGN
o Leak lets 64 get rich quick
David Shaw
o EFIS failure main suspect in Crossair crash
Peter B. Ladkin
o Terra spacecraft problems
Peter B. Ladkin
o Patients will be able to wear their hearts on the Internet
NewsScan
o Yahoo suit compares cookies to stalking
NewsScan
o China to require encryption information
NewsScan
o Study criticizes health sites for privacy intrusions
NewsScan
o AT&T Business Internet Service DNS major outage 28 Jan 2000
Randy Holcomb
o More risks with MS Outlook
Jason Axley
o Who is at risk with this virus advertisement?
Bob Heuman
o Organisms do not adapt to their environment!
Bob Frankston
o *Fatal Words*
Bob Frankston
o abcnews.com manually updates copyright year
David Glicksberg
o People For Internet Responsibility issues and status report
Lauren Weinstein
o New Security Paradigms Workshop 2000: Call For Papers
Crispin Cowan
o Info on RISKS (comp.risks)

CIA Director Deutch and MLS

Jeremy Epstein <jepstein@monumental.com>
Tue, 1 Feb 2000 09:40:14 -0500 (EST)

An article in *The New York Times* 1 Feb 2000 details former CIA Director Deutch's use of unclassified Macintosh computers in his homes to store thousands of highly classified documents on the same computer he used to access AOL, Citibank's personal banking service, and other services. The investigation seems to have been delayed and perhaps limited as a result of Deutch's position.

It's old hat that personal computers (be they Windows, Macintosh, or UNIX-based) are inherently unsuitable for Multi-Level Security (MLS). What we see here is that even though all the proper procedures were in place, the human element is sufficient to undermine all of the technical controls. As long as we have people, we'll have RISKS!

Full article at http://www.nytimes.com/yr/mo/day/news/washpol/cia-impeach-deutch.html

[Multilevel security may not seem to be an issue here *internally* because John Deutch had access to all of the information on his systems, considered as SYSTEM HIGH -- that is all logically at the highest level. However, surfing the (unclassified) Web is clearly a NO-NO from such a machine. RISKS readers are of course familiar with the risks of Web browsing. However, an added note in this case was the report that the visited sites included a porn site. Deutch apparently denied having accessed porn any sites, suggesting that it might have been done by one of his offspring? If that is indeed true, it would make the presence of highly classified information on a multiuser workstation even more untenable. (On one hand, even if such a PC claimed to be multilevel secure, that would be a VERY BAD misuse. On the other hand, RISKS readers know how one can be duped into visiting sites other than what was expected, as in clicking on whitehouse.com instead of whitehouse.gov, or in clicking on a Trojan-horsed URL.) PGN]

CERT Advisory CA-2000-02

CERT Advisory <cert-advisory@cert.org>
Wed, 2 Feb 2000 12:23:25 -0500 (EST)
CERT Advisory CA-2000-02
Malicious HTML Tags Embedded in Client Web Requests

This advisory is being published jointly by the CERT Coordination Center,
DoD-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND),
the Federal Computer Incident Response Capability (FedCIRC), and the
National Infrastructure Protection Center (NIPC).

   Original release date: February 2, 2000
   [Subsequently revised.  Please pick up the latest version at
    http://www.cert.org/advisories/CA-2000-02.html
   and see
    http://www.cert.org/tech_tips/malicious_code_FAQ.html
   as well as a later note on disabling Java
    http://www.cert.org/tech_tips/malicious_code_FAQ.html#java
   .  PGN]

Systems Affected
     * Web browsers
     * Web servers that dynamically generate pages based on unvalidated
       input

Overview
   A web site may inadvertently include malicious HTML tags or script in
   a dynamically generated page based on unvalidated input from
   untrustworthy sources. This can be a problem when a web server does
   not adequately ensure that generated pages are properly encoded to
   prevent unintended execution of scripts, and when input is not
   validated to prevent malicious HTML from being presented to the user.

   [This is referred to as "cross-site scripting".  Note that
   executables in the URL itself can have nasty effects.  PGN]


NSA system inoperative for four days

"Peter G. Neumann" <Neumann@CSL.sri.com>
Sun, 30 Jan 2000 04:31:15 -0500
For almost the entire work week of 24 Jan 2000, failures of NSA computers
caused an information blackout for intercepted messages.  The failure was
blamed by one report on a ``system overload'', by another report on a
software problem.  [Sources: NSA System Inoperative for Four Days,
by Walter Pincus, *The Washington Post*, 30 Jan 2000, Page A2,
http://www.washingtonpost.com/wp-dyn/articles/A49286-2000Jan29.html;
Kinder, gentler NSA admits human frailties, Thomas C. Greene,
http://www.theregister.co.uk/000131-000001.html]


Leak lets 64 get rich quick

David Shaw <David.Shaw@alcatel.com.au>
Fri, 4 Feb 2000 11:54:27 +1100

On Wednesday, February 2, 2000, the Reserve Bank of Australia (RBA) formally announced an increase in the official interest rates of 0.5%.

The formal announcement was made at 09:30. However, in what turned out to be an embarrassing mistake for the RBA, 64 people were sent an e-mail at 09:24 (i.e., 6 minutes early) advising them of the rate increase. This was quite remarkable in itself, as the RBA has a near-legendary record of security.

The information proved to be very valuable for two reasons. Not only was the information available early to a very small segment of the market, the size of the rate increase was unexpected. Virtually the entire market had been expecting/predicting an increase of just 0.25%.

In the 6 minutes prior to 09:30, approximately AUD$3 billion worth of bill and bond futures were dumped on the market.

The record of trades at the Sydney Futures Exchange demonstrates the selling frenzy. When interest rates last rose, on November 3, 1999, 336 three-year bond futures contracts and 324 90-day bank bill futures were traded between 09:25 and 09:30. The corresponding trades preceding yesterday's announcement were 2,739 and 2,811.

To quote an unnamed trader: "Some people made a lot of money in those few minutes."

Source: *Sydney Morning Herald* (www.smh.com.au). Thursday Feb 3, 2000.

David Shaw, Alcatel Australia Limited

david.shaw@alcatel.com.au



EFIS failure main suspect in Crossair crash

"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>
Wed, 02 Feb 2000 11:07:21 +0100

Flight data displays such as airspeed and attitude indicators as well as navigation displays on modern commercial aircraft are nowadays electronic, replacing mechanical displays that were common until 10-15 years ago. Mechanical displays are often used as backup, although there are electronic backup displays available on the market. Mechanical displays were/are not susceptible to total outage. Airspeed indicators are basically differential barometers, and mechanical attitude indicators are gyroscopes.

According to Flight International's David Learmount (01-07.02.2000, p12), Electronic Flight Instrument System (EFIS) failure is the "main possibility" being looked at by the Swiss accident investigation people (BEAA) in the crash of the Crossair Saab 340B just after takeoff from Zuerich on 10 January. This was Crossair's first accident. I emphasise that the causes of the accident have not been established. It is hoped that the non-volatile memory on the EFIS displays can be recovered and read, to determine how what the pilots were seeing corresponds (or not!) with the flight profile recorded by the flight data recorder. (This is a benefit not provided by mechanical displays, although it would hardly make up for the susceptibility of EFIS to outages!)

EFIS failures have been noted in particular in incidents involving a Virgin A340 and a Martinair B767 (see the compendium Computer-Related Incidents With Commercial Aircraft on my WWW site). A Formosa Airlines Saab 340B descended into the ocean on 18 March 1998, and it has been rumored that one EFIS display was known before the flight not to be functioning.

Peter Ladkin, University of Bielefeld

http://www.rvs.uni-bielefeld.de



Terra spacecraft problems

"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>
Wed, 12 Jan 2000 11:06:42 +0100

*Flight International*, 11-17 Jan 2000, p29, reports that NASA has fixed "computer and antenna faults" on the Terra spacecraft, launched 18 Dec 1999. Terra is part of the Earth Observing System. "The main computer shut down shortly after launch because of a bug in the navigation software, according to NASA." The failure occurred a minute before the winter solstice, while the sun's position in the nav software was being updated.

On the other side of things, the antenna "was repaired by alterations to the software", at which one can only marvel. Maybe Uri Geller is now programming for a living. Or maybe they meant the problem was worked around.

Peter Ladkin

ladkin@rvs.uni-bielefeld.de www.rvs.uni-bielefeld.de



Patients will be able to wear their hearts on the Internet

"NewsScan" <newsscan@newsscan.com>
Mon, 24 Jan 2000 09:25:03 -0700

In a venture with Microsoft and IBM, Minneapolis-based medical device company Medtronic will invest more than $230 million to develop a system that will allow heart patients to send cardiac data to cardiologists via the Internet, from their homes or remote locations worldwide. The company's medtronic.com division will be the focal point of a new Patient Management Business. [http://www.sjmercury.com/svtech/news/breaking/merc/docs/082323.htm, Reuters in *San Jose Mercury News*, 24 Jan 2000, via NewsScan Daily, 24 Jan 2000]

[And what about the reverse direction? Would you like to have YOUR heart interactively controllable by doctors and insurance companies and everyone else on the Internet? PGN]

Yahoo suit compares cookies to stalking

"NewsScan" <newsscan@newsscan.com>
Mon, 31 Jan 2000 08:09:56 -0700

A lawsuit filed by Dallas-based Universal Image Inc. accuses Yahoo! of violating Texas law when it collects "cookies" from Web site visitors. "We think the court will declare the use of cookies illegal in Texas," says Universal attorney Lawrence Friedman. "It is electronic stalking. It violates the eavesdropping statutes, and from a civil aspect it's an invasion of privacy." Friedman says he plans to file a class-action lawsuit against the company. Meanwhile, DoubleClick was sued last week by a California woman who claims the online ad company illegally collected and sold her personal and demographic data. [ZDNet/MSNBC 28 Jan 2000) http://www.msnbc.com/news/363455.asp; NewsScan Daily, 31 Jan 2000]


China to require encryption information

"NewsScan" <newsscan@newsscan.com>
Tue, 25 Jan 2000 08:18:19 -0700

[On 31 Jan 2000] China's government plans to institute a rule requiring foreign firms in China to disclose what type of software they use for encrypting their electronic messages. Eventually, the companies must divulge details about employees using the software, making it easier for authorities to monitor personal and commercial Internet use. The new rules also bar Chinese companies from buying products containing foreign-designed encryption software, a move that could stymie the growth of Internet use in that country. Diplomatic missions are exempted, but the regulations cover the routers and servers that make up the backbone of China's networks, most of which came from foreign companies. "If IBM or Hewlett-Packard wants to sell an e-commerce Web server to China, it might have to isolate which parts relate to security" and find a Chinese company to write the software, says the director of the U.S. Information Technology Office's Beijing branch. "I don't think Chinese companies have that ability." [*Wall Street Journal*, 25 Jan 2000 http://interactive.wsj.com/articles/SB948739893578536271.htm via NewsScan Daily, 25 Jan 2000]

[According to later reports, very few are signing up. PGN]

Study criticizes health sites for privacy intrusions

"NewsScan" <newsscan@newsscan.com>
Wed, 02 Feb 2000 09:39:09 -0700

In a study conducted for the California HealthCare Foundation, the Georgetown University's Health Privacy Project has found that drkoop.com, webmd.com, ivillage.com, yahoo.com, onhealth.com, and other Web sites that provide information on health matters are cavalier about privacy practices: "The privacy policies of health Web sites do not match up with their own practices." Example: some companies share e-mail addresses and other visitor data even though their Web sites promised they would do no such thing. The companies are disputing the study findings. [Reuters/*San Jose Mercury News* 1 Feb 2000, http://www.sjmercury.com/svtech/news/breaking/internet/docs/160309l.htm; NewsScan Daily, 2 Feb 2000]


AT&T Business Internet Service DNS major outage 28 Jan 2000

"Randy Holcomb" <randy_holcomb@attglobal.net>
Fri, 28 Jan 2000 23:24:58 -0600

At 1400 EDT AT&T Business Internet Services (formerly IBM Global Network Internet Services) lost both primary and backup Domain Name Servers; resulting in the inability of AT&T Business Internet Customers to use the service.

The DNS's were back online a few minutes short of 2300 EDT.


More risks with MS Outlook

Jason Axley <jason.axley@attws.com>
Tue, 1 Feb 2000 10:05:34 -0800 (PST)

The recent threads about information hiding in MS Outlook are quite timely as I've just recently discovered an interesting information hiding "feature" of MS Outlook.

I received an e-mail from an MS Outlook user that was transmitted to me via SMTP. The e-mail was in MIME multipart/alternative format and, as such, had two attachments: a plain text version of the e-mail content and another attachment with the exact same message in HTML format. Outlook has settings that let users control which format they sent Internet users e-mail in and this user has Outlook configured to send both versions (I believe that this is the default setting when sending to non-Exchange addresses).

I replied to this individual using Pine but then this individual responded saying that my message was received, but that there wasn't any additional text in it. I thought this strange as I can see in my sent-mail that I did reply with additional text. So, I sent the message again and again was told that there wasn't any text in the message.

It turns out that what was happening was that I had modified the plain text version of the multipart/alternative MIME message (which is the one that Pine opens as the actual message), but that when Pine sent the reply, it included the HTML "alternative" version as an attachment as well (although this was an alternative for the *original* message) Outlook then ignores the modified plain text version because it thinks that the attached HTML version is the same message, just in HTML. So, the recipient was seeing the original HTML message that I hadn't modified and was not able to see the plan text version. Outlook doesn't even list the plaintext version as an attachment so Outlook users cannot access the information there even if they wanted to!

Ironically, the text that Exchange or Outlook puts in the message header for non-MIME-compliant MUAs says "This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible."

Jason AT&T Wireless Services, IT Security UNIX Security Operations Specialist


Who is at risk with this virus advertisement?

"R.S. \(Bob\) Heuman" <rsh@idirect.com>
Sat, 29 Jan 2000 21:03:52 -0500

The following is a message I received via my subscription to this security jobs list. I have to wonder - if anyone answers it, what will happen... Will they get the job, or will they be investigated by the FBI, NSA, etc. I know that I would NOT answer it. Of course, I also have to wonder who the US Military will be targetting should they hire someone with the attributes desired. [Assuming they even can trust that individual...]

What next? What is the risk to the rest of us? Does anyone really think a security jobs listserve has only US subscribers?

R.S. (Bob) Heuman, Toronto, ON, Canada

> FROM: Drissel, James W. <james.drissel@CMET.AF.MIL>
> DATE: January 27, 2000 16:18
> TO: SECURITYJOBS@SECURITYFOCUS.COM <SECURITYJOBS@SECURITYFOCUS.COM>

> Subject: Virus coder wanted

> Computer Sciences Corporation in San Antonio, TX is looking for a good
> virus coder.  Applicants must be willing to work at Kelly AFB in San
> Antonio.  Other exploit experience is helpful.

> Send Resumes/questions to james.drissel@cmet.af.mil

  [Although RISKS generally avoids running job ads, and especially
  Advirusements, this one has some interesting RISKS-Related Ramifications.
  R-R&R? PGN]


Organisms do not adapt to their environment!

"Bob Frankston" <rmf2gRisks@bobf.Frankston.com>
Mon, 31 Jan 2000 12:41:37 -0500
(Was: Lessons of Y2K, Toby Gottfried, RISKS-20.77)

This is backwards?

ORGANISMS DO NOT ADAPT TO THEIR ENVIRONMENT. That is a fallacy called
adaptionism!!!

Evolution works by not anticipating the need for solutions but having enough
disparate solutions so that, given a problem, it's likely that there will be
a solution that works.

This resiliency is the real reason that Y2K was a nonissue. Systems as
brittle as the ones posited by the Y2K theorists don't work in practice and
have largely been eliminated from the ecosystem. New brittleness will be
discovered and some will be replaced by small scale alternatives and other
failures may be larger scale.

The big danger is the hubris associated with the notion that we must have a
vision to avoid pitfalls. Of course we shouldn't be stupid and should
anticipate obvious problems. But it is far more important to assume that we
will continue to surprised and need to have enough "fat" available to
survive problems.

It's also foolish to posit that we must model safety on static systems and
limit our possibilities to what we can do unaided and unenhanced. If we
eschew mechanical aids, why should we be more tolerant of cognitive aids
such as logic, reason and testing which often confound common sense and
faith.

In nature (to personify emergent behavior) systems only function in riskful
dynamic states. The static state for an organism or other ecosystem is
called death. The conversion of necessities into luxuries is most natural.
Skin, for example, is no longer an option.

Nature can't be fooled but we can do a fine job in deluding ourselves.


*Fatal Words*

"Bob Frankston" <rmf2gOther@bobf.Frankston.com>
Sun, 6 Feb 2000 01:54:47 -0500
In an essay I'm writing, I was reminded of the book *Fatal Words* by Steven
Cushing [ISBN 0-226-13201-3].  It's about misunderstandings between pilots
and instructions from the ground and other consequences of the World War II
communications and avionics still in use. A great example of what happens
when certification and irrational fear of risk prevent improvements in
technology and safety.

Bob Frankston  http://www.Frankston.com


abcnews.com manually updates copyright year

David Glicksberg <davidg@bourbaki.jpl.nasa.gov>
Wed, 2 Feb 2000 21:01:17 -0800 (PST)
Articles written during the first week or so of 2000 on abcnews.com have
a misdated notice at the bottom of the page:  "Copyright (C)1999 ABC
News Internet Ventures."  However, the dateline (which shows the place,
month, and day, but usually omits the year) and the URL (which has an
embedded date of the form YYMMDD) together clearly mark the article's
date.  One can still view articles exhibiting this glitch, for example:

http://www.abcnews.go.com/sections/science/DailyNews/clone_cells000105.html

I notified abcnews.com Tech Support on January 6, and within several days,
all new articles had the correct copyright year.  This leads me to believe
that abcnews.com may use a hardcoded copyright year, which someone forgot
to update in a timely fashion.

I wonder how many programs and systems out there require manual year
rollover ... in this case, the slipup was of little consequence.

Dave Glicksberg -- glicksbergd@acm.org


People For Internet Responsibility issues and status report

Lauren Weinstein; PRIVACY Forum Moderator <lauren@vortex.com>
Sat, 5 Feb 2000 21:15 PST
Greetings.  The current version of the PFIR (People For Internet
Responsibility) "Issues" document, and a status report regarding PFIR
activities, are now available via the PFIR Web site at:

   http://www.pfir.org

The issues document covers a wide range of important Internet and Web topics.
It is (and will continue to be) a work in progress, and while quite
comprehensive is undergoing rapid expansion.  Many of the topics relate to
privacy issues, technology risks, and other matters that should be of
interest to current and potential Internet users.

Your input and comments regarding both of these documents would be very much
appreciated via the e-mail addresses indicated within the docs
themselves.

Thanks very much.

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy


New Security Paradigms Workshop 2000: Call For Papers

Crispin Cowan <crispin@wirex.com>
Sat, 29 Jan 2000 03:34:42 +0000
                            Call For Papers
                  New Security Paradigms Workshop 2000
                    An ACM/SIGSAC sponsored workshop
                         19 - 21 September 2000
                   Ballycotton, County Cork, Ireland
                          http://www.nspw.org/

  [This is a very small but remarkably insightful workshop, in its 8th year.
  Registration is limited by acceptance of submitted papers and
  justifications for why you should attend.  If you wish to participate,
  FIRST contact both Program Chairs -- Cristina Serban (cserban@att.com)
  and Brenda Timmerman (btimmer@ecs.csun.edu) soon.  Final submissions are
  due toward the end of March.  Some further information will be emerging at
    http://www.nspw.org/ .  PGN]

Please report problems with the web pages to the maintainer

Top