An article in *The New York Times* 1 Feb 2000 details former CIA Director Deutch's use of unclassified Macintosh computers in his homes to store thousands of highly classified documents on the same computer he used to access AOL, Citibank's personal banking service, and other services. The investigation seems to have been delayed and perhaps limited as a result of Deutch's position.
It's old hat that personal computers (be they Windows, Macintosh, or UNIX-based) are inherently unsuitable for Multi-Level Security (MLS). What we see here is that even though all the proper procedures were in place, the human element is sufficient to undermine all of the technical controls. As long as we have people, we'll have RISKS!
Full article at http://www.nytimes.com/yr/mo/day/news/washpol/cia-impeach-deutch.html
CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
This advisory is being published jointly by the CERT Coordination Center, DoD-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND), the Federal Computer Incident Response Capability (FedCIRC), and the National Infrastructure Protection Center (NIPC).
Original release date: February 2, 2000
[Subsequently revised. Please pick up the latest version at http://www.cert.org/advisories/CA-2000-02.html and see http://www.cert.org/tech_tips/malicious_code_FAQ.html as well as a later note on disabling Java http://www.cert.org/tech_tips/malicious_code_FAQ.html#java . PGN]
Systems Affected
* Web browsers
* Web servers that dynamically generate pages based on unvalidated input
Overview
A web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user. [This is referred to as "cross-site scripting". Note that executables in the URL itself can have nasty effects. PGN]
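The advisory's point, that a dynamically generated page must encode untrusted input for the HTML context it lands in, shown as an added Python example (not part of the CERT advisory); the page templates, the sample input and the function names are constructed for illustration.

```python
import html

# Constructed sample input: a value an untrusted visitor might submit in a
# form field or query string; it carries markup rather than a plain name.
UNTRUSTED_NAME = '<script>alert("x")</script>'

TEXT_TEMPLATE = "<p>Hello, {name}!</p>"
ATTR_TEMPLATE = '<input type="text" value="{name}">'


def render_unsafe(name: str) -> str:
    """The defect the advisory describes: the value is interpolated into the
    generated page verbatim, so any tags or script it contains are parsed
    and executed by the visitor's browser."""
    return TEXT_TEMPLATE.format(name=name)


def render_text_safe(name: str) -> str:
    """Output encoding for an HTML text context: '<', '>' and '&' become
    character references, and the browser shows them as literal text."""
    return TEXT_TEMPLATE.format(name=html.escape(name, quote=False))


def render_attr_safe(name: str) -> str:
    """An attribute value additionally needs the quote characters encoded,
    otherwise the input could close the attribute; quote=True does that."""
    return ATTR_TEMPLATE.format(name=html.escape(name, quote=True))


def leaks_markup(page: str, user_value: str) -> bool:
    """Review check: does the raw, unencoded user value survive into the
    generated page? True means the browser would parse it as markup."""
    return user_value in page


if __name__ == "__main__":
    for page in (render_unsafe(UNTRUSTED_NAME),
                 render_text_safe(UNTRUSTED_NAME),
                 render_attr_safe(UNTRUSTED_NAME)):
        print(leaks_markup(page, UNTRUSTED_NAME), page)
```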
For almost the entire work week of 24 Jan 2000, failures of NSA computers caused an information blackout for intercepted messages. The failure was blamed by one report on a "system overload", by another report on a software problem. [Sources: NSA System Inoperative for Four Days, by Walter Pincus, *The Washington Post*, 30 Jan 2000, Page A2, http://www.washingtonpost.com/wp-dyn/articles/A49286-2000Jan29.html; Kinder, gentler NSA admits human frailties, Thomas C. Greene, http://www.theregister.co.uk/000131-000001.html]
On Wednesday, February 2, 2000, the Reserve Bank of Australia (RBA) formally announced an increase in the official interest rates of 0.5%.
The formal announcement was made at 09:30. However, in what turned out to be an embarrassing mistake for the RBA, 64 people were sent an e-mail at 09:24 (i.e., 6 minutes early) advising them of the rate increase. This was quite remarkable in itself, as the RBA has a near-legendary record of security.
The information proved to be very valuable for two reasons. Not only was the information available early to a very small segment of the market, the size of the rate increase was unexpected. Virtually the entire market had been expecting/predicting an increase of just 0.25%.
In the 6 minutes prior to 09:30, approximately AUD$3 billion worth of bill and bond futures were dumped on the market.
The record of trades at the Sydney Futures Exchange demonstrates the selling frenzy. When interest rates last rose, on November 3, 1999, 336 three-year bond futures contracts and 324 90-day bank bill futures were traded between 09:25 and 09:30. The corresponding trades preceding yesterday's announcement were 2,739 and 2,811.
To quote an unnamed trader: "Some people made a lot of money in those few minutes."
Source: *Sydney Morning Herald* (www.smh.com.au). Thursday Feb 3, 2000.
David Shaw, Alcatel Australia Limited david.firstname.lastname@example.org
Flight data displays such as airspeed and attitude indicators as well as navigation displays on modern commercial aircraft are nowadays electronic, replacing mechanical displays that were common until 10-15 years ago. Mechanical displays are often used as backup, although there are electronic backup displays available on the market. Mechanical displays were/are not susceptible to total outage. Airspeed indicators are basically differential barometers, and mechanical attitude indicators are gyroscopes.
According to Flight International's David Learmount (01-07.02.2000, p12), Electronic Flight Instrument System (EFIS) failure is the "main possibility" being looked at by the Swiss accident investigation people (BEAA) in the crash of the Crossair Saab 340B just after takeoff from Zuerich on 10 January. This was Crossair's first accident. I emphasise that the causes of the accident have not been established. It is hoped that the non-volatile memory on the EFIS displays can be recovered and read, to determine how what the pilots were seeing corresponds (or not!) with the flight profile recorded by the flight data recorder. (This is a benefit not provided by mechanical displays, although it would hardly make up for the susceptibility of EFIS to outages!)
EFIS failures have been noted in particular in incidents involving a Virgin A340 and a Martinair B767 (see the compendium Computer-Related Incidents With Commercial Aircraft on my WWW site). A Formosa Airlines Saab 340B descended into the ocean on 18 March 1998, and it has been rumored that one EFIS display was known before the flight not to be functioning.
Peter Ladkin, University of Bielefeld http://www.rvs.uni-bielefeld.de
*Flight International*, 11-17 Jan 2000, p29, reports that NASA has fixed "computer and antenna faults" on the Terra spacecraft, launched 18 Dec 1999. Terra is part of the Earth Observing System. "The main computer shut down shortly after launch because of a bug in the navigation software, according to NASA." The failure occurred a minute before the winter solstice, while the sun's position in the nav software was being updated.
On the other side of things, the antenna "was repaired by alterations to the software", at which one can only marvel. Maybe Uri Geller is now programming for a living. Or maybe they meant the problem was worked around.
Peter Ladkin ladkin@rvs.uni-bielefeld.de www.rvs.uni-bielefeld.de
In a venture with Microsoft and IBM, Minneapolis-based medical device company Medtronic will invest more than $230 million to develop a system that will allow heart patients to send cardiac data to cardiologists via the Internet, from their homes or remote locations worldwide. The company's medtronic.com division will be the focal point of a new Patient Management Business. [http://www.sjmercury.com/svtech/news/breaking/merc/docs/082323.htm, Reuters in *San Jose Mercury News*, 24 Jan 2000, via NewsScan Daily, 24 Jan 2000]
[On 31 Jan 2000] China's government plans to institute a rule requiring foreign firms in China to disclose what type of software they use for encrypting their electronic messages. Eventually, the companies must divulge details about employees using the software, making it easier for authorities to monitor personal and commercial Internet use. The new rules also bar Chinese companies from buying products containing foreign-designed encryption software, a move that could stymie the growth of Internet use in that country. Diplomatic missions are exempted, but the regulations cover the routers and servers that make up the backbone of China's networks, most of which came from foreign companies. "If IBM or Hewlett-Packard wants to sell an e-commerce Web server to China, it might have to isolate which parts relate to security" and find a Chinese company to write the software, says the director of the U.S. Information Technology Office's Beijing branch. "I don't think Chinese companies have that ability." [*Wall Street Journal*, 25 Jan 2000 http://interactive.wsj.com/articles/SB948739893578536271.htm via NewsScan Daily, 25 Jan 2000]
In a study conducted for the California HealthCare Foundation, the Georgetown University's Health Privacy Project has found that drkoop.com, webmd.com, ivillage.com, yahoo.com, onhealth.com, and other Web sites that provide information on health matters are cavalier about privacy practices: "The privacy policies of health Web sites do not match up with their own practices." Example: some companies share e-mail addresses and other visitor data even though their Web sites promised they would do no such thing. The companies are disputing the study findings. [Reuters/*San Jose Mercury News* 1 Feb 2000, http://www.sjmercury.com/svtech/news/breaking/internet/docs/160309l.htm; NewsScan Daily, 2 Feb 2000]
At 1400 EDT AT&T Business Internet Services (formerly IBM Global Network Internet Services) lost both primary and backup Domain Name Servers, resulting in the inability of AT&T Business Internet customers to use the service.
The DNS servers were back online a few minutes short of 2300 EDT.
The recent threads about information hiding in MS Outlook are quite timely as I've just recently discovered an interesting information hiding "feature" of MS Outlook.
I received an e-mail from an MS Outlook user that was transmitted to me via SMTP. The e-mail was in MIME multipart/alternative format and, as such, had two attachments: a plain text version of the e-mail content and another attachment with the exact same message in HTML format. Outlook has settings that let users control which format they sent Internet users e-mail in and this user has Outlook configured to send both versions (I believe that this is the default setting when sending to non-Exchange addresses).
I replied to this individual using Pine but then this individual responded saying that my message was received, but that there wasn't any additional text in it. I thought this strange as I can see in my sent-mail that I did reply with additional text. So, I sent the message again and again was told that there wasn't any text in the message.
It turns out that what was happening was that I had modified the plain text version of the multipart/alternative MIME message (which is the one that Pine opens as the actual message), but that when Pine sent the reply, it included the HTML "alternative" version as an attachment as well (although this was an alternative for the *original* message). Outlook then ignores the modified plain text version because it thinks that the attached HTML version is the same message, just in HTML. So, the recipient was seeing the original HTML message that I hadn't modified and was not able to see the plain text version. Outlook doesn't even list the plaintext version as an attachment so Outlook users cannot access the information there even if they wanted to!
Ironically, the text that Exchange or Outlook puts in the message header for non-MIME-compliant MUAs says "This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible."
Jason, AT&T Wireless Services, IT Security, UNIX Security Operations Specialist
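The mismatch described in the post, reproduced with Python's email package as an added example (not the poster's code): a reply that edits only the text/plain part of a multipart/alternative message while carrying the sender's original HTML part along, beside a reply that regenerates both parts and a pre-send check that would have caught the stale part. Message text and addresses are constructed placeholders.

```python
from email.message import EmailMessage
from html import escape

# Constructed sample content; addresses below are placeholders.
SENDER_TEXT = "Can you review the attached plan?"
ADDED_TEXT = "Reviewed; two comments are below."


def as_html(text: str) -> str:
    return "<html><body><p>" + escape(text) + "</p></body></html>"


def build_alternative(text: str, html_body: str) -> EmailMessage:
    """Builds a message the way the original sender's client did: a
    text/plain part plus a text/html alternative meant to carry the same content."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    msg.add_alternative(html_body, subtype="html")
    return msg


def rendered_by(msg: EmailMessage, preferred: str) -> str:
    """What a client displays: an Outlook-like reader prefers 'html',
    a Pine-like reader prefers 'plain'."""
    return msg.get_body(preferencelist=(preferred,)).get_content()


def reply_like_pine(original: EmailMessage, added: str) -> EmailMessage:
    """The failure in the post: the reply text goes into the text/plain part
    while the sender's old HTML alternative is carried along unchanged."""
    return build_alternative(rendered_by(original, "plain") + "\n" + added,
                             rendered_by(original, "html"))


def reply_consistent(original: EmailMessage, added: str) -> EmailMessage:
    """Fix: regenerate every alternative from the edited text (or send
    text/plain only) so an HTML-preferring reader sees the edit too."""
    text = rendered_by(original, "plain") + "\n" + added
    return build_alternative(text, as_html(text))


def alternatives_disagree(msg: EmailMessage) -> bool:
    """Pre-send check: each non-blank text/plain line should appear in the
    HTML alternative; a missing line means the HTML part is stale."""
    html_part = rendered_by(msg, "html")
    return any(escape(line) not in html_part
               for line in rendered_by(msg, "plain").splitlines() if line.strip())


ORIGINAL = build_alternative(SENDER_TEXT, as_html(SENDER_TEXT))
```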
The following is a message I received via my subscription to this security jobs list. I have to wonder - if anyone answers it, what will happen... Will they get the job, or will they be investigated by the FBI, NSA, etc. I know that I would NOT answer it. Of course, I also have to wonder who the US Military will be targeting should they hire someone with the attributes desired. [Assuming they even can trust that individual...]
What next? What is the risk to the rest of us? Does anyone really think a security jobs listserve has only US subscribers?
R.S. (Bob) Heuman, Toronto, ON, Canada
> FROM: Drissel, James W. <james.drissel@CMET.AF.MIL>
> DATE: January 27, 2000 16:18
> TO: SECURITYJOBS@SECURITYFOCUS.COM <SECURITYJOBS@SECURITYFOCUS.COM>
> Subject: Virus coder wanted
> Computer Sciences Corporation in San Antonio, TX is looking for a good
> virus coder. Applicants must be willing to work at Kelly AFB in San
> Antonio. Other exploit experience is helpful.
> Send Resumes/questions to email@example.com
[Although RISKS generally avoids running job ads, and especially Advirusements, this one has some interesting RISKS-Related Ramifications. R-R&R? PGN]
(Was: Lessons of Y2K, Toby Gottfried, RISKS-20.77) This is backwards? ORGANISMS DO NOT ADAPT TO THEIR ENVIRONMENT. That is a fallacy called adaptionism!!! Evolution works by not anticipating the need for solutions but having enough disparate solutions so that, given a problem, it's likely that there will be a solution that works. This resiliency is the real reason that Y2K was a nonissue. Systems as brittle as the ones posited by the Y2K theorists don't work in practice and have largely been eliminated from the ecosystem. New brittleness will be discovered and some will be replaced by small scale alternatives and other failures may be larger scale. The big danger is the hubris associated with the notion that we must have a vision to avoid pitfalls. Of course we shouldn't be stupid and should anticipate obvious problems. But it is far more important to assume that we will continue to be surprised and need to have enough "fat" available to survive problems. It's also foolish to posit that we must model safety on static systems and limit our possibilities to what we can do unaided and unenhanced. If we eschew mechanical aids, why should we be more tolerant of cognitive aids such as logic, reason and testing which often confound common sense and faith. In nature (to personify emergent behavior) systems only function in riskful dynamic states. The static state for an organism or other ecosystem is called death. The conversion of necessities into luxuries is most natural. Skin, for example, is no longer an option. Nature can't be fooled but we can do a fine job in deluding ourselves.
In an essay I'm writing, I was reminded of the book *Fatal Words* by Steven Cushing [ISBN 0-226-13201-3]. It's about misunderstandings between pilots and instructions from the ground and other consequences of the World War II communications and avionics still in use. A great example of what happens when certification and irrational fear of risk prevent improvements in technology and safety. Bob Frankston http://www.Frankston.com
Articles written during the first week or so of 2000 on abcnews.com have a misdated notice at the bottom of the page: "Copyright (C)1999 ABC News Internet Ventures." However, the dateline (which shows the place, month, and day, but usually omits the year) and the URL (which has an embedded date of the form YYMMDD) together clearly mark the article's date. One can still view articles exhibiting this glitch, for example: http://www.abcnews.go.com/sections/science/DailyNews/clone_cells000105.html I notified abcnews.com Tech Support on January 6, and within several days, all new articles had the correct copyright year. This leads me to believe that abcnews.com may use a hardcoded copyright year, which someone forgot to update in a timely fashion. I wonder how many programs and systems out there require manual year rollover ... in this case, the slipup was of little consequence. Dave Glicksberg -- firstname.lastname@example.org
Greetings. The current version of the PFIR (People For Internet Responsibility) "Issues" document, and a status report regarding PFIR activities, are now available via the PFIR Web site at: http://www.pfir.org The issues document covers a wide range of important Internet and Web topics. It is (and will continue to be) a work in progress, and while quite comprehensive is undergoing rapid expansion. Many of the topics relate to privacy issues, technology risks, and other matters that should be of interest to current and potential Internet users. Your input and comments regarding both of these documents would be very much appreciated via the e-mail addresses indicated within the docs themselves. Thanks very much. --Lauren-- email@example.com Lauren Weinstein Moderator, PRIVACY Forum - http://www.vortex.com Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org Member, ACM Committee on Computers and Public Policy
Call For Papers New Security Paradigms Workshop 2000 An ACM/SIGSAC sponsored workshop 19 - 21 September 2000 Ballycotton, County Cork, Ireland http://www.nspw.org/ [This is a very small but remarkably insightful workshop, in its 8th year. Registration is limited by acceptance of submitted papers and justifications for why you should attend. If you wish to participate, FIRST contact both Program Chairs -- Cristina Serban (firstname.lastname@example.org) and Brenda Timmerman (email@example.com) soon. Final submissions are due toward the end of March. Some further information will be emerging at http://www.nspw.org/ . PGN]