The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 66

Weds 1 December 1999

Contents

o ATM User Trapped for 9 Hours
Jack Burke
o Dell loses five days' production time to FunLove Virus
Mich Kabay
o Risk of portable signs
Geoff Speare
o Irish telephone network outage brings Y2K fears
Dermot Casey
o Firestation fire blamed on Y2K computer fix
Kevin Whelan
o Halifax suspends net share dealing over security flaw
Nigel Cole
o Hacker links Staples to online rival Office Depot
Mich Kabay
o Risks of "anonymous" e-mail accounts
Bruce Schneier
o Sticky fingers with e-mail
Peter Wayner
o Privacy breach + plaintext passwords + denial of service
David Mediavilla
o Netscape 4.7 Danger: "Active" Newsgroup Messages
John David Galt
o Expanding, Embracing, Devouring: IE 5.0 Task Scheduler Elevates
RA Downes
o No bounds checking in Microsoft RTF controls
RA Downes
o More on DVD encryption cracked
Bruce Schneier
o Computer virus tears through companies
Dave Farber
o Info on RISKS (comp.risks)

ATM User Trapped for 9 Hours

Jack Burke <jfb3@mindspring.com>
Sun, 28 Nov 1999 12:40:10 -0500
Talk about poor planning by a New Jersey bank--I can't believe that no one
thought of this situation.

The short version:  a bank's inside-the-lobby ATM machine was being used by
a man when the lobby's outside doors automatically locked at 9pm on
Thanksgiving evening.  There was no alarm button (apparently not even a
fire alarm lever), no emergency exit, and no way out until the bank manager
showed up the next morning (although I wonder why he didn't break the door
or window to escape).

The man rightfully closed his account the next day.

http://www.apbnews.com/newscenter/breakingnews/1999/11/27/trapped1127_01.html

  [Also noted by Daniel P. B. Smith]


Dell loses five days' production time to FunLove Virus

Mich Kabay <mkabay@compuserve.com>
Mon, 22 Nov 1999 13:48:50 -0500
Dell Computer's plant in Cork,[*] Ireland suffered five days of downtime
after the company discovered that 500 of its computers had been infected
with the FunLove virus.  Staff had to track down the source of the infection
and eradicate the virus from all its systems.  Paul Taylor (Reuters) wrote,
"the attack is regarded as one of the most damaging seen in Europe."  In
addition to the lost production time, the incident damaged customer
relations, with some customers complaining about the delay in delivery of
their systems.

M. E. Kabay, PhD, CISSP / Director of Education
R&D Group, ICSA Labs <http://www.icsa.net>

  [Subsequent added note: Limerick City, not Cork?  PGN]


Risk of portable signs

Geoff Speare <geoff@igcn.com>
Mon, 22 Nov 1999 09:45:20 -0500
The highway I use in my commute to work has been under construction for
several months. The construction people were kind enough to park a portable
sign unit (LCD display, 3 lines of 8 chars, readable from the car) a couple
miles before the construction site. Normally, this sign warns of things
like blasting, change in traffic patterns, etc. However, this morning, the
sign read:

  BATTERYS
    NEED
  CHARGING

The risk? That a generation will grow up thinking that "batteries" is
spelled with a Y...

Geoff Speare <geoff@igcn.com>


Irish telephone network outage brings Y2K fears

"Casey, Dermot (CAP, GCF)" <Dermot.Casey@gecapital.com>
Tue, 23 Nov 1999 09:25:57 +0100
To summarise Eircom Ireland main teleco had a major failure last Friday
afternoon. An upgrade which took place either Thursday night or Friday
morning failed. When they switched to backup systems these also failure due
to some embedded "software bugs" as described on the radio. The collapse of
the first exchange caused a domino effect on exchanges in the centre of
Dublin and businesses were left without a service from about 2.30 p.m to
6.00 p.m. Some 80,000 land-lines were effected initially, but this rose
significantly as other exchanges were hit. People making calls to numbers in
the affected areas were unable to reach them.  To compound the problem
Eircoms Cell phone customers in the same area where left without service due
to an independant problem. The countrys other mobile network Esat was
unaffected.  A few interesting points, why do people insist on upgrading
during the working week when the risks are obvious.  The second is this was
Eircoms first big test for disaster recovery and it didn't come out very
well. The Irish Telecoms Users Group has questioned Eircoms Y2K preparedness
based on this incident. An Eircom spokesperson said that they were Y2K ready
( 25 million project, 70 dedicated staff over a number of years) but
admitted there were likely to be "glitches" in the system.  see the Irish
Times Archive for text of a story covering the incident.
http://www.ireland.com/scripts/search/highlight.plx?TextRes=eircom&Path=/new
spaper/finance/1999/1120/fin50.htm


Firestation fire blamed on Y2K computer fix

Kev <kwhelan@gamma.aei.ca>
Mon, 22 Nov 1999 00:59:04 -0500
This past Tuesday's *Montreal Gazette* reports a fire that caused $500,000
damage to a local fire station.  The fire started when one of the firemen
left french fries cooking when responding to an alarm. The breaker system
designed to cut off power to the stove when this occurs had been
disconnected ... because it was incompatible with the new Y2K compatible
computer system recently installed!!!

In addition to the irony of a fire destroying the fire station and a safety
system being disconnected because it's incompatible to the new computer
system, the station had recently been the object of a successful community
effort to save the historic old building from destruction during a
development project.

According to a city official a patch is required to make the power cut off
system compatible with the new system. No details were given regarding the
hardware or software for either the new Y2K system or the power cut off
system.

Ah, the risks of avoiding risks!

Kevin Whelan <kwhelan@mail.aei.ca>


Halifax suspends net share dealing over security flaw

Nigel Cole <postmaster@zebekia.demon.co.uk>
Fri, 26 Nov 1999 20:33:54 +0000
I originally caught this on CEEFAX teletext service in the UK, but
(naturally) it's also on the web:

http://news.bbc.co.uk/hi/english/business/newsid_538000/538285.stm

Summary: The Halifax (a UK bank) has suspended its online share dealing
service after a serious security flaw was found. The flaw made it
possible for customers to not only see other customers' accounts, but
also to buy and sell shares from them.

Dr. Nigel Cole   postmaster@zebekia.demon.co.uk

  [also noted by David Stringer-Calvert in the *Yorkshire Evening Press*,
  27 Nov 1999]


Hacker links Staples to online rival Office Depot

Mich Kabay <mkabay@compuserve.com>
Tue, 30 Nov 1999 12:51:32 -0500
On 9 Oct 1999, someone breached security on the Staples Web site and
redirected browsers to the Web site of Office Depot, the victim's major
competitor.  On 30 Nov 1999, Staples announced on that it filed a federal
"John Doe" lawsuit against its assailant(s) claiming damages for lost
business and for the recovery effort.  Staples and Office Depot both said
they doubted that Office Depot was in any way responsible for the attack.

M. E. Kabay, PhD, CISSP / Director of Education
R&D Group, ICSA Labs <http://www.icsa.net>


Risks of "anonymous" e-mail accounts

Bruce Schneier <schneier@counterpane.com>
Tue, 30 Nov 1999 15:20:17 -0600
Someone sent a bomb threat from an account from an account named
shadowmega@hotmail.com.  The police contacted Hotmail, and found that the
Hotmail account had been accessed at a particular date and time, using an IP
address owned by America Online.  Using the AOL information, police
identified exactly who was using that IP address at that time and were able
to trace the sender to his apartment in Brooklyn.

Full story:
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2324068,00.html

Moral: Don't assume that your anonymous e-mail account is anonymous.

Bruce Schneier, CTO, Counterpane Internet Security, Inc.  Ph: 612-823-1098
3031 Tisch Way, 100 Plaza East, San Jose, CA 95128       Fax: 612-823-1590


Sticky fingers with e-mail

Peter Wayner <pcw@flyzone.com>
Tue, 23 Nov 1999 07:51:52 -0500
According to the AP, a company which acted both as an ISP and a bookseller
would use its position in the chain of e-mail to intercept e-mail messages
between Amazon and customers who had accounts at the ISP. The ISP apparently
used the information to try to gain a competitive advantage as it entered
the business. New management settled for a fine of $250,000. There was no
mention if the ISP maintained the ability to turn its rack of servers into
40-bit crypto crackers.


Privacy breach + plaintext passwords + denial of service

<David Mediavilla>
Wed, 1 Dec 1999 19:42:23 +0100
I left my resume at JobUniverse http://www.idg.es/JobUniverse/curriculum.asp,
a Spanish job search site.  The site claims to keep personal data safe and
to have registered with the Spanish Personal Data Agency (See my post on
RISKS-20.65 http://catless.ncl.ac.uk/Risks/20.65.html#subj15 )

On 30 Nov 1999, I received e-mail reminding me of updating the resume.
It was politely signed by some Javier Nieto, director of IDG.ES. It included
my e-mail address and the password I used. This is a risk but not very high.

The problem comes when they sent to some addresses (not all) another message
including in To: field lots of e-mail addresses (I printed one and it covers
4 pages). In the body, the reminder text including the e-mail address
_and_password_ of lots of subscribers. I haven't counted them but the
message weighs 170-190 KB (57 pages).  And better, they sent this message
several times. I received 12, others 182 or 48 copies.

After several hours, they removed the resume service from the web.

So privacy breach + plaintext passwords + denial of service. I haven't heard
about viruses... yet.

David Mediavilla Ezquibela  <davidme.forum@bigfootNOSPAM.com>


Netscape 4.7 Danger: "Active" Newsgroup Messages

<John_David_Galt@acm.org>
Wed, 01 Dec 1999 13:11:15 -0800
Last night, I encountered the newsgroup spam message quoted in full below.
As soon as it is viewed, it causes my browser, Netscape Communicator 4.7, to
load an unwanted web page -- even though I have preferences set to disable
Java and JavaScript in news and mail messages.  (The ">" I have added on
each line disables this "feature.")

This behavior, of course, opens one's system to all the kinds of mischief
a hostile web page can do, from giving spammers your e-mail address to
running mischievous Java applets or viruses on your machine.  Yet when I
complained of this on Netscape's forum (the netscape.communicator
newsgroup hosted at secnews.netscape.com), it was laughed off and they
appear to have no intention of doing anything about it.

No browser has any business ever loading a URL unless the user requests it!

John David Galt

> Message-ID: <3841D1F1.C01EAA5D@softcom.net>
> Date: Sun, 28 Nov 1999 17:08:01 -0800
> From: "Jonathan H. Ballard" <cybertronix@softcom.net>
> Organization: Cybertronix
> X-Mailer: Mozilla 4.51 [en] (X11; I; FreeBSD 3.2-RELEASE i386)
> X-Accept-Language: en
> MIME-Version: 1.0
> Newsgroups: ca.test, ca.driving, ca.earthquakes, ca.environment, ca.general
> Subject: HOPE
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: 7bit
> NNTP-Posting-Host: 209.160.172.191
> X-Trace: 30 Nov 1999 17:06:02 -0800, 209.160.172.191
> Lines: 12
> Path:
news-west.eli.net!sdd.hp.com!enews.sgi.com!news.idt.net!howland.erols.net!newsfeed.fast.net!uunet!ffx.uu.net!news.sac.bfp.net!209.160.172.191
> Xref: news-west.eli.net ca.test:900 ca.driving:6671 ca.earthquakes:1464 ca.environment:3407 ca.general:17258
>
>
> --
>  cybertronix@softcom.net  jon.ballard@usa.net
>    http://www.softcom.net/users/cybertronix
>       Save a Tree -> Know How to eMail
>  ;)         CopyRight Ballard


Expanding, Embracing, Devouring: IE 5.0 Task Scheduler Elevates

<main@radsoft.net>
Tue, 30 Nov 1999 17:59:03 +0000
Re:
  http://www.ntsecurity.net/go/load.asp?iD=/security/tasksched.htm

What this article will demonstrate is that installing a web browser from
Microsoft changes the topology of the underlying operating system - even
on Windows NT.

Ken Thompson used to say, "keep your hands off the drivers." With all
the ridiculous crashes IE4 and IE5 have been guilty of, it's obvious
Microsoft has never heeded that good advice.

Instead, they now muck about with the innards of your operating system
when all they're really supposed to do is install a user mode
application.

The mind boggles.

RA Downes, Radsoft Laboratories  http://www.radsoft.net


No bounds checking in Microsoft RTF controls

<main@radsoft.net>
Thu, 25 Nov 1999 14:08:50 +0000
I am speechless. Totally speechless. And for reasons which might become
clearer later, I have a lump in my throat. This is not funny anymore.
Dammit, it is not. I am mad.

The morning mailbox contained a newsletter on NT security, and this
newsletter had an article about an attack on the Microsoft Rich Edit
(RTF) controls. The URL given is:

  http://www.ntsecurity.net/go/load.asp?iD=/security/richedit1.htm

As there are a few discrepancies in the RTF code reproduced there, I
made the mistake of assuming that this was a limited problem. But after
disconnecting and thinking about the matter a bit (thinking still does
have its advantages, even in this age when, thanks to Microsoft,
information is at your fingertips) I realized it was "easy peasy" to
crash any of Microsoft's Rich Edit (RTF) controls any time I wanted, and
set about doing so.

But let's make sure everyone is up to speed before we continue.

RTF is a Microsoft invention (or so they claim) for formatting text. RTF
stands for "Rich Text Format", thereof the description "Rich Edit" often
used to describe this "technology". Microsoft encapsulates this
"technology" all over the place, in their Office suite, in FrontPage,
and in two resident system DLLs, RICHED32.DLL and RICHED20.DLL. Again,
the attack works on _any_ version of the DLL, and not just one or the
other as the article at the above URL implies.

RTF consists of a number of "tokens" all introduced with the (you
guessed it) backslash. An RTF file is always enclosed in braces (what
good this does no one knows, next question please) and after the initial
opening brace the token "\rtf1" should follow immediately. (The article
online at the URL above incorrectly gives this token as "\rtf" - the '1'
on the end, to the best of my knowledge, is necessary.)

As the article states, the buffer used for interpreting RTF tokens seems
to be 36 bytes. This is such a ridiculous magic number it's not funny. I
can't get past this one at all. The backslash is regarded as part of the
token in this context: thus any character sequence beginning with a
backslash and continuing with at least 35 characters before the next
token will send the control south.

Also, RTF tokens are considered to conform to the American alphabet: any
non American alphabetic character in a token will in effect break the
token and avoid the attack.

Another tidbit that might prove beneficial to readers: the initial MS
Rich Edit control, Riched32.DLL, was written in C, the follow up,
Riched20.DLL (sic) is written in C++, and Microsoft probably regards
this latter DLL as a vast improvement, which it is not. But as this
attack works on all generations of the control it can be concluded that
the same brain dead code snippet is in effect here in all cases.

The buffer for parsing an RTF token is 36 bytes (including backslash
character)  - and no checks are used in the code to make sure the buffer
does not overflow.

There is evidence in the disassembly of a character pointer being
incremented with the postfix ++ operator - that the loop not check that
this pointer is within bounds really and truly boggles the mind.

I can think of hundreds, thousands, hundreds of thousands of loops I
have written and seen over the years, everyone of course having a bounds
check built in. I mean, this is very _basic_ programming, isn't it?

  for (cp = buf; cp < buf + BUFSIZE; cp++)
    /* * */

I mean, this is all really very _elementary_, isn't it? Tell me I'm
wrong! Please, someone, _anyone_, tell me I'm wrong!!!!

I used to think so. But now that "Redmond RuleZ", who knows what goes
anymore? The real pity is that in a week, as everyone becomes aware of
this issue and what is behind it, that people will just end up
_accepting_ it. Crimenee!!!!

This RTF control in all its generations is one of the most used controls
from the Microsoft arsenal. That this control be subject to the
kindergarten programming practices of Redmond is more than at least this
author can stomach.

This is absolutely horrendous. I feel literally physically sick. This is
not funny any more.

RA Downes

PS. As this affects almost everyone using any kind of PC program
anywhere, I guess I'll just have to devote the rest of this day to
writing a wrapper to protect us. The idea is simple: send all references
to RTF editors to the wrapper instead, which will first parse the file
for evidence of malignant tokens, and then pass the file on to the
target editor if all is in order - or otherwise issue a warning and drop
the matter entirely. Drop me a line if you have any ideas. As Microsoft
will probably handle this "issue" as so many others - i.e. ignore it -
and as I rather trust my own code at this point far more than I trust
Microsoft's (nil trust there to be honest) I think we have to take
matters into our own hands.

RA Downes, Radsoft Laboratories  http://www.radsoft.net


More on DVD encryption cracked (RISKS-20.64-65)

Bruce Schneier <schneier@counterpane.com>
Mon, 29 Nov 1999 21:58:40 -0600
The scheme to protect DVDs has been broken.  There are now freeware programs
on the net that remove the copy protection on DVDs, allowing them to be
played, edited, and copied without restriction.

This should be no surprise to anyone, least of all to the entertainment
industry.

The protection scheme is seriously flawed in several ways.  Each DVD is
encrypted with something called Content Scrambling System (CCS).  It has a
40-bit key.  (I have no idea why.  The NSA and the FBI shouldn't care about
DVD encryption.  There aren't any encrypted terrorist movies they need to
watch.)  It's not even a very good algorithm.  But even if the encryption
were triple-DES, this scheme would be flawed.

Every DVD player, including hardware consoles that plug into your
television and software players that you can download to your computer, has
its own unique unlock key.  (Actually, each has several.  I don't know
why.)  This key is used to unlock the decryption key on each DVD.  A DVD
has 400 copies of the same unique decryption key, each encrypted with every
unlock code.  Note the global secret:  if you manage to get one unlock key
for one player, you can decrypt every DVD.

But even if this were all perfect, the scheme could never work.

The flaw is in the security model.  The software player eventually gets the
decryption key, decrypts the DVD, and displays it on the screen.  That
decrypted DVD data is on the computer.  It has to be; there's no other way
to display it on the screen.  No matter how good the encryption scheme is,
the DVD data is available in plaintext to anyone who can write a computer
program to take it.

And so is the decryption key.  The computer has to decrypt the DVD.  The
decryption key has to be in the computer.  So the decryption key is
available, in the clear, to anyone who knows where to look.  It's protected
by an unlock key, but the reader has to unlock it.

The DVD software manufacturers were supposed to disguise the decryption
program, and possibly the playing program, using some sort of software
obfuscation techniques.  These techniques have never worked for very long;
they only seem to force hackers to spend a couple of extra weeks figuring
out how the software works.  I've written about this previously in relation
to software copy protection; you can't obfuscate software.

It might be a bitter pill for the entertainment industry to swallow, but
software content protection does not work.  It cannot work.  You can
distribute encrypted content, but in order for it to be read, viewed, or
listened to, it must be turned into plaintext.  If it must be turned into
plaintext, the computer must have a copy of the key and the algorithm to
turn it into plaintext.  A clever enough hacker with good enough debugging
tools will always be able to reverse-engineer the algorithm, get the key, or
just capture the plaintext after decryption.  And he can write a software
program that allows others to do it automatically.  This cannot be stopped.

If you assume secure hardware, the scheme works.  (In fact, the industry
wants to extend the system all the way to the monitor, and eventually do the
decryption there.)  The attack works because the hacker can run a debugger
and other programming tools.  If the decryption device and the viewing
device (it must be both) is inside a tamperproof piece of hardware, the
hacker is stuck.  He can't reverse-engineer anything.  But tamperproof
hardware is largely a myth, so in reality this would just be another barrier
that someone will eventually overcome.  Digital content protection just
doesn't work; ask anyone who tried software copy protection.

One more lesson and an observation.

The lesson: This is yet another example of an industry meeting in secret and
designing a proprietary encryption algorithm and protocol that ends up being
embarrassingly weak.  I never understand why people don't use open,
published, trusted encryption algorithms and protocols.  They're always
better.

The observation: The "solution" that the entertainment industry has been
pushing for is to make reverse-engineering illegal.  They managed in the
United States: the Digital Millennium Copyright Act includes provisions to
this effect, despite the protests of the scientific and civil rights
communities.  (Yes, you can go to jail for possessing a debugger.)  They got
a similar law passed in the UK.  They're working on the EU.  This "solution"
does not work and makes no sense.

First, unless reverse-engineering is illegal everywhere on the planet, [and
UCITA would like to do that; PGN] someone will be able to do it somewhere.
And one person is all you need; he can write software that everyone else
uses.  Second, the reverse-engineer can -- as in this case -- work
anonymously.  Laws wouldn't have helped in this case.  And third, laws can't
put the cat back into the bag.  Even if you could catch and prosecute the
hackers who did this, it wouldn't affect the hacker tools that have already
been, and continue to be, written.

What the entertainment industry can do, and what they have done in this
case, is use legal threats to slow the spread of these tools.  So far the
industry has threatened legal actions against people who have put these
software tools on their Web sites.  The result will be that these tools will
exist on hacker Web sites, but will never be in public-domain software --
Linux, for example.

The fatal flaw is that the entertainment industry is lazy, and is
attempting to find a technological solution to what is a legal problem.  It
is illegal to steal copyrights and trademarks, whether it is a DVD movie, a
magazine image, a Ralph Lauren shirt, or a Louis Vitton handbag.  This
legal protection still exists, and is still strong.  For some reason the
entertainment industry has decided that it has a legal right to the
protection of its technology, and that makes no sense.

Moreover, they are badgering legislatures into passing laws that prop up
this flawed technological protection.  In the US and UK (and possibly soon
in the EU), it is illegal to circumvent their technology, even when you
never use it to violate a copyright.  It is illegal to engage in scientific
research about the encryption used in these systems.  It is illegal to peek
under the hood of this thing you have legally bought.  So not only does
this system not work, it creates a black market where there was none
before, while doing no social good in the process.

This DVD break is a good thing.  It served no one's interests for the
entertainment industry to put their faith in a bad security system.  It is
good research, illustrating how bad the encryption algorithm is and how
poorly thought out the security model is.  What is learned here can be
applied to making future systems stronger.

http://www.wired.com/news/technology/0,1282,32263,00.html
http://www.ntk.net/index.cgi?back=archive99/now1029.txt

Summary of the DVD encryption scheme:
http://crypto.gq.nu

Geek stuff:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000548.html
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000589.html
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000609.html
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000671.html

My essay on software copy protection:
http://www.counterpane.com/crypto-gram-9811.html#copy

My comments on the Digital Millennium Copyright Act:
http://www.zdnet.com/pcweek/news/0622/22wipo.html

New Intel software obfuscation techniques that, I predict, will be broken soon:
http://www.intel.com/pressroom/archive/releases/in110999.htm

(This originally appeared in the November issue of Crypto-Gram.  To
subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com.)
Bruce Schneier, CTO, Counterpane Internet Security, Inc.  Ph: 612-823-1098
3031 Tisch Way, 100 Plaza East, San Jose, CA 95128       Fax: 612-823-1590


Computer virus tears through companies (From IP)

Dave Farber <farber@cis.upenn.edu>
Wed, 01 Dec 1999 04:42:58 -0500
Computer virus tears through companies

SAN FRANCISCO (AP) - A computer virus rampaged through corporate systems,
devouring files, crippling e-mail systems and affecting thousands of
computers Tuesday, according to anti-virus experts. The Mini-Zip virus,
related to one that caused a serious outbreak in June, was expected to
renew its assault Wednesday morning as unsuspecting users checked their
e-mail inboxes. Sal Viveros, a marketing manager for Santa Clara-based
Network Associates, which makes the McAfee anti-virus software, said some
20 large corporations had been affected by Tuesday evening. Dan Schrader,
vice president of new technology at Trend Micro in Cupertino, said he
fielded complaints of significant problems from four Fortune 500 companies
and scores of smaller companies.

http://www.infobeat.com/stories/cgi/story.cgi?id=2562345881-19a

Please report problems with the web pages to the maintainer

Top