The RISKS Digest
Volume 20 Issue 66

Wednesday, 1st December 1999

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

ATM User Trapped for 9 Hours
Jack Burke
Dell loses five days' production time to FunLove Virus
Mich Kabay
Risk of portable signs
Geoff Speare
Irish telephone network outage brings Y2K fears
Dermot Casey
Firestation fire blamed on Y2K computer fix
Kevin Whelan
Halifax suspends net share dealing over security flaw
Nigel Cole
Hacker links Staples to online rival Office Depot
Mich Kabay
Risks of "anonymous" e-mail accounts
Bruce Schneier
Sticky fingers with e-mail
Peter Wayner
Privacy breach + plaintext passwords + denial of service
David Mediavilla
Netscape 4.7 Danger: "Active" Newsgroup Messages
John David Galt
Expanding, Embracing, Devouring: IE 5.0 Task Scheduler Elevates
RA Downes
No bounds checking in Microsoft RTF controls
RA Downes
More on DVD encryption cracked
Bruce Schneier
Computer virus tears through companies
Dave Farber
Info on RISKS (comp.risks)

ATM User Trapped for 9 Hours

Jack Burke <jfb3@mindspring.com>
Sun, 28 Nov 1999 12:40:10 -0500
Talk about poor planning by a New Jersey bank--I can't believe that no one
thought of this situation.

The short version:  a bank's inside-the-lobby ATM machine was being used by
a man when the lobby's outside doors automatically locked at 9pm on
Thanksgiving evening.  There was no alarm button (apparently not even a
fire alarm lever), no emergency exit, and no way out until the bank manager
showed up the next morning (although I wonder why he didn't break the door
or window to escape).

The man rightfully closed his account the next day.

http://www.apbnews.com/newscenter/breakingnews/1999/11/27/trapped1127_01.html

  [Also noted by Daniel P. B. Smith]


Dell loses five days' production time to FunLove Virus

Mich Kabay <mkabay@compuserve.com>
Mon, 22 Nov 1999 13:48:50 -0500
Dell Computer's plant in Cork,[*] Ireland suffered five days of downtime
after the company discovered that 500 of its computers had been infected
with the FunLove virus.  Staff had to track down the source of the infection
and eradicate the virus from all its systems.  Paul Taylor (Reuters) wrote,
"the attack is regarded as one of the most damaging seen in Europe."  In
addition to the lost production time, the incident damaged customer
relations, with some customers complaining about the delay in delivery of
their systems.

M. E. Kabay, PhD, CISSP / Director of Education
R&D Group, ICSA Labs <http://www.icsa.net>

  [Subsequent added note: Limerick City, not Cork?  PGN]


Risk of portable signs

Geoff Speare <geoff@igcn.com>
Mon, 22 Nov 1999 09:45:20 -0500
The highway I use in my commute to work has been under construction for
several months. The construction people were kind enough to park a portable
sign unit (LCD display, 3 lines of 8 chars, readable from the car) a couple
miles before the construction site. Normally, this sign warns of things
like blasting, change in traffic patterns, etc. However, this morning, the
sign read:

  BATTERYS
    NEED
  CHARGING

The risk? That a generation will grow up thinking that "batteries" is
spelled with a Y...

Geoff Speare <geoff@igcn.com>


Irish telephone network outage brings Y2K fears

"Casey, Dermot (CAP, GCF)" <Dermot.Casey@gecapital.com>
Tue, 23 Nov 1999 09:25:57 +0100
To summarise, Eircom, Ireland's main telco, had a major failure last Friday
afternoon. An upgrade which took place either Thursday night or Friday
morning failed. When they switched to backup systems, these also failed due
to some embedded "software bugs", as described on the radio. The collapse of
the first exchange caused a domino effect on exchanges in the centre of
Dublin and businesses were left without service from about 2.30 p.m. to
6.00 p.m. Some 80,000 land-lines were affected initially, but this rose
significantly as other exchanges were hit. People making calls to numbers in
the affected areas were unable to reach them.  To compound the problem,
Eircom's cell phone customers in the same area were left without service due
to an independent problem. The country's other mobile network, Esat, was
unaffected.

A few interesting points: why do people insist on upgrading during the
working week when the risks are obvious?  The second is that this was
Eircom's first big test for disaster recovery and it didn't come out very
well. The Irish Telecoms Users Group has questioned Eircom's Y2K preparedness
based on this incident. An Eircom spokesperson said that they were Y2K ready
(£25 million project, 70 dedicated staff over a number of years) but
admitted there were likely to be "glitches" in the system.  See the Irish
Times archive for the text of a story covering the incident:
http://www.ireland.com/scripts/search/highlight.plx?TextRes=eircom&Path=/newspaper/finance/1999/1120/fin50.htm


Firestation fire blamed on Y2K computer fix

Kev <kwhelan@gamma.aei.ca>
Mon, 22 Nov 1999 00:59:04 -0500
This past Tuesday's *Montreal Gazette* reports a fire that caused $500,000
damage to a local fire station.  The fire started when one of the firemen
left french fries cooking when responding to an alarm. The breaker system
designed to cut off power to the stove when this occurs had been
disconnected ... because it was incompatible with the new Y2K compatible
computer system recently installed!!!

In addition to the irony of a fire destroying the fire station and a safety
system being disconnected because it's incompatible with the new computer
system, the station had recently been the object of a successful community
effort to save the historic old building from destruction during a
development project.

According to a city official a patch is required to make the power cut off
system compatible with the new system. No details were given regarding the
hardware or software for either the new Y2K system or the power cut off
system.

Ah, the risks of avoiding risks!

Kevin Whelan <kwhelan@mail.aei.ca>


Halifax suspends net share dealing over security flaw

Nigel Cole <postmaster@zebekia.demon.co.uk>
Fri, 26 Nov 1999 20:33:54 +0000
I originally caught this on the CEEFAX teletext service in the UK, but
(naturally) it's also on the web:

http://news.bbc.co.uk/hi/english/business/newsid_538000/538285.stm

Summary: The Halifax (a UK bank) has suspended its online share dealing
service after a serious security flaw was found. The flaw made it
possible for customers to not only see other customers' accounts, but
also to buy and sell shares from them.

Dr. Nigel Cole   postmaster@zebekia.demon.co.uk

  [also noted by David Stringer-Calvert in the *Yorkshire Evening Press*,
  27 Nov 1999]


Hacker links Staples to online rival Office Depot

Mich Kabay <mkabay@compuserve.com>
Tue, 30 Nov 1999 12:51:32 -0500
On 9 Oct 1999, someone breached security on the Staples Web site and
redirected browsers to the Web site of Office Depot, the victim's major
competitor.  On 30 Nov 1999, Staples announced that it had filed a federal
"John Doe" lawsuit against its assailant(s) claiming damages for lost
business and for the recovery effort.  Staples and Office Depot both said
they doubted that Office Depot was in any way responsible for the attack.

M. E. Kabay, PhD, CISSP / Director of Education
R&D Group, ICSA Labs <http://www.icsa.net>


Risks of "anonymous" e-mail accounts

Bruce Schneier <schneier@counterpane.com>
Tue, 30 Nov 1999 15:20:17 -0600
Someone sent a bomb threat from an account named
shadowmega@hotmail.com.  The police contacted Hotmail, and found that the
Hotmail account had been accessed at a particular date and time, using an IP
address owned by America Online.  Using the AOL information, police
identified exactly who was using that IP address at that time and were able
to trace the sender to his apartment in Brooklyn.

Full story:
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2324068,00.html

Moral: Don't assume that your anonymous e-mail account is anonymous.

Bruce Schneier, CTO, Counterpane Internet Security, Inc.  Ph: 612-823-1098
3031 Tisch Way, 100 Plaza East, San Jose, CA 95128       Fax: 612-823-1590


Sticky fingers with e-mail

Peter Wayner <pcw@flyzone.com>
Tue, 23 Nov 1999 07:51:52 -0500
According to the AP, a company which acted both as an ISP and a bookseller
would use its position in the chain of e-mail to intercept e-mail messages
between Amazon and customers who had accounts at the ISP. The ISP apparently
used the information to try to gain a competitive advantage as it entered
the business. New management settled for a fine of $250,000. There was no
mention if the ISP maintained the ability to turn its rack of servers into
40-bit crypto crackers.


Privacy breach + plaintext passwords + denial of service

<David Mediavilla>
Wed, 1 Dec 1999 19:42:23 +0100
I left my resume at JobUniverse http://www.idg.es/JobUniverse/curriculum.asp,
a Spanish job search site.  The site claims to keep personal data safe and
to have registered with the Spanish Personal Data Agency (See my post on
RISKS-20.65 http://catless.ncl.ac.uk/Risks/20.65.html#subj15 )

On 30 Nov 1999, I received e-mail reminding me to update the resume.
It was politely signed by some Javier Nieto, director of IDG.ES. It included
my e-mail address and the password I used. This is a risk, but not a very
high one.

The problem came when they sent to some addresses (not all) another message
with lots of e-mail addresses in the To: field (I printed one and it covers
4 pages). In the body was the reminder text, including the e-mail address
_and password_ of lots of subscribers. I haven't counted them, but the
message weighs 170-190 KB (57 pages).  And better, they sent this message
several times. I received 12 copies; others received 182 or 48.

After several hours, they removed the resume service from the web.

So privacy breach + plaintext passwords + denial of service. I haven't heard
about viruses... yet.

David Mediavilla Ezquibela  <davidme.forum@bigfootNOSPAM.com>


Netscape 4.7 Danger: "Active" Newsgroup Messages

<John_David_Galt@acm.org>
Wed, 01 Dec 1999 13:11:15 -0800
Last night, I encountered the newsgroup spam message quoted in full below.
As soon as it is viewed, it causes my browser, Netscape Communicator 4.7, to
load an unwanted web page — even though I have preferences set to disable
Java and JavaScript in news and mail messages.  (The ">" I have added on
each line disables this "feature.")

This behavior, of course, opens one's system to all the kinds of mischief
a hostile web page can do, from giving spammers your e-mail address to
running mischievous Java applets or viruses on your machine.  Yet when I
complained of this on Netscape's forum (the netscape.communicator
newsgroup hosted at secnews.netscape.com), it was laughed off and they
appear to have no intention of doing anything about it.

No browser has any business ever loading a URL unless the user requests it!

John David Galt

> Message-ID: <3841D1F1.C01EAA5D@softcom.net>
> Date: Sun, 28 Nov 1999 17:08:01 -0800
> From: "Jonathan H. Ballard" <cybertronix@softcom.net>
> Organization: Cybertronix
> X-Mailer: Mozilla 4.51 [en] (X11; I; FreeBSD 3.2-RELEASE i386)
> X-Accept-Language: en
> MIME-Version: 1.0
> Newsgroups: ca.test, ca.driving, ca.earthquakes, ca.environment, ca.general
> Subject: HOPE
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: 7bit
> NNTP-Posting-Host: 209.160.172.191
> X-Trace: 30 Nov 1999 17:06:02 -0800, 209.160.172.191
> Lines: 12
> Path: news-west.eli.net!sdd.hp.com!enews.sgi.com!news.idt.net!howland.erols.net!newsfeed.fast.net!uunet!ffx.uu.net!news.sac.bfp.net!209.160.172.191
> Xref: news-west.eli.net ca.test:900 ca.driving:6671 ca.earthquakes:1464 ca.environment:3407 ca.general:17258
>
>
> --
>  cybertronix@softcom.net  jon.ballard@usa.net
>    http://www.softcom.net/users/cybertronix
>       Save a Tree -> Know How to eMail
>  ;)         CopyRight Ballard


Expanding, Embracing, Devouring: IE 5.0 Task Scheduler Elevates

<main@radsoft.net>
Tue, 30 Nov 1999 17:59:03 +0000
Re:
  http://www.ntsecurity.net/go/load.asp?iD=/security/tasksched.htm

What this article will demonstrate is that installing a web browser from
Microsoft changes the topology of the underlying operating system - even
on Windows NT.

Ken Thompson used to say, "keep your hands off the drivers." With all
the ridiculous crashes IE4 and IE5 have been guilty of, it's obvious
Microsoft has never heeded that good advice.

Instead, they now muck about with the innards of your operating system
when all they're really supposed to do is install a user mode
application.

The mind boggles.

RA Downes, Radsoft Laboratories  http://www.radsoft.net


No bounds checking in Microsoft RTF controls

<main@radsoft.net>
Thu, 25 Nov 1999 14:08:50 +0000
I am speechless. Totally speechless. And for reasons which might become
clearer later, I have a lump in my throat. This is not funny anymore.
Dammit, it is not. I am mad.

The morning mailbox contained a newsletter on NT security, and this
newsletter had an article about an attack on the Microsoft Rich Edit
(RTF) controls. The URL given is:

  http://www.ntsecurity.net/go/load.asp?iD=/security/richedit1.htm

As there are a few discrepancies in the RTF code reproduced there, I
made the mistake of assuming that this was a limited problem. But after
disconnecting and thinking about the matter a bit (thinking still does
have its advantages, even in this age when, thanks to Microsoft,
information is at your fingertips) I realized it was "easy peasy" to
crash any of Microsoft's Rich Edit (RTF) controls any time I wanted, and
set about doing so.

But let's make sure everyone is up to speed before we continue.

RTF is a Microsoft invention (or so they claim) for formatting text. RTF
stands for "Rich Text Format", hence the description "Rich Edit" often
used to describe this "technology". Microsoft encapsulates this
"technology" all over the place, in their Office suite, in FrontPage,
and in two resident system DLLs, RICHED32.DLL and RICHED20.DLL. Again,
the attack works on _any_ version of the DLL, and not just one or the
other as the article at the above URL implies.

RTF consists of a number of "tokens" all introduced with the (you
guessed it) backslash. An RTF file is always enclosed in braces (what
good this does no one knows, next question please) and after the initial
opening brace the token "\rtf1" should follow immediately. (The article
online at the URL above incorrectly gives this token as "\rtf" - the '1'
on the end, to the best of my knowledge, is necessary.)

As the article states, the buffer used for interpreting RTF tokens seems
to be 36 bytes. This is such a ridiculous magic number it's not funny. I
can't get past this one at all. The backslash is regarded as part of the
token in this context: thus any character sequence beginning with a
backslash and continuing with at least 35 characters before the next
token will send the control south.

Also, RTF tokens are considered to conform to the American alphabet: any
non American alphabetic character in a token will in effect break the
token and avoid the attack.

Another tidbit that might prove beneficial to readers: the initial MS
Rich Edit control, Riched32.DLL, was written in C, the follow up,
Riched20.DLL (sic) is written in C++, and Microsoft probably regards
this latter DLL as a vast improvement, which it is not. But as this
attack works on all generations of the control it can be concluded that
the same brain dead code snippet is in effect here in all cases.

The buffer for parsing an RTF token is 36 bytes (including backslash
character)  - and no checks are used in the code to make sure the buffer
does not overflow.

There is evidence in the disassembly of a character pointer being
incremented with the postfix ++ operator - that the loop does not check that
this pointer is within bounds really and truly boggles the mind.

I can think of hundreds, thousands, hundreds of thousands of loops I
have written and seen over the years, every one of course having a bounds
check built in. I mean, this is very _basic_ programming, isn't it?

  for (cp = buf; cp < buf + BUFSIZE; cp++)
    /* * */

I mean, this is all really very _elementary_, isn't it? Tell me I'm
wrong! Please, someone, _anyone_, tell me I'm wrong!!!!

I used to think so. But now that "Redmond RuleZ", who knows what goes
anymore? The real pity is that in a week, as everyone becomes aware of
this issue and what is behind it, that people will just end up
_accepting_ it. Crimenee!!!!

This RTF control in all its generations is one of the most used controls
from the Microsoft arsenal. That this control be subject to the
kindergarten programming practices of Redmond is more than at least this
author can stomach.

This is absolutely horrendous. I feel literally physically sick. This is
not funny any more.

RA Downes

PS. As this affects almost everyone using any kind of PC program
anywhere, I guess I'll just have to devote the rest of this day to
writing a wrapper to protect us. The idea is simple: send all references
to RTF editors to the wrapper instead, which will first parse the file
for evidence of malignant tokens, and then pass the file on to the
target editor if all is in order - or otherwise issue a warning and drop
the matter entirely. Drop me a line if you have any ideas. As Microsoft
will probably handle this "issue" as so many others - i.e. ignore it -
and as I rather trust my own code at this point far more than I trust
Microsoft's (nil trust there to be honest) I think we have to take
matters into our own hands.

RA Downes, Radsoft Laboratories  http://www.radsoft.net
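A defender's sketch of the wrapper proposed in the PS, added here as an example and not code from the article or from Radsoft: a bounds-checked token copier of the kind the article says the control lacks, plus a pre-screen that refuses any file whose control word would not fit the 36-byte buffer the article describes. The 36-byte limit, the "{\rtf1" opener and the token rule (backslash plus letters, broken by any non-letter) are taken from the article; the sample documents are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Token buffer size the article attributes to the Rich Edit parser:
 * 36 bytes, backslash included. Anything that long or longer is overlong. */
#define RTF_TOKEN_BUF 36
#define IS_ALPHA(c) (((c) >= 'a' && (c) <= 'z') || ((c) >= 'A' && (c) <= 'Z'))

/* Constructed sample documents (not from the article): a normal file, one
 * whose second token is 41 bytes, and one where a '.' breaks that token. */
#define A10 "aaaaaaaaaa"
static const char SAMPLE_OK[]     = "{\\rtf1\\ansi\\deff0 Hello}";
static const char SAMPLE_LONG[]   = "{\\rtf1\\" A10 A10 A10 A10 "}";
static const char SAMPLE_BROKEN[] = "{\\rtf1\\" A10 A10 "." A10 A10 "}";

/* Length of the control word starting at p (p points at the backslash):
 * backslash + ASCII letters + optional signed numeric parameter. Any
 * non-letter ends the word, as the article notes; "\{" has length 2. */
size_t rtf_token_len(const char *p, const char *end)
{
    const char *cp = p;
    if (cp >= end || *cp != '\\')
        return 0;
    cp++;
    if (cp < end && !IS_ALPHA(*cp))
        return 2;                           /* control symbol */
    while (cp < end && IS_ALPHA(*cp))
        cp++;
    if (cp < end && *cp == '-')
        cp++;
    while (cp < end && *cp >= '0' && *cp <= '9')
        cp++;
    return (size_t)(cp - p);
}

/* Bounded copy of one control word into out[outsize]: the check the article
 * says the control lacks. At most outsize-1 bytes are written, out is always
 * NUL-terminated, and the token's true length is returned so the caller can
 * reject a token that did not fit instead of silently truncating it. */
size_t rtf_copy_token(const char *p, const char *end, char *out, size_t outsize)
{
    size_t len = rtf_token_len(p, end);
    size_t n = len < outsize ? len : outsize - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return len;
}

/* Longest control word in a document, for the pre-screening wrapper. */
size_t rtf_longest_token(const char *rtf, size_t len)
{
    const char *end = rtf + len, *cp = rtf;
    size_t longest = 0;
    while (cp < end) {
        if (*cp != '\\') { cp++; continue; }
        size_t t = rtf_token_len(cp, end);      /* t >= 1 here */
        if (t > longest)
            longest = t;
        cp += t;
    }
    return longest;
}

/* Wrapper policy: 1 = hand the file to the editor, 0 = refuse it. Requires
 * the "{\rtf1" opener the article insists on and no overlong token. */
int rtf_is_safe(const char *rtf, size_t len)
{
    if (len < 6 || memcmp(rtf, "{\\rtf1", 6) != 0)
        return 0;
    return rtf_longest_token(rtf, len) < RTF_TOKEN_BUF;
}

/* Copy the first control word of doc into an RTF_TOKEN_BUF-sized buffer and
 * report how many bytes landed there: never more than RTF_TOKEN_BUF - 1. */
size_t rtf_first_token_copied(const char *doc, size_t len)
{
    char out[RTF_TOKEN_BUF];
    const char *bs = memchr(doc, '\\', len);
    if (bs == NULL)
        return 0;
    rtf_copy_token(bs, doc + len, out, sizeof out);
    return strlen(out);
}
```

The three SAMPLE_ constants exercise the normal, overlong and broken-token cases; a real wrapper would read the file into memory and call rtf_is_safe before launching the editor.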


More on DVD encryption cracked (RISKS-20.64-65)

Bruce Schneier <schneier@counterpane.com>
Mon, 29 Nov 1999 21:58:40 -0600
The scheme to protect DVDs has been broken.  There are now freeware programs
on the net that remove the copy protection on DVDs, allowing them to be
played, edited, and copied without restriction.

This should be no surprise to anyone, least of all to the entertainment
industry.

The protection scheme is seriously flawed in several ways.  Each DVD is
encrypted with something called Content Scrambling System (CSS).  It has a
40-bit key.  (I have no idea why.  The NSA and the FBI shouldn't care about
DVD encryption.  There aren't any encrypted terrorist movies they need to
watch.)  It's not even a very good algorithm.  But even if the encryption
were triple-DES, this scheme would be flawed.

Every DVD player, including hardware consoles that plug into your
television and software players that you can download to your computer, has
its own unique unlock key.  (Actually, each has several.  I don't know
why.)  This key is used to unlock the decryption key on each DVD.  A DVD
has 400 copies of the same unique decryption key, each encrypted with every
unlock code.  Note the global secret:  if you manage to get one unlock key
for one player, you can decrypt every DVD.

But even if this were all perfect, the scheme could never work.

The flaw is in the security model.  The software player eventually gets the
decryption key, decrypts the DVD, and displays it on the screen.  That
decrypted DVD data is on the computer.  It has to be; there's no other way
to display it on the screen.  No matter how good the encryption scheme is,
the DVD data is available in plaintext to anyone who can write a computer
program to take it.

And so is the decryption key.  The computer has to decrypt the DVD.  The
decryption key has to be in the computer.  So the decryption key is
available, in the clear, to anyone who knows where to look.  It's protected
by an unlock key, but the reader has to unlock it.

The DVD software manufacturers were supposed to disguise the decryption
program, and possibly the playing program, using some sort of software
obfuscation techniques.  These techniques have never worked for very long;
they only seem to force hackers to spend a couple of extra weeks figuring
out how the software works.  I've written about this previously in relation
to software copy protection; you can't obfuscate software.

It might be a bitter pill for the entertainment industry to swallow, but
software content protection does not work.  It cannot work.  You can
distribute encrypted content, but in order for it to be read, viewed, or
listened to, it must be turned into plaintext.  If it must be turned into
plaintext, the computer must have a copy of the key and the algorithm to
turn it into plaintext.  A clever enough hacker with good enough debugging
tools will always be able to reverse-engineer the algorithm, get the key, or
just capture the plaintext after decryption.  And he can write a software
program that allows others to do it automatically.  This cannot be stopped.

If you assume secure hardware, the scheme works.  (In fact, the industry
wants to extend the system all the way to the monitor, and eventually do the
decryption there.)  The attack works because the hacker can run a debugger
and other programming tools.  If the decryption device and the viewing
device (it must be both) is inside a tamperproof piece of hardware, the
hacker is stuck.  He can't reverse-engineer anything.  But tamperproof
hardware is largely a myth, so in reality this would just be another barrier
that someone will eventually overcome.  Digital content protection just
doesn't work; ask anyone who tried software copy protection.

One more lesson and an observation.

The lesson: This is yet another example of an industry meeting in secret and
designing a proprietary encryption algorithm and protocol that ends up being
embarrassingly weak.  I never understand why people don't use open,
published, trusted encryption algorithms and protocols.  They're always
better.

The observation: The "solution" that the entertainment industry has been
pushing for is to make reverse-engineering illegal.  They managed in the
United States: the Digital Millennium Copyright Act includes provisions to
this effect, despite the protests of the scientific and civil rights
communities.  (Yes, you can go to jail for possessing a debugger.)  They got
a similar law passed in the UK.  They're working on the EU.  This "solution"
does not work and makes no sense.

First, unless reverse-engineering is illegal everywhere on the planet, [and
UCITA would like to do that; PGN] someone will be able to do it somewhere.
And one person is all you need; he can write software that everyone else
uses.  Second, the reverse-engineer can — as in this case — work
anonymously.  Laws wouldn't have helped in this case.  And third, laws can't
put the cat back into the bag.  Even if you could catch and prosecute the
hackers who did this, it wouldn't affect the hacker tools that have already
been, and continue to be, written.

What the entertainment industry can do, and what they have done in this
case, is use legal threats to slow the spread of these tools.  So far the
industry has threatened legal actions against people who have put these
software tools on their Web sites.  The result will be that these tools will
exist on hacker Web sites, but will never be in public-domain software --
Linux, for example.

The fatal flaw is that the entertainment industry is lazy, and is
attempting to find a technological solution to what is a legal problem.  It
is illegal to steal copyrights and trademarks, whether it is a DVD movie, a
magazine image, a Ralph Lauren shirt, or a Louis Vuitton handbag.  This
legal protection still exists, and is still strong.  For some reason the
entertainment industry has decided that it has a legal right to the
protection of its technology, and that makes no sense.

Moreover, they are badgering legislatures into passing laws that prop up
this flawed technological protection.  In the US and UK (and possibly soon
in the EU), it is illegal to circumvent their technology, even when you
never use it to violate a copyright.  It is illegal to engage in scientific
research about the encryption used in these systems.  It is illegal to peek
under the hood of this thing you have legally bought.  So not only does
this system not work, it creates a black market where there was none
before, while doing no social good in the process.

This DVD break is a good thing.  It served no one's interests for the
entertainment industry to put their faith in a bad security system.  It is
good research, illustrating how bad the encryption algorithm is and how
poorly thought out the security model is.  What is learned here can be
applied to making future systems stronger.

http://www.wired.com/news/technology/0,1282,32263,00.html
http://www.ntk.net/index.cgi?back=archive99/now1029.txt

Summary of the DVD encryption scheme:
http://crypto.gq.nu

Geek stuff:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000548.html
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000589.html
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000609.html
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000671.html

My essay on software copy protection:
http://www.counterpane.com/crypto-gram-9811.html#copy

My comments on the Digital Millennium Copyright Act:
http://www.zdnet.com/pcweek/news/0622/22wipo.html

New Intel software obfuscation techniques that, I predict, will be broken soon:
http://www.intel.com/pressroom/archive/releases/in110999.htm

(This originally appeared in the November issue of Crypto-Gram.  To
subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com.)
Bruce Schneier, CTO, Counterpane Internet Security, Inc.  Ph: 612-823-1098
3031 Tisch Way, 100 Plaza East, San Jose, CA 95128       Fax: 612-823-1590


Computer virus tears through companies (From IP)

Dave Farber <farber@cis.upenn.edu>
Wed, 01 Dec 1999 04:42:58 -0500
Computer virus tears through companies

SAN FRANCISCO (AP) - A computer virus rampaged through corporate systems,
devouring files, crippling e-mail systems and affecting thousands of
computers Tuesday, according to anti-virus experts. The Mini-Zip virus,
related to one that caused a serious outbreak in June, was expected to
renew its assault Wednesday morning as unsuspecting users checked their
e-mail inboxes. Sal Viveros, a marketing manager for Santa Clara-based
Network Associates, which makes the McAfee anti-virus software, said some
20 large corporations had been affected by Tuesday evening. Dan Schrader,
vice president of new technology at Trend Micro in Cupertino, said he
fielded complaints of significant problems from four Fortune 500 companies
and scores of smaller companies.

http://www.infobeat.com/stories/cgi/story.cgi?id=2562345881-19a
