The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 79

Tuesday 15 February 2000

Contents

o Distributed denial-of-service attacks
PGN
o PFIR Statement on Recent Internet Denial of Service Attacks
Lauren Weinstein
o Risks of bouncing messages from closed e-mail lists
Mich Kabay
o My.MP3.com and the Beam-it protocol
Dan Wallach
o Re: Organisms don't adapt????
Bob Blakley
Gordon Foreman
o More risks with MS Outlook
kclemson
o Review of "Database Nation"
Gene Spafford
o Info on RISKS (comp.risks)

Distributed denial-of-service attacks

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 14 Feb 2000 08:17:12 PST
The previous week saw three days of distributed denial-of-service (DDoS)
attacks, disabling Yahoo, Amazon, eBay, CNN.com, Buy.com, ZDNet, E*Trade,
and Excite.com for a few hours each.  The flooding attacks were triggered
from a variety of unknowing intermediate zombie systems that had been
penetrated, although the launched DDoS attacks required no penetrations
of their target systems.

The events should be no surprise to RISKS readers.  The likelihood of such
attacks has been discussed for a long time, and scripts (such as Trinoo,
Tribal Flood Network TFN and TFN2K, and Stacheldraht -- German for barbed
wire) have been available as well.  It may seem unnecessary for me to note
here that our information infrastructures are riddled with vulnerabilities
that made these attacks easy to carry out, but that is simply the way it is.

The media had a field day with talking heads, soundbites, one-line quotes,
speculations, and very little hard information on what techniques were used
and who was responsible.

I have just finished my April 2000 Inside Risks column for the Communication
of the ACM on this subject, although it is clearly not an April Fool's joke.
The column will appear on my Website shortly before 1 April, but I won't
replicate it here.

The following note from Lauren Weinstein was distributed to the PFIR mailing
list.  In general, RISKS will not reproduce PFIR messages, to avoid
undesired duplication for readers of both lists.  However, this particular
message saves me the trouble of trying to PGN-ed-itorialize on all of the
recent media reports in what is still an ongoing saga.  Besides, RISKS-20.79
has been pending for too long already.


PFIR Statement on Recent Internet Denial of Service Attacks

PFIR - People For Internet Responsibility <pfir@pfir.org>
Wed, 9 Feb 2000 21:34:09 -0800 (PST)
          PFIR Statement on Recent Internet Denial of Service Attacks
                   (http://www.pfir.org/statements/02.09.00)
    PFIR - People For Internet Responsibility - http://www.pfir.org

Greetings.  The recent rash of "Denial of Service" (DoS) attacks on major
Internet sites such as Yahoo!, E-Bay, CNN, and others, has caused outcries of
surprise and consternation in many quarters, and has become the lead story
for many newscasts.  But these attacks come as no surprise to many of us,
who have long predicted that these sorts of events would come to pass.

It's basically easy to understand.  Imagine a small firm with two phone
lines.  Now have 10,000 people at pay phones scattered around the world all
trying to call that company at once, and hanging up as soon as there is an
answer.  Few (if any) customer calls will get through, and finding the
perpetrators will be problematic at best.

A variety of software tools are available for launching effectively
anonymous DoS attacks on the Internet, which in many cases may involve
otherwise innocent computers "hijacked" for this purpose.  While some of the
simpler attack methods may be repelled to a degree by "filtering" to block
some of the offending data, the fundamental structure of the existing
Internet makes complete solutions essentially impossible.  We can expect to
see a rapid evolution in the sophistication of such attacks and their
relative invulnerability to quick eradication.  There will not be simple
answers of any lasting value.

There are a number of very important lessons to be learned from these
events.  It seems apparent that the rush to move all manner of important or
even critical commercial, medical, government, and other applications onto
the Internet and Web has far outstripped the underlying reality of the
existing Internet infrastructure.

Compared with the overall robustness of the U.S. telephone system, the
Internet is a second-class citizen when it comes to these kinds of
vulnerabilities.  Nor will simply throwing money at the Internet necessarily
do much good in this regard.  More bandwidth, additional servers, and faster
routers--they'd still be open to sophisticated (and even not so
sophisticated) attacks which could be triggered from one PC anywhere in the
world.

In the long run, major alterations will be needed in the fundamental
structure of the Internet to even begin to get a handle on these sorts of
problems, and a practical path to that goal still remains fuzzy at this time.

For now, it might be advisable for everyone to remember that the Internet,
for all its wonders, is in many ways very fragile.  We must not allow
ourselves to get into a position where being cut off from a site for a few
hours--or even longer--puts people or property at risk.  Our lives should
not revolve around guaranteed 24/7 access to E-Bay, or Yahoo!, or *any* site
on the public Internet, regardless of its importance.  The need for
alternative access methods for critical systems, and the potential
recklessness of eliminating older systems in exchange for 100% Internet
dependence, cannot be overstated.

The current attacks are sure to be but the beginning.  Many even more
attractive targets are likely to be appearing that will draw ever more
sophisticated fire.  Imagine what a concerted denial of service attack might
do to an election with Internet/Web-based voting--a technology being pushed
on a fast track in many quarters.

It's time to get past the "dot com" hype and to start considering carefully
the realities, and limits, of the technology on which we're trying to base
so much, so very fast.  If we continue to plow ahead without heeding these
lessons, it will be at our extreme peril.

Lauren Weinstein <lauren@vortex.com>
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy


Risks of bouncing messages from closed e-mail lists

Mich Kabay <mkabay@compuserve.com>
Mon, 14 Feb 2000 12:27:57 -0500
I have noticed that a junk e-mailer has taken to using a closed mailing-list
server as a relay for his unauthorized messages.

The scam works like this:

1) Criminal locates a closed mailing list that responds to unauthorized
postings by sending back an automated rejection notice that includes the
original message.

2) Criminal sends junk e-mail to the closed list using the desired
_target's_ e-mail addresses in forged header.

3) Closed list obligingly bounces the original message back to the target's
address.

Authorized users of the closed list do not need to receive a message
informing them that their messages have not been accepted (presumably due to
some oversight or glitch) because they will likely note the absence of their
message on the list anyway.

Unauthorized users of the list do not need to see the text of their message
at all in their electronic rejection note -- a stock reply explaining how to
gain admission to the list is more relevant.

Therefore I recommend that at the very least, administrators for closed
e-mail lists prevent their listserv from sending the _complete text_ of a
bounced message back to the supposed originator.

However, there is a more serious vulnerability here: infinite loops between
two or more closed lists.

If an attacker forges the originating address of a closed list that sends
back automated rejection notes to another closed list that sends back
automated rejection notes, then each forged message will generate a
mailstorm as a function of the speed of the servers in sending bounce
messages to each other.  The chain can be extended to multiple closed-list
servers, causing even more useless traffic and potentially contributing to
denial of service for the legitimate users of the closed lists.

RECOMMENDATIONS:

A) Turn off automated notification of rejection altogether on all closed
lists; or if you feel that the notification messages are important, then

B) Configure the listserv to send back only the title of a rejected message,
not the complete text; or if you feel like addressing the potential
vulnerability head-on,

C) Design a check of a log file so that the listserv for a closed list can
quickly identify a mailstorm and stop it by turning off automated
notification of rejection when it is being abused.

M. E. Kabay, PhD, CISSP, Security Leader, Information Security Group
Adario, Inc., 255 Flood Road, Barre, VT 05641-4060  +1.802.479.7937

  [NOTE the push-pull duality between a mailstorm and a maelstrom.
  A mailstorm pushes things in, whereas a maelstrom pulls them in.  PGN]


My.MP3.com and the Beam-it protocol

Dan Wallach <dwallach@cs.rice.edu>
Fri, 11 Feb 2000 15:59:01 -0600
Last week, MP3.com released a version of its Beam-it system for Linux.  This
is a system meant to allow you to "beam" your audio CDs to the MP3.com
server, which would then provide them back to you as streaming MP3 files.
Because only a small amount of data is actually transmitted during the
protocol, this is touted as an efficient and novel network service.  MP3.com
already has the music on its servers.  "Beaming" is really proving you own a
CD, and thus MP3.com feels safe putting a reference to it in your online
account.

The RIAA (Recording Industry Association of America) has other thoughts on
the matter, and is currently engaged in some testy litigation with MP3.com.
Meanwhile, the service continues to run.

On 4 Feb 2000, MP3.com posted a Linux version of their Beam-it client
software and took the unusual step of releasing *most* of it as free source,
with a small closed source pre-compiled component.  In addition to some
posters on Slashdot, we reverse engineered this module and studied the
protocol.  MP3.com did a reasonable job.  It's unlikely you'll successfully
"beam" a music CD to them unless you are physically holding the CD (or a
bit-for-bit copy of it).  Aside from this, there are still some privacy
concerns about their system.  It's also completely trivial for users to
share accounts (which might be a concern for the RIAA).

For those interested in more details:
  http://www.cs.rice.edu/~dwallach/pub/beam-it.html

Dan Wallach, Rice University


Re: Organisms don't adapt???? (Frankston, RISKS-20.78)

"Bob Blakley" <bob_blakley@hotmail.com>
Wed, 09 Feb 2000 17:19:24 CST
Sorry to be difficult, but organisms clearly do adapt to their environment,
both behaviorally (build houses, e.g.) and physically (e.g. grow thicker fur
in the winter, suntan, etc...).

But this isn't the basis of evolution of species - which is due to
*populations* adapting to their environment by virtue of well-adapted
individuals reproducing at differentially higher rates than poorly adapted
individuals.

Bob Blakley, Chief Scientist,  Tivoli SecureWay Business Unit


Re: Organisms don't adapt???? (Frankston, RISKS-20.78)

Gordon Foreman <gforeman@lanl.gov>
Mon, 07 Feb 2000 17:04:11 -0700
I think you meant the opposite!

In nature (to personify emergent behavior) systems only function in riskful
dynamic states.  The static state for an organism or other ecosystem is
called death.  The conversion of necessities into luxuries is most natural.
Skin, for example, is no longer an option.

I think you meant to say the conversion of luxuries into necessities is
most natural, as yesterday's luxuries are nearly always today's necessities.

Gordon Foreman, Los Alamos National Laboratory  505-667-3368 phone


More risks with MS Outlook (Axley, RISKS-20.78)

<kclemson@my-deja.com>
Wed, 09 Feb 2000 21:05:48 GMT
I just tried it with netscape and OE and got the same result. The bug is
with pine -- it returns multipart/alternative and should have returned
multipart/mixed.

The multipart/alternative means that the sending client is guaranteeing that
the body portions are exactly equivalent, and so clients that understand the
higher level text (html), are free to throw away the downlevel text (plain
text). But since pine edited the text/plain part, it made the body parts
unequivalent but other clients that follow the RFC throw away the part they
don't need.

Neither outlook nor any other HTML aware client should ever show an
attachment for the plain text body part on a multipart/alternative message -
that would defeat part of the purpose of that content type.

I will report the bug to the pine authors. Next time you should be more
careful when pointing fingers.

  [ZDNet.com/zdnn/stories/news reports that Windows 2000 apparently has
  about 63,000 defects, although later comments suggest under half of
  those are significant.  PGN]


Review of "Database Nation"

Gene Spafford <spaf@cerias.purdue.edu>
Mon, 7 Feb 2000 08:10:58 -0500
"Database Nation: The Death of Privacy in the 21st Century"
by Simson Garfinkel
O'Reilly & Associates, 2000
ISBN 1-56592-653-6
<http://www.databasenation.com>

First, of all, I should disclose what is probably a conflict of interest.
Simson and I have been friends for years, and we have collaborated on a
number of projects, including 3 books.  As such, some people (who don't know
me well) might suspect that I wouldn't provide an objective review.  So, if
you think that might be the case, then discount my recommendation by half --
and still buy and read this book.  Simson has done an outstanding job
documenting and describing a set of issues that a great many people --
myself included -- believe will influence computing, e-commerce, law and
public policy in the next decade.  They also impact every person in modern
society.

This book describes -- well, and with numerous citations -- how our privacy
as individuals and members of groups has been eroding.  Unfortunately, that
erosion is accelerating, and those of us involved with information
technology are a significant factor in that trend.  Credit bureaus
accumulate information on our spending, governments record the minutiae of
their citizens' lives, health insurance organizations record everything
about us that might prove useful to deny our claims, and merchants suck up
every bit of information they can find so as to target us for more
marketing.  In each case, there is a seemingly valid reason, but the
accumulated weight of all this record-keeping -- especially when coupled
with the sale and interchange of the data -- is frightening.  Simson
provides numerous examples and case studies showing how our privacy is
incrementally disappearing as more data is captured in databases large and
small.

The book includes chapters on a wide range of privacy-related issues,
including medical information privacy, purchasing patterns and affinity
programs, on-line monitoring, credit bureaus, genetic testing, government
record-keeping and regulation, terrorism and law enforcement monitoring,
biometrics and identification, ownership of personal information, and
AI-based information modeling and collection.  The 270 pages of text present
a sweeping view of the various assaults on our privacy in day-to-day life.
Each instance is documented as a case where someone has a reasonable cause
to collect and use the information, whether for law enforcement, medical
research, or government cost-saving.  Unfortunately, the reality is that
most of those scenarios are then extended to where the information is
misused, misapplied, or combined with other information to create unexpected
and unwanted intrusions.

Despite my overall enthusiasm, I was a little disappointed in a few minor
respects with the book.  Although Simson concludes the book with an
interesting agenda of issues that should be pursued in the interests of
privacy protection, he misses a number of opportunities to provide the
reader with information on how to better his or her own control over
personal information.  For instance, he describes the opt-out program for
direct marketing, but doesn't provide the details of how the reader can do
this; Simson recounts that people are able to get their credit records or
medical records from MIB, but then doesn't provide any information on how to
get them or who to contact; and although he sets forth a legislative agenda
for government, he fails to note realistic steps that the reader can take to
help move that agenda forward.  I suspect that many people will finish
reading this book with a strong sense of wanting to *do* something, but they
will not have any guidance as to where to go or who to talk with.

The book has over 20 pages of comprehensive endnotes and WWW references for
the reader interested in further details.  These URLs do include pointers to
many important sources of information on privacy and law, but with a few
puzzling omissions: I didn't see references to resources such as EPIC or
Lauren Weinstein's Privacy Digest outside of the fine print in the endnotes.
I also didn't note references to ACM's Computers, Freedom and Privacy
conferences, the USACM, or a number of other useful venues and supporters of
privacy and advocacy.  Robert Ellis Smith's "Privacy Journal" is mentioned
in the text, but there is no information given as to how to subscribe it it.
And so on.

I also noted that the book doesn't really discuss much of the international
privacy scene, including issues of law and culture that complicate our
domestic solutions.  However, the book is intended for a U.S. audience, so
this is somewhat understandable.  A few other topics -- such as workplace
monitoring -- are similarly given more abbreviated coverage than every
reader might wish.  Overall, I recognized few of those.

On the plus side, the book is very readable, with great examples and
anecdotes, and a clear sense of urgency.  Although it is obvious that Simson
is not an impartial party on these topics, he does present many of the
conflicting viewpoints to illustrate the complexity of the issues.  For
instance, he presents data on the need for wiretaps and criminal
investigation, along with accounts and descriptions of bioterrorism,
including interviews with FBI officials, to illustrate why there are people
of good faith who want to be able to monitor telephone conversations and
e-mail.  If anything, this increases the impact of the book -- it is not an
account of bad people with evil intent, but a description of what happens
when ideas reasonable to a small group have consequences beyond their
imagining -- or immediate concern.  The death of privacy is one of a
thousand cuts, each one small and seemingly made for a good reason.

Simson has committed to adding important information to the WWW site for the
book.  Many (or most) of the items I have noted above will likely be
addressed at the WWW site before long.  Simson also has informed me that the
publisher will be making corrections and some additions to future editions
of the book if he deems them important.  This is great news for those of us
who will use the book as an classroom text, or if we recommend the book to
policy makers on an on-going basis.  Those of us with older copies will need
to keep the URL on our bookmark list.

Overall, I was very pleased with the book.  I read it all in one sitting, on
a flight cross-country, and found it an easy read.  I have long been
interested in (and involved in) activities in protection of privacy, so I
have seen and read most of the sources Simson references.  Still, I learned
a number of things from reading the book that I didn't already know --
Simson has done a fine job of presenting historical and ancillary context to
his narrative without appearing overly pedantic.

This is a book I intend to recommend to all of my graduate students and
colleagues.  I wish only there was some way to get all of our elected
officials to read it, too.  I believe that everyone who values some sense of
private life should be aware of these issues, and this book is a great way
to learn about them.  I suggest you go out and buy a copy -- but pay in cash
instead of with a credit card, take mass transit to the store instead of
your personal auto, and don't look directly into the video cameras behind
the checkout counter.  Once you read the book, you'll be glad you did.

Please report problems with the web pages to the maintainer

Top