Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
[Always check the CERT Web site for updates on any CERT Advisory that
is included in RISKS. This item is a starkly abridged version of the
original Advisory 2000-04. Subsequent to the first appearance of
ILOVEYOU, there have been numerous copycat variants, and assessments
of damage on the order of many billion dollars.]
[HOWEVER, please take a look at my written testimony on ILOVEYOU and
its wider implications, which I submitted to the House Science Committee
Subcommittee on Technology on 10 May 2000, Risks in Our Information
Infrastructures: The Tip of a Titanic Iceberg Is Still All That Is
Visible --
http://www.csl.sri.com/neumann/house00.html
PGN]
CERT Advisory CA-2000-04 Love Letter Worm
Original release date: May 4, 2000
Last revised: --
Source: CERT/CC
Systems Affected
* Systems running Microsoft Windows with Windows Scripting Host enabled
Overview
The "Love Letter" worm is a malicious VBScript program which spreads
in a variety of ways. As of 2:00pm EDT(GMT-4) May 4, 2000 — the CERT
Coordination Center has received reports from more than 250 individual
sites indicating more than 300,000 individual systems are affected. In
addition, we have several reports of sites suffering considerable
network degradation as a result of mail, file, and web traffic
generated by the "Love Letter" worm.
I. Description
You can be infected with the "Love Letter" worm in a variety of ways,
including electronic mail, Windows file sharing, IRC, USENET news and
possibly via webpages. Once the worm has executed on your system, it
will take the actions described in the Impact section.
Electronic Mail
When the worm executes, it attempts to send copies of itself using
Microsoft Outlook to all the entries in all the address books. The
mail it sends has the following characteristics:
* An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
* A subject of "ILOVEYOU"
* A body which reads "kindly check the attached LOVELETTER coming
from me."
People who receive copies of the worm via electronic mail will most
likely recognize the sender. We encourage people to avoid executing
code, including VBScripts, received through electronic mail regardless
of the sender without firsthand prior knowledge of the origin of the
code.
Internet Relay Chat
When the worm executes, it will attempt to create a file named
script.ini in any directory that contains certain files associated
with the popular IRC client mIRC. The script file will attempt to send
a copy of the worm via DCC to other people in any IRC channel joined
by the victim. We encourage people to disable automatic reception of
files via DCC in any IRC client.
Executing Files on Shared File Systems
When the worm executes, it will search for certain types of files and
replace them with a copy of the worm (see the Impact section for more
details). Executing (double clicking) files modified by other infected
users will result in executing the worm. Files modified by the worm
may also be started automatically, for example from a startup script.
Reading USENET News
There have been reports of the worm appearing in USENET newsgroups.
The suggestions above should be applied to users reading messages in
USENET newsgroups.
II. Impact
When the worm is executed, it takes the following steps:
Replaces Files with Copies of the Worm
When the worm executes, it will search for certain types of files and
make changes to those files depending on the type of file. For files
on fixed or network drives, it will take the following steps:
* For files whose extension is vbs or vbe it will replace those
files with a copy of itself.
* For files whose extensions are js, jse, css, wsh, sct, or hta, it
will replace those files with a copy of itself and change the
extension to vbs. For example, a file named x.css will be replaced
with a file named x.vbs containing a copy of the worm.
* For files whose extension is jpg or jpeg, it will replace those
files with a copy of the worm and add a vbs extension. For
example, a file named x.jpg will be replaced by a file called
x.jpg.vbs containing a copy of the worm.
* For files whose extension is mp3 or mp2, it will create a copy of
itself in a file named with a vbs extension in the same manner as
for a jpg file. The original file is preserved, but its attributes
are changed to hidden.
Since the modified files are overwritten by the worm code rather than
being deleted, file recovery is difficult and may be impossible.
Users executing files that have been modified in this step will cause
the worm to begin executing again. If these files are on a filesystem
shared over a local area network, new users may be affected.
Creates an mIRC Script
While the worm is examining files as described in the previous
section, it may take additional steps to create a mIRC script file. If
the file name being examined is mirc32.exe, mlink32.exe, mirc.ini,
script.ini or mirc.hlp, the worm will create a file named script.ini
in the same folder. The script.ini file will contain:
[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick DIRSYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}
where DIRSYSTEM varies based on the platform where the worm is
executed. If the file script.ini already exists, no changes occur.
This code appears to define a script such that whenever the user joins
a channel in IRC, a copy of the worm will be sent to others on the
channel via DCC. The script.ini file is created only once per folder
processed by the worm.
Modifies the Internet Explorer Start Page
If the file <DIRSYSTEM>\WinFAT32.exe exists, the worm sets the
Internet Explorer Start page to one of four randomly selected URLs.
These URLs all refer to a file named WIN-BUGSFIX.exe, which presumably
contains malicious code. The worm checks for this file in the Internet
Explorer downloads directory, and if found, it is added to the list of
programs to run at reboot. The Internet Explorer Start page is then
reset to "about:blank". Information about the impact of running
WIN-BUGSFIX.exe will be added to this document as soon as it is
available.
Send Copies of Itself via E-mail
The worm will attempt to use Microsoft Outlook to send copies of
itself to all entries in all address books as described in the
Description section.
Other Modified Registry Keys
In addition to other changes, the worm updates the following registry
keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\WAB\*
III. Solution
Update Your Anti-Virus Product [...]
Disable Windows Scripting Host [...]
Disable Active Scripting in Internet Explorer [...]
Disable Auto-DCC Reception in IRC Clients [...]
Filter Virus in E-Mail [...]
Sendmail [...]
PostFix [...]
Procmail [...]
Exercise Caution When Opening Attachments [...]
Appendix A. Anti-Virus Vendor Information [...]
[The full Advisory as updated is available from:
http://www.cert.org/advisories/CA-2000-04.html]
CERT/CC Contact Information
E-mail: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Conditions for use, disclaimers, and sponsorship information [...]
Copyright 2000 Carnegie Mellon University.
[PGN-ed for RISKS.]
In the flurry of news about the LoveBug virus, this article stands out: http://news.bbc.co.uk/low/english/sci/tech/newsid_737000/737396.stm. It represents one of the first mainstream media pieces to note that the problem with computer viruses is enabled by Microsoft's designs and wouldn't exist without them. ``Peter Sommer... told BBC News Online that Microsoft created these by building in to their software the tools needed to customize applications. Microsoft customers are going to have to ask the company to review very carefully the level of functionality that they are putting into their systems. [...] One has got to ask why products are put out which contain these programming languages, which may be of use to perhaps only 3 to 4% of the customers but for everyone else presents a considerable threat. [...] These features are also very difficult to turn off. The lesson from Love Bug is that people must be able to kill off this programming functionality within applications programs." Other experts from virus companies are quoted as deflecting the blame from Microsoft, but their business interests depend on there being viruses to stop. If the Windows security model made it very difficult for viruses to propagate, these companies would probably not exist any more.
Peacefire has discovered a security hole in all versions of Eudora mail for
Windows, that can allow a hacker to execute code on a user's machine, by
sending the user e-mail and having them click on a link:
http://www.peacefire.org/security/stealthattach/
(For example, a Eudora user would see this message with the URL above made
into a hyperlink so that you can click on it and load it into your browser.
Using the "stealth attachment" security exploit, you can force code to run
on the user's machine when they click on the link. Don't worry, *this*
message is safe :-) But you can go to the above URL and request a
"demonstration mail" to be sent to you.)
Security holes that allow you to run code on a remote user's machine just by
sending them e-mail, are extremely dangerous — a hacker could use this to
steal or erase any classified data on a remote user's hard drive, even if
that user were behind a corporate firewall and had anti-virus software
running. A virus writer could use the exploit to write a virus that could
spread to almost all Eudora users — numbering in the millions — and
potentially do hundreds of millions of dollars' worth of damage. (Unlike
most such tricks, this exploit does not require the user to do anything
"naive", like run an .exe that is sent to them as an attachment.) USA Today
reported last year on the "BubbleBoy" virus, which similarly used a security
hole in Microsoft Outlook to cause code to run on a user's machine, simply
by reading an e-mail message:
http://www.usatoday.com/life/cyber/tech/ctg633.htm
Unfortunately, unlike the security hole that Peacefire discovered last
week:
http://www.peacefire.org/security/jscookies/
http://news.cnet.com/news/0-1005-200-1717169.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2553337,00.html
http://www.ntsecurity.net/go/load.asp?iD=/security/netscape2.htm
this security hole doesn't involve any cool industry buzzwords like
"javascript" or "cookies". This one just involves — *YAWN* --
e-mail. That is, like, *so* 20th-century. Sorry if this is inconvenient
for journalists writing about this stuff :-)
bennett@peacefire.org (425) 649 9024 http://www.peacefire.org
CERT Advisory CA-2000-05
Netscape Navigator Improperly Validates SSL Sessions
Original release date: May 12, 2000
Source: ACROS, CERT/CC [...]
Systems Affected
* Systems running Netscape Navigator 4.72, 4.61, and 4.07. Other
versions less than 4.72 are likely to be affected as well.
Overview
The ACROS Security Team of Slovenia has discovered a flaw in the way
Netscape Navigator validates SSL sessions.
[The complete CERT Advisory is available from:
http://www.cert.org/advisories/CA-2000-05.html
PGN-ed for RISKS]
http://www.wired.com/news/print/0,1294,36310,00.html The FBI's Interstate Identification Index database system crashed on 11 May, preventing background checks of some 100,000 would-be gun purchasers who have to be vetted by the National Instant Check System. The crash also prevented use of the Integrated Automated Fingerprint Identification System associated with the National Crime Information Center NCIC 2000. Service expected to return on 14 May. [The U.S. General Accounting Office notes that NICS was offline for 215 hours from November 1998 to November 1999. [PGN-ed]
President Clinton announced today that the US government will no longer use
its "Selective Availability" feature to degrade the precision of
measurements possible with civilian (and non-US government) Global
Positioning System (GPS) receivers. One of the concerns cited in the
announcement is the ability to use GPS for emergency response and other
critical, civilian uses.
It is also stated that one of the reasons the US is comfortable making this
change is that it has "demonstrated the capability to selectively deny GPS
signals on a regional basis when our national security is threatened."
The risks: Will this lead to more dependence on a system that may be made
unavailable at any time? For example pilots, outdoor enthusiasts, and
rescue services all use GPS for routine navigation. If that signal was
suddenly made unavailable, would these people still have the necessary
skills to navigate using non-GPS techniques such as map and compass and
terrestrial radio beacons? What about fail-over in automatic computer
systems (such as autopilots) that depend on GPS?
The full announcement is available at the following URL:
http://www.igeb.gov/sa/potus.txt
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information
Alison Mckenzie, of Peterhead, in Aberdeenshire, phoned a 24-hour environmental services helpline after a chorizo sausage she had bought turned out to be green. As a result of a British Telecom system fault, the call was automatically forwarded to police service voicebanks, but also in text form to every BT pager number beginning with 01426. [Not green with envy, and certainly not environmentally green. Mayhaps it was an Irish chorizo? As usual, the wurst is yet to come. PGN-ed from Ian's sources, http://news2.thls.bbc.co.uk/hi/english/uk/scotland/newsid%5F735000/735531.stm http://www.thisisnorthscotland.co.uk/scripts/edarticle-p.asp? section=National+news&ID=29726&source=NAT]
A friend of mine works for [Huge Corporation], where security is frequently announced as being imperative. The operating system of choice is Windows NT, and much work is shared on a networked "drive" type share. This "drive" has a trashcan icon on it. Fishing in said network trashcan results in the discovery of all sorts of information, including Word documents with draft policies, the home addresses of top executives, financial information, etc. The RISK here is that people expect something that looks like a trashcan to behave like one, and behave accordingly. The Memory Hole has become a security hole. -- Conrad Heiney conrad@fringehead.org http://fringehead.org/ [Ah, yes, that is just like your home trashcans. Publically available. You have no idea what dumpster diving can go on after you put something in it. Don't forget all the deleted stuff still in the Word file. You need a bit shredder. Cryptography? Still maybe not enough, but closer. PGN]
Of late, there has been a surge in interest in networking domestic appliances. Electrolux and Whirlpool plan ScreenFridges, where you can see recipes and order food. Ariston has a washing machine with a built-in modem which can telephone automatically for software upgrades for the programme controller. And now there's BT, with: http://www.telegraph.co.uk/et?ac=000111464113065&pg=/et/00/5/7/ntac07.html where domestic appliances are chipped and authorised for use by a home management centre phoning your insurance company. The failure modes here are legion. Move house, and discover that your appliances no longer work while you enter a protracted discussion with your insurance company to authorise your home management centre in its new location (no doubt necessary to prevent the home management centre from being stolen). Have your home management centre crash [Ariston has proposed its kitchen centre be run on Windows CE], and watch it take out your entire kitchen, denying you service in the process. Not so much white goods ideas, as white jacket ideas. It's a recipe for disaster. plumb and play. hah. <L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>
The "Terms and Conditions" you must accept to use the "free" NetZero service include giving up your privacy among other "minor" things: 1) obligation on your part to fill out with real information all questionnaires and survey forms they send; 2) allowing NetZero to learn your browsing habits by tracking all the websites you visit and compile, sell and USE that information. They say personal identifying info won't be disclosed but just the simple fact that they store it on their system where is available to anybody who could lawfully or not access it, is a problem. Let alone they don't exclude themselves from using it so it is possible for them to target you directly. 3) you cannot disable cookies, bypass their ad program (meaning that you can't install firewalling software that would block the ad stream) 4) you allow them to alter your e-mail messages by adding advertising which you cannot remove or obscure (not unusual); 5) the most ridiculous note is that the whole agreement can be changed at any time by posting them on their website, and require you to check them every time before you "use the service", and not use it if you don't agree. Let alone the impossibility of this (how can you browse their website without already being connected, thus using the service), it puts an unreasonable burden on the user. How many will remember the original contract and check the new one for differences, I doubt they would post a "diff" file there :-) Laurentiu Badea
It's extremely important to clarify this "Netscape engineers are weenies!" story. For a variety of reasons, one of which being my own quotes in the original *Wall Street Journal* article on this issue, the public has been overly warned against an extremely limited threat... while the real threat from the dvwssr.dll has been largely ignored by the media. First, clarification of the "secret backdoor password" threat. The possibility that the string above could be used to access the source of Active Server Page (.asp) web files, or configuration files known as .asa, is entirely dependent on the permissions configured on an IIS web server. By default, no access can be gained. If permissions are mis-configured, allowing anonymous read access to the files (they should be permissioned for anonymous *execute*, not read), then there is a way that the obfuscation could permit access. It should be noted that with such a mis-configured system, numerous other access methods would be available also. The important story overlooked was a discovery by CORE-SDI later in the evening after the backdoor story had run virtually everywhere. CORE-SDI, not more than 8 hours after first looking at the dvwssr.dll, was able to published details on a buffer overrun in that .dll that could permit a DoS of IIS boxes. By some other machinations (including moving the file to a directory where it would not normally be found), they were able to execute arbitrary code on the attacked box. Everyone, RFP (who's advisory caused the original stir), CORE-SDI, and Microsoft advised that the dvwssr.dll simply be deleted (from all of its locations) in order to remedy the potential problem(s). While this particular program had minimal use in its lifetime, the fact that a static password (used for obfuscation, not entry) was even present should not be understated. This program has survived numerous Q&A cycles and, if we believe that source code for NT has been available at some 30+ U.S. Universities for years, numerous code reviews. Of interest to RISKS readers should be the fact that MS was, presumably, unaware that it was using obfuscation for security in that program. Russ - NTBugtraq Editor "dot-age" (as in "we're in the dot-age") = senility (source Webster's)
On Wed, 05 Apr 2000, "NewsScan" wrote: > A federal appeals court in Ohio has ruled that encryption software code is > protected by the First Amendment because such code is a means of > communication between computer programmers. For those who want to read the court's opinion itself, it's online at the Sixth Circuit Court of Appeals website. The URL is <http://pacer.ca6.uscourts.gov/cgi-bin/getopn.pl?OPINION=00a0117p.06>; a PDF-formatted file (in two-up form intended for publication as a slip opinion, so the pagination may look odd to you) is at <http://pacer.ca6.uscourts.gov/opinions.pdf/00a0117p-06.pdf>. The citation is Junger v. Daley, No. 98-4045 (6th Cir. Apr. 4, 2000). The opinion is only 8 pages long, most of which simply relates the facts, discusses the standard of appellate review, or states the restates resulting order. The analysis of source code as speech is remarkably short, on page 7, the gist of which is: The Supreme Court has expressed the versatile scope of the First Amendment by labeling as "unquestionably shielded" the artwork of Jackson Pollack, the music of Arnold Schoenberg, or the Jabberwocky verse of Lewis Carroll. ... Though unquestionably expressive, these things identified by the Court are not traditional speech. Particularly, a musical score cannot be read by the majority of the public but can be used as a means of communication among musicians. Likewise, computer source code, though unintelligible to many, is the preferred method of communication among computer programers [sic]. Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment. Terry Carroll, Santa Clara, CA <carroll@tjc.com> "The United States is located in the District of Columbia." Uniform Commercial Code s. 9-307(h)
>The proof of adult status required? A credit card number. >1) I refuse to give my credit card number for a non-purchase reason. You may well find that your credit card Terms and Conditions forbid you from giving your credit-card number to anyone for any reason other than making a purchase. Mine do. Jon Ribbens / jon@oaktree.co.uk
Danny Burstein writes: > Permit me to point out that the famous letter, from Virginia O'Hanlon, was > first printed in the *New York Sun* of 21 September 1897. And in the letter, Virginia quotes her father as saying "if you see it in the Sun, it's so". The New York Sun is also the paper where a series of six articles in August 1835 told how astronomer John Herschel, using a great telescope of new (and in fact impossible) design in South Africa, had observed amazing geological formations and a great variety of life-forms on (and flying above) the surface of the Moon... Of course, this message is off-topic. Questions such as how to determine which information source to trust have no Risks relevance whatever. :-) Mark Brader "Never trust anybody who says 'trust me.' Toronto Except just this once, of course." John Varley, "Steel Beach"
Please report problems with the web pages to the maintainer