The RISKS Digest
Volume 20 Issue 89

Monday, 29th May 2000

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Top-secret stolen UK laptop recovered
Doneel Edelson
Nuclear reactor shuts down in California
Linda Kaplan
Venezuela cites computer glitch, postpones elections
Declan McCullagh
NHL Web attack
Keith A Rhodes
A rather risky device to end high-speed chases
Serguei Patchkovskii
Media gullibility on laser gun to stop cars
John Pettitt
Study shows mobile phones do interfere with avionics
Kevin Connolly
Junk-mail filters: excerpted
Gary Cattarin
Revision control
Mike Albaugh
Outlook "security" patch
Dave Weingart
VBS.NewLove.A false positives
Jeremy Epstein
Risks of virus disinfection
Tom Hayhurst
Widespread Web-Trojan alerts
Chris Adams
CERT Advisory CA-2000-07
CERT
Misleading warning, failure of Netscape SSL server authentication
Kevin Fu
I did not say that! wrt deja.com
Stephen Keeling
Risky quotation
Zygo Blaxell
Info on RISKS (comp.risks)

Top-secret stolen UK laptop recovered

"Edelson, Doneel" <doneel.edelson@eulergroup.com>
Mon, 22 May 2000 16:32:55 -0400
A stolen laptop computer holding details of a top secret 250-billion-pound
Anglo-US super-lethal stealth Strike fighter project has been recovered by
*The Mirror*.  The laptop was stolen from a naval intelligence officer at a
London station two weeks before.  [Source: *Mirror* article 22 May 2000
<http://www.sundaymirror.co.uk>  <http://www.people.co.uk>; PGN-ed]


Nuclear reactor shuts down in California

"Rainbow Queen of infinite Space" <Linda.Kaplan@eng.sun.com>
15 May 2000 11:21:49 -0700
Due to an electrical problem at 12:25 a.m. on 15 May 2000, an automated
shutdown of a Diablo Canyon Unit 1 nuclear power plant reactor released a
small amount of radioactive steam.  Everything seemed to function properly
in the triggered shutdown.  [Source: An AP item on 15 May 2000]


Venezuela cites computer glitch, postpones elections

Declan McCullagh <declan@well.com>
Fri, 26 May 2000 11:30:11 -0400
CARACAS, VENEZUELA — Citing technical woes, Venezuela's high court on
Thursday suspended this weekend's general elections, saying fair balloting
is impossible until the problems are resolved.  Conditions for "credibility
and transparency" in Sunday's presidential, congressional and regional
elections do not exist, said Ivan Rincon of the Supreme Tribunal of Justice.
[...]  President Hugo Chavez had earlier blamed an Omaha (Neb.)-based
company for the technical problems, saying it was part of an overall plan to
"destabilize" the country's electoral process.  [Source: Citing major
computer woes, high court delays elections *Chicago Tribune*, 26 May 2000
http://www.chicagotribune.com/news/printedition/article/0,2669,SAV-0005260364,FF.html;
PGN-ed; see also:
  http://www.washingtonpost.com/wp-dyn/articles/A7231-2000May25.html
  http://www.foxnews.com/world/0523/i_ap_0523_111.sml
  http://news.bbc.co.uk/low/english/world/americas/newsid_764000/764372.stm]
    [Contrast the controversy over the recent election in Peru.  PGN]


NHL Web attack

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Fri, 26 May 2000 07:53:22 -0400
Add the National Hockey League to the long list of sites that have been
attacked.  A distributed denial of service attack on the NHL Web site took
it off the air for several days, 21 through 25 May.  The rather long period
was blamed by the NHL's Web manager on their lack of technical resources,
and chalked it up as a learning experience.  [Source: NHL Web Site Back
Online, Associated Press item, 26 May 2000]


A rather risky device to end high-speed chases

"Serguei Patchkovskii" <patchkov@ucalgary.ca>
Sun, 14 May 2000 9:54:14 MDT
High-speed police chases have been a rather hot topic in Canadian media
recently.  Larry Martens, a 22-year veteran former Mountie (RCMP), has a
patent on a radio device that would allow police to stop the engine of any
fleeing vehicle at the push of a button.  Every vehicle would require a $150
receiver.  [Source: Device could end high-speed chases, by Scott Crowson,
*Calgary Herald*, city section, 14 May 2000; PGN-ed]

Sounds like a worthwhile addition to "1000 ways of having fun with a
police scanner" to me.  [SP]

home page: http://www.cobalt.chem.ucalgary.ca/ps/


Media gullibility on laser gun to stop cars

John Pettitt <jpp@cloudview.com>
Thu, 18 May 2000 23:11:25 -0700
After a recent car chase that ended with the fugitive jumping off the
Golden Gate Bridge there was an item on the TV (NBC national news) about a
new device being promoted to enable police to stop any car using a "laser
gun".   This caught my attention, mostly because it didn't sound
reasonable.   Indeed the secret was revealed at the end of the story when
the reporter said that for the device to work all cars would need to be
fitted with an "inexpensive receiver".

There is so much wrong with this idea it's hard to know where to start;
even if the system was designed well enough that only "real" guns would
work (very unlikely IMHO) a stolen "gun" could create total gridlock in a
city.

Perhaps the biggest risk here is that NBC actually ran the item without
stopping to notice how silly the idea was.

John


Study shows mobile phones do interfere with avionics

Kevin Connolly <Kevin.Connolly@ck.cit.alcatel.fr>
Mon, 29 May 2000 09:14:13 +0100
See http://www.newscientist.com/nsplus/insight/phones/dangersignals.html

The study showed that mobiles caused problems for older generation
avionics during tests in a parked jet.

  "interference levels that exceed demonstrated susceptibility
   levels for aircraft equipment approved against earlier standards"

Kevin Connolly


Junk-mail filters

"Gary Cattarin" <gcattari@nortelnetworks.com>
Fri, 19 May 2000 11:41:41 -0700
  [NOTE: Entire item in RISKS-20.89x.  See below.  PGN]

This I'm sure has been covered before, but here's an interesting example of
filters gone awry.

I recently upgraded (?) to MS Office 2000, which, among other things, lets
you have more than 8 e-mail filters active at once.  In my glee I started
turning things on, including junk mail filtering.  Surprise!  I found 8-10
important messages — all replies to a query I sent out to a personal mailing
list — all dumped into the Junk Mail folder.

What was it?  I'm riding in a charity bicycle ride, and I needed to tell my
pledge-ees that I needed their money now.  So I sent them an e-mail updating
my training status and asking them to send their checks.  Obviously, this
message had at least one dollar sign "$" in it — and because I'm an
excitable guy it had at least one multiple exclamation mark "!!", and since,
at the end, I chided my manager to make good on my exaggerated version of
his pledge:

    <> Mark, didn't you promise $5,000 or something like that?

...we also hit the magic phrase ",000".

Now, the fine folks in Redmond have determined that if these three elements
converge, you have received Spam.  The actual rule (from their web site) is:

    Body contains ",000" AND Body contains "!!" AND Body contains "$"

Who'd have guessed?  In fact, even looking at their filter list, it took me
a long time to figure out which rule I'd hit.  (OK, I'm slow sometimes.)

I guess the rule is (a) don't get too excited ! — one "!" at a time!  (b)
specify your currency as "USD", and (c) use European periods ("5.000")
instead of North American commas in large numbers.  OK, that's silly.  But
just as silly is the fact that any spammer can read the list of rules and
tailor their e-mail to avoid them.

Of course, you might never read this, because if you have junk e-mail
filtering turned on, Outlook will catch THIS message and do with it as
you've requested for junk mail.

Two other interesting points:

(1) In the adult filters you'll find these two:
    Subject contains " sex"
    Subject contains "free" AND Subject contains "sex"
The first is set up with a leading space to only accept the *word* "sex", so
those of us who live here in Middlesex county don't lose any local-related
mail.  But the writer of the second wasn't so careful — what if the
Middlesex News offers free subscriptions?  That's Spam, yes, but not porn (I
guess that's why that newspaper changed its name...).

(2) Don't address your dear friend as such — note the rule:
    Body contains "Dear friend"
My golly!  I can't send some good old-fashioned heartfelt feelings to my
dear friends!!  (oops, double "!!" — I got excited!)

This stuff can be very dangerous...

The entire list is at
http://officeupdate.microsoft.com/Articles/newfilters.htm
I included it here, but the moderator may choose to cut it from the journal
in the interest of space.

  [Your moderator chose to create a supplemental issue,
     RISKS-20.89x
  that contains the complete original submission.  I would have
  included it here, but it is likely to have greatly increased the
  likelihood that the entire RISKS issue would be bounced by many filtering
  programs.  As it is, I frequently get porn-bounce or spam-bounce notices
  on seemingly harmless issues of RISKS.  PGN]


Revision control

Mike Albaugh <albaugh@agames.com>
Thu, 25 May 2000 11:03:35 -0700 (PDT)
When I heard that Microsoft was considering action against the person[s]
responsible for the "Weenie" security hole, "_If they can be found_", my
first thought was along the lines of "These guys don't even have
revision-control on _security_ software?!?", but yesterday morning my
clock-radio woke me up to even more startling news. In a story about the
egregious expansion of search-and-seizure that was added to the new
"Bankruptcy Reform" bill, was the news that the Senate apparently did not
_know_ who had inserted the language, but believed it was the work of a
staffer in Orrin Hatch's office. Now, maybe I was still too groggy, but my
reaction to this was "These guys don't even have revision-control on
_laws_?!?". I wish I could add a :-), but the consequences are potentially
far worse than one more bug in software well known for security
weaknesses. The fact that the suspect language was apparently "included by
reference" from an un-related bill is yet another example of the hazards of
abstraction. IMHO, we as a society place entirely too much trust in
un-trustworthy components and agents.

Note also the parallels to the debate on Open Source.  _In Principle_, every
congressperson would read (and understand) every word of every bill (and
follow/verify references). In practice, only by chance do these alterations
become known.

Mike  albaugh@agames.com


Outlook "security" patch

Dave Weingart <dave.weingart@us.randstad.com>
Thu, 18 May 2000 11:15:50 -0400
Microsoft has decided that since the scripting behavior of Outlook is
unsafe, they're going to disable the ability to actually get many file
attachments (it's not entirely clear if the file will be saved or simply
trashed — it seems to imply that you can't access the attachments within
Outlook 98 and Outlook 2000 only.  If the file is completely trashed, a
whole new RISK is created by people assuming that an e-mailed attachment got
through).

http://www.officeupdate.com/2000/articles/Out2ksecarticle.htm has
Microsoft's official word on the update.

Dave Weingart, Randstad North America  dave.weingart@us.randstad.com
1-516-682-1470


VBS.NewLove.A false positives

"Jeremy Epstein" <jepstein@webmethods.com>
Fri, 19 May 2000 17:58:53 -0400
As everyone knows, VBS.NewLove.A is sweeping the world.  Or is it?  Norton
AntiVirus, using the latest set of definition files (5/18/00) is giving
false positives on a range of files.  On my system, it's complaining about
some pure HTML files (i.e., with no scripting or anything else remotely
malicious).  Their web page doesn't give any details, and I haven't been
able to find anything out, but their technicians did admit to false
positives, and they're working on a new version.

In fairness to Symantec, they're trying to rush out patches as fast as they
can to a rapidly proliferating virus.  However, it's obvious that they
didn't do a very good job of getting the pattern match correct.

--Jeremy


Risks of virus disinfection

"Tom Hayhurst" <aserinsky@hotmail.com>
Thu, 25 May 2000 15:51:33 GMT
In the aftermath of the Love Bug, all e-mail inboxes at my place of
employment have been scanned for suspect attachments. Apparently, a
home-grown perl script (run as root) was used to delete or modify tainted
e-mails. Unfortunately, a side-effect of this was to make all files in the
mail spool directory world-readable about ten days ago. This has only just
been noticed and rectified.

Obvious Risk: immediate, disruptive threats can divert attention away from
safe, well-known procedures.

Tom Hayhurst <aserinsky@hotmail.com>


Widespread Web-Trojan alerts

Chris Adams <chris@improbable.org>
Mon, 15 May 2000 08:17:29 -0700
The people at Zope found a problem with their admin interface
(http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan) that also
applied to just about any web-based admin tool. Basically, an attacker could
create a page that redirected to a site's admin interface or a form that
submitted to it (possibly using JavaScript for automatic submission); in any
case, the effect was that any user who was logged in as a site administrator
could have an attacker execute arbitrary commands in their security context
merely by following a link. If this was carefully set up using JavaScript
and frames, it's more than possible that the admin would never notice what
had happened. This attack would be particularly effective against online
news sites and anyone else for whom it is common to receive many URLs every
day as submissions.

This story was picked up by LWN
(http://www.lwn.net/2000/features/Redirect.phtml) and spread rapidly to the
usual security forums.

There's a very simple fix that prevents this attack from working in any of
the cases reported. The problem is that the form parameters can all be
guessed by the attacker, allowing them to generate a URL easily. Putting in
a random parameter prevents this from being true. Given that you need to
have a random identifier that is not leaked to third parties for meaningful
session management, an obvious step is to put in a parameter in the form
that must match the user's session ID (e.g. Confirm=346593045 instead of
Confirm=true).

(This is still vulnerable if the browser has a security hole which allows an
unrelated site to capture cookies. However, such a bug is really a separate
issue as it would allow an attacker to easily hijack the session directly. A
browser that buggy should not be used.)

What I've found disturbing is that there have been several people attempting
to get the news out since the original wave of reports (~5/10) about having
such a fix that will defang this entire class of attack in a single line of
code. These efforts don't seem to have achieved anything like the visibility
given to the original reports. There's a great deal of speculation about
convoluted, partial means of stopping such attacks and even suggestions
about disabling web-based admin interfaces entirely but, thus far, very
little word about what has to be one of the easiest fixes in the history of
computer security.

The risks? Besides the obvious security concerns, there's the risk that
people will do something rash or remain vulnerable despite the fact that,
contrary to some of the reports, there is a fix and it's quite simple. A
casual observer could easily get the impression that this problem is a major
threat.
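
The fix described in the post above, as an added example that is not part of the original submission or of Zope's code: the admin form carries a parameter bound to the user's session, and the server rejects any request without it. As a variation, the parameter is an HMAC of the session ID rather than the raw ID, so the ID itself never appears in a URL; the key, function names and the `confirm`/`id` fields are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Assumption: a secret held only by the server (generated per process here).
SERVER_KEY = secrets.token_bytes(32)


def new_session_id() -> str:
    """Random session identifier that is never disclosed to third parties."""
    return secrets.token_urlsafe(24)


def form_token(session_id: str) -> str:
    """Derive the unguessable form parameter from the session ID.

    Another site cannot compute this value, so it cannot pre-build a URL
    or form that the admin interface will accept.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_delete_form(session_id: str, object_id: str) -> str:
    """Query string the admin interface embeds in its own pages."""
    return urlencode({"action": "delete", "id": object_id,
                      "confirm": form_token(session_id)})


def handle_admin_request(session_id: str, query: str) -> str:
    """Perform the action only if the token matches this session."""
    params = parse_qs(query)
    supplied = params.get("confirm", [""])[0]
    expected = form_token(session_id)
    # Constant-time comparison; a missing token compares as the empty string.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "403 rejected"
    return "200 deleted " + params.get("id", [""])[0]


if __name__ == "__main__":
    sid = new_session_id()
    # Request built by the admin interface itself: accepted.
    print(handle_admin_request(sid, render_delete_form(sid, "doc42")))
    # Request with the guessable value from the post (confirm=true): rejected.
    print(handle_admin_request(sid, "action=delete&id=doc42&confirm=true"))
```
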


CERT Advisory CA-2000-07 [Abridged for RISKS]

CERT Advisory <cert-advisory@cert.org>
Wed, 24 May 2000 15:54:49 -0400 (EDT)
CERT Advisory CA-2000-07 Microsoft Office 2000 UA ActiveX Control
Incorrectly Marked "Safe for Scripting"

[The full Advisory is at
   http://www.cert.org/advisories/CA-2000-07.html
PGN]

Systems Affected

     * Systems with Internet Explorer and Microsoft Office 2000
       components, including

     * Word 2000
     * Excel 2000
     * PowerPoint 2000
     * Access 2000
     * Photodraw 2000
     * FrontPage 2000
     * Project 2000
     * Outlook 2000
     * Publisher 2000
     * Works 2000 Suite

Overview

   The Microsoft Office 2000 UA ActiveX control is incorrectly marked as
   "safe for scripting". This vulnerability may allow an intruder to
   disable macro warnings in Office products and, subsequently, execute
   arbitrary code. This vulnerability may be exploited by viewing an HTML
   document via a web page, newsgroup posting, or e-mail message.

I. Description

   Microsoft and L0pht Research Labs have recently published advisories
   describing a vulnerability in the Microsoft Office 2000 UA ActiveX
   control. Due to the severity of this vulnerability, we are issuing a
   CERT advisory to help reach as broad an audience as possible.

Microsoft has published a security bulletin, an FAQ, and a knowledgebase
article describing this vulnerability. These documents are available from
Microsoft's web site:
   http://microsoft.com/technet/security/bulletin/ms00-034.asp
   http://microsoft.com/technet/security/bulletin/fq00-034.asp
   http://microsoft.com/technet/support/kb.asp?ID=262767

The CERT Coordination Center thanks L0pht Research Labs and @Stake for
initially discovering and reporting this vulnerability. We also thank the
Microsoft Security Team for their assistance in preparing this advisory.


Misleading warning, failure of Netscape SSL server authentication

Kevin Fu <fubob@MIT.EDU>
Fri, 26 May 2000 09:51:05 EDT
Here is an example where improper caching and poor GUI design can render a
particular implementation of SSL server authentication insecure.

Within one Netscape session, if a user clicks on "continue" in response to a
"hostname does not match name in certificate," then that certificate is
incorrectly validated for future use in the Netscape session, REGARDLESS of
the hostname or IP address of other servers that use the certificate.

It seems that the "Certificate Name Check" warning will cache a certificate
as valid for any hostname or IP address in the future.  In this way, if an
adversary tricks a user into accepting an invalid certificate at a seemingly
benign site, then the user can then be tricked if he/she ever visits a
malicious site using the same certificate.  A "continue" click on a
seemingly benign SSL web server might end up taking away server
authentication from visiting
https://www.a-site-that-you-give-private-info.com/ that has poisoned DNS.

Since this is a risks post, there has to be a lesson:

* Be explicit.  Netscape's security warning does not indicate
  clearly what will result by clicking "continue."

* Even if the design is good, an implementation can go wrong.
  Netscape invented SSL, but it has a hard time using it correctly.
  Does this scare you?  It should.  If a company who designs
  an accepted security protocol cannot use it correctly, then
  think about the companies implementing homebrew security...

* Implementation bugs are not unique to Netscape.  PGP has a
  relatively good but absolutely dangerous user interface that can
  mislead users.  See the "Why Johnny Can't Encrypt" paper by Alma
  Whitten for an excellent analysis.   [SEE NOTE]

For a full report, see
http://snafu.fooworld.org/~fubob/netscape-ssl.html or
http://www.cert.org/advisories/CA-2000-08.html

Kevin E. Fu (fubob@mit.edu)

  [NOTE: The paper must be Whitten in Inwisible Ink.  PGN-Enquipped]
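
The caching behaviour described in the post above, modelled as an added example (not Netscape's code and not part of the original submission): a name-mismatch override remembered per certificate, beside one remembered per (hostname, certificate) pair. The class, the hostnames, the SHA-256 fingerprint and the exact-match name check are assumptions made for the illustration.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """Identify a certificate by a hash of its encoded bytes."""
    return hashlib.sha256(cert_der).hexdigest()


class OverrideStore:
    """Remembers certificates the user accepted despite a name mismatch."""

    def __init__(self, scope_to_host: bool):
        # False models the behaviour in the post: the key is the certificate
        # alone. True binds each override to the host it was granted for.
        self.scope_to_host = scope_to_host
        self._accepted = set()

    def _key(self, host: str, cert_der: bytes):
        fp = fingerprint(cert_der)
        return (host.lower(), fp) if self.scope_to_host else fp

    def user_clicked_continue(self, host: str, cert_der: bytes) -> None:
        self._accepted.add(self._key(host, cert_der))

    def check(self, host: str, cert_names: list, cert_der: bytes) -> str:
        # Simplified name check: exact, case-insensitive match, no wildcards.
        if host.lower() in (n.lower() for n in cert_names):
            return "ok"
        if self._key(host, cert_der) in self._accepted:
            return "ok-by-override"
        return "warn"


def visit_sequence(store: OverrideStore):
    """Accept a mismatch on one host, then meet the same cert on another."""
    cert = b"constructed certificate bytes"   # constructed stand-in for DER
    names = ["www.example.test"]               # names inside the certificate
    first = store.check("benign.example.test", names, cert)
    store.user_clicked_continue("benign.example.test", cert)
    second = store.check("private-info.example.test", names, cert)
    return first, second


if __name__ == "__main__":
    print("per-certificate cache:", visit_sequence(OverrideStore(False)))
    print("per-host cache:       ", visit_sequence(OverrideStore(True)))
```
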


I did not say that! wrt deja.com

"s. keeling" <keeling@spots.ab.ca>
Wed, 24 May 2000 01:01:12 -0600
I don't know if this is a problem or if I'm overreacting.  I just did
a search on my user id and chanced across a misquoted (by some usenet
newbie) news article that attributes statements I never said to me.

http://x69.deja.com/[ST_rn=fs]/getdoc.xp?AN=624428330&CONTEXT=959150860.1906835472&hitnum=6

Do people take deja/usenet with a grain of salt, or should I worry
about what anyone can say I said?

keelingNO@SPAM.spots.ab.ca (Stephen) TopQuark Software & Serv.

  [Misinformation has a horrible way of propagating.  If I were you, I would
  put a note on your Web site disowning something like that and perhaps
  putting in a thoughtful item on the risks of being misquoted.  PGN]


Risky quotation

Zygo Blaxell <uryse0d5@umail.furryterror.org>
22 May 2000 23:25:38 -0400
While at a bookstore the other day, my spouse was presented with a credit
card signature slip printed by an Interac point-of-sale terminal.  It was
just like any other credit signature slip, except that the usual "customer
signature" line was printed twice, one on top of the other, with ample
space for the signature in both places--a harmless glitch, probably
due to an obvious and simple programming error.

We pointed the error out to the cashier, who was probably barely old
enough to be legally employed, and her response, if she speaks for her
generation, was ominous, even terrifying:

    "It does that because ... because it's a computer."

An entire generation is growing up believing that the current sorry state
of affairs in information technology could ever be accepted as _normal_!
