The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 89

Monday 29 May 2000

Contents

o Top-secret stolen UK laptop recovered
Doneel Edelson
o Nuclear reactor shuts down in California
Linda Kaplan
o Venezuela cites computer glitch, postpones elections
Declan McCullagh
o NHL Web attack
Keith A Rhodes
o A rather risky device to end high-speed chases
Serguei Patchkovskii
o Media gullibility on laser gun to stop cars
John Pettitt
o Study shows mobile phones do interfere with avionics
Kevin Connolly
o Junk-mail filters: excerpted
Gary Cattarin
o Revision control
Mike Albaugh
o Outlook "security" patch
Dave Weingart
o VBS.NewLove.A false positives
Jeremy Epstein
o Risks of virus disinfection
Tom Hayhurst
o Widespread Web-Trojan alerts
Chris Adams
o CERT Advisory CA-2000-07
CERT
o Misleading warning, failure of Netscape SSL server authentication
Kevin Fu
o I did not say that! wrt deja.com
Stephen Keeling
o Risky quotation
Zygo Blaxell
o Info on RISKS (comp.risks)

Top-secret stolen UK laptop recovered

"Edelson, Doneel" <doneel.edelson@eulergroup.com>
Mon, 22 May 2000 16:32:55 -0400
A stolen laptop computer holding details of a top secret 250-billion-pound
Anglo-US super-lethal stealth Strike fighter project has been recovered by
*The Mirror*.  The laptop was stolen from a naval intelligence officer at a
London station two weeks before.  [Source: *Mirror* article 22 May 2000
<http://www.sundaymirror.co.uk>  <http://www.people.co.uk>; PGN-ed]


Nuclear reactor shuts down in California

Queen of infinite Space)" <Linda.Kaplan@eng.sun.com ("Rainbow>
15 May 2000 11:21:49 -0700
Due to an electrical problem at 12:25 a.m. on 15 May 2000, an automated
shutdown of a Diablo Canyon Unit 1 nuclear power plant reactor released a
small amount of radioactive steam.  Everything seemed to function properly
in the triggered shutdown.  [Source: An AP item on 15 May 2000]


Venezuela cites computer glitch, postpones elections

Declan McCullagh <declan@well.com>
Fri, 26 May 2000 11:30:11 -0400
CARACAS, VENEZUELA -- Citing technical woes, Venezuela's high court on
Thursday suspended this weekend's general elections, saying fair balloting
is impossible until the problems are resolved.  Conditions for "credibility
and transparency" in Sunday's presidential, congressional and regional
elections do not exist, said Ivan Rincon of the Supreme Tribunal of Justice.
[...]  President Hugo Chavez had earlier blamed an Omaha (Neb.)-based
company for the technical problems, saying it was part of an overall plan to
"destabilize" the country's electoral process.  [Source: Citing major
computer woes, high court delays elections *Chicago Tribune*, 26 May 2000
http://www.chicagotribune.com/news/printedition/article/0,2669,SAV-0005260364,FF.html;
PGN-ed; see also:
  http://www.washingtonpost.com/wp-dyn/articles/A7231-2000May25.html
  http://www.foxnews.com/world/0523/i_ap_0523_111.sml
  http://news.bbc.co.uk/low/english/world/americas/newsid_764000/764372.stm]
    [Contrast the controversy over the recent election in Peru.  PGN]


NHL Web attack

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Fri, 26 May 2000 07:53:22 -0400
Add the National Hockey League to the long list of sites that have been
attacked.  A distributed denial of service attack on the NHL Web site took
it off the air for several days, 21 through 25 May.  The rather long period
was blamed by the NHL's Web manager on their lack of technical resources,
and chalked it up as a learning experience.  [Source: NHL Web Site Back
Online, Associated Press item, 26 May 2000]


A rather risky device to end high-speed chases

"Serguei Patchkovskii" <patchkov@ucalgary.ca>
Sun, 14 May 2000 9:54:14 MDT
High-speed police chases have been a rather hot topic in Canadian media
recently.  Larry Martens, a 22-year veteran former Mountie (RCMP), has a
patent on a radio device that would allow police to stop the engine of any
fleeing vehicle at the push of a button.  Every vehicle would require a $150
receiver.  [Source: Device could end high-speed chases, by Scott Crowson,
*Calgary Herald*, city section, 14 May 2000; PGN-ed]

Sounds like a worthwhile addition to "1000 ways of having fun with a
police scanner" to me.  [SP]

home page: http://www.cobalt.chem.ucalgary.ca/ps/


Media gullibility on laser gun to stop cars

John Pettitt <jpp@cloudview.com>
Thu, 18 May 2000 23:11:25 -0700
After a recent car chase that ended with the fugitive jumping off the
Golden Gate Bridge there was an item on the TV (NBC national news) about a
new device being promoted to enable police to stop any car using a "laser
gun".   This caught my attention, mostly because it didn't sound
reasonable.   Indeed the secret was revealed at the end of the story when
the reporter said that for the device to work all cars would need to be
fitted with an "inexpensive receiver".

There is so much wrong with this idea it's hard to know where to start;
even if the system was designed well enough that only "real" guns would
work (very unlikely IMHO) a stolen "gun" could create total gridlock in a
city.

Perhaps the biggest risk here is that NBC actually ran the item without
stopping to notice how silly the idea was.

John


Study shows mobile phones do interfere with avionics

Kevin Connolly <Kevin.Connolly@ck.cit.alcatel.fr>
Mon, 29 May 2000 09:14:13 +0100
See http://www.newscientist.com/nsplus/insight/phones/dangersignals.html

The study showed that mobiles caused problems for older generation
avionics during tests in a parked jet.

  "interference levels that exceed demonstrated susceptibility
   levels for aircraft equipment approved against earlier standards"

Kevin Connolly


Junk-mail filters

"Gary Cattarin" <gcattari@nortelnetworks.com>
Fri, 19 May 2000 11:41:41 -0700
  [NOTE: Entire item in RISKS-20.89x.  See below.  PGN]

This I'm sure has been covered before, but here's an interesting example of
filters gone awry.

I recently upgraded (?) to MS Office 2000, which, among other things, lets
you have more than 8 e-mail filters active at once.  In my glee I started
turning things on, including junk mail filtering.  Surprise!  I found 8-10
important messages -- all replies to a query I sent out to a personal mailing
list -- all dumped into the Junk Mail folder.

What was it?  I'm riding in a charity bicycle ride, and I needed to tell my
pledge-ees that I needed their money now.  So I sent them an e-mail updating
my training status and asking them to send their checks.  Obviously, this
message had at least one dollar sign "$" in it -- and because I'm an
excitable guy it had at least one multiple exclamation mark "!!", and since,
at the end, I chided my manager to make good on my exaggerated version of
his pledge:

    <> Mark, didn't you promise $5,000 or something like that?

...we also hit the magic phrase ",000".

Now, the fine folks in Redmond have determined that if these three elements
converge, you have received Spam.  The actual rule (from their web site) is:

    Body contains ",000" AND Body contains "!!" AND Body contains "$"

Who'd have guessed?  In fact, even looking at their filter list, it took me
a long time to figure out which rule I'd hit.  (OK, I'm slow sometimes.)

I guess the rule is (a) don't get too excited ! -- one "!" at a time!  (b)
specify your currency as "USD", and (c) use European periods ("5.000")
instead of North American commas in large numbers.  OK, that's silly.  But
just as silly is the fact that any spammer can read the list of rules and
tailor their e-mail to avoid them.

Of course, you might never read this, because if you have junk e-mail
filtering turned on, Outlook will catch THIS message and do with it as
you've requested for junk mail.

Two other interesting points:

(1) In the adult filters you'll find these two:
    Subject contains " sex"
    Subject contains "free" AND Subject contains "sex"
The first is set up with a leading space to only accept the *word* "sex", so
those of us who live here in Middlesex county don't lose any local-related
mail.  But the writer of the second wasn't so careful -- what if the
Middlesex News offers free subscriptions?  That's Spam, yes, but not porn (I
guess that's why that newspaper changed its name...).

(2) Don't address your dear friend as such -- note the rule:
    Body contains "Dear friend"
My golly!  I can't send some good old-fashioned heartfelt feelings to my
dear friends!!  (oops, double "!!" -- I got excited!)

This stuff can be very dangerous...

The entire list is at
http://officeupdate.microsoft.com/Articles/newfilters.htm
I included it here, but the moderator may choose to cut it from the journal
in the interest of space.

  [Your moderator chose to create a supplemental issue,
     RISKS-20.89x
  that contains the complete original submission.  I would have
  included it here, but it is likely to have greatly increased the
  likelihood that the entire RISKS issue would be bounced by many filtering
  programs.  As it is, I frequently get porn-bounce or spam-bounce notices
  on seemingly harmless issues of RISKS.  PGN]


Revision control

Mike Albaugh <albaugh@agames.com>
Thu, 25 May 2000 11:03:35 -0700 (PDT)
When I heard that Microsoft was considering action against the person[s]
responsible for the "Weenie" security hole, "_If they can be found_", my
first thought was along the lines of "These guys don't even have
revision-control on _security_ software?!?", but yesterday morning my
clock-radio woke me up to even more startling news. In a story about the
egregious expansion of search-and-seizure that was added to the new
"Bankruptcy Reform" bill, was the news that the Senate apparently did not
_know_ who had inserted the language, but believed it was the work of a
staffer in Orin Hatch's office. Now, maybe I was still too groggy, but my
reaction to this was "These guys don't even have revision-control on
_laws_?!?". I wish I could add a :-), but the consequences are potentially
far worse than one more bug in software well known for security
weaknesses. The fact that the suspect language was apparently "included by
reference" from an un-related bill is yet another example of the hazards of
abstraction. IMHO, we as a society place entirely too much trust in
un-trustworthy components and agents.

Note also the parallels to the debate on Open Source.  _In Principle_, every
congressperson would read (and understand) every word of every bill (and
follow/verify references). In practice, only by chance do these alterations
become known.

Mike  albaugh@agames.com


Outlook "security" patch

Dave Weingart <dave.weingart@us.randstad.com>
Thu, 18 May 2000 11:15:50 -0400
Microsoft has decided that since the scripting behavior of Outlook is
unsafe, they're going to disable the ability to actually get many file
attachments (it's not entirely clear if the file will be saved or simply
trashed -- it seems to imply that you can't access the attachments within
Outlook 98 and Outlook 2000 only.  If the file is completely trashed, a
whole new RISK is created by people assuming that an e-mailed attachment got
through).

http://www.officeupdate.com/2000/articles/Out2ksecarticle.htm has
Microsoft's official word on the update.

Dave Weingart, Randstad North America  dave.weingart@us.randstad.com
1-516-682-1470


VBS.NewLove.A false positives

"Jeremy Epstein" <jepstein@webmethods.com>
Fri, 19 May 2000 17:58:53 -0400
As everyone knows, VBS.NewLove.A is sweeping the world.  Or is it?  Norton
AntiVirus, using the latest set of definition files (5/18/00) is giving
false positives on a range of files.  On my system, it's complaining about
some pure HTML files (i.e., with no scripting or anything else remotely
malicious).  Their web page doesn't give any details, and I haven't been
able to find anything out, but their technicians did admit to false
positives, and they're working on a new version.

In fairness to Symantec, they're trying to rush out patches as fast as they
can to a rapidly proliferating virus.  However, it's obvious that they
didn't do a very good job of getting the pattern match correct.

--Jeremy


Risks of virus disinfection

"Tom Hayhurst" <aserinsky@hotmail.com>
Thu, 25 May 2000 15:51:33 GMT
In the aftermath of the Love Bug, all e-mail inboxes at my place of
employment have been scanned for suspect attachments. Apparently, a
home-grown perl script (run as root) was used to delete or modify tainted
e-mails. Unfortunately, a side-effect of this was to make all files in the
mail spool directory world-readable about ten days ago. This has only just
been noticed and rectified.

Obvious Risk: immediate, disruptive threats can divert attention away from
safe, well-known procedures.

Tom Hayhurst <aserinsky@hotmail.com>


Widespread Web-Trojan alerts

Chris Adams <chris@improbable.org>
Mon, 15 May 2000 08:17:29 -0700
The people at Zope found a problem with their admin interface
(http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan) that also
applied to just about any web-based admin tool. Basically, an attacker could
create a page that redirected to site's admin interface or a form that
submitted to it (possibly using JavaScript for automatic submission); in any
case, the effect was that any use who was logged in as a site administrator
could have an attacker execute arbitrary commands in their security context
merely by following a link. If this was carefully set up using JavaScript
and frames, it's more than possible that the admin would never notice what
had happened. This attack would be particularly effective against online
news sites and anyone else for whom it is common to receive many URLs every
day as submissions.

This story was picked up by LWN (http://www.lwn.net/2000/features/
Redirect.phtml) and spread rapidly to the usual security forums.

There's a very simple fix that prevents this attack from working in any of
the cases reported. The problem is that the form parameters can all be
guessed by the attacker, allowing them to generate a URL easily. Putting in
a random parameter prevents this from being true. Given that you need to
have a random identifier that is not leaked to third parties for meaningful
session management, an obvious step is to put in a parameter in the form
that must match the user's session ID (e.g. Confirm=346593045 instead of
Confirm=true).

(This is still vulnerable if the browser has a security hole which allows an
unrelated site to capture cookies. However, such a bug is really a separate
issue as it would allow an attacker to easily hijack the session directly. A
browser that buggy should not be used.)

What I've found disturbing is that there have been several people attempting
to get the news out since the original wave of reports (~5/10) about having
such a fix that will defang this entire class of attack in a single line of
code. These efforts don't seem to have achieved anything like the visibility
given to the original reports. There's a great deal of speculation about
convoluted, partial means of stopping such attacks and even suggestions
about disabling web-based admin interfaces entirely but, thus far, very
little word about what has to be one of the easiest fixes in the history of
computer security.

The risks? Besides the obvious security concerns, there's the risk that
people will do something rash or remain vulnerable despite the fact that,
contrary to some of the reports, there is a fix and it's quite simple. A
casual observer could easily get the impression that this problem is a major
threat.


CERT Advisory CA-2000-07 [Abridged for RISKS]

CERT Advisory <cert-advisory@cert.org>
Wed, 24 May 2000 15:54:49 -0400 (EDT)
CERT Advisory CA-2000-07 Microsoft Office 2000 UA ActiveX Control
Incorrectly Marked "Safe for Scripting"

[The full Advisory is at
   http://www.cert.org/advisories/CA-2000-07.html
PGN]

Systems Affected

     * Systems with Internet Explorer and Microsoft Office 2000
       components, including

     * Word 2000
     * Excel 2000
     * PowerPoint 2000
     * Access 2000
     * Photodraw 2000
     * FrontPage 2000
     * Project 2000
     * Outlook 2000
     * Publisher 2000
     * Works 2000 Suite

Overview

   The Microsoft Office 2000 UA ActiveX control is incorrectly marked as
   "safe for scripting". This vulnerability may allow an intruder to
   disable macro warnings in Office products and, subsequently, execute
   arbitrary code. This vulnerability may be exploited by viewing an HTML
   document via a web page, newsgroup posting, or e-mail message.

I. Description

   Microsoft and L0pht Research Labs have recently published advisories
   describing a vulnerability in the Microsoft Office 2000 UA ActiveX
   control. Due to the severity of this vulnerability, we are issuing a
   CERT advisory to help reach as broad an audience as possible.

Microsoft has published a security bulletin, an FAQ, and a knowledgebase
article describing this vulnerability. These documents are available from
Microsoft's web site:
   http://microsoft.com/technet/security/bulletin/ms00-034.asp
          http://microsoft.com/technet/security/bulletin/fq00-034.asp
          http://microsoft.com/technet/support/kb.asp?ID=262767

The CERT Coordination Center thanks L0pht Research Labs and @Stake for
initially discovering and reporting this vulnerability. We also thank the
Microsoft Security Team for their assistance in preparing this advisory.


Misleading warning, failure of Netscape SSL server authentication

Kevin Fu <fubob@MIT.EDU>
Fri, 26 May 2000 09:51:05 EDT
Here is an example where improper caching and poor GUI design can render a
particular implementation of SSL server authentication insecure.

Within one Netscape session, if a user clicks on "continue" in response to a
"hostname does not match name in certificate," then that certificate is
incorrectly validated for future use in the Netscape session, REGARDLESS of
the hostname or IP address of other servers that use the certificate.

It seems that the "Certificate Name Check" warning will cache a certificate
as valid for any hostname or IP address in the future.  In this way, if an
adversary tricks a user into accepting an invalid certificate at a seemingly
benign site, then the user can then be tricked if he/she ever visits a
malicious site using the same certificate.  A "continue" click on a
seemingly benign SSL web server might end up taking away server
authentication from visiting
https://www.a-site-that-you-give-private-info.com/ that has poisoned DNS.

Since this is a risks post, there has to be a lesson:

* Be explicit.  Netscape's security warning does not indicate
  clearly what will result by clicking "continue."

* Even if the design is good, an implementation can go wrong.
  Netscape invented SSL, but it has a hard time using it correctly.
  Does this scare you?  It should.  If a company who designs
  an accepted security protocol cannot use it correctly, then
  think about the companies implementing homebrew security...

* Implementation bugs are not unique to Netscape.  PGP has a
  relatively good but absolutely dangerous user interface that can
  mislead users.  See the "Why Johnny Can't Encrypt" paper by Alma
  Whitten for an excellent analysis.   [SEE NOTE]

For a full report, see
http://snafu.fooworld.org/~fubob/netscape-ssl.html or
http://www.cert.org/advisories/CA-2000-08.html

Kevin E. Fu (fubob@mit.edu)

  [NOTE: The paper must be Whitten in Inwisible Ink.  PGN-Enquipped]


I did not say that! wrt deja.com

"s. keeling" <keeling@spots.ab.ca>
Wed, 24 May 2000 01:01:12 -0600
I don't know if this is a problem or if I'm over reacting.  I just did
a search on my user id and chanced across a misquoted (by some usenet
newbie) news article that attributes statements I never said to me.

http://x69.deja.com/[ST_rn=fs]/getdoc.xp?AN=624428330&CONTEXT=959150860.1906835472&hitnum=6

Do people take deja/usenet with a grain of salt, or should I worry
about what anyone can say I said?

keelingNO@SPAM.spots.ab.ca (Stephen) TopQuark Software & Serv.

  [Misinformation has a horrible way of propagating.  If I were you, I would
  put a note on your Web site disowning something like that and perhaps
  putting in a thoughtful item on the risks of being misquoted.  PGN]


Risky quotation

Zygo Blaxell <uryse0d5@umail.furryterror.org>
22 May 2000 23:25:38 -0400
While at a bookstore the other day, my spouse was presented with a credit
card signature slip printed by an Interac point-of-sale terminal.  It was
just like any other credit signature slip, except that the usual "customer
signature" line was printed twice, one on top of the other, with ample
space for the signature in both places--a harmless glitch, probably
due to an obvious and simple programming error.

We pointed the error out to the cashier, who was probably barely old
enough to be legally employed, and her response, if she speaks for her
generation, was ominous, even terrifying:

    "It does that because ... because it's a computer."

An entire generation is growing up believing that the current sorry state
of affairs in information technology could ever be accepted as _normal_!

Please report problems with the web pages to the maintainer

Top