The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 2

Saturday 26 August 2000

Contents

Hoaxes: When will they learn?
Dave Farber
NY State's running out of fingerprint IDs
Danny Burstein
Mobile phone malware on i-mode in Japan
Kevin Connolly
Firepower via Web interface
Anatole Shaw
Sydney Airport baggage system fails for second time in five days
Stellios Keskinidis
Airline E-Ticket risks
Paul Wallich
Risks on public transit: mechanical and human failures in Toronto
Stephen van Egmond
Bangkok robot security guard
Torrey Hoffman
Professor stole 40 student SSNs and IDs to get credit cards
Joan L. Brewer
Kaiser Permanente medical e-mails go astray
Sheri Alpert
Wake up, your TV is talking to your bracelet
NewsScan
SSL Server Security Survey
Monty Solomon
*The Globe and Mail* Web site exposing search-engine log file
Esteban Gutierrez-Moguel
Blocked e-mail and Web sites
PGN
Major security hole in new online organizer service
Paul van Keep
Hackers breach Firewall-1
PGN
GAO says EPA's computer security is "riddled" with weaknesses
Declan McCullagh
Bruce Schneier's Secrets and Lies
PGN
Software Risk Management Conference ISACC
Gary McGraw
Info on RISKS (comp.risks)

Hoaxes: When will they learn?

<Dave Farber <farber@cis.upenn.edu>>
Fri, 25 Aug 2000 14:24:13 -0400

We have had the technology to do digitally signed authentication for many
years and yet still companies and people do not sign their email and look
what happens, and I mean REAL signatures not just what the Congress thinks
is digitally signed material.  Dave

Shares of the Emulex Corporation plunged more than 60 percent Friday
following the distribution of a bogus press release about the computer
network equipment maker's earnings.  Trading in the stock was halted for
about three hours after the hoax started showing up in financial news
reports. The hoax wiped more than $2 billion off the company's stock market
value, leaving it around $2 billion.

Emulex's shares finally resumed trading at 1:30 p.m. Eastern time and
recaptured most of their loss. The stock was lately trading down 6, or 5.3
percent, at 107 1/16 after earlier plunging as low as 43.

The fake press release, which appeared on the Internet around the time of
the market's opening bell, claimed that Emulex would restate its fiscal
fourth-quarter earnings as a loss. There were also headlines that the
Securities and Exchange Commission was investigating accounting
irregularities at the company and that Emulex's president and chief
executive, Paul Folino, was stepping down.

  [Source: http://www.nytimes.com/yr/mo/day/news/financial/25tsc-emulex.html
  From Dave Farber's IP list.
  See also http://cnnfn.cnn.com/2000/08/25/companies/emulex/ .  PGN]


NY State's running out of fingerprint IDs

<danny burstein <dannyb@panix.com>>
Sat, 26 Aug 2000 01:44:20 -0400 (EDT)

  In a problem officials are comparing to the Y2K scare, the state says
  it will run out of numbers to assign to the fingerprints it keeps on
  file -- and will begin recycling old ones -- next year.
  [Source: State's running out of fingers to count IDs on,
  by Greg Wilson, *NY Daily News*, 25 Aug 2000]

The article continues by pointing out that there are only seven digits for
the ID field, meaning a total of 9,999,999 records. (I'd be a bit surprised
if they had actually started with "0000001" rather than "1000001", but since
these date from the old paper card days it's quite possible.)

With NYS's population being about 18 million (subject to whether you use the
"actual enumeration" census figures or the "statistical correction" - but
that's another Risk entirely...) and with records going back for decades,
the justice division is rapidly running out of numbers.

So, effective in August 2001, they anticipate reusing ID numbers of people
who have died or otherwise been removed from the register.

No need to worry if your ID number matches that of a serial murderer,
though. The article continues that:

   Officials offered assurances that the numbers crunch will not result
   in the misidentification of law-abiding citizens who are issued
   numbers previously assigned to criminals.

Why am I not reassured?


Mobile phone malware on i-mode in Japan

<kmc@eircom.net>
Fri, 25 Aug 2000 08:25:13 +0100

The risk is that people designing new mobile phone functions do not learn from
the mistakes in the MS Word macro "virus enabling" feature.

http://www.zdnet.co.uk/news/2000/31/ns-17205.html

"Hundreds of Japanese i-mode users were stung by a prank which
 forced phones to dial "110" -- the police emergency telephone
 number in Japan -- during an online quiz."

Kevin Connolly


Firepower via Web interface

<Anatole Shaw <anatole@mindspring.com>>
Thu, 17 Aug 2000 19:44:36 -0400 (EDT)

http://www.bangkokpost.net/today/170800_News03.html

The Thailand Research Fund has unveiled a new robot, resembling a giant
ladybug with a couple of extra limbs.  The unit is equipped with
visible-spectrum and thermal vision, and a gun.  According to Prof.
Pitikhet Suraksa, its shooting habits can be automated, or controlled "from
anywhere through the Internet" with a password.  The risks of both modes are
obvious, but the latter is new to this arena.  Police robots of this ilk
have been around for a long time, but are generally radio-controlled.  The
apparent goal here is to make remote firepower available on-the-spot from
around the Internet, which means insecure clients everywhere.  How long will
it take for one of these passwords to be leaked via a keyboard capture, or a
browser bug?  Slowly, we're bringing the risks of online banking to
projectile weaponry.


Sydney Airport baggage system fails for second time in five days

<stellios keskinidis <stellios@ozemail.com.au>>
Sun, 20 Aug 2000 19:07:17 +1000 (EST)

As a result of an hour-long computer glitch during the integration of the
security system with the main baggage-handling system, Sydney airport's new
$43 million baggage system failed on 20 Aug 2000 for the second time in five
days (with the Olympic Games a month away).  (The previous problem was in
the new checked bag screening system.)  [Source: PGN-ed from
http://news.ninemsn.com.au/01_national/story_8815.asp, 20 Aug 2000]

  [Same article also noted by Steve Gillanders.  PGN]


Airline E-Ticket risks

<Paul Wallich <pw@panix.com>>
Tue, 1 Aug 2000 16:39:31 -0400

Continental Airlines has installed a very efficient new system for travelers
whose tickets exist only in computerized form: swipe a credit card or other
means of ID, tell the touch screen how many bags you have to check and
answer the usual security questions about who packed them and whether
they've been out of your sight, and it prints out a boarding pass.  You can
also change your seat and (possibly) other aspects of your itinerary on the
spot.

The machines are supposed to be tended by agents who check your luggage
(should you have any to check) and look at a photo ID to make sure you're
who your credit card says you are.  But in some busy airports (say, for
example, Detroit last weekend) the machines appear to function unmonitored.

There's a long list of risks here relating both to terrorism and to
theft, and I don't see any obvious way of fixing them in the context
of the current system, except perhaps to require an ID check
somewhere downstream of the boarding pass issuance.

(Of course it doesn't make me any happier to note that with the endemic
delays in today's air transport system you also have passengers leaving
aircraft and then reboarding with no verifiable checks on either identity or
luggage.)

Paul Wallich  pw@panix.com


Risks on public transit: mechanical and human failures in Toronto

<Stephen van Egmond <svanegmond@bang.dhs.org>>
Wed, 16 Aug 2000 21:47:07 -0400

http://www.ttc.ca/postings/gso-comrpt/documents/report/f910/_conv.htm
This URL gives an interesting report the Toronto Transit Commission
describing an alarming situation on a revenue train.  It provides a lot
more detail than you might find in a media article.

The sequence of mechanical and human failures that contributed to the
dangerous situation is interesting, as is the TTC's response, which
includes:

* training (i.e., pounding on the table and saying "don't do that")
* reducing training (i.e., not teaching operators how to do a dangerous
  procedure)
* physical hacks

For background, the TTC runs trains in sets of six cars composed of three
mated pairs.  Each car has an operator's cab where motion and doors can be
controlled, and a window which, when opened, reveals door control buttons.

Stephen van Egmond  http://bang.dhs.org/


Bangkok robot security guard

<Torrey Hoffman <torrey.hoffman@myrio.com>>
Thu, 17 Aug 2000 09:49:24 -0700

I think that even long-time RISKS readers will find this to be a bad idea of
prize-winning magnitude. (Perhaps RISKS should give out yearly awards for
the worst (most risky) ideas implemented in software systems.  Outlook VBS
scripting comes to mind...)

  The world's first armed robot security guard that can open fire on
  intruders while controlled through the Internet was unveiled in Bangkok
  yesterday.  It is one of five Thai-made hi-tech robots revealed by the
  Thailand Research Fund.

  Asst Prof Pitikhet Suraksa, of the King Mongkut Institute of Technology's
  Lat Krabang campus, said his roboguard was developed from an unarmed
  "telerobot" built in Australia in 1994.  "The robot is equipped with a
  camera and sensors that track movement and heat. It is armed with a pistol
  that can be programmed to shoot automatically or wait for a fire order
  delivered with a password from anywhere through the Internet.  With
  further development the technology could be applied to building robot
  guards for important places, including museums that house precious
  artifacts."  [Was at http://www.bangkokpost.net/today/170800_News03.html]

Deployment of this could lead to all sorts of interesting scenarios.  The
first time it perforates one of the cleaning staff, will the owners blame it
on a "programming glitch"?  [... potential puns about loose cannons ...]

Torrey Hoffman <Torrey.Hoffman@myrio.com>

  [With no human in the loop, this would be really terrible.  However, even
  with a human in the loop, it is another egregious example of security
  supposedly enforced by passwords floating sniffably unencrypted around the
  Internet!  And with a little IP spoofing, a penetrator might even be
  untraceable.  Perhaps Prof Suraksa needs an effrontal robotomy.  As the
  old joke goes, this may be a case in which you can always telerobot, but
  you can't tell it much.  PGN]


Professor stole 40 student SSNs and IDs to get credit cards

<"Pegasus" <pegasus@transport.com>>
Thu, 17 Aug 2000 17:19:05 -0700

  According to prosecutors, Cadello got names and Social Security numbers of
  unwitting students from the school computer and named them as "parents" of
  fictitious children whose Massachusetts birth certificates he forged. He
  then obtained new Social Security numbers with those names and used them
  to obtain various sets of ID and apply for credit cards (40 sets).  The
  incident has cost the university thousands of dollars for a new computer
  system that lists students without using their Social Security numbers.
  [http://seattletimes.nwsource.com/news/local/html98/altprof17m_20000817.html
  Central Washington professor sentenced in fraud, Mike Carter, *Seattle
  Times*, 17 Aug 2000]

Here is the really weird part.  When he was arrested the students protested
and gave him support (?).  Well at least someone found a flaw in their
database.  Perhaps other colleges can learn from this one. ;-)

Joan L. Brewer BS CSE -- retired...


Kaiser Permanente medical e-mails go astray

<Sheri Alpert <salpert@gmu.edu>>
Thu, 10 Aug 2000 02:18:59 -0400 (EDT)

Beginning on 2 Aug 2000, Kaiser Permanente accidentally sent 858 e-mail
messages from nurses and pharmacists (some including sensitive medical
information) to the wrong people.  Blame was placed on "human error" and a
"technological glitch" in upgrading their Web site.  Kaiser spokesperson
Beverly Hayon said Kaiser has "fixed the problem.  We have changed protocols
for sending out e-mails.  We feel safe saying this particular problem will
never happen again."  [Source: article by Bill Brubaker, *The Washington
Post*, 10 Aug 2000 E01]


Wake up, your TV is talking to your bracelet

<"NewsScan" <newsscan@newsscan.com>>
Wed, 16 Aug 2000 09:51:39 -0700

A new system called Whispercode, designed by a New Jersey company for
monitoring the effectiveness of TV advertising, will involve the encoding of
commercials with inaudible, identifying signals that can be picked up by a
small device worn by a participant (perhaps in a bracelet or keychain) and
relayed to a nearby recording box that records the fact that the wearer was
in the room when the commercial was broadcast. [It should be noted, though,
the system can't detect whether the participant is awake, attentive, and not
bored to death.]  The company's chief executive officer says, "With
Whispercode, we will finally be providing our clients with a true accounting
of where their advertising money is going."  (*The New York Times*, 15 Aug 2000
http://partners.nytimes.com/library/financial/columns/081600tv-adcol.html;
NewsScan Daily, 16 August 2000)


SSL Server Security Survey

<Monty Solomon <monty@roscom.com>>
Sun, 13 Aug 2000 23:05:14 -0400

SSL Server Security Survey, Eric Murray, ericm@lne.com  31 Jul 2000

A random sample of 8081 different secure Web servers running the SSL
protocol in active use on the Internet shows that 32% are dangerously weak.
These weak servers either support only the flawed SSL v2 protocol, use
too-small key sizes ("40 bit" encryption), or have expired or self-signed
certificates.  Data exchanges with all types of weak servers are vulnerable
to attack.

http://www.meer.net/~ericm/papers/ssl_servers.html


*The Globe and Mail* Web site exposing search-engine log file

<Esteban Gutierrez-Moguel <esteban@ce.net.mx>>
Thu, 17 Aug 2000 01:59:33 -0500 (CDT)

The Web site of the Canadian newspaper *The Globe and Mail* seems to have a
badly configured access policy of a log file. The log file is a standard Web
server log file that contains browser information, requested data, and the
IP address of each visitor who performs a search from the online edition of
the newspaper.

A simple test of this problem is searching for some known text (for example:
"Hello World") using http://www.theglobeandmail.com (Globe 7-day Search) and
a few seconds later you will find an entry in
http://archives.theglobeandmail.com/generated/Fragments/access containing
the string "Hello+World".


Blocked e-mail and Web sites

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 22 Aug 2000 12:14:06 PDT

Lately, we have had another flurry of reports of perfectly reasonable Web
sites and e-mail being blocked for the usual stupidities of overzealous
filtering.  But this one is somewhat different:

The U.S. Air Force Space Command blocked the San Francisco Exploratorium
Yahoo site because it describes making a mixture out of baking soda and
vinegar that would blow up a Ziploc bag.  Elementary fizz-ics, my dear
What's-on?  [Source: http://www.exploratorium.edu/pr/bubble_bomb.html]


Major security hole in new online organizer service

<Paul van Keep <paul@sumatra.nl>>
Wed, 16 Aug 2000 19:57:27 +0200

The recently opened online organizer service annapa.com (Anna, your Personal
Assistant) suffered from a major security hole last week. The site has a
security statement prominently displayed on its homepage with the usual
statements about how they value their customers' data and that everything
had been audited by Arthur Andersen.

Despite this, compromising other users' data was almost trivial: after
logging in with the valid userid/password combo, all that had to be done was
to twiddle with the URL which conveniently encodes your customer id. This
simple operation gives access to all essential data from other users and
allows changing of that data including blocking access by changing that
user's password.  The company behind annapa.com, IntraSites, issued a
statement on its website in which it tried to belittle the issue. A
translation of the part of the statement currently on their homepage: "[...]
updating some program modules on the site disabled one security
mechanism. This made it possible for an IT-specialist (consequently not for
a normal user), to access random and limited user data on the screen".

If all of that is true, what value does the security audit that AA performed
have? Shouldn't AA review every update before installation?  Is an
IT-specialist not a 'normal' user? Aren't all crackers IT-specialists?
Wouldn't a smart user be able to do the same?  Was the hole only present for
a couple of days? I sincerely doubt it.

The URL twiddling trick seems to be a common security problem. Two months
ago I encountered almost the same hole in the customer information portal
for Exact Software (www.exactsoftware.com). The whole portal was removed
from the site within an hour after I informed their CEO about the problem.

Paul van Keep  http://www.sumatra.nl
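The "URL twiddling" hole described above, as an added illustration (not code from annapa.com or IntraSites): a tiny in-memory organizer whose vulnerable handler trusts the customer id carried in the URL, beside a hardened handler that checks the id against the logged-in session and records mismatches for detection. Customer records, ids and the route pattern are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Session:
    """Server-side session established at login; the only trustworthy identity."""
    customer_id: int

# Constructed customer store (not real data): customer id -> organizer record.
CUSTOMERS = {
    1001: {"name": "Alice", "password": "alice-pw", "notes": "dentist 3pm"},
    1002: {"name": "Bob", "password": "bob-pw", "notes": "board meeting"},
}

# Mismatched requests are logged here; in practice this feeds an audit log.
AUDIT_LOG = []

# Assumed URL shape: the customer id is encoded in the query string.
ROUTE = re.compile(r"^/organizer\?customer=(\d+)$")

def parse_customer_id(path):
    m = ROUTE.match(path)
    return int(m.group(1)) if m else None

def handle_vulnerable(session, path):
    """The flaw: whoever is logged in may read any customer's record simply by
    changing the id in the URL, because the session is never consulted."""
    cid = parse_customer_id(path)
    if cid is None or cid not in CUSTOMERS:
        return 404, None
    return 200, CUSTOMERS[cid]

def handle_hardened(session, path):
    """The fix: the id in the URL must match the session owner. The check runs
    before the existence lookup so a probe cannot learn which ids exist."""
    cid = parse_customer_id(path)
    if cid is None:
        return 404, None
    if cid != session.customer_id:
        AUDIT_LOG.append(
            f"IDOR attempt: session {session.customer_id} requested "
            f"customer {cid} via {path}"
        )
        return 403, None
    if cid not in CUSTOMERS:
        return 404, None
    return 200, CUSTOMERS[cid]

def change_password_hardened(session, path, new_password):
    """Write paths reuse the same authorization check, so another user's
    password can no longer be changed to lock them out."""
    status, record = handle_hardened(session, path)
    if status != 200:
        return status
    record["password"] = new_password
    return 200

if __name__ == "__main__":
    alice = Session(1001)
    print(handle_vulnerable(alice, "/organizer?customer=1002"))  # Bob's data leaks
    print(handle_hardened(alice, "/organizer?customer=1002"))    # (403, None)
    print(AUDIT_LOG)
```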


Hackers breach Firewall-1

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sun, 13 Aug 2000 19:52:47 PDT

[Source: David Raikow, Sm@rt Partner, 2 Aug 2000
http://www.zdnet.com/zdnn/stories/news/0,4586,2610719,00.html]

An audience of several hundred network security professionals watched with
rapt attention last week as a trio of hackers repeatedly penetrated one of
the industry's most trusted and popular firewall products -- Checkpoint
Software's Firewall-1. The demonstration, presented at the "Black Hat"
security conference in Las Vegas, challenged the widely accepted notion that
firewalls are largely immune to direct attack.

The panel -- John McDonald and Thomas Lopatic of German security firm Data
Protect GmbH and Dug Song of the University of Michigan -- identified three
general categories of firewall attacks. They began by demonstrating a number
of relatively simple techniques by which an attacker could impersonate an
authorized administrator, and thus gain access to the firewall application
itself.

A second type of attack tricked the firewall into believing an unauthorized
Internet connection was actually an authorized virtual private network
connection. Finally, the panel exploited a number of errors in the process
used to examine traffic passing through the firewall to sneak in dangerous
commands.

While their presentation focussed on a single commercial firewall product,
panel members repeatedly emphasized that most firewalls are vulnerable to
the types of attacks demonstrated.  "The problem is not just with
[Firewall-1]," said Song. "The real problem is the blind trust most people
place in their firewalls."

Greg Smith, Checkpoint's director of product marketing for Firewall-1,
pointed out that many of the attacks demonstrated relied on improper
firewall configuration, and he asserted that they presented little practical
threat. "Not a single customer has reported a problem with any of these
issues."

Nevertheless, Checkpoint worked with McDonald, Lopatic and Song in
developing defenses against the attacks, which they released as part of
Firewall-1 Service Pack 2 immediately following the demonstration.
Checkpoint emphasized that the service pack should prevent all of the
attacks discussed, even those dependent on misconfiguration.

The panel also recommended a number of additional steps for "hardening"
firewalls, including use of strong authentication protocols, "anti-spoofing"
mechanisms and highly restrictive access rules.  At the same time, they called
on the IT community to abandon the "single firewall" model of network security
and implement multiple lines of defense.

However, one observer of the session, employed by a network switch
manufacturer, thinks Checkpoint lost some credibility over its products.
"Some of the exploited areas were because of dumb programming mistakes in
the code for the firewall itself.  If the [firewall] programmers can't get
it right, what other problems may still be lurking?" he pondered.


GAO says EPA's computer security is "riddled" with weaknesses

<Declan McCullagh <declan@well.com>>
Sat, 12 Aug 2000 11:22:30 -0400

Exact URL is:
  http://com-notes.house.gov/ai00215.pdf

Press release:

Bliley Releases GAO's Findings on Computer Security At EPA

Report Calls EPA's Computer Network  "Riddled With Security Weaknesses"

Washington(August 11) --Ineffective, inadequate, and riddled with weaknesses.
This is how the General Accounting Office (GAO) described the Environmental
Protection Agency's (EPA) agency-wide information security program.

Commerce Chairman Tom Bliley (R-VA), who in August 1999 requested the GAO
audit of EPA's system as part of his review of the computer security
policies and programs of certain Federal agencies within the Committee's
jurisdiction, released the report today.

"The GAO report, coupled with the Committee's other recent oversight in this
area, shows that, despite the tough rhetoric, the Clinton-Gore
Administration's cyber-security policy amounts to little more than paper
pushing," Bliley said today in releasing the GAO Report.

In February of this year, after GAO's preliminary review of EPA's system
found "serious and pervasive problems," Chairman Bliley requested that EPA
take down its computer systems and initiate a major overhaul of its computer
network security. The EPA reluctantly complied.

"It is unfortunate," Bliley said, "that years of gross mismanagement at the
Agency have left these sensitive systems and data at such serious risk for
so long.  But it is even more unfortunate that it took this Committee's
oversight and public pressure to motivate the Agency to undertake
responsible steps to ensure its computer systems provide adequate protection
for sensitive Agency data.

"EPA, while shocking in degree, is not alone when it comes to poor
management of cyber security.  GAO and Committee oversight of other Federal
agencies continues to reveal that, rather than being a model for the private
sector to follow -- as the President has claimed he wants it to be -- the
Federal government appears instead to be a model of what not to do when it
comes to managing information security.

"In today's world, information security is crucial. It is disturbing that
government agencies with critical computer systems have paid so little
attention to this issue, and are so vulnerable to attacks.  It also reflects
a lack of leadership from the White House, which under current law should be
coordinating agency efforts to improve cyber security, but isn't.

"I will continue my review of agency information systems in an effort to
improve the Federal government's weak computer security practices."

In late July 2000, Bliley requested the GAO complete a similar audit of the
Commerce Department's cyber security program.  Bliley also recently launched
a review of the Food and Drug Administration's (FDA) information management
policies and practices, requesting records detailing the agency's computer
security practices and any hacker attacks against FDA.

A copy of the GAO Report is available at: www.house.gov/commerce


Bruce Schneier's Secrets and Lies

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 22 Aug 2000 12:14:06 PDT

Bruce's new book, *Secrets and Lies: Digital Security in a Networked World*
(Wiley), concludes that cryptography alone cannot protect business networks.
This is a fine counterpoint to the mistaken belief that cryptography is the
ultimate answer to security.

  "Protecting information has become increasingly difficult in the digital
  world.  Teen-aged hackers have compromised the security of the U.S. State
  Department's web site and, in so doing, have proven that gaining access to
  personal passwords and other `secure' information is far easier than many
  could have ever anticipated."

The book website is
  http://www.counterpane.com/sandl.html
and is discussed in
  http://www.counterpane.com/crypto-gram-0008.html#1


Software Risk Management Conference ISACC

<Gary McGraw <gem@rstcorp.com>>
Fri, 18 Aug 2000 14:09:13 -0400

Reliable Software Technologies encourages all people interested in making
software behave to attend ISACC, the Software Risk Management conference
(http://www.isacc.com).  We'll be discussing many of the topics RISKS
readers are fond of: security, reliability, and safety.  And just to spice
things up, how about software certification as a controversial issue?! Hope
to see you there.

Gary McGraw, Ph.D    gem@rstcorp.com, Vice President, Corporate Technology
Reliable Software Technologies, Dulles, VA  <http://www.rstcorp.com/~gem>
