The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 4

Monday 11 September 2000

Contents

Identity theft
PGN
Government computers at risk
NewsScan
Satellite system outage hits Associated Press
Keith A Rhodes
Puerto Rican capital without power
Doneel Edelson
New Pentium III chip recalled
NewsScan
CSX crew spots problem signal, averts collision
Chuck Weinstock
F-117 stealth fighter in near-miss with UAL jet
PGN
Fake air controllers alert in UK
Joe McCauley
Swissair 111, TWA 800, and Electromagnetic Interference
Fred Ballard
D.01: off by x100 stock prices
Bob Blakley
Western Union Web site hacked
Keith A Rhodes
FBI arrests Emulex hoax suspect in Calif.
NewsScan
Glitch at Amazon.com exposes e-mail addresses
Keith A Rhodes
Windows NT/2000 "Lock Computer" allows palm sync
Avi Rubin
1,000 system updates???
Scott Rainey
Risks of partially updated Web pages
Daniel P.B. Smith
Re: Major security hole ...
Chris Adams
Michael Loftis
Re: Your TV is talking to your bracelet
George Weaver
PFIR statement on government interception of Internet data
Lauren Weinstein
REVIEW: "Big Book of IPsec RFCs", Pete Loshin
Rob Slade
2001 IEEE Security and Privacy Symposium
Jon Millen
Info on RISKS (comp.risks)

Identity theft

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 28 Aug 2000 15:14:49 PDT

A news brief in the California Public Interest Research Group (CALPIRG)
Citizen Agenda, Summer 2000, p.6, is worth noting here, with the rapid
increase in identity theft.  We used to see a case or two a year.  Now
they seem to be coming in much more often, perhaps a few each month.

  Survey Details Hassles of Identity Theft

  Identity theft victims spend two years or more removing an average of
  $18,000 in fraudulent charges from their credit reports.  ``Unless
  new laws force banks, department stores and credit bureaus to clean up
  the identity theft mess, this crime is only going to get worse.'' said
  CALPIRG's Dan Jacobson -- who is urging state lawmakers to back proposals
  pending in the Legislature that would allow consumers to block access to
  their credit reports and streamline law enforcement investigation and
  victim assistance programs.

Try sending e-mail to calpirg@pirg.org to request the report.  Unfortunately
their Web site at www.calpirg.org is apparently still under construction
as I write this.


Government computers at risk

<"NewsScan" <newsscan@newsscan.com>>
Mon, 11 Sep 2000 08:33:37 -0700

A new study released by the General Accounting Office has exposed widespread
deficiencies in computer security in government agencies ranging from the
Department of Interior to the U.S. Treasury. The report comes nine months
after President Clinton called on federal agencies to beef up security
in his "National Plan for Information System Protection." That plan proposed
that Congress boost federal spending for computer security and research by
$280 million to $2.3 billion in 2001, but agencies say they need the money
now. Government computer managers point to the tight labor market for
computer security experts and say it's difficult to retain good
personnel. The GAO report found that some agencies have failed to take even
the most rudimentary steps to increase security, such as encrypting password
files and limiting physical access to sensitive computers. In addition,
agencies have been less than diligent about blocking access for independent
contractors and former employees after they've left the government. In one
agency, 7,500 of 30,000 users were not deleted after 160 days of
inactivity. "The federal government, outside the defense area, is worse than
the private industry because good computer security is about regular
maintenance and housekeeping -- and that's not one of the government's
strong points," says Stewart Baker, a Washington, D.C.  technology
lawyer. (Los Angeles Times 11 Sep 2000; NewsScan Daily, 11 Sep 2000
http://www.latimes.com/business/20000911/t000085464.html)
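The item above singles out one control that is cheap to automate: finding enabled accounts that belong to departed staff or have sat idle past a cutoff (the report's example is 7,500 of 30,000 users still present after 160 days of inactivity). The following is an added example, not code from the GAO report or NewsScan; the export layout, the account records and the review date are all constructed for illustration.

```python
"""Added example: list enabled accounts that should have been disabled,
either because they belong to departed staff or because they have been
inactive longer than a cutoff (160 days, the figure in the GAO item above).
The export format and the sample records are constructed for this example."""
from datetime import date, timedelta

# Constructed account export: username,last_logon,status,employment
# last_logon is YYYY-MM-DD or NEVER; employment notes departures with a suffix.
SAMPLE_EXPORT = """\
jdoe,2000-09-01,enabled,employee
asmith,2000-02-10,enabled,employee
contractor7,2000-05-20,enabled,contractor-ended
rjones,NEVER,enabled,employee
mlee,2000-08-30,disabled,employee
kwu,2000-01-03,enabled,employee-terminated
"""
AS_OF = date(2000, 9, 11)           # date the review is run (constructed)
DEPARTED_SUFFIXES = ("-ended", "-terminated")


def parse_export(text):
    """Turn the export into a list of dicts; a NEVER last logon becomes None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, last, status, employment = line.split(",")
        records.append({
            "user": user,
            "last_logon": None if last == "NEVER" else date.fromisoformat(last),
            "status": status,
            "employment": employment,
        })
    return records


def find_stale_accounts(records, as_of=AS_OF, max_inactive_days=160):
    """Return (user, reasons) for every enabled account that should be reviewed."""
    cutoff = as_of - timedelta(days=max_inactive_days)
    findings = []
    for r in records:
        if r["status"] != "enabled":
            continue                      # already disabled: nothing to do
        reasons = []
        if r["employment"].endswith(DEPARTED_SUFFIXES):
            reasons.append("departed but still enabled")
        if r["last_logon"] is None:
            reasons.append("never logged on")
        elif r["last_logon"] < cutoff:
            reasons.append(f"inactive {(as_of - r['last_logon']).days} days")
        if reasons:
            findings.append((r["user"], "; ".join(reasons)))
    return findings


def stale_ratio(records, as_of=AS_OF, max_inactive_days=160):
    """(flagged, enabled) counts, the kind of figure the GAO report quotes."""
    enabled = sum(1 for r in records if r["status"] == "enabled")
    return len(find_stale_accounts(records, as_of, max_inactive_days)), enabled


if __name__ == "__main__":
    for user, why in find_stale_accounts(parse_export(SAMPLE_EXPORT)):
        print(f"{user}: {why}")
```

Run against a real directory export, the interesting output is not the list itself but the ratio: a large share of enabled accounts with no recent logon is the "housekeeping" failure the article describes, and a departed-but-enabled hit is the contractor case it calls out.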


Satellite system outage hits Associated Press

<"Keith A Rhodes"<rhodesk.aimd@gao.gov>>
Thu, 31 Aug 2000 07:25:30 -0400

The Associated Press reported on 29 Aug 2000 that a satellite system outage
disrupted AP services providing radio and TV stations with certain
specialized info, as well as some smaller newspapers that receive AP Basic,
beginning around 5:15 a.m. after new software was downloaded to satellite
receivers on AP's Ku-band system.  Partial service was restored that
afternoon, but full service was estimated at taking several days.  [PGN-ed]


Puerto Rican capital without power

<"Edelson, Doneel" <doneel.edelson@eulergroup.com>>
Thu, 7 Sep 2000 11:11:35 -0400

A break in a 231,000-volt line carrying power over the mountains left the
Puerto Rican capital of San Juan without power Thursday morning, trapping
dozens of people in elevators, slowing rush-hour traffic when traffic lights
failed, knocking out air conditioning, and forcing many businesses to close.
About 500,000 customers were affected for most of the day.  A helicopter
crew was sent out to do the repair.  [Source: AP item, 7 Sep 2000; PGN-ed]

Doneel Edelson, Information Technology, EULER American Credit Indemnity
  1-410-554-0797  doneel.edelson@eulergroup.com


New Pentium III chip recalled

<"NewsScan" <newsscan@newsscan.com>>
Tue, 29 Aug 2000 09:45:34 -0700

Intel is recalling its 1.3 gigahertz Pentium III chip, which it has sold
to only "a handful" of "power users" running advanced applications, because
a certain combination of data, voltage, and temperature conditions may
cause the chip to fail. The chip is expected to be back on the market in a
couple of months. (Reuters/*The Washington Post*, 29 Aug 2000
http://www.washingtonpost.com/wp-dyn/articles/A40772-2000Aug29.html
NewsScan Daily, 29 August 2000)


CSX crew spots problem signal, averts collision

<Chuck Weinstock <weinstock@sei.cmu.edu>>
Tue, 29 Aug 2000 23:14:26 -0400

An alert CSX crew (in Fredericksburg VA) noticed an erroneous proceed-signal
indication on a parallel track on 8 Aug 2000.  By contacting the dispatchers
(in Jacksonville FL), they prevented a collision between Amtrak's Auto Train
and a Virginia Railway Express commuter train.  The incident prompted the
inspection of the insulation of a certain type of old (TC Green, 1948 to
1962) signal wiring that may be still in use in thousands of signals
nationwide.  [Source: *Trains Magazine*, http://www.trains.com, commenting
on an article by Don Phillips in *The Washington Post*, 17 Aug 2000; PGN-ed]


F-117 stealth fighter in near-miss with UAL jet

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 11 Sep 2000 08:13:11 PDT

An F-117 on a training flight on 7 Sep 2000 flew quite close to United
Airlines flight 174 from LAX to Boston.  The UAL's TCAS system apparently
detected the incoming fighter (the fighter was broadcasting its position),
and triggered a scramble to avoid a possible collision.  This opens up a lot
of questions, such as why was the stealth flying at 500 feet vertical
separation from the UAL flight at 10,800 feet (and .6 mile horizontal when
detected), in the LAX take-off corridor?  Was the fighter under proper
air-traffic control?  There have been enough Air Force incidents lately that
more caution would seem to be in order.  Besides, there is always the risk
with TCAS that both planes try responsive maneuvers that make things worse
-- especially at high closing speeds, perhaps something less than 5 seconds
in this case.  Preliminary reports seem to indicate controller error, which
is not surprising given the ever increasing stresses on an already stressed
and archaic operational environment.


Fake air controllers alert in UK

<Joe McCauley <mccauley@davesworld.net>>
Tue, 29 Aug 2000 10:22:16 -0500

Britain's Civil Aviation Authority has noted various cases in which "radio
hackers" have commandeered air-traffic control communications, giving false
instructions or fake distress calls.  The number has risen from 3 in 1988 to
18 in 1999, and 20 thus far in 2000.  A case at Washington's Reagan
International in April 1999 was also noted.  [RISKS has reported a few such
cases years ago, including a Miami masquerader, the Roanoke Phantom -- and
the Manchester (UK) spoofer in 1996.]

http://dailynews.yahoo.com/h/ap/20000827/wl/britain_fake_air_controllers_1.html
http://abcnews.go.com/sections/us/DailyNews/FakeAirTraffic000829.html

Joe McCauley [contributed by others as well.  PGN]


Swissair 111, TWA 800, and Electromagnetic Interference

<Fred Ballard <fred.e.ballard@abbott.com>>
Wed, 6 Sep 2000 13:22:13 -0500

Until I read Elaine Scarry's "Swissair 111, TWA 800, and Electromagnetic
Interference" in the September 26, 2000 issue of the New York Review of Books
at http://www.nybooks.com/nyrev/WWWfeatdisplay.cgi?20000921092F, I had no
idea that both flights took off from JFK airport at 8:19 p.m. on a Wednesday
night, but that's only the beginning.  It seems the role of electromagnetic
interference in the downing of both flights has yet to be fully explored.

Of particular interest to RISKS readers is that Swissair 111 may have been
unable to detect a problem until it was too late because of the plane's
ability to reconfigure its electrical systems in the event of problems:

     Swissair 111 was an MD-11, a type of plane made by McDonnell-Douglas
     and derived from the DC-10. When the MD-11 first appeared in the 1990s,
     its "design philosophy" was widely celebrated: 1,500 software engineers
     (working in consultation with pilots from thirty-seven airlines) had
     created a plane that could fly smoothly while carrying out tremendous
     feats of self-repair.

This contrasts the design of a submarine, where everything is exposed in an
effort to show failure as soon as possible, with the design of a commercial
airliner, where everything is hidden to always make the flight appear as
smooth as possible to the passengers.  I hadn't realized this smoothness may
now extend to the airliner crew as well.

At any rate, it's a dramatic story that's worth reading.

Fred Ballard


D.01: Off by x100

<George_Robert_Blakley_III@tivoli.com>
Mon, 28 Aug 2000 16:46:44 -0500

I notice that both SmartMoney.com's "Map of the Market" and CNNfn's intraday
chart have gotten confused by decimalization of stock prices.  If you check
out a decimalized stock (like Gateway (GTW), for example) at either of these
sites:

     http://www.quicken.com/investments/charts/?symbol=GTW
or
     http://www.smartmoney.com/marketmap/

          (and look at the largest block in the "Technology" sector)

you'll see that both sites think that Gateway's per-share valuation today
(8/28) is $6655.00, instead of $66.55.

Bob Blakley, Chief Scientist, Tivoli SecureWay Business Unit
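The post does not say what went wrong inside the two sites, only that the displayed price was a hundred times too large. The added example below (not code from either site, and not a claim about their actual bug) parses quotes in both the older fractional form and the new decimal form, and flags a price that sits a power of ten away from the previous close, which is what a misplaced decimal point looks like to a consumer of the feed. The sample quotes and the previous-close figure are constructed.

```python
"""Added example: parse quotes in fractional and decimal form and flag a
price that sits a power of ten away from the previous close, the signature
of a misplaced decimal point. What actually went wrong on the sites above is
not stated in the post; the sample values here are constructed."""
from decimal import Decimal
import re

# "66 9/16" (whole and sixteenths), "66.55", "$66.55" or a bare "6655"
QUOTE_RE = re.compile(r"^\$?(\d+(?:\.\d+)?)(?:\s+(\d+)/(\d+))?$")


def parse_quote(text):
    """Return the quoted price as an exact Decimal."""
    m = QUOTE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised quote: {text!r}")
    whole, num, den = m.groups()
    price = Decimal(whole)
    if num is not None:                      # fractional tick, e.g. 9/16
        price += Decimal(num) / Decimal(den)
    return price


def decimal_shift_factor(price, previous_close, tolerance=Decimal("0.05")):
    """Return 100, 1000, 0.01 or 0.001 when price/previous_close is within
    `tolerance` of that factor (a shifted decimal point), else None."""
    if previous_close == 0:
        return None
    ratio = price / previous_close
    for factor in (Decimal(100), Decimal(1000), Decimal("0.01"), Decimal("0.001")):
        if abs(ratio / factor - 1) <= tolerance:
            return factor
    return None


def check_quote(text, previous_close):
    """Parse a quote and return (price, warning-or-None); the caller decides
    whether to hold the value back rather than render it."""
    price = parse_quote(text)
    factor = decimal_shift_factor(price, previous_close)
    if factor is None:
        return price, None
    return price, (f"{price} is about {factor}x the previous close "
                   f"{previous_close}; possible misplaced decimal point")


if __name__ == "__main__":
    print(check_quote("6655.00", parse_quote("66.25")))
```

The check is deliberately a flag and not an automatic correction: a genuine hundredfold move is rare but possible (a split or a reverse split), so the right response is to hold the value for review rather than silently divide it.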


Western Union Web site hacked

<"Keith A Rhodes"<rhodesk.aimd@gao.gov>>
Mon, 11 Sep 2000 08:18:04 -0400

Western Union warned thousands of online customers on 9 Sep 2000 that
hackers had broken into the company's Web site.  Although no fraudulent
transactions or breaches of personal information had been discovered, the
penetration could have affected on-line users.  More than 10,000 customers
were being alerted, suggesting they cancel their credit and debit cards.
The Web site was out of service that evening, and was expected to remain
that way for several days.  [Source: AP item, 10 Sep 2000; PGN-ed]


FBI arrests Emulex hoax suspect in Calif. (Re: Hoaxes, RISKS-21.02)

<"NewsScan" <newsscan@newsscan.com>>
Fri, 01 Sep 2000 09:10:12 -0700

A former employee of online press release distributor Internet Wire was
arrested on 31 Aug 2000 and charged with securities and wire fraud in
connection with the distribution of a phony press release that sent a tech
company's stock price plummeting on 25 Aug.  Shares of Emulex, a maker of
fiber-optic equipment, lost up to 60% of their value, most of it during one
15-minute freefall, after some financial news services, including Dow Jones
and Bloomberg, ran stories based on the release. The bogus release claimed
the company had issued a profits warning, that it was being investigated by
securities regulators, and that its CEO had stepped down. The stock
eventually recovered most of its value after the company denied the
reports. The suspect, 23-year-old Mark Jakob, allegedly used a computer at
El Camino Community College to construct and send the release, and then
initiated a series of trades that netted him profits of $240,000.
(AP/*Investors Business Daily*, 1 Sep 2000; NewsScan Daily, 1 September 2000
http://www.investors.com/editorial/tech05.asp)


Glitch at Amazon.com exposes e-mail addresses

<"Keith A Rhodes"<rhodesk.aimd@gao.gov>>
Mon, 11 Sep 2000 08:16:49 -0400

Amazon.com apparently inadvertently released e-mail addresses of customers to
Associates Program customers.  It seems to be a Web script glitch.
(Source: Item by Linda Rosencrance, 8 Sep 2000, Cable News Network, PGN-ed)
[This followed shortly after Amazon announced a revision of its privacy
policy that appears to have less protection for individual data.]


Windows NT/2000 "Lock Computer" allows palm sync

<rubin@research.att.com (Avi Rubin)>
Fri, 8 Sep 2000 15:03:39 GMT

In Windows NT and 2000, you can hit Alt-Ctrl-Del, and one of the options is
to lock the computer. Then, a password is required to unlock it. A reboot
also requires a password to log in, so it would seem that this is a pretty
safe state to leave your computer in when stepping away from your desk.

The other day, I pushed the button to sync my palm pilot, and it worked.
Then I realized that I had locked my computer. I did some testing on Windows
NT and 2000, and apparently, the Palm synchronization always works when the
computer is locked.

There are several risks/attacks:

- I take a blank palm pilot to your computer, which is locked, and I
  sync with it and copy all of your palm pilot data. Many people keep
  a master list of accounts and passwords on their pilot, among other
  valuable/sensitive data.

- In a more malicious version of the previous attack, I sync all your
  palm data. Then, I zero out the contents of each record in every database.
  Then I sync again. The result is very likely that I will delete all of the
  data on the PC, and that the next time you sync, all of the data will
  be deleted on the palm. I know of a case where this "attack" worked in
  practice, by accident.

- I write a palm hack that does whatever I want it to do to your data. I then
  sync with your PC, and the hack gets copied to your pilot desktop. The next
  time you sync, the hack is installed on the palm.

I am sure there are other attacks that I haven't thought of.  Anyway, I think
that if Windows NT/2000 is going to have an option to lock the computer, it
must make access to something as important as all of the Palm Pilot
databases inaccessible. Perhaps turn off access to the serial port, USB
port, etc., and not just the keyboard.

Avi   http://avirubin.com/


1,000 system updates???

<Scott Rainey <scottr@hevanet.com>>
Mon, 28 Aug 2000 15:58:58 -0700

This just in:

Microsoft Oregon Channel Update - September 2000
   Date:          Mon, 28 Aug 2000 13:22:05 -0700
   From:          Jennifer Kern <jennik@MICROSOFT.com>

<snip>

IMPORTANT NEWS OF THE DAY

Microsoft Windows Update Corporate Website Launched Today!
This site features more than 1,000 system updates and drivers for the
Windows 2000 platform that can be distributed over a corporate network. It
is a one-stop location for Windows Update content and Microsoft Windows
Hardware Quality Lab logo device drivers. The site provides criteria-based
searching based on vendor, operating system and device type.
http://corporate.windowsupdate.microsoft.com/en/default.asp


Risks of partially updated Web pages

<"Daniel P.B. Smith" <dpbsmith@bellatlantic.net>>
Sun, 27 Aug 2000 07:36:00 -0400

eBay presents each auction on a bookmarkable Web page which shows the item
description, the time remaining before the auction ends, the current high
bid, and the eBay identity of the high bidder.  On repeated access, the
"time left" field decrements in near-real time, eventually changing to
"Auction has ended."

The seller's guide notes that "Going, going, gone! When your auction ends,
you and the high bidder will get e-mails."  This breezy remark is the only
thing the seller's guide says about these e-mails, and it is easy to assume
that they are just reminders. In contrast, eBay is very emphatic about the
importance of buyer and seller contacting each other "within 3 days" after
the auction ends.

Formerly, confirmation e-mails were sent within a few hours of the close
of the auction, but lately they have been very slow, taking, in some
cases, several days to arrive.

I listed a cheap item on which I expected few bids and got a single bid for my
minimum price within a few hours after the auction started.  Day by day the
"time left" counted down, and eventually read "Auction has ended."  The page
still showed a single bid and the ID of the original bidder.  Two days after
close of auction I had not received any e-mail, so I contacted the bidder
shown on the Web page to initiate the transaction.

Needless to say, the next day a confirmation e-mail arrived showing that a
second bidder with a higher bid had won the auction.  The Web page for the
auction, which formerly showed "Auction has ended, 1 bid, $5.00" now showed
"Auction has ended, 2 bids, $12.50."

Obviously--in retrospect--the "time left" field is generated by some simple
process that does not require database updating (since the end of the
auction is constant).  The rest of the page requires database access and is
probably subject to the same delays as the process that sends the e-mail
confirmations.

But it is natural to assume that if part of a dynamically generated Web page
has been updated, the rest of it has, too.  Stupid, to be sure--but natural.
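The mismatch described above comes from mixing two data sources on one page: a countdown that needs nothing but the constant end time, and bid figures that come from a database which may lag the close. The added example below (not eBay's code; its page logic is not known from the post) renders the same page both ways, and in the consistent version tags the bid fields with their own timestamp and withholds the winner while the bid data predates the end of the auction. The auction, bids and timestamps are constructed.

```python
"""Added example: an auction page that computes "time left" from the fixed
end time but draws bids from a snapshot that may lag the close. The naive
render mixes the two; the consistent render refuses to name a winner while
the bid data predates the end of the auction. Auction details and timestamps
are constructed; eBay's actual page logic is not known from the post."""
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal


@dataclass
class BidSnapshot:
    as_of: datetime      # when these figures were read from the bid database
    bid_count: int
    high_bid: Decimal
    high_bidder: str


def time_left(end_time, now):
    """Cheap, database-free countdown: depends only on the constant end time."""
    if now >= end_time:
        return "Auction has ended"
    secs = int((end_time - now).total_seconds())
    days, rem = divmod(secs, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"


def render_naive(end_time, snapshot, now):
    """Shows a fresh countdown next to possibly stale bid data, as in the post."""
    return {
        "time_left": time_left(end_time, now),
        "bids": snapshot.bid_count,
        "high_bid": snapshot.high_bid,
        "high_bidder": snapshot.high_bidder,
    }


def render_consistent(end_time, snapshot, now):
    """Same page, but the bid fields carry their own timestamp and the winner
    is withheld until the snapshot is at least as new as the close."""
    page = render_naive(end_time, snapshot, now)
    page["bids_as_of"] = snapshot.as_of.isoformat()
    if now < end_time:
        page["status"] = "open"
    elif snapshot.as_of < end_time:
        page["status"] = "ended; final results pending"
        page["high_bidder"] = None      # do not present a stale leader as the winner
    else:
        page["status"] = "ended; results final"
    return page


# Constructed scenario from the post: one early $5.00 bid, then a late $12.50
# bid that the database snapshot has not yet caught up with.
END = datetime(2000, 8, 20, 12, 0)
STALE = BidSnapshot(datetime(2000, 8, 18, 9, 0), 1, Decimal("5.00"), "first_bidder")
FRESH = BidSnapshot(datetime(2000, 8, 21, 3, 0), 2, Decimal("12.50"), "second_bidder")
TWO_DAYS_LATER = datetime(2000, 8, 22, 12, 0)

if __name__ == "__main__":
    print(render_naive(END, STALE, TWO_DAYS_LATER))
    print(render_consistent(END, STALE, TWO_DAYS_LATER))
```

The design point is that every field drawn from a delayed source should carry its own freshness, and a page should not let one live field (the countdown) imply that the others are live too.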


Re: Major security hole ... (van Keep, RISKS-21.02)

<"Chris Adams" <chris@improbable.org>>
Sun, 27 Aug 2000 12:14:16 -0700

> If all of that is true, what value does the security audit that AA
> performed have? [...]

If they're like the other big consulting firms, the security audits are
designed solely to give upper management something to brag about. We had a
client site which got audited once by another big-name consulting
firm. Since it was before the site launch, I was somewhat worried about this
as the site was hosted on an NT box and I had yet to do my final security
checks to verify that we'd closed all of the default wide-open security
settings. After I had to explain some basic security concepts to the auditor
when he didn't understand some of my questions about the sort of things they
checked, I became rather less worried.

We passed with flying colors ("That's the most secure NT box we've ever seen
- most of them are trivial to break into") and, having watched the server
logs, all they looked for were some old security holes (e.g.  ::$DATA and a
couple of microsoft sample security holes); their software engineering test
appears to have been seeing whether your queries break when someone places a
' into a form. No attempts were made to do things like check for weak
passwords or even test services other than WWW/FTP, much less anything
resembling a serious attempt by a knowledgeable intruder.

Things like the URL editing attacks are something I use to show our greener
new hires why they should always use a session library. The Annapa site
appears to be using ASP and, while I have numerous complaints about ASP, a
lack of built-in session support isn't one of them[1]. What this means is
that whoever developed the site wasn't even at what I'd consider the "ASP
for Dummies" level, which is deeply disturbing. The real irony, of course,
is that it was more work for them to do things the way they did than it
would have been to do it the right way.

Chris Adams

[1] Of the platforms we deal with, ASP and ColdFusion have adequate
session libraries and PHP has an excellent one (this relationship holds
true for almost everything else). In all cases, sessions are trivial to
set up and use for basic tasks like the ones mentioned and even
inexperienced developers will be up and running quickly.


Re: Major security hole ... (van Keep, RISKS-21.02)

<zop12@mindless.com>
Sun, 3 Sep 2000 18:30:05 -0700

The reason why this happens so much is that programmers are coming from a
centralised approach where the client side can be at least slightly trusted
to an Internet based approach where everything is out in the open.  I'll
admit that I have to think really hard about how to perform my actions in
such a way so as to keep everything in a session.  Web programming is a
different beast that many programmers are just not prepared to deal with.

They post information inside of hidden fields thinking it's safe.  The only
safe place is inside of a session object on your side, keyed by a random
piece of garbage that you trail the client with (a session cookie) -- MD5
sums are great for this because they are a rather large keyspace, plus upon
insert into the db you can check to make sure it's unique, and if not try to
generate another session key.

The key itself cannot contain any data, but merely reference an internal
data space, this is where many programmers go wrong.  The key is made to be
the data!  This is utterly wrong and opens you to a host of problems.  I
even go so far as to drop into the local data what form entries *should* be
if they are say modifying an existing record, I'll record little tuples of
information that will allow me to later make sure that they aren't trying to
sneak a change into another record ID.  And yes this can be done in such a
way so as to allow multiple browser windows.  Yes it is complicated, but it
must be done in order to maintain security.

Michael Loftis
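Both replies above make the same two points: state belongs in a server-side session reached through an opaque key, and a record ID that comes back from the client (hidden field, URL parameter) is only acceptable if the session was shown that record. The added example below illustrates both, as a check the server can run; it is not code from either poster. The record table, user names and service layout are constructed, and the session key comes from Python's secrets module rather than an MD5 sum, which is this example's own choice.

```python
"""Added example: a server-side session store keyed by an opaque random
token, with the record IDs a session was shown recorded against it so that a
posted-back record ID (the kind that lands in a hidden field or URL) cannot
be edited to reach someone else's record. Record data, user names and the
service layout are constructed; the token uses Python's secrets module."""
import secrets


class SessionStore:
    """Maps opaque keys to server-side state. The key never encodes data."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        while True:
            key = secrets.token_urlsafe(32)      # 256 bits from the CSPRNG
            if key not in self._sessions:        # retry on the improbable collision
                break
        self._sessions[key] = {"user": user, "editable": set()}
        return key

    def lookup(self, key):
        return self._sessions.get(key)


class RecordService:
    def __init__(self, store, records):
        self.store = store
        self.records = records                   # record_id -> {"owner", "value"}

    def _session(self, key):
        sess = self.store.lookup(key)
        if sess is None:
            raise PermissionError("no such session")
        return sess

    def show_edit_form(self, key, record_id):
        """Authorise once, and remember which record this session may edit."""
        sess = self._session(key)
        rec = self.records.get(record_id)
        if rec is None or rec["owner"] != sess["user"]:
            raise PermissionError("record not owned by this user")
        sess["editable"].add(record_id)          # a set: several windows can be open
        return {"record_id": record_id, "value": rec["value"]}

    def submit_edit(self, key, record_id, new_value):
        """The posted record_id is accepted only if this session was shown it."""
        sess = self._session(key)
        if record_id not in sess["editable"]:
            raise PermissionError("record was not opened in this session")
        self.records[record_id]["value"] = new_value
        return True

    def submit_edit_insecure(self, record_id, new_value):
        """The pattern the replies criticise: trust whatever ID comes back."""
        self.records[record_id]["value"] = new_value
        return True


def denied(fn, *args):
    """True if the call is rejected with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo():
    """Walk through the scenario; returns each outcome and the final table."""
    records = {1: {"owner": "alice", "value": "a"}, 2: {"owner": "bob", "value": "b"}}
    svc = RecordService(SessionStore(), records)
    alice = svc.store.create("alice")
    svc.show_edit_form(alice, 1)                 # alice opens her own record
    outcome = {
        "own_record_edit": svc.submit_edit(alice, 1, "edited by alice"),
        "foreign_id_posted_back": denied(svc.submit_edit, alice, 2, "tampered"),
        "foreign_record_form": denied(svc.show_edit_form, alice, 2),
        "forged_session_key": denied(svc.submit_edit, "forged-key", 1, "tampered"),
        "insecure_handler": svc.submit_edit_insecure(2, "overwritten"),
    }
    outcome["records"] = records
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "editable" set is what Loftis describes as recording tuples of what the form entries should be: the authorisation decision is taken when the form is served, and the submit handler only checks that the posted ID is one of those, so several browser windows on different records work without the key ever carrying data.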


Re: Your TV is talking to your bracelet (NewsScan, RISKS-21.02)

<George Weaver <weaver@gabriel.nso.psu.edu>>
Wed, 30 Aug 2000 18:13:13 -0400

In RISKS-21.02 we heard about Whispercode technology, which adds sub-audible
coded signals to commercials that activate personal "hit" counters for
measuring how many and perhaps which commercials a person has been exposed
to.  Hoping to increase the accuracy of measuring the effectiveness of TV
advertising, Whispercode's CEO is quoted as saying "With Whispercode, we
will finally be providing our clients with a true accounting of where their
advertising money is going."

By "tagging" commercials like this, Whispercode may have inadvertently
provided what has historically been carefully avoided by the television
industry - a signal that distinguishes commercials from "content".  The
availability of this information will make it trivial to develop the much
sought "commercial killer" box.  This may produce the further unintended
effect of proving beyond a doubt where advertisers' money is going -
straight down the drain.


PFIR statement on government interception of Internet data

<Lauren Weinstein <lauren@vortex.com>>
Thu, 7 Sep 2000 17:49:37 -0700 (PDT)

The PFIR (People For Internet Responsibility) statement dated September 7,
2000, entitled:

   "PFIR Statement on Government Interception of Internet Data"

is available at:

   http://www.pfir.org/statements/interception

Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com


REVIEW: "Big Book of IPsec RFCs", Pete Loshin

<Rob Slade <rslade@sprint.ca>>
Mon, 11 Sep 2000 11:23:13 -0800

BKBBIPSR.RVW   20000614

"Big Book of IPsec RFCs", Pete Loshin, 2000, 0-12-455839-9,
U$34.95/C$48.95
%E   Pete Loshin pete@loshin.com
%C   340 Pine Street, 6th Floor, San Francisco, CA   94104-3205
%D   2000
%G   0-12-455839-9
%I   Morgan Kaufmann Publishers
%O   U$34.95/C$48.95 415-392-2665 fax: 415-982-2665 mkp@mkp.com
%T   "Big Book of IPsec RFCs: Internet Security Architecture"

RFC (Request For Comments) documents are the standard references of the
Internet.  (Not that all of them are standards as such: some are discussion
papers or even opinion pieces.  RFC 1796 has an interesting take on this
fact.)  IPsec is that group of articles dealing with security.  The RFCs are
important materials.  They are also available online, for free.  Why, then,
would you pay for a collection of them?

Fortunately for the ease of my review, Loshin asks this question, and gives
a detailed answer, in the introduction.  In the first place, you'll probably
want to print out the documents at some time, and this is probably one of
the cheapest ways to do it.  (Certainly one of the most convenient.)  Also,
this is a collection of the IPsec standards, and therefore the compilation
work has been done for you.  Finally, Loshin has provided an extensive
index, which greatly increases the value of the text.  (Original formatting
has been retained, and the individual manuscripts preserve their page
numbering: the index can be used to point to items in the RFCs even for
those referring to the online forms.)

Twenty-three RFCs are included in the book.  Fortunately for Loshin's
effort, one of the documents provides an overview of net security and
another presents a structure for the RFCs themselves.  Each contains its own
definitions of terminology, although an aggregated glossary would have been
helpful.  The items are listed in numerical order, as is suitable for a
reference work: RFC 2401, on security architecture, is possibly the best
starting point for newcomers, but is roughly in the middle of the book, and
RFC 2411, describing the relationships among the RFCs, comes near the end.

Topics include the MD4 and MD5 digest algorithms, using MD5 for IP
authentication, ESP (Encapsulating Security Payload) encryption, RC5
encryption, hashed message authentication code (HMAC), the CAST-128
algorithm, test cases for message digests, RC2 encryption, security
architecture, the authentication header, Internet Security Association and
Key Management Protocol (ISAKMP), security associations, Internet Key
Exchange (IKE), NULL encryption, a document roadmap, OAKLEY key
determination, and the Diffie-Hellman key agreement method.

For those needing, or even wanting, to know about IPsec, this is the
reference.

copyright Robert M. Slade, 2000   BKBBIPSR.RVW   20000614
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


2001 IEEE Security and Privacy Symposium

<Jon Millen <millen@csl.sri.com>>
Mon, 28 Aug 2000 13:52:35 -0700

The announcement and call for papers are at:

  http://www.ieee-security.org/TC/sp2001.html
