The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 57

Tuesday 7 August 2001

Contents

WEP insecurity
Avi Rubin
European Union strives for openness
Stephen A. Boyd
WinXP blocks some versions of some programs
B. Elijah Griffin
Cyanide for Code Red
Jeremy
I am virus generator?
Bob Frankston
AT&T Worldnet exposes all user passwords
Una Smith
Password changes -- SIGH!
Jim Horning
The risks of online order tracking
Darryl Smith
Mixing advertising and credit-card activation
Bob Green
Techs must report child pornography
Brien Webb
Re: Dutch government and virtual child pornography
Christian Reiser
Re: Super-accurate atomic clock hates Sundays
Phil Kos
What is your area code, really?
Andrew Koenig
Online advertising: Fraud, false positives and a novel DOS attack
John O'Connor
Re: Even a fatal error can't kill it
Terry Brugger
Joe Thompson
John M. Hayes
Info on RISKS (comp.risks)

WEP insecurity

<Avi Rubin <rubin@research.att.com>>
Tue, 07 Aug 2001 05:56:27 -0400

   [Read it and WE(E)P, unless you already WEPt.  PGN]

We have a new paper:

Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
by
Adam Stubblefield, John Ioannidis, and Aviel D. Rubin

We implemented an attack against WEP, the link-layer security protocol for
802.11 networks.  The attack was described in a recent paper by Fluhrer,
Mantin, and Shamir. With our implementation, and permission of the network
administrator, we were able to recover the 128-bit secret key used in a
production network, with a passive attack. The WEP standard uses RC4 IVs
improperly, and the attack exploits this design failure.  This paper
describes the attack, how we implemented it, and some optimizations to make
the attack more efficient. We conclude that 802.11 WEP is totally insecure,
and we provide some recommendations.

The paper is available at http://www.cs.rice.edu/~astubble/wep/

Avi Rubin, AT&T Labs - Research  http://avirubin.com/
White-Hat Security Arsenal:  http://white-hat.org/


European Union strives for openness

<"Stephen A. Boyd" <UncleHonus@aol.com>>
Fri, 3 Aug 2001 13:01:18 EDT

  The European Commission issued a White Paper last week that aims to
  address widespread public dissatisfaction with politics by increasing the
  openness and accountability of European Union institutions.

  "Many Europeans feel alienated from the Union's work," according to the
  White Paper, and they "no longer trust the complex system to deliver what
  they want."

  The White Paper identifies five principles that define "good governance"
  Openness, Participation, Accountability, Effectiveness, and Coherence.
  The Paper goes on to identify proposed changes in European Union policy
  derived from these principles.

  "We simply cannot go on as we are," said European Commission President
  Romano Prodi.  "The White Paper is not an instant cure for everything, but
  it is a serious attempt to address the concerns that many people have."

  To a American reader, the White Paper's diagnosis of public disenchantment
  with politics is familiar.  Its prescription, however, may seem a little
  naive in its faith that political life can be reinvigorated through
  procedural changes.  Even so, it is a refreshing reminder that political
  institutions are not simply inherited, but are also maintained and can be
  recreated by regular people.

  "European Governance -- A White Paper" was adopted by the European
  Commission on July 25 and published for public comment here:
  http://europa.eu.int/comm/governance/white_paper/index_en.htm

First, the source: This commentary was copied and pasted directly from
*Secrecy News*, a digest (but not a forum) written by Steve Aftergood, an
employee of the Federation of American Scientists (http://www.fas.org).

Second, the irony: It is ironic that, on one hand, the EU ministers would
issue statements like this, while on the other hand, they are pursuing the
ECHELON continental-wide wireless surveillance and monitoring network.  I
guess "openness", the ministers contend, must go both ways, regardless of
any privacy issues the EU's constituency may have.

Third, the RISK: I believe this veil of purported openness is a valid RISK,
since it seems the EU chiefs are making a push for pulling the wool over
their constituents eyes.  The issue Mr. Aftergood astutely mentions of
"public disenchantment" is not only reinforced, it seems, but gives
Americans no more confidence in our own government with respect to privacy
and auto-accountability issues, since the same game is being played here.
I'm all for good government and a solid nation, but only when the members of
those governments are accountable to their bosses (i.e., the People).

Stephen


WinXP blocks some versions of some programs

<"B. Elijah Griffin" <eli@panix.com>>
Thu, 2 Aug 2001 16:33:13 -0400 (EDT)

*The Register* reports that WinXP 'Release Candidate 2' has a driver block
that will prevent a number of programs from running.  Some people are
apparently worried that MS might become too bossy about what software their
OS can run.

The full story:
http://www.theregister.co.uk/content/4/20805.html

Elijah


Cyanide for Code Red

<"Jeremy" <jeremy@electrosilk.net>>
Mon, 6 Aug 2001 10:55:07 +0800

Code Red may or may not be the major disaster that CERT predicted.  It is
certainly present and apparently mutating already.

What does not seem to have happened is the production of an effective
stopper for the Code Red.  Present prophylactic activities involve getting
as many systems as possible updated with 'the fix'.  This of course will not
work as a large number of systems are run out of the box by people with
little to no technical training.  They won't even know how to recognise they
have the worm, let alone fix it.

One simple fix is a passive worm that sits on a target machine and when a
Code Red attack arrives, infects the attacker using the same technique that
Code-Red uses (by definition, an attacking machine must be vulnerable to the
attack).  The passive worm could disinfect the attacker, and then sit
waiting for further attacks on the original machine plus on the newly
disinfected attacker.  The rate of spread of the passive worm would be
directly proportional to the spread of Code-Red.  The passive worm cannot
spread at all unless Code-Red is operating.

The passive worm would almost certainly disable the IIS service, in fact it
might be a good idea to have it produce a default web page stating so,
together with instructions on how to download the security fix.  An improved
version may even apply the fix itself.

The question arises as to whether a passive worm is illegal in any way.

The arguments for a passive worm are that the system it is defending is
under attack and it is taking steps to stop that attack.  As a by-product,
the attacker is unable to attack any other systems.  The attacker does not
suffer any damage as a result of the disinfection.

The argument against it is that the defender places and executes code on the
hostile machine.  This may well breach any number of anti-virus laws.

The real test of the argument will be when a very dangerous worm, say like
Code-Red but 100 times as potent, is unleashed.  The various Governments
will be left in the serious dilemma as to whether to allow a vital national
resource be destroyed, or to unleash a probably illegal antidote.

The time scale to make such a decision could be a matter of hours from first
discovery to Internet meltdown.  Governments (and Microsoft) must have a
contingency plan in place.  I wonder what it is?

Jeremy


I am virus generator?

<"Bob Frankston" <RMFx18@Bobf.Frankston.com>>
Fri, 3 Aug 2001 14:50:28 -0400

Norton Anti-Virus 2001 has decided that the script I use to backup my
files is a virus. It says "Unable to repair this file OK" (no option for
"Not OK")! In trying NAV2002 (beta) I found that it seems to label all
scripts as viruses but, at least, it gives me an option of enabling them
one by one by one. The trend to treat programming as a criminal act and
put the onus on me to prove each action is not a crime is very
worrisome. Outlook has the same attitude towards attachments, even URLs.
It doesn't even deign to let me decide -- it just hides them.

I guess it goes along with viewing PEDs as terrorist devices. (For those who
haven't been following the issue in RISKS -- Personal Electronic Devices
seem to be viewed as too dangerous to allow on airplanes, at least during
safety-critical portions of a flight such as taxiing to the terminal.)

Bob Frankston  http://www.Frankston.com <http://www.frankston.com/>


AT&T Worldnet exposes all user passwords

<Una Smith <una@lanl.gov>>
Fri, 3 Aug 2001 17:27:59 -0600

I called AT&T Worldnet customer support to ask a question about my bill.  My
question was entirely impersonal but nonetheless I was required to identify
myself.  I gave my name and current telephone number.  The service rep then
asked me for the number I had when I signed up; when I hesitated, she
volunteered it.  Then she asked for my e-mail password.  When I refused she
informed me my password is not a secret, and that *all passwords* connected
to my Worldnet account (a Worldnet account can have up to 6 e-mail accounts)
are *visible* on her screen.

Una Smith, Los Alamos National Laboratory MS K-710, Los Alamos, NM 87545


Password changes -- SIGH!

<Jim Horning <horning@intertrust.com>>
Fri, 3 Aug 2001 12:12:52 -0700

> From: 	<HR Department>
> Sent:	Friday, August 03, 2001 10:12 AM
> To:	<US Employees>
> Subject:	IMPORTANT <HR Database> INFORMATION - PLEASE READ
>
> We want to make you aware that <HR Database> will be unavailable from 6pm
> (PT) on Friday, August 3 to 11:59pm (PT) on Sunday, August 5 due to server
> upgrades.  During this time, you will not be able to access the website.
> In <Outsourced supplier>'s ongoing effort to improve site performance,
> these upgrades are occurring to load balance and increase site stability.
> Part of this site upgrade includes a password change.  ALL USERS WILL HAVE
> A PASSWORD OF "change123" as of 12:01am PT Monday, August 6th, 2001.  Once
> you enter the system for the first time on or after August 6th, you will
> be required to change your password and answer a secret question.  In the
> future, you will be able to use the answer to the question to reset your
> own password.
> If you experience problems, please contact the whereiwork help desk at
> support@<Outsourced supplier>.


The risks of online order tracking

<"Darryl Smith" <darryl@radio-active.net.au>>
Mon, 30 Jul 2001 17:51:49 +1000

I have just purchased a computer from Dell Computer. My experiences are
interesting.

1. When I entered the 'E Code' to select the right configuration and price,
the price given did not include the $500 discount that I should have
received. I ordered by phone and got the substantial discount.

RISK: Paying $500 more on line.

2. Knowing that I might have problems with my credit (debit card) I
specifically asked the credit union what my limit was per day. They told me
that it was whatever my balance was. When I went to purchase this computer
the purchase was declined. When I contacted the credit union by phone they
informed me about a $1000 per day limit unless it is up-ed but ONLY for the
period that it was needed. I was to ring back as soon as the transaction was
completed.

RISK: Not having access to my money.

3. When I contacted DELL to let them know that the transaction could go
ahead I was told that it would be a while for the transaction to occour - in
other words they could not immediately process the transaction but it would
be hours.

RISK: There was increased potential for fraud because my account limit was
upped for longer than I would have liked.

4. Sydney is 10 hours ahead of GMT at the moment, meaning that most parts of
the world are behind us. When I logged onto the tracking WWW site at 7AM I
was told that what the status was at 8PM that day, or 13 hours ahead. But
that night I checked it at 5PM and was told that the status was at 4AM that
day, or 11 hours behind.

This does not make sense, unless the time is 11 hours behind at all times,
and that the WWW site is reporting the clients day and the server time.

RISK: Times and Dates should be based on either the clients date and time,
or the servers, but not a combination of the two.

5. The tracking WWW site notes that computer is in 'Delivery Prep' and has
been for about 5 days and about to be shipped. When I checked up with DELL
the computer had been shipped to Australia, and was at the Sydney warehouse
for final delivery.

RISK: When relying on online order status systems, work out what the results
mean before relying on them

Darryl Smith, VK2TDS   POBox 169 Ingleburn NSW 2565 Australia
Mobile Number 0412 929 634 [+61 4 12 929 634 International]


Mixing advertising and credit-card activation

<Bob Green <rgreen@etnus.com>>
Mon, 30 Jul 2001 21:39:07 -0400

I recently received a new AT&T Universal Card Visa Card.  The card came with
a security callback activation feature where you call an 800 number and
enter your card number.  If you are calling from home (and presumably have
not blocked the caller ID feature), this call activates the card.

The part of the procedure that surprised me was that after typing in my card
number, the voice response system:

  - cautioned me to stay on the line until I heard a confirmation that my
    card was activated

  - launched in to 30 second advertisement for a form of disability
    insurance. The insurance is sold with a 3 month trial period after which
    the insurance is automatically charged to your card.

  - asked me to type "1" to purchase the insurance or "2" to not purchase
    the insurance

  - asked me a second time to to type "1" to purchase the insurance!

  - finally, after two "2" responses, the voice confirmed activating my card

Besides being quite annoyed at being solicited in this manner, I had a
moment of panic at the first question. Voice response systems that ask you
to enter "1" to confirm a request are very common. Was this confirmation
request to activate the card or to purchase the insurance? It took a moment
of reflection to assure myself that I was saying no to the insurance.

The risks are that one might

 - accidentally purchase insurance they don't want
 - feel forced to buy insurance in order to activate the card
 - hang up too soon and not activate the card

Given the confusion that is often intentionally introduced by creative
marketing, mixing advertising and a security procedure seems a very poor
practice.

-Bob Green


Techs must report child pornography

<"Brien Webb" <bwebb@apexvoice.com>>
Mon, 30 Jul 2001 20:00:02 -0700

Source: Associated Press
  http://www.washingtonpost.com/wp-srv/aponline/20010727/aponline203146_000.htm

In South Carolina, a new law on education standards for day-care workers has
a requirement that private technicians tell police if they find child
pornography when servicing computers.

Think of the possibilities.  You're servicing computers, and you get the
idea to have some fun.  You take a client's computer, roll the date back,
access some child pornography web site(s), reset the date, and call the
cops.

Carrying it one step further, imagine that this as a political "dirty
trick".  It might just be the mayor or some legislative representative who
gets victimized.

Who would believe any protestations of innocence?

--Brien Webb


Re: Dutch government and virtual child pornography (Dinwiddie, R-21.47)

<Christian Reiser <C.Reiser@internet-security.at>>
Mon, 30 Jul 2001 11:53:16 +0200

A comment to a quite old posting, but it might still be interesting:

George Dinwiddie brought up the issue, how difficult it is, to guess a
person's age.  This is a problem, when the definition of child pornography
depends on the age of the person on the picture.

In Austrian legislation the definition of child pornography does not depend
on the age of the person, but something is child pornography, when one or
more persons involved in pornography look as if they were under 14. This
solves the problem of finding out the age, but obviously raises some others.

Christian Reiser, ASSIST, 1190 Wien, Nussdorfer Laende 29-33
C.Reiser@internet-security.at,  priv: Christian@Reiser.at  +43 1 370 94 40


Re: Super-accurate atomic clock hates Sundays (Knowlton, RISKS-21.55)

<Phil Kos <PhilK@solthree.com>>
Tue, 31 Jul 2001 17:28:53 -0700

Ironically enough, when I went to *The NYTimes* online to check out the
article on AT&T's new speech synthesis software (also mentioned in
RISKS-21.55), I noticed an article on a new type of atomic clock currently
under development at NIST. The article quotes Dr. Alan Madej of the National
Research Council, Ottawa, as saying "It certainly is a very big advance for
atomic clocks."

Presumably the display problems can be fixed now that MS has (finally, after
at least three years) fixed the 4/1 DST bug. Or do you suppose the NRC's
display software had their very own equivalent to MS's mis-implementation of
DST? After all, any error that can be made once can be made again and again
(buffer overruns are a good example).


What is your area code, really?

<Andrew Koenig <ark@research.att.com>>
Sun, 29 Jul 2001 20:00:15 -0400 (EDT)

This evening, I wanted to connect a laptop to the Internet to download
updated virus definition files.  I tried placing a call, then realized that
didn't know whether the machine was set up correctly for my present
location, so I cancelled the call.  After checking the machine, I thought it
looked reasonable, so I tried again.

Five minutes later, two police officers showed up at my door, saying
that they had received a 911 (emergency) call from my home.

It took me a while to piece together what had happened:

   1. Because I wanted to update the virus definition files, I called
      from "Administrator" rather than from my own account.

   2. The last time I dialed out on that machine as "Administrator" was
      from a hotel room in San Antonio.

   3. On the other hand, the phone number to dial for the ISP had since
      been changed to back home in New Jersey.

   4. The default area code for a dial-up connection is 1, which
      happens to be the same as the country code for USA.  Therefore,
      when setting the ISP's phone number, I had mistakenly assumed
      that the area code would go along with the phone number and
      specified an area code of 1 (which I thought was the (correct)
      country code of 1) and a phone number if 908 yyy yyyy (instead
      of yyy yyyy as it should have been).

   5. The network dialer, which still thought I was in a hotel room,
      dialed 9 (for an outside line), 1 (for a toll call), 1 again
      (for what it thought was the area code), and then 908 yyy yyyy
      (which was ignored).

I suppose the risks are obvious...

Andrew Koenig <ark@research.att.com>


Online advertising: Fraud, false positives and a novel DOS attack

<"John O'Connor" <jpoc@hotmail.com>>
Fri, 27 Jul 2001 11:49:15

There has been some comment, in recent editions of risks, on the subject of
online advertising as seen from the perspective of a Web surfer.

From the viewpoint of a Webmaster seeking ad income, there are some
interesting aspects including what seems to be a novel form of DOS attack.

I'll focus on one particular advertising model known as Cost Per Click or
CPC.

In this mechanism, a Web site will display a banner for an advertiser and,
when a surfer clicks on the banner, the advertiser will pay a small sum to
the publisher of the Web site. Thus the publisher will receive an income
dependent on the CPC multiplied by the Click Through Ratio or CTR.

A simple click may cost an advertiser somewhere between two and fifty US
cents and there is normally an agency of some sort between the two parties
to see fair play, count the clicks, handle payments etc.

One fairly obvious risk is that an advertiser who wants brand awareness and
not clicks can get free advertising by running ads that will not get clicked
but which will enhance brand recognition.

From the advertisers viewpoint, fraud is the main risk. A Web site owner may
use an automated system to generate bogus clicks to claim money that was not
properly earned. There are thousands of http proxy servers that suffer from
the same weakness that allows spam e-mail to exploit open smtp relays. Using
these, a Web site owner bent on fraud can generate thousands of bogus mouse
clicks.

Of course, advertisers or, more commonly, the agencies with whom they deal
take whatever steps they can to combat such fraud. One route used by many is
just to have a cut off point for the CTR and say that a Web site with a high
CTR will be automatically barred for fraud. Clearly this leads to the normal
risk of false positives where a legitimate site with a high CTR is excluded.
Interestingly, the false positives will here work to exclude the sites which
are the best ones for the advertiser to use. For example, suppose that a
dating agency, specialising in women from Russia seeking men from the West,
uses an agency to run its banner ads on the Web sites represented by the
agency. Most of the time, such ads will attract a CTR of about 0.2%. But
what if one of the sites in the ad agency network happens to specialise in
advice on exactly this topic? (Fiancee visas, how to address a letter to a
country the uses the Cyrillic alphabet etc.) That site may see a CTR of over
5% which will rapidly earn it exclusion for fraud. Of couse, that is exactly
the site on which the advertiser would like to run its ads.

And the novel DOS attack?

Recent reports on the Web publisher forums at geekvillage.com have focussed
on another problem. Suppose that two sites are in competition as they cover
the same subject area and target the same pool of surfers and advertisers.
Site A runs banner ads and site B would like to get those ads for itself and
perhaps even close down site A and get the surfers too. The operator of site
B could set up a click-bot to cause open proxy servers to send thousands of
clearly false clicks to the advertiser: seemingly on behalf of site A. Site
A will soon be flagged for fraud and will lose its advertising income and
may well close.

John O'Connor  http://www.jpoc.net


Re: Even a fatal error can't kill it (Haynes, RISKS-21.53)

<Terry Brugger <zow@torii.bruggerink.com>>
Sun, 22 Jul 2001 10:45:38 -0700

I recently had a similar experience with Ticketmaster's on-line ordering
system. I was buying a ticket to a show by my favourite artist as soon as
the tickets went on sale (I wanted a good seat). Unfortunately, the group
has MANY other fans in the Bay Area, so the system was quite sluggish and
timed out frequently. I selected the seat I wanted, entered in all my info
and submitted it. After waiting a minute or two it came back with an error
message to the effect of, "Unable to confirm your order - hit the back
button and resubmit it." When I did so I was informed that my session timed
out and that I should try again from the beginning. So I did, five times
before the order went through and was confirmed. Everyone knows what
happened next: I ended up with five tickets. Ticketmaster was nice enough
about it, but I was still left with the task of mailing them the unwanted
tickets in order to receive my refund.

The risk: If you're going to build a system with the primary task of selling
tickets to popular events:

1. Make sure it can handle the load when those events go on sale and
2. Make sure it correctly reports on the completion of transactions.

"Zow" Terry Brugger <zow@acm.org>   http://bruggerink.com/~zow


Re: Even a fatal error can't kill it (RISKS 21.53)

<Joe Thompson <joe@orion-com.com>>
Thu, 19 Jul 2001 23:45:44 -0400

jhaynes@alumni.uark.edu noted in RISKS 21.53:

> No doubt there are other systems out there which have the possibility of
> completing a transaction and then telling the user that there has been a
> fatal error.  Maybe a whole lot of them.

I recently had just such an incident with my bank (Chevy Chase Bank, based
in Maryland).  I used the online banking tools to transfer some funds from
one account into another.  Later that day I had a need to stop payment on
a check, so again I logged on and transferred enough money back into the
first account to cover the stop-payment fee.

Later that night I withdrew some funds from the second account at an ATM,
and my receipt showed the correct balance.  The next night I did the same
(total withdrawals $60.00 for the 2 transactions).  The following day at
lunch I tried to make a withdrawal at an ATM and was denied -- with the
receipt showing a balance of approximately -$60.00 in the second account!

You guessed it -- the online transfers I made had disappeared from the
system, and my balances had "snapped back" to what they would have been had
they never happened.

Chevy Chase customer support, fortunately, believed me (in part because
it's impossible to have a negative balance in a savings account without
some really odd goings-on), and later that week it turned out to be a good
thing because the chaos of those few days resulted in two checks that were
currently going through the system "bouncing".  CC refunded my insufficient-
funds fees -- and the payees never knew because the two payments were made
via Chevy Chase online payment, which sends the equivalent of a cashier's
check (it can't bounce).

The RISK, of course, is the old story: adding new systems adds complexity
and can have entirely unexpected results. -- Joe


Re: Even a fatal error can't kill it

<"John M. Hayes" <john.hayes@marconi.com>>
Fri, 20 Jul 2001 10:59:35 -0400

The software that prevents duplicate transactions can be a problem in and of
itself.  I recently attempted to make hotel reservations through an online
travel agency. On this particular site, there was no provision for reserving
multiple rooms. So after making the first reservation, I went back and
attempted to reserve a second room.  The watchdog software would not allow
me to reserve a second room in my name. I ended up having to use a different
name in order to make a reservation for the second room.  Eventually, this
website does allow you to consolidate multiple reservations, but that was
not at all clear as I struggled with their system.

Note: For the trip home, I decided to just phone the hotel directly and talk
to an operator in order to make similar reservations. It was MUCH easier.

John Hayes (john.hayes@marconi.com)

Please report problems with the web pages to the maintainer

Top