Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
By Greg Sandoval and Robert Lemos, CNET News.com, 20 Nov 2001 Playboy.com has alerted customers that an intruder broke into its Web site and obtained some customer information, including credit card numbers. The online unit of the nearly 50-year-old men's magazine said in an e-mail to customers that it believed a hacker accessed "a portion" of Playboy.com's computer systems. In the e-mail, a copy of which was reviewed by CNET News.com, Playboy.com President Larry Lux did not disclose how many customers might have been affected. Playboy.com encouraged customers to contact their credit card companies to check for unauthorized charges. New York-based Playboy.com also said it reported the incident to law enforcement officials and hired a security expert to audit its computer systems and analyze the incident. [...] http://news.cnet.com/news/0-1007-200-7932825.html
An Irish emigrant to Spain had an unexpected windfall when his Dublin bank accidentally credited more than 300,000 euros ($264,800) — instead of 300,000 pesetas — to his new account, newspapers reported on Wednesday. (Reuters, http://news.excite.com/news/r/011121/07/odd-ireland-dc) Surely European banking software has always had to handle currency conversions? Carl Fink, Manager, Dueling Modems Computer Forum carlf@dm.net http://dm.net/
This story taken off of the newswire today: http://dailynews.yahoo.com/h/nm/20011121/od/tech_hongkong_champion_dc_1.html Concerns a signal-jamming technology being developed by a Hong Kong company to block cellphone calls in areas where they are not wanted. Not a bad idea, but the following excerpt caught my attention: "A Hong Kong company hopes to sell signal-jamming technology previously used by the military to thwart lethal missiles to block annoying cellphone calls in places such as hospitals, places of worship and restaurants." Hospitals? Now, I admit I know very little about jamming technology, but I know that, at the very least, it requires transmitting radio energy on the same frequency as the signal you are trying to jam. Presumably, it involves transmitting at a considerably higher power than that of the target signal. Now, as I understand it, hospitals' no-cellphone policy is based on the fear that the phones' radio transmissions might interfere with hospital equipment. Are we to understand, then, that they intend to combat the problem by installing a device that, by definition, must transmit on the same frequencies at the same or considerably greater power? I hope this was simply an error on the writer's part... Russell Stewart, Sandia National Laboratories russtew@sandia.gov
OK, you ask, what does that have to do with RISKS? Hold on a second! Fairfax County Virginia has one school system (unlike other counties around the US where each municipality or region has their own system). My daughter goes to a magnet high school program within the county, but not the one that would ordinarily be our "home" school (i.e., the one closest to our house). Last week she got her report card for the first quarter from the magnet school. Yesterday she got a second report card from the home school, which doesn't show any courses or grades. Luckily, it doesn't show a GPA either (I guess the programmer was smart enough not to try to average zero credit hours :-). But it does show she attended school for 40 days and was absent two days... the same number as in the magnet school. So the county obviously has one database to record absences, but the software isn't smart enough to realize she's not taking any courses at the home school and therefore shouldn't get a report card. Or maybe that's a safeguard in case the child drops all classes without telling the parents? I *hope* that when she goes to apply for college that they'll report her actual GPA, and not something silly like 0.0 since the school system obviously doesn't understand where she is! The risks of poorly designed database applications...
Back some months ago — 11 Apr 2001, in fact — a promotional mailer in the form of a folded post card (11 inches by 15 inches) was mailed out to who knows how many residences in Virginia (U.S.) by Network Solutions, a VeriSign Company, advertising Web site services. Amusingly, the advertisement listed www.squirreling.org as a sample domain name, describing a "matching e-mail address like this" with yourname@squirreling.com as their "matching e-mail address." Aside from the fact that Network Solutions mixed .ORG with .COM, apparently they didn't bother to check first to see whether Squirreling.ORG was an existing web site before they advertised it as an example. In fact I had registered the domain name on February 2'nd, 2000 and had acquired hosting shortly after that. The name "Squirreling" was doubtlessly picked because it sounds amusing and Network Solutions probably assumed that nobody would have such a domain. The risks? What if my web site had been something sinister? Network Solutions could have suffered massive embarrassment and revenue losses had my web site contained "Bonsai Kittens" or something equally stupid on it. http://groups.google.com/groups?q=+%22squirreling.org%22&hl=en&rnum=2&selm=3 ad4add5.231072131%40news.bellatlantic.net
Lotus and most other spreadsheets have another date risk, caused by trying
to maintain compatibility with Visicalc in the original Lotus and carried
over from there.
Dates are stored as the number of days since the start of 1900. That is Jan
1, 1900 is stored as 1, etc. The problem is the original programmers thought
that 1900 was a leap year.
Enter 60 into a date-formatted cell. Many spreadsheets will display it as
Feb 29, 1900!
Microsoft Multiplan handles this by making Jan 1, 1900 store as 2 rather
than 1. But that means dates in it won't match dates in other spreadsheets
if they are before March 1, 1900.
There's no good solution anymore due to the spread of this "misfeature" thru
spreadsheets across the world. All you can do is double check *any* date
info from before 1900-03-01 that has passed thru (or may have passed thru) a
spreadsheet.
Leonard Erickson (aka shadow{G}) shadow@krypton.rain.com
We have fallen into the accidental misconfiguration trap a few times for some of these cases — the primary reason it happened to us is that routes advertised using "classless" IP address ranges do not get treated properly by a router that doesn't have 'ip classless' set (in Cisco-speak). This is the Classless-InterDomain Routing (CIDR) system that replaced the old Class-A, class-B, class-C hierarchy. The cable modem and military people tend to populate parts of old class-A blocks - this is any IP address that starts with a number less than 128. In our case what happened was we had a "specialty" internet provider that only provided access to certain networks which they advertised to us via the BGP protocol, and they filtered out any traffic coming from us that didn't match that list of networks. But it turned out that some of the networks they advertised were small portions of these old class-A networks, and we naively did not have "classless" routing turned on, so our router thought the ENTIRE class-A had to be routed through them. So traffic between us and any address in that class-A block not passed through by our provider was blocked. One reason we didn't have classless routing turned on was some previous bad experience where one of our partners' router's memory had been filled with spurious /32 routes (routes with only a single address) due to the use of classless routing, the fact that we did not have all possible routes to our own address space properly advertised to one another, and the malicious actions of some printer software that tried to scan every single address in our (class-B) address space, looking for printers. In short, it's very easy, if you do not have much background in IP networking, to misconfigure your routers to have this sort of thing happen - and it's a little hard to spot since the network connections are generally working fine otherwise - nobody may ever complain!
According to a well-placed friend within Apple, the failure was a bit more complex than described. He says that the bug in the script was actually discovered prior to the software being posted, but that the corrected version somehow did not end up being posted (classic version management issue.) Furthermore, the fact that broken script had been posted was discovered in the middle of the night, but the folks responsible for the server did not pull it down until hours later, thus increasing the collateral damage (classic people management issue.)
And of course no self-respecting non-US anti-virus firm is going to put a signature into their product that will detect and report on this trojan? Somehow the first time it is detected by anyone it will get into F-Prot, F-Secure, AVP and a number of other non-US products that are widely used even in the US, and then what? If the AV product vendors ignore this software, they are in for attack from their customers, and if they detect it they are in for attack from the FBI? Which would you choose were it your corporation? This type of program and its detection is too much of a risk for the FBI for them to widely disseminate it, and ignoring such a program is too much of a risk for the AV product vendors to accept, since alienating their clients will unfortunately result in a major downturn in their corporate viability, once it becomes known, which will be almost immediately.
> The FBI is working on software that could insert a computer virus ... First off, nothing about this program indicates that it is a virus. There is nothing about reproduction in the description. In any case, a virus would be a fairly imprecise way of delivering a security breaking package (although steps could be taken in that regard). > suspect's computer capable of reading encrypted data. As the later material shows, the program is not capable of reading encrypted data, it simply steals passwords. Fairly common activity for trojans in past years. > The software, known as "Magic Lantern," installs "keylogging" software > that can capture keystrokes typed on a computer. The virus can be sent > via e-mail. As Peter notes, Microsoft Outlook is somewhat susceptible to this type of thing, but in pretty much every other case you'd have to convince the target to run an attachment. That might be a little trickier. "The attached Microsoft Word document contains an application form for our special Kali cartel `frequent pusher' discount, good for an extra 10% off on shipments of 100 kilos or more." "Run this hilarious screensaver with inspirational (secret) messages from our beloved leader Osama, along with detailed instructions on the construction of truck bombs." [But this seemed to happen all the time with IL*V*Y**, etc. PGN] The targeting of PGP is interesting. Does this mean that the US government is still ticked over its creation, or that they are finally (tacitly) admitting that open-source software really *is* more secure? > ... possible to observe every keystroke typed by the suspect, even if a > court order specified only encryption keys. It would certainly be easier to collect information, particularly for ephemeral data, such as e-mail. On the other hand, how are the authorities supposed to get at the data? I suppose sending out only the passphrase would be less suspicious if someone was keeping track of traffic. (On the other hand, if anyone was logging port activity it would be fairly easy to scan for Magic Lantern in the same way that people scan for Back Orifice, SubSeven, Bionet, and other RATs.) > [Insertion by e-mail probably works well for Microsoft software, which is > prone to that kind of attack. Various reports suggest that Magic Lantern > can also plant itself by penetrating systems. Penetrating how? I would hope that the RISKS audience is somewhat less suggestible, along these lines, than the general public. [You must be kidding! PGN] > Penetrability of supposedly secure systems has long been noted here ... True, but the penetration is still probably going to happen on a case by case basis. Viruses would be a good way to break confidentiality (just look at Sircam), but are rather a blunt instrument, tending to drown signal with noise (look at Noped). rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
RISKS-21.77 contained a string naming a recent virus "IL*V*Y**". Some of you apparently have filters that are so lame they cannot tell the difference between that spelled out in text and the actual virus. Overzealous filtering is rapidly becoming a bad joke.
> Imagine my surprise to find that the original (bounced) message had > been spam, apparently sent from me! That "original message" was never sent. The "bounce notification message" was forged by the spammer. And it worked — you paid close attention to it.
> The best folks prefer product engineering (aka 'development'). I don't believe this is true at all. I believe that the vast majority of employees, and many managers, in the computer field regard product engineering as the "senior" department, the superior order amongst technical professionals. [That upper management often considers sales to outrank all technical groups takes a while to discover....] The result is that other technical departments, such as QA and IT, are often staffed largely with junior engineers biding their time and acquiring years of experience to try to get into product engineering. Naturally, they're not very good at what they're currently being paid to do -- they'd much prefer to be in product engineering — but they're not necessarily any better at *it*. On the counter side, there *are* a few excellent, committed QA and IT and Tech Support folks around — "the best" in these realms — and often that is intimately tied to their discovery of a personal preference for one of these "ancillary" roles. I would say that the *majority* prefer product engineering — and that this is linked, chicken-and-egg fashion, to other branches being under-appreciated and staffed largely by inexperienced, uninterested, and (as a consequence) ineffective personnel. The consequences? We read about them on the RISKS Digest every week. David Gillett
According to the Dec 2001 issue of *Consumer Reports*, your problems with toasters are not unique, and they were able to get better toast from some simpler toasters (that is, without all the sensors). However, the risk of toasters not turning off until they have popped has been addressed in the US. There is now a Consumer Product Safety Commission standard requiring toasters to turn off when the cycle is over, whether or not the "pop" has occurred. It takes effect for toasters manufactured after November 2001, but many toasters are now compliant (and some actually give some indication of this compliance on the box).
In RISKS-21.76, we read about (800)555-1212 re-directing information calls. Those familiar with the history of the telephone system may recall that Almon P. Strowger, generally regarded as the inventor of automatic telephone switching apparatus (at least in the U.S.A. :-) was an undertaker, who produced his invention because he was tired of the telephone operator in his town "accidentally connecting" his calls to his competitor, said operator's husband. Of course, all those helpful Web "directory" sites have been doing this for years, and "Smart-Links" threatens to move the betrayal right to your PC. (Yes, I know, not _right_ now, yet...) We also read about: > Subject: Re: Another SRI-wide power outage (Rowland, RISKS-21.74) > > [...] The Xerox tech would decide that the the pair of side by side tops of > the controllers made an excellent surface for him to flop his huge folder of > tech charts onto, toggling the power switches on both modems off. Which reminded me of the result of using the oh-so-convenient top of the IBM 1401's Core-memory extension to set down 7-track mag-tapes temporarily, until we figured out why we where getting so many errors... (We put a two-drawer steel card-file on top, and added a notice _under_ that file explaining the issue and saying "Put it back")
Brett Glass's story on operator-assisted dialing that resulted in customer hijacking would probably have shocked Almon Strowger, the funeral parlor manager who, as the story is told, invented the Strowger switch, which as we all know would become the backbone for the electromechanical direct-dial apparatus in place for many decades. (As the story is told, Strowger [STRO-jer] suspected the local telephone exchanges of routing potential customers [well, I suspose the families of potential customers!] for his funeral parlor to his competitors' parlors. Paranoia was the mother of Strowger's invention.) As long as callers leave the recipient-to-number translation in the hands of others, for convenience of any other reason, this problem will likely persist. Rob Bailey, wm8s@pobox.com
The risk was not properly identified. While this is certainly an issue; IMHO Bret has the risk all wrong. This is a classic case of 'Never attribute to malice what can be explained by stupidity'. I'm sure AT&T (I'm assuming here, since they're the biggest user of TellMe) made NO deliberate attempt to 'hijack' the hotel's number (what possible benefit would ANYONE receive from rerouting a caller looking for a hotel to a furniture store). What's much more likely is that the TellMe VR software made a mistake; or, that it doesn't handle duplicate names very well.
I'm not going to comment on national ID cards directly, but only upon Adam Shostack's reasoning. Every web page (instruction, datum, etc.) is accessed a first time, as well, but caches still work pretty darn well on a statistical basis. Screening will always be a statistics game, but we need to attach wildly different costs to various kinds of screening misses. Clearly, 20 box cutters can ruin a lot of days. The IBM 360/30 didn't execute a "divide" instruction or a "convert to decimal" instruction very often, but when it did, they was so slow that they often dominated instruction trace timings. So the next generation of 360's improved the execution speed of those particular instructions. However, much of the improvement in computer execution speeds over the past twenty years is the result of tuning to more broadly valid statistical data, rather than focusing only on rare but costly instructions. Similarly, we need to continue to make _flying as a whole_ safer, rather than focus only on the threat of terrorism, as the recent NYC crash sadly proves.
> If you create user accounts, by default, they will have an account type of > Administrator with no password." This is probably a result of aggressive product management. Some years ago I worked for Mitsubishi Consumer Electronics in their software department, and was tasked to write the code to implement parental lock on a (now long defunct) chassis of TV set. I'd implemented it so that all the settings would remain as parents locked and unlocked the TV, so that parents could set all their settings for each channel once and allow or deny TV viewing according to those settings as they liked. Much of that logic had to be re-implemented for a different behavior: unlocking the TV caused ALL of the information about which channels or times were or were not permissible to be erased, requiring that they be re-entered next time. The reason for this was that apparently support telephone calls on the issue of parental lock nearly never asked the question "Why can't I lock my kids out of the television?" and instead nearly always asked "My kids have locked me out of the television. What do I do?" Since those calls cost money to support a product for which the company had already been paid, they were to be minimized. The product had to be easy to unlock and hard to lock. I suspect this behavior in Windows XP is a similar matter.
Re: Porn spam being sent in my name (Sanders, RISKS-21.76) Here's how much worse it can get: In the past couple of years, I've opened up e-mail accounts on three different systems: Yahoo Mail, HotMail, and MyRealBox.com. These accounts were used ONLY for testing internet e-mail gateways on new e-mail systems that we set up for clients They have never been used for posting to a list, responding to an ad, and/or have never been entered into any Web site. - Within two months of opening the Yahoo! Mail account, it started receiving spam, none of it from Yahoo. - Within three days of opening the HotMail account, it started receiving spam, in amounts far larger than the Yahoo account. In both of the above cases, I had specifically selected to NOT be listed in either of the systems' directories, and to NOT receive e-mail offers from any of their "marketing partners". Neither of these accounts were ever used to respond to offers, entered into Web sites, or published anywhere. They were only used to send and receive test e-mail messages to and from new e-mail servers. Either Yahoo Mail and HotMail are lying about not publishing or selling addresses, or someone's harvesting e-mail addresses by sniffing packets. (Hence the subject of this message.) As much as I'd like to bash the vendors ... I strongly suspect the answer is that someone's found a way to harvest e-mail addresses. (Keep reading.) I next opened up a third test account, on MyRealBox.com. This is a demonstration mail service operated by Novell, Inc., to show off its NIMS product, and having met people from the NIMS team at various Novell functions, I had been informed that they specifically do NOT sell the MyRealBox accounts, nor use them for marketing purposes of any kind. For about six months, I received no spam of any kind on the MyRealBox account. Suddenly, I was flooded with everything from "failed delivery" messages to angry missives threatening me with bodily harm for spamming them. Some of the missives included the complete message, which was a piece of spam generated with my MyRealBox account name in the "From" and "Reply-To" fields! The messages did NOT originate from MyRealBox, however, nor did they pass through any "traceable" intermediate mail servers (only IP addresses were shown in the headers). This raises the question: if the MyRealBox account name wasn't sold (and I believe it wasn't), then how on earth did the spammers "harvest" my specific MyRealBox account name to use to send spam with? (And are there any steps one can take to prevent it from happening again?) This also brings to mind the risk of using a "free" internet e-mail account, or any type of outsourced e-mail server over which one has no legal or authoritative control.
Please report problems with the web pages to the maintainer