The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 89

Tuesday 29 January 2002

Contents

Wireless technology criticized for vulnerabilities (NewsScan)
Wireless bypassing the firewall (Jeremy Epstein)
Free airport wireless network, and spam launcher (Mike Hogsett)
Consumer beware: Are you really there? (Rob Graham)
Risks of deceptive characters in URLs: Gabrilovich/Gontmakher (PGN)
Water line break closes 911 center & police department (Dave Bank)
New official self-service litigation system available in England & Wales (Tony Ford)
Royal chat session failed (Erling Kristiansen)
Risks of bouncing e-mail (Nick Brown)
Stupid defaults in database conversion (Paul Wallich)
Spam prevention gone too far (Jonathan Kamens)
BBC News: Iceland places trust in face-scanning (Chris Leeson)
Brisbane ISP in court (Peter Deighan)
RSA Conference e-mail has tracking bugs (Rex Sanders)
Re: Buffer overflows and other stupidities (Earl Boebert)
Re: Software uncovers e-mail untruths (Russ Perry Jr)
Remote mobile phone configuration changes via SMS service (S. Llabres)
REVIEW: "Algebraic Aspects of Cryptography", Neal Koblitz (Rob Slade)
Infowar Con 2002, call for papers (Winn Schwartau)
Info on RISKS (comp.risks)

Wireless technology criticized for vulnerabilities

<"NewsScan" <newsscan@newsscan.com>>
Tue, 29 Jan 2002 08:37:15 -0700

Lawrence Livermore National Laboratory in California has banned all wireless
networks, including Microsoft's Wi-Fi, because of security concerns. Wi-Fi
supporters say the technology is secure when it's been properly installed,
but experts say that only about 10% of all users install them correctly.
(*USA Today*, 28 Jan 2002; NewsScan Daily, 29 January 2002)
  http://www.usatoday.com/life/cyber/tech/2002/01/29/wifi.htm


Wireless bypassing the firewall

<"Jeremy Epstein" <jepstein@webmethods.com>>
Fri, 25 Jan 2002 17:01:13 -0500

Wireless carriers including Sprint, Cingular, and Seven (a startup) are
putting together products that tunnel through the firewall to allow you to
access the e-mail, calendars, etc. on your desktop machine remotely from a
wireless device.  But not to worry, since it "conforms to the highest levels
of transport security".  After all, what could go wrong with a tunnel like
this?  NOT!  The risks are apparent to everyone except the vendors involved.

Full story at
  http://www.infoworld.com/articles/hn/xml/02/01/28/020128hnport.xml


Free airport wireless network, and spam launcher

<Mike Hogsett <hogsett@csl.sri.com>>
Tue, 29 Jan 2002 13:13:03 -0800

Soon business travelers passing through Minneapolis-St. Paul International
Airport will be able to access the Internet at high speeds for free.

Anyone want to send out lots of SPAM or launch attacks?  Just go to MSP.

http://www.startribune.com/stories/535/1130636.html


Consumer beware: Are you really there?

<"Rob Graham" <ceo@grahamsolutions.com>>
Mon, 28 Jan 2002 10:46:57 -0500

This potential risk was sent to me at work today.  At a quick glance of the
site below, you may truly feel that you are viewing a drastic mistake at
microsoft.com, or the evil doings of a disgruntled employee.  I as a Web
developer and consultant quickly determined how it was done (simply passing
a username and password to the true url to display the page).  However, a
link contained within an e-mail to the unsuspecting consumer bringing them
to a site like this could be a disaster.

This false representation is an easy way to exploit information from
consumers thinking they are buying/subscribing/requesting information
from a company - when in fact, it may be a scenario like the link below:

http://www.microsoft.com&item=3Dq209354@hardware.no/nyheter/feb01/Q209354
  %20-%20HOWTO.htm


Risks of deceptive characters in URLs: Gabrilovich/Gontmakher

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 28 Jan 2002 22:45:21 PST

Related to Rob Graham's item in RISKS-21.89, an even more insidious URL risk
is described in an excellent column on the Inside Risks page of the February
2002 CACM:

  Evgeniy Gabrilovich and Alex Gontmakher
  The Homograph Attack
  Communications of the CACM, vol 45, no 2, inside back page

This is a WONDERFUL RISKS-relevant article.  Please read it.
For your convenience, this column is now on the Inside Risks Web site
  http://www.csl.sri.com/neumann/insiderisks.html
as
  http://www.csl.sri.com/neumann/insiderisks.html#140
The examples given use Cyrillic characters.  For example, a Russian "o"
and an English "o" look alike but can have radically different results.
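
The two URL risks described in the preceding items (Rob Graham's text before the "@", and the look-alike characters of the Gabrilovich/Gontmakher column) can be checked mechanically. The sketch below is an added example, not part of either submission: `analyze_url`, the finding names and the `micr\u043esoft.example` host are constructed for illustration, and script detection is approximated from Unicode character names.

```python
import unicodedata
from urllib.parse import urlsplit

# URL quoted in Rob Graham's item, with its two lines joined.
GRAHAM_URL = ("http://www.microsoft.com&item=3Dq209354@hardware.no"
              "/nyheter/feb01/Q209354%20-%20HOWTO.htm")
# Constructed sample: the fifth letter is CYRILLIC SMALL LETTER O (U+043E).
HOMOGRAPH_URL = "http://micr\u043esoft.example/login"


def label_scripts(label):
    """Scripts used by the letters of one DNS label (digits, hyphens ignored).

    The script is approximated by the first word of each character's
    Unicode name: LATIN, CYRILLIC, GREEK, ...
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def decode_label(label):
    """Turn an ASCII 'xn--' (Punycode) label back into Unicode for inspection."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: inspect the raw label instead
    return label


def analyze_url(url):
    """Report the host a client would contact and any deceptive features."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # Everything before the last '@' in the authority is userinfo
    # (user[:password]), not the server name.
    userinfo = parts.netloc.rpartition("@")[0]
    if userinfo:
        user = userinfo.split(":")[0]
        findings.append("userinfo-looks-like-host" if "." in user
                        else "userinfo-present")

    for label in host.split("."):
        scripts = label_scripts(decode_label(label))
        if len(scripts) > 1:
            findings.append("mixed-script-label")
        elif scripts and scripts != {"LATIN"}:
            findings.append("non-latin-label")  # informational only

    return {"host": host, "findings": findings}


if __name__ == "__main__":
    for sample in (GRAHAM_URL, HOMOGRAPH_URL, "http://www.example.com/"):
        print(analyze_url(sample))
```

A label written entirely in one non-Latin script is reported only as informational, since legitimate internationalized names look the same to this check.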


Water line break closes 911 center & police department

<Dirk the Daring <dirk@psicorps.org>>
Thu, 24 Jan 2002 17:19:08 -0500 (EST)

  http://www.newsobserver.com/ncwire/news/Story/903276p-902507c.html

In Durham, NC (USA), a waterpipe break on early Saturday (12-Jan-2002)
morning forced the closure of the city police department building and 911
center. The water flooded a subbasement and took out the electrical
equipment and backup power generators. Callers to 911 got busy signals or
disconnects (I suppose that's better than hold muzak) until the temporary
location (at Duke University) was online about 12 hours later, with
dispatchers taking call information on paper (no computers).

RISKS:

    1) Putting all the eggs, police dept and 911 center, in one building

    2) Putting critical electrical equipment in a place where it can
        be easily flooded out and in the same building

    3) Not having 911 services "roll-over" to somewhere else (for example,
        Cary, NC - about 20 miles from Durham - has an agreement with
        the Wake County 911 center that if Cary becomes unable to take a
        given 911 call, it automatically rolls over to Wake's 911
        center) - a (*gasp*) backup

Dave Bank  aka Dirk the Daring  dirk at psicorps dot org


New official self-service litigation system available in England & Wales

<Tony Ford <tony.ford@net.ntl.com>>
Sat, 26 Jan 2002 15:43:09 +0000

Today's Daily Telegraph (a quality UK broadsheet newspaper) carries a
*potentially* disturbing report describing a new service, "Money Claim
Online", whereby individuals and law firms (solicitors) can issue most
simple legal proceedings (where a sum less than UK pounds 100,000 is
claimed, = USD 140K) and enforce judgments via a Web browser.  The new
service has been set up without publicity by the Lord Chancellor's
Department, which runs the courts system in England and Wales.  It seems
that the system is accessible to the public now, although it has not been
officially launched.

People using the service are (oddly) referred to as "customers" .... and
there is a Customer Help Desk ...

The newspaper report is also viewable at this Daily Telegraph link on-line:
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2002/01/26/nsue26.xml&sSheet=/news/2002/01/26/ixhome.html

The service can be seen on-line at:
https://www.moneyclaim.gov.uk/csmco/index.html

No details are apparent of what measures are taken to validate the identity
of the claiming party or prevent other gross miscarriages of justice ....
but it would appear that the potential exists for significant trouble ....
even though the site warns that "vexatious litigants" are not allowed to use
it (these are people who have abused the litigation system in the past to
such an extent that they have been declared "vexatious litigants",
restricting their ability freely to issue legal proceedings).

PS: I am a lawyer myself, although I don't practise in this area .. but do
work in-house for a large IT company ... these comments are offered purely
in a personal capacity.

Tony Ford, Guildford, Surrey, UK <tony.ford@net.ntl.com>


Royal chat session failed

<Erling Kristiansen <ekristia@xs4all.nl>>
Wed, 23 Jan 2002 21:20:45 +0100

A public chat session was scheduled yesterday between, on one hand, the
Dutch Crown Prince Willem Alexander and his fiancee Maxima Zorreguieta and,
on the other hand, 100 selected citizens. The session was made available for
everybody to watch on a Web site.

The server failed after a few minutes and did not come up again, so the rest
of the session was canceled.

According to several news sources (radio and TV news, printed press), KPN,
who provided the server, says that the crash was caused by "sabotage", and
that the site, that was designed for "tens of thousands" of users, received
3 billion (Yes, 3,000,000,000) hits.

The story does not look very plausible to me. To deliver 3,000,000,000 IP
packets, even short ones, in a few minutes takes something like a 10
Gbits/sec connection into the server, and would require quite a powerful
attacking machine with a comparable network connection, or a concerted
attack by tens of thousands of home PC's on modem lines.

I also had a look at
  http://internettrafficreport.com
Such a volume of traffic in a short time should cause some slowdown of other
Internet traffic in the networks concerned. I saw no noticeable performance
degradation in any of the Dutch routers monitored by this site, nor anywhere
else, around the time of the event.

Speculation in the media now goes that the site simply received more genuine
hits than it was designed for, but not billions (Holland has 16 million
inhabitants), and could not cope, and that KPN is reluctant to admit their
mis-estimation of the traffic.

Does anybody have more information about what really happened?


Risks of bouncing e-mail

<BROWN Nick <Nick.BROWN@coe.int>>
Thu, 24 Jan 2002 08:50:21 +0100

The Strasbourg newspaper "Dernières Nouvelles d'Alsace" reports (in French)
an interesting case of e-mail forgery.  The exact circumstances are not yet
clear, but it appears that:

- An e-mail was sent from the account of the mayor, telling members of a
city commission to vote in favour of a plan to extend a local hypermarket.
The official, public policy of the city council and the mayor is to oppose
this extension.
- The mail to one member of the commission bounced, because the recipient's
name was incorrectly spelled.
- An assistant to mayor Fabienne Keller, who has access to her mailbox,
noticed the "undeliverable" reply and determined that the mail had been sent
at a time when the mayor could not have sent it.
- The general manager of the hypermarket is under police investigation for
illegal entry into a computer system, forgery, use of forged documents, and
attempted fraud.

Original texts in French for those interested:

http://www.dna.fr/cgi/dna/motk/idxlist_light?a=art&aaaammjj=200201&num=18041610&m1=keller&m2=mairie&m3=
http://www.dna.fr/cgi/dna/motk/idxlist_light?a=art&aaaammjj=200201&num=19049910&m1=keller&m2=mairie&m3=

I suppose the RISK is that if you're going to pretend to be someone else,
make sure you can spell!

Nick Brown, Strasbourg, France


Stupid defaults in database conversion

<Paul Wallich <pw@panix.com>>
Fri, 25 Jan 2002 17:20:05 -0500

Even in the sticks there are risks:

Last autumn, the propane company that fills our tank (for stove, hot water
and drier) was taken over by another propane company. We learned last night,
when all of our gas-fired appliances stopped working, that "some customers
fell through the cracks" during the acquisition, to wit, the new company
wasn't refilling their tanks and was apparently relying on calls like ours
to let it know whom it had forgotten. They promised a delivery "first thing"
in the morning. So about noon we called, and learned a few additional
tidbits: apparently customers scheduled for regular deliveries from the old
company had been silently changed to "will call" status by the new one, and
no, the new company didn't believe it had any liability for interrupted
service.

The risk of mistranslating fields in an acquired database should be obvious,
as should the rule that any untranslatable values get flagged and/or at
least converted to the least-damaging equivalent in the new system. (There's
also the obvious financial risk that customers won't want a company that
careless involved in delivering a commodity known to blow folks to bits when
mishandled.)


Spam prevention gone too far

<Jonathan Kamens <jik@kamens.brookline.ma.us>>
Thu, 24 Jan 2002 16:23:17 -0500

I recently attempted to send E-mail to the author of a RISKS submission.
Since my DSL line was down when I sent the E-mail, and since outbound SMTP
connections are blocked from the dial-up accounts provided by my ISP, I had
to send my E-mail through my ISP's mail server.  It bounced as follows (the
identity of the intended recipient has been masked):

  <RECIPIENT@RECIPIENT-HOST>:
  Connected to RECIPIENT-HOST-IP but sender was rejected.
  Remote host said: 571 <jik@kamens.brookline.ma.us>... Return address  jik@kamens.brookline.ma.us  does not match sending computer  mail11.speakeasy.net  -- check your configuration. http://www.RECIPIENT-HOST/mail/571_2.html for details.

If you visit the URL referenced above, you discover that this site's system
administrators have decided to block all E-mail for which the host name in
the envelope address can't be matched up obviously (using a simple string
comparison) with the host name of the mail server sending the message.  In
other words, if you have your own domain name, but you send E-mail through
your ISP's mail server, you simply can't send E-mail to this site.
Supposedly, they check their logs for such bounces "as we have time" and add
messages that should have gone through to an exception list, but who knows
when/if they'll ever get around to doing that in any particular case.
Furthermore, they provide no mechanism for contacting them by E-mail or Web
to ask to be excepted -- all they give on the Web page is a long-distance
telephone number.

Fortunately for me, or so I thought, I *do* send outbound mail through my
own mail server when my DSL line is up, and it was fixed yesterday, so I
decided to attempt to resend my message.  It bounced again, with a different
error:

  RECIPIENT@RECIPIENT-HOST
      (reason: 550 We do not accept mail from the spam-relay machine:  jik-0.dsl.speakeasy.net.. http://www.RECIPIENT-HOST/mail/571_1.html for details.)

If you visit *that* URL, you see that they're claiming that my machine is a
spam relayer.  It isn't and never has been.  I've never sent spam and I
block all third-party relaying through my machine.  I can't find an entry
for either my IP address or my subnet in any of the black-lists checked by
  <URL:http://relays2.osirusoft.com/cgi-bin/rbcheck.cgi>.

Of course, they don't bother to say *why* they think my machine is a
spam-relay machine, so who knows where they got that charming idea?  And, as
mentioned above, they don't provide any way to contact them on-line to
complain about it.  For example, many sites which enforce restrictions this
draconian provide an address which is exempt from the restrictions to which
people can complain; the spammers don't ever bother complaining, so it
really isn't particularly burdensome to do this.  Unless, of course, you
really don't care if people can't send legitimate E-mail to your site.

I understand the desire to block spam, but there are ways to do it which
don't also block legitimate E-mail, or at the very least which provide an
on-line mechanism people can use for getting themselves unblocked.  This is
just really excessive; I would even go so far as to say that I question the
legitimacy of allowing RISKS submissions from people who make it impossible
for people to send them E-mail responses to their submissions.

  jik


BBC News: Iceland places trust in face-scanning

<"LEESON, Chris" <CHRIS.LEESON@london.sema.slb.com>>
Fri, 25 Jan 2002 09:40:31 -0000

According to the BBC News Web Site, Iceland's main airport is introducing
"face recognition technology" to identify "any hijackers on wanted lists".

http://news.bbc.co.uk/hi/english/sci/tech/newsid_1780000/1780150.stm

The article notes that a similar system was tried in Florida, and abandoned
after two months. The article notes:

  "'In my opinion, had this system been installed at airports in North
  America last summer, it would have increased the chances of catching those
  criminals who hijacked the planes,' said Keflavik airport police
  commissioner, Johann Benediktsson.  [...]  A recent report by the American
  Civil Liberties Union showed that over a two-month period, the software
  failed to identify a single person photographed in the department's
  criminal database.  Instead, the software produced many false
  identifications, said the ACLU report.  [...]

  "For Jonina Bjartmortz, a member of the foreign affairs committee in the
  Icelandic parliament, the system has become a sure way of reassuring
  nervous passengers.  'We are at the western most tip of Europe and a
  gateway to America.  We only have one airline and we felt it was very
  necessary to invest in the technology,' she said.  It seems to have
  worked. Flights coming and going from Keflavik airport are generally full
  and passengers appear happy."

One is tempted to say "The Usual Risks":
  - False Positives and False Negatives
  - Customers (and Management) with a potentially false sense of security
  - It will only pick up "known" faces. What if your hijacker is not "known"?

That said, we can hope that the existing security precautions will pick up
the "unknown" hijackers.  At least the risk is no greater unless security
staff come to rely on the system.

Chris Leeson


Brisbane ISP in court

<Peter Deighan <deighanp@ozemail.com.au>>
Thu, 24 Jan 2002 21:17:40 +1100

The following is the entirety of a story printed in *Australian Financial
Review* 21 Jan 2002, attributed to Australian Associated Press:

"Dataline in court"
"The ACCC has begun legal action against Brisbane-based Internet
provider Dataline.net.au, its managing director, Mr John Russell, and
associated companies Australis Internet and World Publishing Systems.
Dataline allegedly intercepted e-mails and debited consumers' credit
cards without authority."

ACCC stands for Australian Competition and Consumer Commission, or in
tabloid-ese "The consumer watchdog".

Other contributors to RISKS have mentioned packet sniffing and electronic
"dumpster diving" to extract credit-card numbers.  This looks to be much
simpler.  If the ACCC is correct, this seems a good reason to become an ISP.
Is this a new risk?  Probably not.

The full and more worrying set of allegations is at ACCC's Web site:
  http://www.accc.gov.au/media/mediar.htm
then click on
  18 January 2002 ACCC Takes Action Against Internet Service Provider

Peter Deighan <deighanp@ozemail.com.au>


RSA Conference e-mail has tracking bugs

<Rex Sanders <rsanders@usgs.gov>>
Thu, 24 Jan 2002 17:10:14 -0800

Today I received the "RSA Conference 2002 eNewsletter, Volume 2".  Much to
my dismay, this HTML-ized e-mail had several hidden tracking features,
including the classic 1x1 pixel GIF with a unique identifier encoded in the
URL pointing to a company I've never heard of.

RISK: assuming you can trust e-mail from a conference and a company (RSA
Security, Inc. sponsors the conference) which emphasizes security and
privacy.

-- Rex Sanders, USGS
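
A mail gateway or reader can look for the kind of beacon described in the item above before any remote image is fetched. The following is an added example, not part of the submission: the newsletter HTML, host names and `uid` parameter are constructed, and the "looks like an identifier" rule (a query value of 8 or more characters containing a digit) is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristic: an opaque token is 8+ URL-safe characters with a digit.
TOKEN_RE = re.compile(r"(?=.*\d)[A-Za-z0-9_-]{8,}")

# Constructed sample message body (not the RSA newsletter itself).
SAMPLE_HTML = """
<html><body>
<img src="cid:logo@newsletter" width="200" height="60">
<p>Conference eNewsletter, Volume 2</p>
<img src="http://images.newsletter.example/banner.gif" width="468" height="60">
<img src="http://track.thirdparty.example/open.gif?uid=7f3a9c2e51b04d6a&amp;m=42"
     width="1" height="1">
</body></html>
"""


def is_tiny_or_hidden(attrs):
    """True for 0x0/1x1 images and images hidden through inline style."""
    dims = [attrs.get("width", ""), attrs.get("height", "")]
    if all(d.strip().rstrip("px") in ("0", "1") for d in dims):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def query_identifiers(src):
    """Query parameters whose values look like per-recipient tokens."""
    return [f"{k}={v}" for k, v in parse_qsl(urlsplit(src).query)
            if TOKEN_RE.fullmatch(v)]


class BeaconFinder(HTMLParser):
    """Collects remote <img> tags that are invisible to the reader."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        parts = urlsplit(src)
        # cid: and data: images travel with the message; only http(s)
        # images cause a request that tells a server the mail was opened.
        if parts.scheme not in ("http", "https"):
            return
        if is_tiny_or_hidden(a):
            self.beacons.append({"host": parts.hostname,
                                 "src": src,
                                 "identifiers": query_identifiers(src)})


def find_beacons(html):
    finder = BeaconFinder()
    finder.feed(html)
    return finder.beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_HTML):
        print(beacon["host"], beacon["identifiers"])
```

Identifiers carried in the path rather than the query string are not examined by this check.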


Re: Buffer overflows and other stupidities (RISKS-21.87)

<Earl Boebert <boebert@swcp.com>>
Wed, 23 Jan 2002 07:56:09 -0700

 [Earl Boebert's message in RISKS-21.87 provoked many responses that are not
  included in this issue of RISKS, but to which Earl offered the following
  generic response.  PGN]

Well, I'm glad I provoked at least some discussion of the issue.
Unfortunately, many of the responses, including some from people who should
have known better, exhibited a depressing degree of ignorance about the role
of processor architecture in implementing protection mechanisms. To respond
to these in detail would involve the moral equivalent of a course in the
subject, which I do not currently have either the time or the inclination to
do. I would refer interested parties to Dick Kain's book [1], which (along
with some of the more informative replies) shows that there are more things
in heaven and earth than dreamt of in the x86 philosophies.  I suppose a
final note would be: Relying on any one element of an integrated
hardware-software system for protection from hostile code is
dangerous. Currently popular processor architectures contain such
stupidities that they place an impossible burden on software and programmer
discipline. Yes, these things can shoulder the burden in theory, but the
historical evidence is that they fail consistently in practice.

[1] If you don't know this reference, you probably shouldn't be in this
business.


Re: Software uncovers e-mail untruths (NewsScan, RISKS-21.88)

<Russ Perry Jr <slapdash@enteract.com>>
Tue, 22 Jan 2002 22:24:14 -0600

> SAS Institute has developed software that it says can sift through
> e-mails and other electronic text to discern falsehoods.

It would be interesting to take a press release or privacy statement
regarding this product and run them THROUGH said product, ne?

Russ Perry Jr   2175 S Tonne Dr #114   Arlington Hts IL 60005
847-952-9729    slapdash@enteract.com


Remote mobile phone configuration changes via SMS service

<Llabres <sllabres@baden-online.de>>
Fri, 25 Jan 2002 01:40:36 +0100

The German publishing house "Heise" reports in its online news about a
remote configuration change of mobile phones via the short message service
(SMS) which is available in GSM networks:
  http://www.heise.de/newsticker/data/pmz-24.01.02-000/

The Swiss telco Swisscom has confirmed that it has sent to selected
customers special SMS messages that deleted roaming information on the SIM
cards of the customers' mobile phones.  Swisscom says that the purpose for
the messages is to test for the introduction of new services in the Swisscom
mobile phone network.  The customers have not been informed about the
change. The SMS appeared as empty messages sent from the phone number
"0800".

The magazine also reported that insiders believe that the modification of
the roaming information was to direct traffic to networks owned by Vodafone
-- which acquired a 25% share of Swisscom in April last year.

Customers have to re-enter the information to their phones manually.

It would be interesting:
* If there is any security mechanism protecting anyone from sending
  such "special" messages.
* Which setting on the mobile phone can be changed (or probably
  retrieved from the phone) without knowledge to the customer.
* If the network provider must implement such features, I do not
  understand why this must happen unperceived by the customer.
  Why not send a message telling people what will happen?

S.Llabres


REVIEW: "Algebraic Aspects of Cryptography", Neal Koblitz

<Rob Slade <rslade@sprint.ca>>
Mon, 28 Jan 2002 07:37:01 -0800

BKALASCR.RVW   20011122

"Algebraic Aspects of Cryptography", Neal Koblitz, 2001,
3-540-63446-0, U$64.99
%A   Neal Koblitz koblitz@math.washington.edu
%C   175 Fifth Ave., New York, NY   10010
%D   1998
%G   3-540-63446-0
%I   Springer-Verlag
%O   U$64.95 212-460-1500 800-777-4643
%P   206 p.
%T   "Algebraic Aspects of Cryptography"

When certain technical people find out that I am involved in data security,
they assert an interest in cryptography, and an intention to write a
cryptographic program sometime.  While I do not wish to disparage this goal,
questioning of the individual's background in mathematics tends to point out
that the task is harder than they might have foreseen.  The magic phrase
"number theory" is usually the dividing line.  For those who make it past
that limit, I am going to recommend that they get Koblitz's work.  Not that
I am implying that this book is more demanding than it needs to be: only
that the topic itself is a difficult one.

This is the heart of cryptology: the underlying foundations that make it
work.  The material presented does not address specific programs, standards,
or even algorithms, but deals with the basic mathematical theory that can be
used to construct algorithms, or test their strength.

Chapter one is something of an overview, touching on many fields of
cryptography and introducing an appropriate and exemplar equation for each.
Theories related to the strength of cryptographic algorithms are given in
chapter two.  Basic algebra associated with primes is discussed in chapter
three, underlying the more common asymmetric (public key) systems such as
RSA.  Chapter four outlines an illustrative history of the development,
cracking, and improvement of one particular algorithm, demonstrating the
mathematical work necessary to each step.  Knapsack type problems and
theories are explained in chapter five.  Chapter six deals with the
currently very highly regarded elliptic curve algorithms, and is backed up
with an even more extensive appendix on hyper-elliptic curves.

This is not an introduction.  It is intended as a text for graduate (or
possibly advanced undergraduate) work, and requires a solid background in
mathematics or engineering.  For those seriously interested in cryptography,
though, it is worth the work.

copyright Robert M. Slade, 2001   BKALASCR.RVW   20011122
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Infowar Con 2002, call for papers

<Winn Schwartau <winns@gte.net>>
Wed, 23 Jan 2002 09:24:27 -0500

Homeland Defense & CyberTerrorism:
Dealing With Harsh New Realities
3-6 Sep 2002, Washington, DC
http://www.misti.com/

Your Sponsors:
Winn Schwartau, Interpact, Inc. - www.interpactinc.com
MIS Training Institute - www.misti.com
White Wolf Consulting  www.whitewolfconsulting.com

We are soliciting creative analytic, interoperable real-world opinions and
solutions that will function in:
* Countering the threats of Global and National Cyberterrorism
* National and Municipal Critical Infrastructure Protection
* Military and Government Information Operations (Defense and Offense)

Submission Deadline: February March 11, 2002 [sic.  one or the other? PGN]
For inquiry or discussion on submissions, please contact Winn Schwartau at
1-727-393-6600, or InfowarCon@Earthlink.Com or winns@gte.net.
Winn Schwartau, President, Interpact, Inc. www.security-aware.com
