Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 22: Issue 16
Sunday 21 July 2002
Contents
U.S. House approves life sentences for crackers (NewsScan)
Expert says Palm Beach's new voting machines have problems (PGN)
Palm Beach voters at it again (Dan Scherer)
'Face testing' at Logan is found lacking (Monty Solomon)
Japanese service links ATMs to cell phones (Mich Kabay)
Yahoo admits changing e-mail text to block hackers (Monty Solomon)
IIS Mail exploit (Matthew Byng-Maddick)
E-mail content filtering may kill the medium (Derek K. Miller)
"You may not have received this e-mail" (Monty Solomon)
Forensic programming course outline (Rob Slade)
Re: EULA (Derek J. Balling)
REVIEW: "The Hacker Diaries", Dan Verton (Rob Slade)
REVIEW: "Hacker Attack", Richard Mansfield (Rob Slade)
Info on RISKS (comp.risks)
U.S. House approves life sentences for crackers
<"NewsScan" <newsscan@newsscan.com>>
Tue, 16 Jul 2002 09:18:43 -0700
The U.S. House of Representatives has approved the Cyber Security Enhancement Act (CSEA) by a near-unanimous vote [385-3]. Among the Act's provisions are an expansion of police ability to conduct Internet or telephone eavesdropping without first obtaining a court order, and the approval of life prison sentences for malicious computer hackers (crackers) whose acts "recklessly" put others' lives at risk. In the case of wiretaps, the Act would permit limited surveillance without a court order when there is an "ongoing attack" on an Internet-connected computer or "an immediate threat to a national security interest." The surveillance would be limited to collecting a suspect's telephone number, IP address, URLs or e-mail header information -- not the content of an e-mail message or phone conversation. In addition, the Act would permit ISPs to disclose the contents of e-mail messages and other electronic records to police in cases when "an emergency involving danger or death or serious physical injury to any person requires disclosure of the information without delay." The Act is not expected to meet any serious opposition in the Senate. [CNet News.com 15 Jul 2002; NewsScan Daily, 16 July 2002]
http://news.com.com/2100-1001-944057.html?tag=fd_top
[Declan McCullagh notes that the CSEA had been written before 11 Sep 2001. PGN]
Expert says Palm Beach's new voting machines have problems
<Peter G Neumann <Neumann@CSL.sri.com>>
Wed, 17 Jul 2002 00:34:50 -0400
Associated Press item by Jill Barton, 16 Jul 2002
The voting machines that replaced butterfly ballots and hanging chads are checked by an "Enron-style of auditing" and don't provide voters any assurance that their votes are being cast, an expert testified Tuesday. Rebecca Mercuri, a computer science professor at Bryn Mawr College in Pennsylvania, said questions remain about the $14 million machines Palm Beach County purchased to improve its voting system because they are designed to audit themselves. "The problem with the self-auditing machines is if it's broken, how can it tell you that it's broken?" Mercuri said.
Mercuri's testimony provided the latest criticism of a county still embarrassed by the 2000 election debacle. She was called in a Tuesday afternoon hearing to bolster a Boca Raton man's claims that he lost a City Council election in March because the new machines malfunctioned. Former Mayor Emil Danciu's suit seeks to have the results overturned and a new election held. The suit includes affidavits from eight voters who said they had trouble casting ballots on the ATM-style machines and says voters should be given paper receipts to confirm their vote was recorded. It also seeks to allow an independent review of the voting machines and related software and security features.
Supervisor of Elections Theresa LePore says such a review would void the machines' warranty and that they've been reviewed twice by labs appointed by the federal government and also by a state worker. She says most of the information the plaintiffs are seeking is filed with the state Division of Elections in Tallahassee and even if it were available, she couldn't provide it because it includes trade secrets of Sequoia Voting Systems Inc., which manufactures the machines. "I'm not willing to let anyone take a machine and take it apart," LePore said. "I don't think the taxpayers would appreciate them taking apart a $3,500 machine and voiding the warranty."
LePore has said the only problems reported to her office following the March election were screens temporarily freezing when voters chose between English and Spanish, which did not prevent voting. She said the machines further demonstrated that they work Saturday when the county held a mock election in supermarkets and shopping malls allowing voters to try out the machines.
Palm Beach voters at it again
<"Dan Scherer" <dans@oz.net>>
Sat, 20 Jul 2002 11:43:35 -0700
As noted in an AP news article http://ap.tbo.com/ap/florida/MGAIFTWBQ3D.html and reviewed on /. http://slashdot.org/articles/02/07/20/0124232.shtml?tid=126 some West Palm County voters and politicians are upset that their new "ATM style" voting machines have an internal auditing system that doesn't allow access to the "self-auditing" side of the software. Voters are claiming that the machine didn't register their votes, and that an election hangs in the balance because of the discrepancies. The Slashdot crowd is holding this up as an example of where open source needs to be used while the equipment manufacturer refuses to disclose their trade secrets on the "self auditing" software. The RISKS are obvious.
'Face testing' at Logan is found lacking
<Monty Solomon <monty@roscom.com>>
Wed, 17 Jul 2002 23:08:15 -0400
A test at Boston's Logan International Airport has found that computerized facial-recognition systems, one of the most trumpeted new technologies in the war on terrorism, may not be a practical tool for airport security. The machines were fooled when passengers turned their heads in certain directions, and screeners became overtaxed by the burdens of having to check passengers against a large pool of faces that closely resemble theirs.
Hiawatha Bray, *The Boston Globe*, 17 Jul 2002.
http://www.boston.com/dailyglobe2/198/metro/_Face_testing_at_Logan_is_found_lacking+.shtml
Japanese service links ATMs to cell phones
<Mich Kabay <mkabay@compuserve.com>>
Wed, 17 Jul 2002 18:56:07 -0400
NTT DoCoMo is set to launch the world's first service that enables cell phone users to withdraw cash from automated teller machines located in convenience stores and supermarkets. Instead of inserting a bank card into the designated slot, users of DoCoMo's 504i handsets would push a few buttons on their phones in order to complete an ATM transaction. Analysts said the system was certainly novel, but it's still unclear how user-friendly it will prove. "Younger people may be more receptive, but people generally already have cash cards," says one analyst at a foreign securities firm. DoCoMo says the new system, which it is offering in partnership with IY Bank, likely will launch sometime in early 2003. (Reuters/Yahoo, 16 July 2002)
http://story.news.yahoo.com/news?tmpl=story2&cid=581&ncid=581&e=9&u=/nm/20020716/tc_nm/financial_japan_iybank_dc_2
I think no comment is necessary on the RISKS of linking banking systems to wireless phone systems. It will be worth watching developments.
M. E. Kabay, PhD, CISSP, Dept CompInfoSys, Norwich University, Northfield VT http://www2.norwich.edu/mkabay/index.htm
Yahoo admits changing e-mail text to block hackers
<Monty Solomon <monty@roscom.com>>
Wed, 17 Jul 2002 23:09:10 -0400
... Yahoo! Inc. has confirmed that its e-mail software automatically changes certain words -- including "evaluate" -- in a bid to prevent hackers from spreading viruses. Although the company declined to list the words its software had been changing, a report on the technology news Web site, News.com, reported that the program changes "mocha" to "espresso," and the phrase "eval" to "review." [Article by Andrea Orr, Reuters, 17 Jul, 2002, noting that your applications for employment may have been altered! PGN]
http://finance.lycos.com/home/news/story.asp?story=27883602
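The collateral damage described in the item above comes from applying a script-neutralising word list to the whole message body. The following added example (not Yahoo's code; the word list is the two substitutions the article reports, the HTML sample is constructed) shows the reported behaviour beside a version that confines the same rewrites to script contexts, plus a helper an administrator could use to audit a word list against legitimate text.

```python
"""Blind keyword rewriting in HTML mail versus context-limited rewriting."""
import re

# Substitutions as reported in the article; Yahoo did not disclose the full list.
REWRITES = {"eval": "review", "mocha": "espresso"}


def naive_rewrite(text: str) -> str:
    """Replace every occurrence, even inside ordinary words (the reported behaviour)."""
    for bad, good in REWRITES.items():
        text = text.replace(bad, good)
    return text


# Script element bodies and inline on*="..." event handlers (constructed pattern;
# a production filter should use a real HTML parser rather than a regex).
SCRIPT_CTX = re.compile(
    r"(<script\b.*?</script>|\son\w+\s*=\s*(?:\"[^\"]*\"|'[^']*'))",
    re.IGNORECASE | re.DOTALL,
)


def scoped_rewrite(html: str) -> str:
    """Apply the same word list only inside script contexts, leaving prose alone."""
    return SCRIPT_CTX.sub(lambda m: naive_rewrite(m.group(0)), html)


def affected_words(text: str) -> list:
    """Plain-text words the naive filter would silently alter (audit helper)."""
    return sorted({w for w in re.findall(r"[A-Za-z]+", text) if naive_rewrite(w) != w})


# Constructed sample: an ordinary sentence next to script content in the same message.
SAMPLE = (
    '<p>Please evaluate my application; I also like mocha.</p>'
    '<script>eval(code)</script>'
    '<body onload="eval(code)">'
)

if __name__ == "__main__":
    print(naive_rewrite(SAMPLE))   # "evaluate" becomes "reviewuate"
    print(scoped_rewrite(SAMPLE))  # prose intact, script contexts rewritten
    print(affected_words("Please evaluate my application; I also like mocha."))
```

The scoped version fixes the damage to prose but not the weakness of keyword rewriting itself; a tokeniser or parser is the right tool for deciding what is script.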
IIS Mail exploit
<Matthew Byng-Maddick <mbm@colondot.net>>
Sun, 14 Jul 2002 23:50:55 +0100
The recent IIS Mail encoding bug has not yet made it into RISKS. The bug in question was an encoding error in the mail component of IIS, but unlike a lot of the other encoding bugs in IIS, which, as far as I understand it, only allow the server in question to be compromised, this bug makes the server into an open relay. What's the difference, you may ask. Spammers have been looking at exploiting mail relays for some time in an effort to avoid some of the audit trail used in the message (the Received: headers, inserted by the MTAs); they've tried with buffer overflows and other such things. Now they suddenly have a trivial way of trying to relay a message. Of course, all that will happen is that the test should get added to a half of the current Open Relay Blacklists (ordb, orbz etc.), but then we risk blackholing a fair amount of the Internet, because, like it or not, large numbers of Microsoft servers are appearing and being used. When will it all stop?
Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/
E-mail content filtering may kill the medium
<"Derek K. Miller" <dkmiller@pobox.com>>
Wed, 17 Jul 2002 12:48:18 -0700
E-mail filtering, in an effort to stop spam, has become insidious. Used properly -- especially by individual users -- it can be quite helpful. Used sloppily to filter for semi-arbitrary spamlike content (as it often is by server administrators and others), it risks killing e-mail as a useful form of communication. I'd highly recommend the following articles and discussion at the TidBITS mailing list site, which cover the issue and its hazards in clear and useful detail:
Killing the Killer App http://db.tidbits.com/getbits.acgi?tbart=06866
Content Filtering Exposed http://db.tidbits.com/getbits.acgi?tbart=06869
Various discussion threads:
http://db.tidbits.com/getbits.acgi?tlkthrd=1679
http://db.tidbits.com/getbits.acgi?tlkthrd=1680
http://db.tidbits.com/getbits.acgi?tlkthrd=1681
http://db.tidbits.com/getbits.acgi?tlkthrd=1683
http://db.tidbits.com/getbits.acgi?tlkthrd=1684
Here's a pertinent excerpt:
> * Email is increasingly being filtered for its content;
>
> * That filtering is often being done without the knowledge or
> consent of affected users;
>
> * Over time, inaccurate filtering will substantially reduce
> the general utility of email.
>
> In short, we're starting to see signs that email, often hailed
> as the Internet's "killer app," is in danger of becoming an
> unreliable, arbitrarily censored medium - and there's very little
> we can do about it.
Derek K. Miller, Vancouver, BC, Canada dkmiller@pobox.com http://www.penmachine.com
"You may not have received this e-mail"
<Monty Solomon <monty@roscom.com>>
Wed, 17 Jul 2002 23:10:26 -0400
Web Informant #293, 9 July 2002: You may not have received this e-mail
George Carlin once had a bit about the seven dirty words that couldn't be said on TV: if only our email systems were as discrete and predictable about the nature of their censorship. Indeed, I can almost guarantee that if I include certain words in this message (such as viag--, -orn, make -oney -ast, or any of Carlin's seven choice words), many of you won't ever get this email. The trouble is that spammers, virus authors (or whatever deriding term you would like to use to call the scum that create these annoyances), and others have become too clever at creating their garbage. And in the ever escalating war of technology, email filtering products have become too good at cutting off legitimate messages, just because they contain the equivalent of Carlin's list.
The best research on this was an article that was posted to the TidBITS mailing list this past week. If you are interested in Macs and in general the Internet, this is a weekly series of essays that Adam Engst and others write and distribute for free via e-mail to over 40,000 people, along with posting it to tidbits.com and many other web sites. Geoff Duncan concludes several trends:
http://strom.com/awards/293.html
Forensic programming course outline
<Rob Slade <rslade@sprint.ca>>
Sun, 21 Jul 2002 14:15:51 -0800
I am currently teaching forensic programming, at roughly the third-year college/university level, at BCIT, and the course will also be run in the fall and again in the spring. Since this is the first course of its kind (as far as I have been able to determine), and since most of the resources (somewhat by necessity) are online, I am beginning to put together the course outline and resources as a set of Web pages. This is not (so far) anything like a full online course: for one thing, I have not (so far) written out complete lecture notes. However, for those interested, the "table of contents" page is available at http://victoria.tc.ca/techrev/fptoc.htm or http://sun.soci.niu.edu/~rslade/fptoc.htm (and also http://cstbtech.bcit.ca/FP/index.html). This is very much a work in progress, and will be updated and expanded frequently in the coming weeks.
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Re: EULA
<"Derek J. Balling" <dredd@megacity.org>>
Mon, 15 Jul 2002 10:58:08 -0400
Something which occurred to me, working in the healthcare industry these days, is that I'm not sure - given HIPAA compliance regulations and the like - that I *can* agree to allow companies permission "to install random software on random machines without any notice or confirmation". As security concerns, especially in terms of personal information protection and such, get more and more codified into law, the chance that a business will run afoul of the "Choose between obeying the law and obeying the EULA" dilemma is going to be on the increase. Given certain Pacific Northwest companies' love for deep-pockets litigation to enforce EULAs after the fact, whichever choice is made is certain to be costly in one manner or another. I've already pointed out to the head of our IT department that from my cursory, non-lawyer, reading of the WinXP EULA, we have to move it from the "we don't support this" category to the "this is explicitly forbidden from our machines" category.
Derek J. Balling <dredd@megacity.org> www.megacity.org/blog/
REVIEW: "The Hacker Diaries", Dan Verton
<Rob Slade <rslade@sprint.ca>>
Mon, 15 Jul 2002 07:59:32 -0800
BKHCKDRY.RVW 20020519
"The Hacker Diaries", Dan Verton, 2002, 0-07-222364-2, U$24.99
%A Dan Verton
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2002
%G 0-07-222364-2
%I McGraw-Hill Ryerson/Osborne
%O U$24.99 905-430-5000 +1-800-565-5758 fax: 905-430-5020
%P 219 p.
%T "The Hacker Diaries: Confessions of Teenage Hackers"
Teenaged hackers are misunderstood. Definitions are for lamers,
morality is a "bogus" concept. These noble idealists are questers
after the Holy Grail of knowledge: problem solvers who are attempting
to enlighten the masses. Given a little dedication, you too can,
inside of six months, go from being a technopeasant to "knowing
everything there [is] to know" about computers. Thus it is written in
the Gospel of Verton.
(While we are at it, I have this nice bridge you might want to purchase ...)
Even if you ignore questions about the definition of what "hacking" actually
is, and even if you leave aside the author's biased sympathy for
rebels-without-a-clue, the introduction alone points out that Verton has not
performed the research one would think minimal to such a project: reading
the "popular" literature on the subject, never mind the more serious
analyses by researchers like Denning and Gordon. How else can he make the
statement that this book is the first ever to try and penetrate the veil of
secrecy surrounding the computer vandal community, an assertion that must
come as a bit of a shock to authors like Levy ("Hackers," cf. BKHACKRS.RVW),
Sterling ("Hacker Crackdown," cf. BKHKRCRK.RVW), Taylor ("Hackers,"
cf. BKHAKERS.RVW), Dreyfus ("Underground," cf. BKNDRGND.RVW), and a host of
others. It is, therefore, no surprise that this author gets basic factual
information wrong, such as the confusion of the infamous Operation Sundevil
with more successful prosecutions of computer crime.
Verton decries the blind and ignorant stereotyping of loners who are more
comfortable with computers than with their peers, but he is, himself, guilty
of promoting the same kind of confusion. The group targeted after the
Columbine shootings was not the computer community but the Goths, who share
almost no characteristics with hackers except for a slightly obsessive
interest in an esoteric topic and a position outside the mainstream. (Well,
possibly also an aversion to sunlight ...) Verton has attempted to include
"representative" examples of both maladjusted criminals and ethical hackers,
but draws no distinctions between them and, indeed, seems to be trying to
lump them all together.
No, I've changed my mind. Let's not leave aside the question of a
definition of hacking. Like too many authors, Verton also wants to continue
the confusion of the original idea of a hacker as a skilled technologist
with the more recent concept of the vandals of computer systems. But he
also immediately destroys his position by pointing out that a cracker cannot
change his "handle," the (usually offensive) nickname used to achieve both
identity and anonymity online. If an underground "hacker" changes his
handle, he loses his status and becomes just another wannabe. Verton does
not seem to realize the import of this statement. A cracker's credibility
is tied to his nickname, since he is only as good as his "rep," the record
of defacements or intrusions he is able to boast about. There is no actual
skill set behind such a reputation. In opposition, if true hackers like
Richard Stallman or Eric Raymond were to change their names, and were then
to write new programs and release them to the world, those programs would
still be useful and of good quality. (Top programmers would, in fact,
probably be able to identify the authors of emacs and fetchmail by
programming excellence and style.)
Verton's writing seems clear and readable unless you start to think about
it. A story will say that A happened, then B happened, then C happened,
then B happened, then D happened, then B happened. Times are quite
indefinite, but since the narrative is unclear even about simple sequences
it is not any real shock to find out that the author does not know larger
items of technical history, such as that UNIX predates VMS. Likewise,
Verton isn't interested in having consistency get in the way of a good
story, even if the story doesn't make any sense. Directions and motivations
change suddenly and without apparent reason: reading between the lines
indicates that there is a lot that we aren't being told. Probably the
author wasn't told, either. It sounds like he didn't even ask. (The
interview subjects seem to have realized that they were dealing with a
credulous author: Verton retails stories out of common urban legends and
jokes without seeming to have identified them as such. Despite his
credentials as a reporter for a computer trade magazine Verton's technical
knowledge is questionable--he doesn't know a denial of service attack from a
reformat nor that the Macintosh doesn't have a Windows Registry.)
Despite tidbits of trivia, ultimately the book is boring. One can only read
so many times that Amanda (or Betty or Cathy) accidentally touched a
computer on her seventh birthday and thereafter became obsessed with
re-writing the CP/M kernel before one loses interest. The names may change,
the hacks may change, the outcomes and choices of whether or not to be
useful or messed up may change, but in the end, the lessons are the same:
non-existent.
copyright Robert M. Slade, 2002 BKHCKDRY.RVW 20020519
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
REVIEW: "Hacker Attack", Richard Mansfield
<Rob Slade <rslade@sprint.ca>>
Thu, 18 Jul 2002 15:30:41 -0800
BKHCKATK.RVW 20020519
"Hacker Attack", Richard Mansfield, 2000, 0-7821-2830-0, U$29.99/C$44.95/UK#19.99
%A Richard Mansfield earth@worldnet.att.net
%C 1151 Marina Village Parkway, Alameda, CA 94501
%D 2000
%G 0-7821-2830-0
%I Sybex Computer Books
%O U$29.99/C$44.95/UK#19.99 510-523-8233 Fax: 510-523-2373
%P 293 p.
%T "Hacker Attack: Shield Your Computer from Internet Crime"
"FACT: It's unlikely that you'll ever personally experience a computer virus in your home computer."
Ah, those glowing, carefree days of yore when ... wait a minute. This book wasn't published all THAT long ago ...
This work is intended to address three issues: intrusions, privacy, and viruses. The author hopes that it will be as much fun to read as it was to write. Given the unrealistic assessment of risk levels, the almost random choice of topics, and the lighthearted approach, I did not start out feeling confident of the chances of finding useful information herein. (While we may agree that script kiddies and such cracker wannabes are grubs and insects, the security community does *not* refer to them as "larvae.")
Part one is entitled "Hackers, Crackers, and Whackers." Chapter one is a generic warning about the fact that some people may be trying to probe you. Some of the information (such as directions on turning file and print sharing off) is useful; other parts (such as the need to share IP addresses--assuming you even know them--with friends for chatting and instant messages) are either wrong or not very useful. Port scanning gets mentioned, and, aside from the fact that there are more reliable ways of determining open ports, the specific example of an open port used isn't terribly handy since we are told neither what it is nor how to turn it off. Phone phreaks are discussed in chapter two--without mention of the fact that in-band signalling is now obsolete.
Hackers are academics studying decryption, viruses can harvest your passwords, and munging your e-mail address is an effective tool against spam, or so we are told in chapter three. Chapter four gives names to some really silly cracking techniques. Some equally silly defences are suggested in chapter five. Chapter six does say that there are better protections available, but doesn't talk about how to implement them. High-speed connections are said to be security risks (the real culprit being static IP addresses) in chapter seven. A variety of URLs are given for the ZoneAlarm product, and instructions for getting warnings about cookies from one version of the Internet Explorer browser are provided in chapter eight.
Part two is supposed to deal with privacy. Chapter nine does, with a rapid race through a number of related issues. Chapters ten through thirteen, however, examine a number of encryption technologies that are no longer used. The algorithm central to DES (Data Encryption Standard) is used as an example of a symmetric encryption system in chapter fourteen. Chapter fifteen explains the use of prime numbers to create asymmetric (public key) systems. Both of these chapters are remarkably unhelpful in terms of the actual use of encryption. Chapter sixteen explains digital signatures, but very briefly. The dialogue boxes involved in using the Encrypting File System of Windows 2000 are displayed in chapter seventeen. Chapter eighteen speculates on quantum computers. Source code for a random number generator for a one-time pad is given in chapter nineteen.
Part three looks at viruses. (Ready?) Chapter twenty gives a brief account of the Internet/Morris/UNIX Worm of 1988, informing us that viruses had been used for years for network administration (untrue) and failing to explain what defrauding your girlfriend has to do with the worm. Some basics of virus structure are correct in chapter twenty-one, but there is also confusion of pranks and trojans, and the discussion of virus functions applies only to boot sector infectors. Chapter twenty-two provides an overview of Melissa and Loveletter. Useless means of defending against Microsoft Word macro viruses (known to have been bypassed long before this book was written) are given in chapter twenty-three. Chapter twenty-four tells us that viruses are mainly hype.
Well, there are a few tips in this work that might help you to prevent intrusions, protect your privacy, and avoid viruses. Very few. The material is scant, and is padded out to book length with random insertions only nominally related to the topics at hand. Although not stated, it is fairly clear that the volume is intended for the average computer user rather than the security specialist. In terms of that general audience, the text is nowhere near detailed enough in those areas that the typical user can address. The material on network intrusions has some points, but many gaps. The section on cryptography might be interesting to a few, but is of little practical use. The opining on viruses is too often flatly wrong.
copyright Robert M. Slade, 2002 BKHCKATK.RVW 20020519
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade