The RISKS Digest
Volume 22 Issue 53

Thursday, 30th January 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Berliner S-Bahn has computer trouble again
Debora Weber-Wulff
Too much computing could give you a blood clot
Microsoft, heal thyself!
Interaction between SQL Slammer & furnaces
Jeremy Epstein
Hacker insurance
Pete Lindstrom's parametric worm warning
Jeremy Epstein
12 U.Maryland students accused of high-tech cheating
Monty Solomon
QUALCOMM Qsec-800 Secure CDMA phone
Monty Solomon
Satellite system seen as a key life saver
Monty Solomon
REVIEW: "Absolute PC Security and Privacy", Michael Miller
Rob Slade
REVIEW: "Information Security Best Practices", George L. Stefanek
Rob Slade
Info on RISKS (comp.risks)

Berliner S-Bahn has computer trouble again

<Debora Weber-Wulff <>>
Wed, 22 Jan 2003 23:00:56 +0100

The worst problem since the last time....

RISKS readers will remember RISKS-18.55 and .60 in which the new Berlin
light-rail switching computers had themselves a little glitch when they hit
real service in 1998 — a stack overflow.

*Tagesspiegel* (
of 12 Jan 2003 reports that a little power-out at 13:35 the day before
caused all three of the switching computers governing the track between Zoo
and Ostbahnhof (the line with the most daily traffic, of course) to
crash. It took until around 16:00 to get the systems back in service.
Because this section of track is also in use by the Deutsche Bahn, many
trains were terminated at stations outside of the city.  Around 100
light-rail trainsets were stranded on open track. People were kept in the
cars for up to 90 minutes. Luckily, the electricity came back on right away,
so the heaters were on and people didn't have to freeze.

Those in charge have absolutely no explanation for the problem, etc. At
least the fail-safe worked, and all the signals went to red. I suppose we
have to be thankful for small blessings.  Further reports just noted that
there is no explanation for all of the computers (which are supposed to be
on separate power lines) crashing at the same time.

I had hoped to be able to give more information, but the papers have dropped
the topic in favor of more racy topics....

Prof. Dr. Debora Weber-Wulff, FHTW Berlin FB 4, Treskowallee 8,
10313 Berlin +49-30-5019-2320

Too much computing could give you a blood clot

<"NewsScan" <>>
Thu, 30 Jan 2003 09:29:09 -0700

A research team in New Zealand has discovered a man who developed an
almost-fatal blood clot after spending up to 18 hours a day at his computer
workstation.  The clot developed in his leg and traveled to his lungs.
Researcher Richard Beasley of the Medical Research Institute of New Zealand
said that the problem could be widespread, and advised people who spend long
periods using computers to stretch their legs frequently.  [*Globe
News*/CNet New Zealand, 30 Jan 2003; NewsScan Daily, 30 January 2003],2106,2226653a7144,00.html

  [... not to mention finger, hand, back, eye, and other problems.  PGN]

Microsoft, heal thyself!

<"NewsScan" <>>
Tue, 28 Jan 2003 08:30:32 -0700

Microsoft has been embarrassed by having to acknowledge that the SQL Slammer
virus, which infected computer servers all over the world, also contaminated
some of Microsoft's own servers, because system administrators had failed to
heed the company's own advice to install a software patch months ago to fix
a known system vulnerability. A Microsoft executive had to admit: "We, like
the rest of the industry, struggle to get 100% compliance with our patch
management. We recognize — now more than ever — that this is something we
need to work on. And, like the rest of the industry, we're working to fix
it."  [*The New York Times*, 28 Jan 2003; NewsScan Daily, 28 January 2003]


<"Peter G. Neumann" <>>
Thu, 30 Jan 2003 12:27:42 PST

Of course, Microsoft's own SQL servers were victimized because they had not
all been properly patched!  Reports that the patches were available 6 months
ago seem to be erroneous, because the patch for the Slammer exploit was
apparently released only recently before the attacks.  Although some folks
are trying to put the blame on incompetent system administrators, I have
heard that the service packs were poorly documented, and came in multiple
versions depending on which SQL server software you were running, so that
the SysAdmin burden was considerable.  The worm affected many worldwide,
including Bank of America's automatic teller machines, air-traffic control
at Houston's Bush Intercontinental Airport, Cleveland, and New Jersey,
American Express operations, and a Canadian Internet vote in
progress (which RISKS readers already know is not a great idea with respect
to security).  I had one out-of-band report that a major corporate research
intranet was hosed because port 1434 accepted random UDP packets through the

And once again, the payload on this worm was relatively benign compared with
the damage it could have done.  The fact that so many different exploits
keep recurring suggests that something is fundamentally wrong with the
software development and operational processes.  As I said at the Homeland
Security Town Meeting panel in San Diego on 28 Jan 2003, the chickens of
neglect are coming home to roost.  The folks who should be developing sound
systems seem to have chickened out.  Especially the non-bantam roost-ers who
crow about their perfect security.

Interaction between SQL Slammer & furnaces

<Jeremy Epstein <>>
Wed, 29 Jan 2003 11:55:42 -0800

With all the noise about SQL Slammer, I gave instructions on Monday to my
staff to verify that all systems in our lab that run SQL Server were at the
latest patch level.  Not surprisingly, a few weren't, and so upgrades began.
Several of the systems ended up dead, and we naturally blamed the patch
install process, which is notoriously error prone.

In this case, though, there was another explanation.  Midway through the
install process, the fuses on one of the furnaces in the building blew (the
outside temperature has been much below usual in Virginia for the past few
weeks).  This apparently sent enough of an electrical spike into the
computers that we ended up with file system corruption in a way that wasn't
resolved by an ordinary reboot, despite our UPSs & surge protectors.  It
also caused the temperature in the building to drop to a point where we were
uncomfortable and having difficulty thinking carefully, especially given the
obvious explanation of a failed patch.  We don't quite know how it happened,
but the file system corruption was both on Windows & Solaris boxes, so we're
sure it had nothing to do with the patch installation, and the electrical
malfunction seems the most likely explanation.

The RISK is assuming that a system failure which occurs in temporal
proximity to a security patch is in fact caused by the security patch!

Hacker insurance

<"NewsScan" <>>
Wed, 29 Jan 2003 10:25:22 -0700

The latest cyber attack (last weekend's SQL Slammer virus, which infected
thousands of computer servers throughout the world) has given a new boost to
"network risk insurance" (AKA "hacker insurance"), which is expected to grow
from the $100 million industry it is now to a $2.5 billion industry by
2005. Bruce Schneier, the chief technology officer for Internet security at
Counterpane, thinks that insurance is every bit as important as prevention:
"I believe that within a few years hacking insurance will be ubiquitous.
The notion that you must rely on prevention is just as stupid as building a
brick wall around your house. That notion is just wrong." But getting
"hacker insurance" is not as easy as one might think, because insurers
typically require a third-party assessment of the insurance applicant's
security system, which might cost as much as $50,000.  [Reuters/*USA Today*,
28 Jan 2003; NewsScan Daily, 29 Jan 2003]

Pete Lindstrom's parametric worm warning

<Jeremy Epstein <>>
Thu, 30 Jan 2003 10:07:53 -0800

  [From Pete Lindstrom, Spire Security,]

*<Adjective> Computer Worm <verb> Internet*

In the wee hours of <date>, a <adjective> computer worm spread <adverb>
throughout the Internet. Dubbed <silly name> because <ridiculous reason
that doesn't explain anything about how it works>, and also known as
<another random name> and <another random name>, the worm has infected
an estimated <number> systems within <length of time>. Experts are
calling this worm the most <adjective> since <date in the past>.

The worm exploits a hole in <Microsoft product name> that was first
identified <number> months ago by <security company name>. In an attempt
to secure the planet, <same company> released detailed information about
the vulnerability and how to exploit it. They also mentioned how to fix
it, but apparently <noun> listened. Coincidentally, the worm that
exploited this hole was also first identified by <same company>. Even
more coincidentally, they make a product to protect against <noun>.

"Actually, it's not really a <noun>, it's a <noun>," said <Pete
Lindstrom, or some other person seeking publicity>. " A true <noun>
works by <random filler that nobody will read>."

The worm's payload <verb> every system by <verb ending in -ing> the
<noun>. Comparatively speaking, this is much worse than <another worm>
but not as bad as <another worm>. The computers of <place> were hit the
hardest. Current damage is estimated at <dollar figure more than the GNP
of two-thirds of the world's nations>. " This worm has the potential to
<something or other>," said <Pete Lindstrom, or some other person trying
hard to come up with something interesting to say ;-)>. " It just goes
to show you that <another something or other>."

Though there is no way to protect against this particular bug, experts
recommend trying <longshot one> or <longshot two>, neither of which
matter, since nobody will do it anyway.

12 U.Maryland students accused of high-tech cheating

<Monty Solomon <>>
Sun, 26 Jan 2003 21:24:58 -0500

By Stephanie Hanes, Sun Staff, 26 Jan 2003

Twelve University of Maryland undergraduates have been accused of using
Web-equipped cell phones or handheld organizers to cheat on a business
school final exam last month, according to the school's student-run Honor
Council.  Six of them have admitted to misconduct during that same test, the
council said.  The allegations prompted Provost William W. Destler to issue
a warning to faculty members about the potential misuse of cell phones and
other common handheld electronics, said J. Andrew Cantor, a 20-year-old
senior and chairman of the Honor Council.  ...,0,3792093.story

QUALCOMM Qsec-800 Secure CDMA phone

<Monty Solomon <>>
Wed, 29 Jan 2003 17:57:00 -0500

 QUALCOMM's CDMA Technology Enhances Security Measures at Super Bowl XXXVII

Regional Homeland Security Agencies and Technology Partners Teamed Up To
Provide Security Assistance for the Super Bowl -

    SAN DIEGO, Jan. 29 /PRNewswire-FirstCall/ --
QUALCOMM Incorporated (NASDAQ:QCOM), pioneer and world leader of Code
Division Multiple Access (CDMA) digital wireless technology, joined forces
with regional homeland security agencies and technology partners to augment
existing security measures for Super Bowl XXXVII.  QUALCOMM, in partnership
with the San Diego Regional Network on Homeland Security (RNHS) and other
technology companies, assisted the San Diego Police Department (SDPD) with
security preparations for Super Bowl XXXVII by providing technology and
products based on CDMA technology.
    QUALCOMM provided wireless phones capable of carrying government-
classified information over commercial cellular networks to federal law
enforcement agencies and federal task force entities.  These phones, referred
to as the Qsec-800(R), are National Security Agency certified cellular phones
developed through a U.S. Government contract with QUALCOMM.  The phones
represent a first step in securing the nation's cellular communications using
the extensive CDMA network that is commercially available.
    In addition to the secure wireless handsets, QUALCOMM had worked out an
architecture that allowed the SDPD to access data, such as real time video as
supplied by cameras, using digital technology from cVideo, at QUALCOMM
Stadium, over commercial CDMA2000 1X networks.  QUALCOMM's expertise in
security ensured these data capabilities met the high standards set by the
United States Department of Justice and local law enforcement.  ...

Satellite system seen as a key life saver

<Monty Solomon <>>
Mon, 27 Jan 2003 08:30:51 -0500

Tracking device crucial in rescues: Environmental satellites with
search-and-rescue tracking capability helped save 171 sailors, hikers,
downed pilots, and others across the country last year, including 15 people
in five incidents off the New England coast.

The Coast Guard requires all commercial fishing vessels and merchant ships
to carry an Emergency Position Indicating Radio Beacon, which sends out a
distress signal that NOAA satellites pick up and relay to the appropriate
emergency response agency.  Since it was launched in 1982, the satellite
system is estimated to have saved 4,500 lives in the United States, said
NOAA administrator Conrad C. Lautenbacher.  ...
  [Source: Jim Geraghty, States News Service, 26 Jan 2003; PGN-ed]

REVIEW: "Absolute PC Security and Privacy", Michael Miller

<Rob Slade <>>
Thu, 30 Jan 2003 08:05:48 -0800

BKAPCSPR.RVW   20021216

"Absolute PC Security and Privacy", Michael Miller, 2002,
0-7821-4127-7, U$34.99/C$55.95/UK#25.99
%A   Michael Miller
%C   1151 Marina Village Parkway, Alameda, CA   94501
%D   2002
%G   0-7821-4127-7
%I   Sybex Computer Books
%O   U$34.99/C$55.95/UK#25.99 800-227-2346
%P   530 p.
%T   "Absolute PC Security and Privacy: Defend Your Computer Against
      Outside Intruders"

Miller never knew much about viruses, or took them seriously, until a
friend got infected and it turned out to be more of a nuisance than he
thought.  So he decided to write a book about them.  And also about
spam, since he was annoyed by that, too.

Part one is about viruses, and other stuff.  There are so many errors
in the introduction, chapter one, that I don't know where to start.
Since this book is obviously not written for professionals, is it
important that it was Fred Cohen, and not Len Adleman, who did the
first academic research on viruses?  No.  Is it important that the
book constantly contradicts itself (for example, promoting the idea
that virus writers are technically competent, and then pointing out
that virus creation kits require no expertise at all)?  Possibly not,
but it doesn't inspire any confidence.  Is it important that policies
to prevent 95% of current viruses are dismissed in a single paragraph,
buried in 150 pages of procedures (like the old "use only commercial
software" myth--and the book also notes that commercial software has
been distributed in an infected state) that might help protect you
from some of the remaining 5%?  Yeah, that could turn out to be
significant.  Chapter two talks about some high risk activities, but
the relevant points are hidden in a mass of relatively low peril
particulars.  Boot sector and file infectors are discussed in chapter
three, but aren't important to users any more.  Chapter four talks
about macro viruses, but the suggested actions, such as manually
deleting macros, are mostly ineffective.  The material on script
viruses, in chapter five, is quite confused: ActiveX is *not* a
scripting system, and it is pushing the facts to say that Internet
Explorer is a safe browser.  (The procedures for disabling Windows
Script Host could be useful.)  The definitions, and particularly
examples, of trojans, viruses, and worms are very confused in chapter
six.  Chapter seven examines e-mail and IRC (Internet Relay Chat)
viruses, but concentrate on minor dangers and issues.  Chapter eight
warns against virus hoaxes, but does not tell how to identify them.
The discussion of antiviral software in chapter nine deals *only* with
scanning, and does not properly advise on limitations and weaknesses
(such as the fact that real time, on-access, or firewall-based
scanning may be 20% less effective than manual scanning).  The other
forms of antiviral software are mentioned in chapter ten, but so
briefly as to be useless.  "Preventing Virus Attacks," in chapter
eleven, repeats earlier content.  The suggested responses to a virus
infestation, in chapter twelve, are seriously overblown.

Part two is concerned with Internet attacks.  Given the preceding
material, it is surprising that chapter thirteen provides reasonably
good background on intrusion.  But, given the tone and audience of the
book, the attacks described are not relevant to the readership: most
home users would not be able to do anything about the offensives
described.  The assaults listed in chapter fourteen are different, but
the mentions are too terse to provide any means of defence.  Chapter
fifteen suggests some good precautions, but does not explain the
implications of following them.  Chapter sixteen says that peer-to-
peer systems are dangerous, but is quite reserved given the level of
the threat and the scare tactics used elsewhere.  Network protection
systems are briefly listed in chapter seventeen.  "Choosing a
Firewall," in chapter eighteen, describes the various types too poorly
for the user to make an informed choice.  Chapter nineteen's advice on
dealing with an attack is too short to provide identification of a
real incident, and the response advice is unhelpful.

Part three supposedly deals with theft of privacy.  Chapter twenty's
overview of threats against privacy is not bad, although it does
confuse cookies, packet sniffing, and keystroke logging in the course
of a single paragraph.  A discussion of online fraud, in chapter
twenty one, is mostly about eBay, and mostly generic advice.  A
reasonable, if not extensive, set of explanations of harassment,
spyware, and cookies are given in chapters twenty two, twenty three,
and twenty four, respectively.  However, the background and
suggestions in regard to passwords and encryption, in chapter twenty
five, are weak.  The section finishes with anonymous surfing, in
chapter twenty six.

Part four covers spam.  Chapter twenty seven presents a good overview
of the basic concepts, but betrays a very weak technical understanding
of the subject.  The recommended actions for protection and prevention
are not very effective.  A more serious look at anti-spam activities
is in chapter twenty eight, but it boils down to a recommendation not
to tell anyone your e-mail address: a suggestion that the book itself
admits is not completely effective since spammers regularly generate
random addresses to try.  In addition, the information about tracking
down and fighting against spammers is too brief to be of any use.
Chapter twenty nine recommends against forwarding chain letters, but
probably should have more information about items such as the
technical impossibility of the messages that supposedly reward you for
the number of missives you forward, and the variations on "advance
fee" (aka "419" or "Nigerian scam") frauds.

It is unclear why "Web-Based Intrusions" could not have been covered
elsewhere without creating a part five.  Chapter thirty deals sensibly
with pop-up ads, although I am not sure why disabling JavaScript is
considered an extreme action, particularly in view of some of the
other recommendations in the book.  The advice about the use of the
hosts file, though, could be very helpful.  Inappropriate content and
filtering, in chapter thirty one, is handled rationally (if curtly),
but does not mention the hidden agendae that filtering software or
organizations may have.

Although some of the points in the book can be good, a great deal of
the material is either too short to be really useful, or questionable,
or wrong.  In terms of security guides for the average user, Crume's
"Inside Internet Security" (cf. BKININSC.RVW) is much better, and so
is "Access Denied" (cf. BKACCDEN.RVW) by Cronkhite and McCullough,
even though the latter is directed at managers.

copyright Robert M. Slade, 2002   BKAPCSPR.RVW   20021216    or

REVIEW: "Information Security Best Practices", George L. Stefanek

<Rob Slade <>>
Wed, 29 Jan 2003 08:24:09 -0800

BKISBPBR.RVW   20021215

"Information Security Best Practices", George L. Stefanek, 2002,
%A   George L. Stefanek
%C   225 Wildwood Street, Woburn, MA  01801
%D   2002
%G   1-878707-96-5
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   800-366-BOOK fax: 1-617-933-6333
%P   194 p. + CD-ROM
%T   "Information Security Best Practices: 205 Basic Rules"

The preface states that this book contains rules for a, possibly
novice, system administrator and manager to provide a basic level of
security for an organization.

Chapter one lists a few (well, eleven) attacks on information systems.
These are rather simple; the virus definition is quite old (there is
no mention of macro or e-mail viruses) and worms are depicted in terms
of memory exhaustion; and it is difficult to see what purpose they
serve.  The generic structure of an attack or intrusion is described
in chapter two.  The initial discussion of policy, in chapter three,
is limited to the advice that you have one.  This recommendation is
expanded in chapter four, which does provide some reasonable points on
creating a policy.

A few of the "rules" have been given in the earlier chapters, but
chapter five, on network architecture and design, begins what is
obviously the body of the book.  Some of the advice is questionable,
such as the commandment to limit firewall selection to those products
that carry the NCSA stamp of approval.  (The NCSA approval has some
value, but is far from definitive, and, in any case, the group morphed
into the ICSA many years ago, and is now TruSecure.)  By and large the
material, and that which follows, is reasonable and would help to
improve the security of any enterprise, although it is quite limited.
The remaining chapters cover physical security, PCs (tersely),
Internet security, application development, software validation,
configuration management, network monitoring, maintenance and
troubleshooting, and training.  The advice about hardware selection
(in chapter six), is restricted to "motherhood" type rules which are
vague and would be hard to follow.  The chapters on network hardware
(eight) and operating systems (nine) both recommend that there be a C2
level rating for routers and servers, although the "orange book"
specifications are no longer considered standards (and in spite of the
fact that Windows NT 3.51 got a C2 rating--on condition that it was
not connected to a network).  Encryption, in chapter fourteen, is
supposed to be "strong," although there is little information on how
to measure strength.  (In fact, a key length of 128 bits is mandated,
despite the fact that this is far too short for asymmetric systems,
and longer than triple DES [Data Encryption Standard].)  The suggested
actions in case of attack, in chapter nineteen, are rather drastic:
spam should be addressed by killing e-mail service, and a denial of
service attack should be responded to by disconnecting from the net.

Overall, this does have value as a "quick and dirty" set of guidelines for
administrators who do not have formal security training and experience.  The
book is short, and thus easily readable for busy people.  While security
professionals may cringe at the simplistic nature of some recommendations,
the rules can help improve the security of a system that would otherwise
have none ... as long as the reader does not gain a false sense that he
has implemented proper security.

copyright Robert M. Slade, 2002   BKISBPBR.RVW   20021215    or

Please report problems with the web pages to the maintainer