The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 88

Wednesday 27 August 2003

Contents

California accepts completely unverified updates
Geoff Kuenning
BlackBerry reveals sensitive Morgan Stanley data
Mark Feit
Cingular wants me to pay negative balance
Ulf Lindqvist
'Entrepreneur' a trademarked word, court rules
Christine Van Dusen via Monty Solomon
Slammer worm hits system within Davis-Besse nuclear power plant
Fuzzy Gorilla
Sobig affects Amtrak trains, Air Canada
Marty Leisner
Some observations on e-mail phenomenology
Peter B. Ladkin
Update on Sobig stage 2
Rob Slade
Thank you for [...]
Rob Slade
Organized crime behind Sobig mess?
NewsScan
Re: Send PIF files in ZIP attachment to avoid virus detectors?
Robert de Bath
Re: Pilot fixes faulty jet
Peter B. Ladkin
Satellite photo of Eastern North America during blackout
John Oram
2004 IEEE Symposium on Security and Privacy, Call for Papers
David Wagner
Info on RISKS (comp.risks)

California accepts completely unverified updates

<<geoff@cs.hmc.edu>>
Mon, 25 Aug 2003 16:52:57 -0700 (PDT)

I own a tiny California corporation for consulting purposes.  Each year, I
am required to file a "statement by domestic stock corporation" with
information such as my address and the names of corporate officers.

This year, it is possible file electronically (a necessity for me because
the state reverted to a 5-year-old address, which is another story of
incompetence).  The Web form tends to crash browsers, but I eventually
succeeded with Mozilla.  You type in the name of the corporation, fill out
the forms, and pay your $25 via credit card.

All of this is done with NO VERIFICATION WHATSOEVER.  If I had a stolen
credit card, I could change the addresses and officers of Microsoft, Bank of
America, and a zillion other corporations.  Straightening out the mess would
probably cost the state far more than the $25 per instance that they
wouldn't be able to collect from the credit card company anyway.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


BlackBerry reveals sensitive Morgan Stanley data

<Mark Feit <mfeit@notonthe.net>>
Tue, 26 Aug 2003 09:23:37 -0400

We've seen this before with hard disks.  The article goes on to point out
that this has started to happen more frequently as people are synchronizing
their mobile devices with their desktops.
  The eBay ad read "BlackBerry RIM sold AS IS!" So Eugene Sacks (not his
  real name), a Seattle computer consultant who always wanted one of the
  pager-size devices to check his e-mail, sent in a bid. For just $15.50, he
  bought the wireless device with 4 MB of memory.  The BlackBerry didn't
  come with a cable, synching station, software or a manual. But it did come
  with something even more valuable: a trove of corporate data.
  http://www.wired.com/news/print/0,1294,60052,00.html


Cingular wants me to pay negative balance

<Ulf Lindqvist <ulf@sdl.sri.com>>
Fri, 22 Aug 2003 21:24:07 -0700 (PDT)

This item seems tragically funny.  I canceled my service from Cingular
Wireless some months ago, and in the final bill it turned out that I had
paid $3.36 too much.  After some time they sent me a check, which I cashed.
After another couple of weeks, I received the e-mail below.  I hope they
keep charging late fees for a negative balance, and I hope the fees will be
negative too!

> Dear ULF LINDQVIST,
>
> Your current Cingular Wireless statement for account number [...] is
> now available for viewing on the Cingular Web Site at
> https://myaccount.cingular.com. The statement amount of $-3.36 is due and
> payable immediately. A late fee will be assessed after 07/28/2003.

Also note that the message was sent on 08/22/2003...


'Entrepreneur' a trademarked word, court rules

<Monty Solomon <monty@roscom.com>>
Mon, 25 Aug 2003 09:48:11 -0400

Be careful if you use the word "entrepreneur." You might get sued.
Christine Van Dusen, *The Atlanta Journal-Constitution*, 25 Aug 2003

A federal judge recently ruled that the owner of Entrepreneur Magazine, a
small-business publication with about 2 million readers nationwide, has dibs
on the term.  Entrepreneur Media, based in California, trademarked the word
after starting its magazine in 1978. And that, according to the court's
decision, means the firm has "exclusive right to use the mark in commerce."
  http://www.ajc.com/business/content/business/0803/20entrepreneur.html


Slammer worm hits system within Davis-Besse nuclear power plant

<"Fuzzy Gorilla" <fuzzygorilla@euroseek.com>>
Fri, 22 Aug 2003 17:53:25 -0400

*The Register* (and other sites) are reporting that a PC associated with the
safety monitoring system at Davis-Besse nuclear power plant in Ohio.

This happened in January 2003, and there was no safety hazard because the
plant was offline and "the monitoring system, called a Safety Parameter
Display System, had a redundant analog backup that was unaffected by the
worm" but helps to illustrate the risks of having "a crunchy shell around a
soft, chewy center."

The plant had a firewall but...

"The Slammer worm entered the Davis-Besse plant through a circuitous route.
It began by penetrating the unsecured network of an unnamed Davis-Besse
contractor, then squirmed through a T1 line bridging that network and
Davis-Besse's corporate network.  The T1 line, investigators later found,
was one of multiple ingresses into Davis-Besse's business network that
completely bypassed the plant's firewall, which was programmed to block the
port Slammer used to spread."

http://www.theregister.co.uk/content/56/32425.html

  [H. Ludwig Hausen noted this as well:
    http://www.securityfocus.com/news/6767]


Sobig affects Amtrak trains, Air Canada

<Marty Leisner <leisner@rochester.rr.com>>
Sat, 23 Aug 2003 13:36:34 -0400

Read about the impacts of Sobig on Amtrak and Air Canada!!

In the *Wall Street Journal*, 21 Aug 2003, there was an article
"Computer Viruses Disrupt Railroad and Air Traffic"

It said: "A variant of the Blaster virus on Tuesday affected about half of
Air Canada's phone-reservation capacity and some of its airport check-in
operations, said spokesman John Rebel. In general, the virus simply slowed
the process of taking reservations, but in a small number of cases, the
problems caused flights to be delayed or canceled altogether, he said.
Service was returned to normal by Wednesday."

It also said: "Dan Murphy, a spokesman for CSX, said the company noticed
Wednesday at about 1:15 a.m. that a variant of the Blaster virus was
interfering with its train operations and dispatching system. The company
curtailed rail service throughout the CSX network while its technicians
tried to fix the problem. CSX operates about 1,600 freight, Amtrak and
commuter trains a day on its 23,000-mile route network east of the
Mississippi River."

The first case I just consider business stupidity -- the second case I
consider much more serious -- it affected the signaling on rails.  I find it
hard to understand why general purpose computers are used in such
specialized applications -- and ones that are easily compromised.  I have to
wonder what the requirements for these systems are (assuming they have
requirements!!)

  [Air Canada case also noted by Amos Shapir and Fuzzy Gorilla.  PGN]


Some observations on e-mail phenomenology

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Wed, 27 Aug 2003 11:48:22 +0200

I have seen many technical proposals arising from the changing phenomenology
of e-mail (e.g., Garfinkel, Anti-spam technology, RISKS-19.24, Tripoli in
RISKS-22.83), and increasingly many political proposals (e.g., Lincoln,
RISKS-22.86). In order to evaluate the social worth of any of these, it is
necessary to understand the changing phenomenology of e-mail, just as
political scientists must base their analyses and projections on concrete
data. In contrast to technical and political proposals, I have seen
relatively few public comments on the phenomenology (qualitative assessment)
and phenomenography (quantitative assessment) of e-mail traffic.

A look at the RISKS archives may serve as a sample. Peter Neumann was
already talking about the situation being "out of hand" six years ago (a
June 1997 example of phenomenology in his editorial comment on Garfinkel,
RISKS-19.24). Mike Hogsett's recent server data (RISKS-22.87) contributes to
the phenomenography.

As others have remarked, e-mail traffic has markedly increased in recent
weeks, due apparently to proliferation of the Sobig virus and the e-mail it
generates. It seems certain that significant changes will be made at many
organisations because of it. Some phenomenological comments are in order.

Like many contributors to RISKS, I have been using e-mail as a major
professional tool for twenty years, and have been running my own server for
the last nine. In this time, we have made three substantial technical
changes. Two of those were to accommodate client facilities, namely a change
to POP to accommodate portables, and a change to IMAP to accommodate PDAs +
mobile phones.

Until recently, I accommodated the changing phenomenology of e-mail by
changing my working practices. However, our third major change, just over a
year ago, was the introduction of heavy filtering, because the level of spam
and resulting cost in time and connect charges precluded continued use of my
Nokia Communicator to read e-mail on the road.

Sobig is something else. We are a Unix/Linux shop, so we don't contribute
ourselves to the proliferation. The phenomenon will cause us to make
changes, but because of the observations that follow, it is not clear yet
what they will be.

My personal e-mail traffic has increased by up to an order of magnitude in
the last weeks. My wanted e-mail has been 2-5% of the total, contrasted with
the previous (estimated) 20%. All of the increase is unwanted mail
generated by Sobig. The surprise is how it has been generated. The extra
traffic is of five kinds:

1. Instances of Sobig-generated e-mail;
2. Bounce messages from e-mail servers unable to deliver an
    instance of a Sobig-generated mail and which reply to the
    address on the From header line;
3. Bounce messages from e-mail servers which have detected
    instances of Sobig with my e-mail address on the From header line;
4. Sobig-generated messages whose contents have been modified
    by our university computer center filter;
5. Personal inquiries by genuine correspondents who have
    received a message of type 3 with my e-mail address on
    the From header line.

We don't filter for Sobig. We haven't needed to - I can accommcoodate
messages of type 1 under my normal working practice (a guarded thank you
to everybody else!). Servers generating messages of type 2 don't filter,
either. Messages of types 3 and 4 are causing the most traffic, and the
greatest difficulty.

The general phenomenology of Sobig-generated e-mails has been
known for a while. Relevant are
i. The e-mails, header and content, are entirely automatically
    generated; there is no piggy-backing on genuine e-mail;
ii. The sender address is falsified, and ultimately derived
    from address-book entries on some infected machine;
iii. There are technically easily-recognisable distinguishing
    syntactic features of these virally-generated e-mails.

Effective counters (programs which recognise the features in
iii) have been known for a while, and details have been published
in sources of record for at least a week, e.g., in German,
http://www.heise.de/security/news/meldung/39589

Because of feature i, there is no disadvantage to anyone if a
server deletes Sobig-generated e-mails. Because of feature ii,
there is neither advantage nor necessity in informing either
falsified "sender" or receiver. I would have thought that
these observations would have been obvious to any system
administrator.

But if they were uniformly (rationally) acted on, I would be receiving
no mails of types 3 and 4, whereas mails of these types are causing
me by far the biggest problem. If this observation generalises,
then the major problem would appear to be generated not by the
virus itself, but by the reactions of e-mail-server administrators.

I would have thought that e-mail service providers would be motivated to
minimise the traffic generated by malware. This is apparently not so. Major
ISPs such as AOL have been responsible for many messages of type 3.

I conclude that some work needs to be done to attempt to understand the
organisational motivations and behavior of system administration, and to
devise ways of preventing the collective behavior of professional
administrators from making problems a lot worse than they otherwise would
be.

Peter B. Ladkin, University of Bielefeld, Germany
http://www.rvs.uni-bielefeld.de


Update on Sobig stage 2

<Rob Slade <rslade@sprint.ca>>
Fri, 22 Aug 2003 13:08:18 -0800

About 4 hours before it was due to trigger, F-Secure found an encrypted
section of code in the Sobig virus that indicated an unsuspected payload.
At 1900H UTC (noon, PDT) on Friday, infected computers would try to connect
to a number of servers, download a program, and run it.

Within that four hour period, F-Secure, possibly with the assistance of
other institutions, was able to contact the ISPs for these machines, and
have them all shut down.  (One remains up.  Presumably it has been turned
into a honeypot, a form of trap for the people who intended to use it for
the attack.)

At this time, we do not know what the intention of the so-called "Stage 2"
payload was, but the plan shows evidence of very careful planning, and,
given the extreme number of Sobig infections, it could have been very
serious.

http://www.f-secure.com/news/items/news_2003082200.shtml
http://www.f-secure.com/v-descs/sobig_f.shtml

rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Thank you for [...]

<Rob Slade <rslade@sprint.ca>>
Mon, 25 Aug 2003 13:01:06 -0800

Thank you for the details about that movie regarding my application for
the approved wicked screensaver!

Given that Sobig.F seems to have subsided from its weekend peak (from my
numbers, it was doubling every day last week up until Sunday and then
suddenly dropped off--to a rate that is still roughly as high as Klez at its
worst) and that "Stage 2" seems to have been averted, a few thoughts.

Blaster, a worm, infected relatively few machines but inconvenienced (and in
some cases worse) companies, so it gets it's name in the paper.  Sobig
surpasses all records in terms of number of e-mail messages generated, and
almost nobody (outside of our little security circle) is paying attention.

Spoofing of e-mail headers in virus messages goes back to Hybris or before.
Most of the successful e-mail viruses have used some form of spoofing.  Yet
antivirus companies, in their mail server based products, are continuing to
generate bounce messages to the nominal sender, probably in an attempt to
market their products.

I got a lot of bounced Sobig over the past week.  None, of course, had been
sent from me.  What these bounces are actually doing is aiding the virus:
the bounce messages send the virus (a full copy of the original message is
often included) to yet another machine.  Spammers have also been using
spoofed e-mail addresses for some time.  Bounced spam is therefore also
helping spammers to spread their messages.  Two spam for the price of one,
thanks to bounces.  (Occasionally I hear of a server being inundated by a
faked sender address on spam, but this seems to be rare.  Which would seem
to indicate that spammers are deliberately using random addresses, possibly
for reasons of multiplication through bounces.)

One of the interesting points to come out the height of the Sobig numbers on
Saturday, was that I saw relatively *few* bounces, in proportion to what one
might have thought was the case.  My address is obviously on enough infected
machines for me to get huge numbers of infected messages: due to the way the
virus spoofs addresses, a large number of the Sobig messages would have been
sent "from" me.  Given that the majority of server based antiviral packages
do bounce messages, the penetration of server based virus scanning would
therefore seem to be quite low.  (Interesting, the indirect things you can
learn in the aftermath of an attack.  Consider the subject line of this
message a test of content scanners still doing simplistic subject line
rejections.)

I have been warning about the type of convergence of malware technologies
involved in the "stage 2" situation for a few years now.  Will it be taken
seriously after Sobig?  (Listen to the sound of me *not* holding my breath.)
Sobig seems to have been planned and designed with much greater care than is
usually the case with viruses and malware.  Up until now, we have been
spared what viruses *could* do primarily by the fact that we have been
facing a bunch of disorganized amateurs.  A number of comments about Sobig
have raised the possibility of an involvement with spammers and/or organized
crime.  (We already know that "red guest" groups in China are much more
organized and disciplined than traditional blackhats.)  Sobig may simply be
the result of an isolated creative mind, but relying on that supposition as
fact is dangerous security planning.

Buried in the investigations into Sobig.F, you will find reference to the
fact that it stops reproducing after September 10th.  I'm afraid it took my
wife pointing it out to make me realize that this is one day before
September 11th.  Sobig.G, anyone?

rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Organized crime behind Sobig mess?

<"NewsScan" <newsscan@newsscan.com>>
Tue, 26 Aug 2003 08:28:20 -0700

Antivirus specialist Peter Simpson warns that the Sobig.F virus is the
latest in a series of attempts on the part of organized crime to shift some
of their illicit activities online. "Sobig smashed all the records in terms
of pure numbers, but that's not nearly the whole story. This is the sixth in
a series of controlled experiments. This isn't about some kiddy writing
viruses in his bedroom -- this is really a very sophisticated example of
organized crime," says Simpson, a manager at Clearswift's ThreatLab.
Simpson explained that the purpose of a virus such as Sobig isn't to cause
damage, but to gain control of the machine in order to access information
such as financial details for the purpose of fraud. It also comes in handy
for disguising the source of spam by hijacking the victim's machine and
identity. "The real question here has to be about the motives of the virus
writer. This isn't just about writing a virus that will spread rapidly and
break records; the motives here are very different and are clearly
criminal. It's all about the hidden agenda."  [ZDNet/Silicon.com 25 Aug
2003; NewsScan Daily, 26 August 2003]
  http://zdnet.com.com/2100-1105_2-5067494.html


Re: Send PIF files in ZIP attachment to avoid virus detectors?

<Robert de Bath <robert$@mayday.cix.co.uk>>
Sat, 23 Aug 2003 08:00:26 +0100 (BST)

> How long until a virus sends itself in a ZIP file attachment [...]

Already done, I recently had a copy of 'W32/Mimail.A@mm' on the 15th in my
linux mailbox (virus are normally filtered like other junk) and it's even
worse than you think.

The outer message was from the sysadmin of _my_ domain, there was a zip that
contained an html file. The html file was a mis-labeled file containing a
MIME content type at the start and a PE executable at the end so IE would
(presumably) run the executable ...

Hmm, I need to check that my "html cleaner" will (at least!) break one
of those files.

PIFs are some weird windows hack yes, as for file extensions, personally
I _always_ do a websearch if I intend to use an unusual extension in
a program on any OS. Just suppose you choose an extension that's also
used by the "super dooper porn hunter" for your "work control system" :)

Robert de Bath <robert$ @ debath.co.uk> <http://www.cix.co.uk/~mayday>

  [Also commented on by Steve VanDevender.  PGN]


Re: Pilot fixes faulty jet (Wienstock, Risks 22.85)

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Mon, 25 Aug 2003 09:48:32 +0200

This incident was reported on-line also by the BBC, citing
The Times, at http://news.bbc.co.uk/1/low/world/europe/3143237.stm
Thanks to Harold Thimbleby for pointing it out to me.

It is important to get things right, and these news reports, from
what are supposedly the best of British journalism, fail to do so.

The Times apparently suggested a bug in the computer providing a false
indication:

  The incident occurred on 8 Aug 2003 after a Boeing 757 run by British tour
  operator MyTravel was found to have a faulty onboard computer that
  insisted the aircraft was airborne when it was in fact parked on the
  tarmac.  Covered in oil after resetting a sensor in the aircraft's
  nosewheel, the pilot [asked passengers......]  [RISKS 22.85, PGN-ing The
  Times].

The BBC suggests a "faulty warning light":

  The tourists had waited ... while the pilot fixed a faulty warning light
  ... The light had indicated the plane was airborne when it was still on
  the ground.  After repairing it, the plane's captain [asked the
  passengers]

  [A company spokesperson said] " He (the pilot) was confident that it was
  simply an indication error ......

In these brief reports there are three mutually incompatible hypotheses
concerning the origin of the problem: a "faulty warning light", an
ill-adjusted nosewheel sensor, and a "faulty onboard computer". The Times
contradicts itself concerning the origin of the fault (citing two of the
three above) and the BBC, supposedly reporting on The Times, contradicts
both of The Times's hypotheses.

The BBC includes reader opinions on its news page. One may notice how ready
people are to express opinions on the appropriateness of the captain's
action, without having enough information to judge it. For the
appropriateness of hisher gesture depends crucially on what was said,
cf. the following two examples (for speech 2, I choose one of the three
hypothesised causes and make some assumptions. This should not be
taken to mean that I judge that this was the most likely interpretation of
events. For I do not know).

1. "The airplane thinks it's in the air when it's on the ground. We think
   we've fixed what we guess the problem might be. We're going to risk it.
   Who wants to come with us?";

2. "We are getting a false air/ground indication. The consequences of that
    are that two of our three braking systems might not operate as intended
    on landing. The aircraft will stop safely on the runway with just wheel
    brakes; indeed the manufacturer had to prove that it would do so, and
    provide us with the performance figures, before we could fly anyone in
    the airplane. So the worst case outcome would be that we take a little
    longer to stop when we arrive at the destination.

    I have tried to find the source of the problem. I checked the nosewheel
   sensor, which determines whether the nosewheel is in full contact with
   the ground. It was clearly out of adjustment, and that alone would have
   caused the problem we have been seeing. I have adjusted the sensor so
   that it now operates correctly. After checking everything else that we
   can, I assume that that is the only problem. Theoretically there could be
   a second problem, but I think that is unlikely enough that I shall ignore
   it, while remaining alert to potential signs of it when we fly. I am
   content to fly this airplane. Remember that my health and safety is
   on the line every bit as much as yours and I have family too. I recommend
   you be content to fly in this airplane also. But I wish to give those of
   you who think differently from us a choice."

Peter B. Ladkin, University of Bielefeld, Germany
http://www.rvs.uni-bielefeld.de


Satellite photo of Eastern North America during blackout

<"John Oram" <risks@oram.com>>
Thu, 21 Aug 2003 17:37:37 -0700 (PDT)

The NOAA posted a few satellite photos of Northeastern North America
before and after last week's blackout.

http://www.noaanews.noaa.gov/stories/s2015.htm
http://www.noaanews.noaa.gov/nightlights/blackout081403-20hrsbefore-text.jpg
http://www.noaanews.noaa.gov/nightlights/blackout081503-7hrsafter-text.jpg

The first photo seems a little supersaturated to me (and a little
misaligned, making for a poor flip-back-and-forth...) but clearly show
great swaths of New York, Ontario, Ohio and Michigan in the dark.

However, there is a surprising amount of light still on, especially in New
York and Long Island, in line with the NYT article quoted by Andrew Greene
in 22.87.  Other major urban areas (Toronto, Detroit, Cleveland) seem much
darker in comparison.  Maybe more cars and generators in NYC and thus more
ambient light?

  [Clearly, some places were either better prepared or lucky (or both)
  than others.  PGN]


2004 IEEE Symposium on Security and Privacy, Call for Papers

<David Wagner <daw@cs.berkeley.edu>>
Sun, 24 Aug 2003 17:26:28 -0700 (PDT)

2004 IEEE Symposium on Security and Privacy
9-12 May 2004, The Claremont Resort, Oakland, California, USA
  sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
  in cooperation with
The International Association for Cryptologic Research (IACR)

Paper submissions due:   5 Nov 2003
For submission guidelines see
  http://www.cs.berkeley.edu/~daw/oakland04-cfp.html
For questions, please contact the program chairs:
  oakland-pcchairs04@zurich.ibm.com

Symposium Committee:
General Chair: Lee Badger (DARPA)
Vice Chair: Steve Tate (University of North Texas)
Program Co-Chairs:
David A. Wagner (University of California, Berkeley, USA)
Michael Waidner (IBM Zurich Research Lab, Switzerland)

Please report problems with the web pages to the maintainer