Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I own a tiny California corporation for consulting purposes. Each year, I am required to file a "statement by domestic stock corporation" with information such as my address and the names of corporate officers. This year, it is possible file electronically (a necessity for me because the state reverted to a 5-year-old address, which is another story of incompetence). The Web form tends to crash browsers, but I eventually succeeded with Mozilla. You type in the name of the corporation, fill out the forms, and pay your $25 via credit card. All of this is done with NO VERIFICATION WHATSOEVER. If I had a stolen credit card, I could change the addresses and officers of Microsoft, Bank of America, and a zillion other corporations. Straightening out the mess would probably cost the state far more than the $25 per instance that they wouldn't be able to collect from the credit card company anyway. Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
We've seen this before with hard disks. The article goes on to point out that this has started to happen more frequently as people are synchronizing their mobile devices with their desktops. The eBay ad read "BlackBerry RIM sold AS IS!" So Eugene Sacks (not his real name), a Seattle computer consultant who always wanted one of the pager-size devices to check his e-mail, sent in a bid. For just $15.50, he bought the wireless device with 4 MB of memory. The BlackBerry didn't come with a cable, synching station, software or a manual. But it did come with something even more valuable: a trove of corporate data. http://www.wired.com/news/print/0,1294,60052,00.html
This item seems tragically funny. I canceled my service from Cingular Wireless some months ago, and in the final bill it turned out that I had paid $3.36 too much. After some time they sent me a check, which I cashed. After another couple of weeks, I received the e-mail below. I hope they keep charging late fees for a negative balance, and I hope the fees will be negative too! > Dear ULF LINDQVIST, > > Your current Cingular Wireless statement for account number [...] is > now available for viewing on the Cingular Web Site at > https://myaccount.cingular.com. The statement amount of $-3.36 is due and > payable immediately. A late fee will be assessed after 07/28/2003. Also note that the message was sent on 08/22/2003...
Be careful if you use the word "entrepreneur." You might get sued. Christine Van Dusen, *The Atlanta Journal-Constitution*, 25 Aug 2003 A federal judge recently ruled that the owner of Entrepreneur Magazine, a small-business publication with about 2 million readers nationwide, has dibs on the term. Entrepreneur Media, based in California, trademarked the word after starting its magazine in 1978. And that, according to the court's decision, means the firm has "exclusive right to use the mark in commerce." http://www.ajc.com/business/content/business/0803/20entrepreneur.html
*The Register* (and other sites) are reporting that a PC associated with the
safety monitoring system at Davis-Besse nuclear power plant in Ohio.
This happened in January 2003, and there was no safety hazard because the
plant was offline and "the monitoring system, called a Safety Parameter
Display System, had a redundant analog backup that was unaffected by the
worm" but helps to illustrate the risks of having "a crunchy shell around a
soft, chewy center."
The plant had a firewall but...
"The Slammer worm entered the Davis-Besse plant through a circuitous route.
It began by penetrating the unsecured network of an unnamed Davis-Besse
contractor, then squirmed through a T1 line bridging that network and
Davis-Besse's corporate network. The T1 line, investigators later found,
was one of multiple ingresses into Davis-Besse's business network that
completely bypassed the plant's firewall, which was programmed to block the
port Slammer used to spread."
http://www.theregister.co.uk/content/56/32425.html
[H. Ludwig Hausen noted this as well:
http://www.securityfocus.com/news/6767]
Read about the impacts of Sobig on Amtrak and Air Canada!! In the *Wall Street Journal*, 21 Aug 2003, there was an article "Computer Viruses Disrupt Railroad and Air Traffic" It said: "A variant of the Blaster virus on Tuesday affected about half of Air Canada's phone-reservation capacity and some of its airport check-in operations, said spokesman John Rebel. In general, the virus simply slowed the process of taking reservations, but in a small number of cases, the problems caused flights to be delayed or canceled altogether, he said. Service was returned to normal by Wednesday." It also said: "Dan Murphy, a spokesman for CSX, said the company noticed Wednesday at about 1:15 a.m. that a variant of the Blaster virus was interfering with its train operations and dispatching system. The company curtailed rail service throughout the CSX network while its technicians tried to fix the problem. CSX operates about 1,600 freight, Amtrak and commuter trains a day on its 23,000-mile route network east of the Mississippi River." The first case I just consider business stupidity — the second case I consider much more serious — it affected the signaling on rails. I find it hard to understand why general purpose computers are used in such specialized applications — and ones that are easily compromised. I have to wonder what the requirements for these systems are (assuming they have requirements!!) [Air Canada case also noted by Amos Shapir and Fuzzy Gorilla. PGN]
I have seen many technical proposals arising from the changing phenomenology
of e-mail (e.g., Garfinkel, Anti-spam technology, RISKS-19.24, Tripoli in
RISKS-22.83), and increasingly many political proposals (e.g., Lincoln,
RISKS-22.86). In order to evaluate the social worth of any of these, it is
necessary to understand the changing phenomenology of e-mail, just as
political scientists must base their analyses and projections on concrete
data. In contrast to technical and political proposals, I have seen
relatively few public comments on the phenomenology (qualitative assessment)
and phenomenography (quantitative assessment) of e-mail traffic.
A look at the RISKS archives may serve as a sample. Peter Neumann was
already talking about the situation being "out of hand" six years ago (a
June 1997 example of phenomenology in his editorial comment on Garfinkel,
RISKS-19.24). Mike Hogsett's recent server data (RISKS-22.87) contributes to
the phenomenography.
As others have remarked, e-mail traffic has markedly increased in recent
weeks, due apparently to proliferation of the Sobig virus and the e-mail it
generates. It seems certain that significant changes will be made at many
organisations because of it. Some phenomenological comments are in order.
Like many contributors to RISKS, I have been using e-mail as a major
professional tool for twenty years, and have been running my own server for
the last nine. In this time, we have made three substantial technical
changes. Two of those were to accommodate client facilities, namely a change
to POP to accommodate portables, and a change to IMAP to accommodate PDAs +
mobile phones.
Until recently, I accommodated the changing phenomenology of e-mail by
changing my working practices. However, our third major change, just over a
year ago, was the introduction of heavy filtering, because the level of spam
and resulting cost in time and connect charges precluded continued use of my
Nokia Communicator to read e-mail on the road.
Sobig is something else. We are a Unix/Linux shop, so we don't contribute
ourselves to the proliferation. The phenomenon will cause us to make
changes, but because of the observations that follow, it is not clear yet
what they will be.
My personal e-mail traffic has increased by up to an order of magnitude in
the last weeks. My wanted e-mail has been 2-5% of the total, contrasted with
the previous (estimated) 20%. All of the increase is unwanted mail
generated by Sobig. The surprise is how it has been generated. The extra
traffic is of five kinds:
1. Instances of Sobig-generated e-mail;
2. Bounce messages from e-mail servers unable to deliver an
instance of a Sobig-generated mail and which reply to the
address on the From header line;
3. Bounce messages from e-mail servers which have detected
instances of Sobig with my e-mail address on the From header line;
4. Sobig-generated messages whose contents have been modified
by our university computer center filter;
5. Personal inquiries by genuine correspondents who have
received a message of type 3 with my e-mail address on
the From header line.
We don't filter for Sobig. We haven't needed to - I can accommcoodate
messages of type 1 under my normal working practice (a guarded thank you
to everybody else!). Servers generating messages of type 2 don't filter,
either. Messages of types 3 and 4 are causing the most traffic, and the
greatest difficulty.
The general phenomenology of Sobig-generated e-mails has been
known for a while. Relevant are
i. The e-mails, header and content, are entirely automatically
generated; there is no piggy-backing on genuine e-mail;
ii. The sender address is falsified, and ultimately derived
from address-book entries on some infected machine;
iii. There are technically easily-recognisable distinguishing
syntactic features of these virally-generated e-mails.
Effective counters (programs which recognise the features in
iii) have been known for a while, and details have been published
in sources of record for at least a week, e.g., in German,
http://www.heise.de/security/news/meldung/39589
Because of feature i, there is no disadvantage to anyone if a
server deletes Sobig-generated e-mails. Because of feature ii,
there is neither advantage nor necessity in informing either
falsified "sender" or receiver. I would have thought that
these observations would have been obvious to any system
administrator.
But if they were uniformly (rationally) acted on, I would be receiving
no mails of types 3 and 4, whereas mails of these types are causing
me by far the biggest problem. If this observation generalises,
then the major problem would appear to be generated not by the
virus itself, but by the reactions of e-mail-server administrators.
I would have thought that e-mail service providers would be motivated to
minimise the traffic generated by malware. This is apparently not so. Major
ISPs such as AOL have been responsible for many messages of type 3.
I conclude that some work needs to be done to attempt to understand the
organisational motivations and behavior of system administration, and to
devise ways of preventing the collective behavior of professional
administrators from making problems a lot worse than they otherwise would
be.
Peter B. Ladkin, University of Bielefeld, Germany
http://www.rvs.uni-bielefeld.de
About 4 hours before it was due to trigger, F-Secure found an encrypted section of code in the Sobig virus that indicated an unsuspected payload. At 1900H UTC (noon, PDT) on Friday, infected computers would try to connect to a number of servers, download a program, and run it. Within that four hour period, F-Secure, possibly with the assistance of other institutions, was able to contact the ISPs for these machines, and have them all shut down. (One remains up. Presumably it has been turned into a honeypot, a form of trap for the people who intended to use it for the attack.) At this time, we do not know what the intention of the so-called "Stage 2" payload was, but the plan shows evidence of very careful planning, and, given the extreme number of Sobig infections, it could have been very serious. http://www.f-secure.com/news/items/news_2003082200.shtml http://www.f-secure.com/v-descs/sobig_f.shtml rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Thank you for the details about that movie regarding my application for the approved wicked screensaver! Given that Sobig.F seems to have subsided from its weekend peak (from my numbers, it was doubling every day last week up until Sunday and then suddenly dropped off--to a rate that is still roughly as high as Klez at its worst) and that "Stage 2" seems to have been averted, a few thoughts. Blaster, a worm, infected relatively few machines but inconvenienced (and in some cases worse) companies, so it gets it's name in the paper. Sobig surpasses all records in terms of number of e-mail messages generated, and almost nobody (outside of our little security circle) is paying attention. Spoofing of e-mail headers in virus messages goes back to Hybris or before. Most of the successful e-mail viruses have used some form of spoofing. Yet antivirus companies, in their mail server based products, are continuing to generate bounce messages to the nominal sender, probably in an attempt to market their products. I got a lot of bounced Sobig over the past week. None, of course, had been sent from me. What these bounces are actually doing is aiding the virus: the bounce messages send the virus (a full copy of the original message is often included) to yet another machine. Spammers have also been using spoofed e-mail addresses for some time. Bounced spam is therefore also helping spammers to spread their messages. Two spam for the price of one, thanks to bounces. (Occasionally I hear of a server being inundated by a faked sender address on spam, but this seems to be rare. Which would seem to indicate that spammers are deliberately using random addresses, possibly for reasons of multiplication through bounces.) One of the interesting points to come out the height of the Sobig numbers on Saturday, was that I saw relatively *few* bounces, in proportion to what one might have thought was the case. My address is obviously on enough infected machines for me to get huge numbers of infected messages: due to the way the virus spoofs addresses, a large number of the Sobig messages would have been sent "from" me. Given that the majority of server based antiviral packages do bounce messages, the penetration of server based virus scanning would therefore seem to be quite low. (Interesting, the indirect things you can learn in the aftermath of an attack. Consider the subject line of this message a test of content scanners still doing simplistic subject line rejections.) I have been warning about the type of convergence of malware technologies involved in the "stage 2" situation for a few years now. Will it be taken seriously after Sobig? (Listen to the sound of me *not* holding my breath.) Sobig seems to have been planned and designed with much greater care than is usually the case with viruses and malware. Up until now, we have been spared what viruses *could* do primarily by the fact that we have been facing a bunch of disorganized amateurs. A number of comments about Sobig have raised the possibility of an involvement with spammers and/or organized crime. (We already know that "red guest" groups in China are much more organized and disciplined than traditional blackhats.) Sobig may simply be the result of an isolated creative mind, but relying on that supposition as fact is dangerous security planning. Buried in the investigations into Sobig.F, you will find reference to the fact that it stops reproducing after September 10th. I'm afraid it took my wife pointing it out to make me realize that this is one day before September 11th. Sobig.G, anyone? rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Antivirus specialist Peter Simpson warns that the Sobig.F virus is the latest in a series of attempts on the part of organized crime to shift some of their illicit activities online. "Sobig smashed all the records in terms of pure numbers, but that's not nearly the whole story. This is the sixth in a series of controlled experiments. This isn't about some kiddy writing viruses in his bedroom — this is really a very sophisticated example of organized crime," says Simpson, a manager at Clearswift's ThreatLab. Simpson explained that the purpose of a virus such as Sobig isn't to cause damage, but to gain control of the machine in order to access information such as financial details for the purpose of fraud. It also comes in handy for disguising the source of spam by hijacking the victim's machine and identity. "The real question here has to be about the motives of the virus writer. This isn't just about writing a virus that will spread rapidly and break records; the motives here are very different and are clearly criminal. It's all about the hidden agenda." [ZDNet/Silicon.com 25 Aug 2003; NewsScan Daily, 26 August 2003] http://zdnet.com.com/2100-1105_2-5067494.html
> How long until a virus sends itself in a ZIP file attachment [...] Already done, I recently had a copy of 'W32/Mimail.A@mm' on the 15th in my linux mailbox (virus are normally filtered like other junk) and it's even worse than you think. The outer message was from the sysadmin of _my_ domain, there was a zip that contained an html file. The html file was a mis-labeled file containing a MIME content type at the start and a PE executable at the end so IE would (presumably) run the executable ... Hmm, I need to check that my "html cleaner" will (at least!) break one of those files. PIFs are some weird windows hack yes, as for file extensions, personally I _always_ do a websearch if I intend to use an unusual extension in a program on any OS. Just suppose you choose an extension that's also used by the "super dooper porn hunter" for your "work control system" :) Robert de Bath <robert$ @ debath.co.uk> <http://www.cix.co.uk/~mayday> [Also commented on by Steve VanDevender. PGN]
This incident was reported on-line also by the BBC, citing
The Times, at http://news.bbc.co.uk/1/low/world/europe/3143237.stm
Thanks to Harold Thimbleby for pointing it out to me.
It is important to get things right, and these news reports, from
what are supposedly the best of British journalism, fail to do so.
The Times apparently suggested a bug in the computer providing a false
indication:
The incident occurred on 8 Aug 2003 after a Boeing 757 run by British tour
operator MyTravel was found to have a faulty onboard computer that
insisted the aircraft was airborne when it was in fact parked on the
tarmac. Covered in oil after resetting a sensor in the aircraft's
nosewheel, the pilot [asked passengers......] [RISKS 22.85, PGN-ing The
Times].
The BBC suggests a "faulty warning light":
The tourists had waited ... while the pilot fixed a faulty warning light
... The light had indicated the plane was airborne when it was still on
the ground. After repairing it, the plane's captain [asked the
passengers]
[A company spokesperson said] " He (the pilot) was confident that it was
simply an indication error ......
In these brief reports there are three mutually incompatible hypotheses
concerning the origin of the problem: a "faulty warning light", an
ill-adjusted nosewheel sensor, and a "faulty onboard computer". The Times
contradicts itself concerning the origin of the fault (citing two of the
three above) and the BBC, supposedly reporting on The Times, contradicts
both of The Times's hypotheses.
The BBC includes reader opinions on its news page. One may notice how ready
people are to express opinions on the appropriateness of the captain's
action, without having enough information to judge it. For the
appropriateness of hisher gesture depends crucially on what was said,
cf. the following two examples (for speech 2, I choose one of the three
hypothesised causes and make some assumptions. This should not be
taken to mean that I judge that this was the most likely interpretation of
events. For I do not know).
1. "The airplane thinks it's in the air when it's on the ground. We think
we've fixed what we guess the problem might be. We're going to risk it.
Who wants to come with us?";
2. "We are getting a false air/ground indication. The consequences of that
are that two of our three braking systems might not operate as intended
on landing. The aircraft will stop safely on the runway with just wheel
brakes; indeed the manufacturer had to prove that it would do so, and
provide us with the performance figures, before we could fly anyone in
the airplane. So the worst case outcome would be that we take a little
longer to stop when we arrive at the destination.
I have tried to find the source of the problem. I checked the nosewheel
sensor, which determines whether the nosewheel is in full contact with
the ground. It was clearly out of adjustment, and that alone would have
caused the problem we have been seeing. I have adjusted the sensor so
that it now operates correctly. After checking everything else that we
can, I assume that that is the only problem. Theoretically there could be
a second problem, but I think that is unlikely enough that I shall ignore
it, while remaining alert to potential signs of it when we fly. I am
content to fly this airplane. Remember that my health and safety is
on the line every bit as much as yours and I have family too. I recommend
you be content to fly in this airplane also. But I wish to give those of
you who think differently from us a choice."
Peter B. Ladkin, University of Bielefeld, Germany
http://www.rvs.uni-bielefeld.de
The NOAA posted a few satellite photos of Northeastern North America before and after last week's blackout. http://www.noaanews.noaa.gov/stories/s2015.htm http://www.noaanews.noaa.gov/nightlights/blackout081403-20hrsbefore-text.jpg http://www.noaanews.noaa.gov/nightlights/blackout081503-7hrsafter-text.jpg The first photo seems a little supersaturated to me (and a little misaligned, making for a poor flip-back-and-forth...) but clearly show great swaths of New York, Ontario, Ohio and Michigan in the dark. However, there is a surprising amount of light still on, especially in New York and Long Island, in line with the NYT article quoted by Andrew Greene in 22.87. Other major urban areas (Toronto, Detroit, Cleveland) seem much darker in comparison. Maybe more cars and generators in NYC and thus more ambient light? [Clearly, some places were either better prepared or lucky (or both) than others. PGN]
2004 IEEE Symposium on Security and Privacy 9-12 May 2004, The Claremont Resort, Oakland, California, USA sponsored by IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research (IACR) Paper submissions due: 5 Nov 2003 For submission guidelines see http://www.cs.berkeley.edu/~daw/oakland04-cfp.html For questions, please contact the program chairs: oakland-pcchairs04@zurich.ibm.com Symposium Committee: General Chair: Lee Badger (DARPA) Vice Chair: Steve Tate (University of North Texas) Program Co-Chairs: David A. Wagner (University of California, Berkeley, USA) Michael Waidner (IBM Zurich Research Lab, Switzerland)
Please report problems with the web pages to the maintainer