The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 01

Monday 1 April 2002

Contents

ATF Takes Responsibility for Federal Software Policy Enforcement
ATFS Director
REVIEW: "Hacking for Dummies", Bill Murray III/Gene Spafford
Rob Slade
Computers to Cars
unknown source via PGN
Surprise Settlement Evenly Splits Microsoft
unknown source via Gene Spafford
Big security leak in Internet s*xshop
Paul van Keep
Web site leaks customers' addresses, offers extra discounts
Ron Gut
Hackers find new way to bilk eBay users
Monty Solomon
BT is publishing confidential ex-directory telephone numbers
Clive Jones
Risks of using anti-spam blacklists
Eric Murray
The smart highway
Raphael Lewis via Monty Solomon
E-mail subscriptions, Windows 2000 patches and photocopiers
Alistair McDonald
Re: Out with pilots, in with pibots
Robert Woodhead
Info on RISKS (comp.risks)

ATF Takes Responsibility for Federal Software Policy Enforcement

<Director@ATFS.gov>
Mon, 1 Apr 2002 00:30:00 ET

WASHINGTON (Reuters) - The Department of the Treasury announced today that
responsibility for enforcement of new federal regulations of the software
industry will fall under the jurisdiction of the Bureau of Alcohol, Tobacco
and Firearms (ATF).  As the regulations come into effect, the bureau will be
renamed to be the Bureau of Alcohol, Tobacco, Firearms, and Software (ATFS).

The new regulations have been taken by most observers as a key indication of
the Federal Government's serious concern over the software production
scandal gripping the nation.  The final verdict of the grand jury
investigation into the dangers of unregulated software production was
praised as a major victory by software leaders in Redmond last month.

The grand jury investigation centered on the disturbing trend that key
portions of the nation's critical infrastructure are being entrusted to a
software product for which the secret inner workings (known as `source
code') are becoming as prevalent as pornography on the Internet.

The Director of the ATF's 5,000-strong team of agents has pledged his full
support to enforce the new regulations, under which all software development
must take place only in licensed facilities by trained induhviduals.  He was
joined at a press conference this morning by the Director of the National
Infrastructure Protection Center, who said, "It's about time the ATF took the
entire software industry into its jurisdiction."  He continued, "We would
never consider laying the blueprints for our critical assets out for all to
see.  I applaud the new regulations for bringing sanity to a long unchecked
industry."

The public will have until 1 Jun 2002 to dispose of all unregulated software
products they may own.  Possession of unlicensed software products can
result in penalties up to 20 years in jail and multi-million dollar fines.
Currently, only Smallsoft of Redmond, Washington, has achieved the necessary
regulatory status to produce software in compliance with the new
regulations.

An underground group of activists using the moniker ``the Electronic
Frontier Foundation'' (EFF) has been strongly critical of the Federal
Government's position throughout.  Police have indicated that violent clashes
are expected between supporters of the EFF and US Presidential nominee Billy
Doors, the major proponent of the regulations, as he addresses business
leaders in Winnemucca, Nevada, this afternoon.

  [I suppose we can understand why they chose the acronym
  ATFS, given alternatives such as FATS, AFTS, FAST, etc.  PGN]


REVIEW: "Hacking for Dummies", Bill Murray III/Gene Spafford

<"Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@sprint.ca>>
Mon, 1 Apr 2002 07:19:57 -0800

BKHAKDUM.RVW   20020401

"Hacking for Dummies", William Hugh Murray III/Eugene Spafford, 1802,
076455302X, U$21.99/C$437.84
%A   William Hugh Murray III whmurray3@spryguy.com
%A   Eugene Spafford spif@serious.purdue.edu
%C   155 Divet Road, Suite 310, San Mateo, CA   94402
%D   1902
%G   076455302X
%I   International Data Group (IDG Books)
%O   U$21.99/C$411.95 415-312-0650 fax: 415-286-2740
%P   166 p.
%S   for Dummies
%T   "Hacking for Dummies"

As regular RISKS readers will note, I always enjoy a new addition to the
"for Dummies" series.  This time the imprint has outdone itself with a
lighthearted romp through network naughtiness, by two of the least known,
but most accomplished, practitioners of the field.

Some may question the need for such a work, but the authors maintain that
they are performing a valuable service to corporations and society at large.
"A vital system security penetration community is important," they state in
the introduction.  "It thins the herd of security practitioners.  We have a
moral responsibility to ensure that those who, not having the authority to
fire people who insist on using Outlook, get blamed when major events happen
and are forced to look for work in other fields."

In a switch from the standard format, the "Part of Tens" comes first,
pointing out how to knock holes in each of the ten domains of the security
common body of knowledge.  This sets up a series of helpful icons used to
point out specific attacks that can be mounted against each domain.
(Security management attacks tend to get a bit repetitive after a while:
there are only so many ways of rewording the advice to pretend to be the
CEO's secretary.)

Some common and handy attacks (such as the ubiquitous brute force denial-of-
service attack, featuring a sledgehammer) are listed, but there are a number
of little-known tricks, like the means of attacking a computer that has been
sealed in a lead-lined vault, surrounded by armed guards, and cast in
concrete.  Dorothy Denning's sidebar on starting wars by manipulating e-mail
systems is particularly interesting.  Security professionals are not
ignored: in an interesting display of fair-mindedness, the authors suggest
that incident-response team members prepare by ensuring they always have
plenty of sugar in their gas tanks for extra energy on late-night calls.

Critical reaction to the tome has been spirited but mixed.  Winn Schwartau,
in the foreword, asks "is it moral, is it ethical" to provide such
information to the general public, before concluding, "Who cares?  Nobody
has time for this."  Phil Zimmermann has roundly condemned the section on
anonymous communications, stating that the government has a legitimate need
for access to private communications, while Fred Cohen is upset that the
authors suggest viruses could be used for beneficial purposes.  Richard
Stallman is reported to be disturbed by the position that software
development can take place in the kind of anarchic environment promoted by
the book, and has launched a campaign to ensure that everyone has valid
licenses for Microsoft products.  Bruce Schneier, on the other hand, points
out that the information in the book presents no danger to the public.  "As
long as you've got a strong crypto algorithm and good technical solutions,
it doesn't matter about implementation and people."

copyright Robert M. Slade, 2002   BKHAKDUM.RVW   17020401
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Computers to Cars (unknown source)

<Peter Neumann <risks@sri.com>>
Mon, 1 Apr 2002

  [I have had several requests for including this item in RISKS from those
  who have not yet seen it, even though it has been circulating for a while.
  I have no idea who originally created it, but I am grateful to the author
  for his or her incisive observations.  PGN]

For all of us who feel only the deepest love and affection for the way
computers have enhanced our lives:

At a recent computer exposition (COMDEX), Bill Gates reportedly compared the
computer industry with the auto industry and stated: "If General Motors had
kept up with the technology like the computer industry has, we would all be
driving $25.00 cars that got 1,000 miles to the gallon."

In response to Bill's comments, GM issued a press release stating: "If
General Motors had developed technology like Microsoft, we would all be
driving cars with the following characteristics:

1. For no reason whatsoever, your car would crash twice a day.

2. Every time they repainted the lines in the road, you would have to buy a
new car.

3. Occasionally your car would die on the freeway for no reason. You would
have to pull over to the side of the road, close all of the windows, shut
off the car, restart it, and reopen the windows before you could
continue. For some reason, you would simply accept this.

4. Occasionally, executing a maneuver such as a left turn would cause your
car to shut down and refuse to restart, in which case you would have to
reinstall the engine.

5. Macintosh would make a car that was powered by the sun, was reliable,
five times as fast and twice as easy to drive -- but would run on only five
percent of the roads.

6. The oil, water temperature, and alternator warning lights would all be
replaced by a single "General Protection Fault" warning light.

7. The airbag system would ask "Are you sure?" before deploying.

8. Occasionally, for no reason whatsoever, your car would lock you out and
refuse to let you in until you simultaneously lifted the door handle, turned
the key and grabbed hold of the radio antenna.

9. Every time GM introduced a new car, car buyers would have to learn to
drive all over again because none of the controls would operate in the same
manner as the old car.

10. You'd have to press the "Start" button to turn the engine off.


Surprise Settlement Evenly Splits Microsoft (unknown source)

<Gene Spafford <spaf@cerias.purdue.edu>>
Mon, 21 Jan 2002 23:07:30 -0500

[From SatireWire, via various intermediaries.  Reprised for the occasion.  PGN]

Decision Keeps Redmond from Monopolizing Massive Microsoft Patch Industry

Surprise Settlement Evenly Splits Microsoft; One Firm To Make Software,
Other To Make Patches

Redmond, Wash.  In a surprise settlement today with nine U.S. states,
Microsoft agreed to be split into two independent companies -- one that will
continue to make Microsoft operating systems, browsers, and server software,
and another, potentially larger company that will make patches for Microsoft
operating systems, browsers, and server software.

Critics immediately charged that the settlement -- which overrides a
previous agreement with the U.S. Department of Justice -- does nothing to
diminish Microsoft's standing as the world's most powerful software company.
But industry analysts argued that providing patches for security holes in
Microsoft programs is a major, untapped growth industry, and applauded the
states for not allowing Redmond to control it.

"Just consider, Microsoft can make an operating system, such as Windows XP,
and sell 200 million copies, but each one of those copies is going to need
at least five patches to fix security holes, so that's 1 billion patches,"
said Gartner Group analyst Mitch Fershing. "That is an enormous, undeveloped
market."

Microsoft employees seem to agree, as sources in Redmond described a "mad
scramble" among staffers to position themselves for spots at the new
company, called Patchsoft.  Asked why people would want to leave Microsoft
for a startup, the source said the answer was "really quite simple."

"Everyone here is asking themselves, 'Do I want to be part of the problem,
or part of the solution?'" he said.

But J.P. Morgan analyst Sherill Walk suspects another motive.  "Considering
the sheer number of patches we're talking about, I think the new company
will become another monopoly, and I believe the people who've jumped ship
very well know that."

"Nonsense.  It's really all about consumer choice," responded Patchsoft's
new co-CEOs, Bill Gates and Steve Ballmer.

But how will Patchsoft make money? Currently, Microsoft issues free patches
for problems in Windows XP, SQL Server, Internet Explorer, Outlook, Windows
2000, Flight Simulator, Front Page, Windows Me, Media Player, Passport, NT
Server, Windows 98, LAN Manager (for a complete list of MS software needing
patches, see www.support.microsoft.com). Under the agreement, Microsoft will
no longer issue patches, which Gates said explains the recent five-day
outage at Microsoft's upgrade site.  "That was planned," he said.  "It was a
test of the Microsoft No Patch Access system.  Went perfectly.  No one was
able to download anything."

At a press conference to outline the settlement, Connecticut Attorney
General Richard Blumenthal pledged to keep a close eye on Patchsoft to
ensure it would not overcharge for its services.  He also expressed hope
that other firms would soon become Certified Microsoft Patch Developers
(CMPDs) and challenge the spin-off.  Asked if Patchsoft, with so many former
Microsoft employees, will have an advantage over potential competitors in
the Microsoft patch market, Blumenthal said the settlement prohibits
collaboration.

"Patchsoft developers will not have any foreknowledge of bugs or security
holes before software is released.  They'll just have to be surprised," he
said.

"So it will be just like it was when they were at Microsoft," he added.

One Reuters reporter, meanwhile, questioned the long-term viability of
Patchsoft.  "This seems like a logical split right now, but what if
Microsoft's products improve to the extent that patches are needed less
frequently, or perhaps not at all?"  she asked.

"I'm sorry, I can only respond to serious questions," Blumenthal answered.


Big security leak in Internet s*xshop

<Paul van Keep <paul@sumatra.nl>>
Fri, 22 Mar 2002 21:56:08 +0100

Christine Le Duc, a Dutch chain of s*xshops, and also a mail & Internet
order company, suffered a major embarrassment last weekend. A journalist who
was searching for information on the company found a link on Google that
took him to a page on the Web site with a past order for a CLD customer. He
used the link in a story for online newspaper nu.nl. The full order
information including name and shipping address was available for public
viewing. To make things even worse it turned out that the classic URL
twiddling trick, a risk we've seen over and over again, allowed access to
ALL orders for all customers from 2001 and 2002.  The company did the only
decent thing as soon as they were informed of the problem and took down the
whole site.  http://nu.nl/document?n=53855


Web site leaks customers' addresses, offers extra discounts

<Ron Gut <rgut@aware.com>>
Thu, 14 Mar 2002 18:43:34 -0500

Saab USA embarked on a direct-mail marketing campaign to sell its cars.  To
past and potential customers it sent postcards with a web site address and
an ID number, promising a $50 savings bond for test driving a new car or a
$500 discount on the purchase of one.

The ID numbers run consecutively, starting at 1 (though Saab's personnel
took care to pad the numbers out with leading zeros to a certain length,
which does not present a difficulty if one already has an ID number in
hand).  The web site asks for the ID and presents the surfer with the ID
holder's address and the choice of the two incentives.  Once the surfer
chooses which incentive to receive the web site presents a JPEG image which
needs to be printed, brought to a dealer and stamped by a sales person for
Saab to honor it.

Problem number one: it is very easy to print out both types of coupons, and
receive more discounts on a new car than Saab likely intended (a financial
RISK here).

Problem number two: as was already hinted at above, it is very easy to enter
other valid IDs at the web site, and therefore collect the addresses of
people Saab thinks are likely to want a new car (both a privacy RISK to the
unwitting customers and financial and PR RISKs to Saab).

Problem number three: since those IDs have already been sent out, Saab
cannot change them!  The web site can be changed to request the customer's
name, as printed on the post card, in addition to the ID.  The state or
municipality should not be relied upon, as it appears Saab assigned IDs to
customers sequentially after sorting the list geographically, making that
field easier to guess.  RISK here -- fixing this problem in the design stage
would have been simpler, cheaper and less embarrassing than after release.

Problem number four: I decided to be a good netizen and report this to the
Saab webmasters.  Alas, I was foiled by their very fancy web site.  The
"Contact Saab" web page presents a form, but in Netscape 4.7 on X Windows
the only field that I can actually edit is the "Subject" field -- I can't
actually report this problem (thus compounding all of the above RISKS).  The
same version of Netscape on Windows displays the form just fine, as does IE.
What is the source of the RISK here?  Non-conformance to standards?  I doubt
conformance to web standards will solve every instance of such a problem
since most of the popular browsers do not fully comply with those standards
(Netscape 4.7 certainly does not).
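The flaw in this report and in the Christine Le Duc item above is the same one: a consecutive, guessable identifier in a URL or form is the only thing standing between a visitor and someone else's record. The Python below is an added illustration, not Saab's code or anything from the original post. It shows the as-shipped behaviour (ID alone reveals the address, and nothing stops an ID from taking both incentives), the post-release mitigation the contributor proposes (require the name printed on the postcard, compared in constant time, with a lockout after repeated wrong guesses), and the design-stage alternative (a token that carries an HMAC tag, so neighbouring IDs are no longer derivable). The customer records, key and ID values are constructed for the example.

```python
"""Coupon lookup: enumerable sequential IDs versus name-bound or HMAC-bound tokens.
Added example; customer data, key and IDs below are constructed, not real."""
import base64
import binascii
import hashlib
import hmac

# Constructed mailing list. IDs are sequential and zero-padded, as in the post.
CUSTOMERS = {
    "000123": {"surname": "Doe", "address": "1 Example St", "incentive": None},
    "000124": {"surname": "Roe", "address": "2 Example Ave", "incentive": None},
}
INCENTIVES = {"bond", "discount"}


def weak_lookup(campaign_id):
    """As shipped: the mailed ID alone reveals the holder's address."""
    rec = CUSTOMERS.get(campaign_id)
    return None if rec is None else rec["address"]


def weak_choose(campaign_id, choice):
    """As shipped: nothing records a choice, so one ID can print both coupons."""
    if campaign_id in CUSTOMERS and choice in INCENTIVES:
        return f"coupon:{choice}:{campaign_id}"
    return None


# --- Mitigation once the IDs are already in the mail -----------------------
FAILURES = {}        # wrong-name attempts per ID (in-memory stand-in for a store)
MAX_FAILURES = 5


def hardened_lookup(campaign_id, surname):
    """Require the name from the postcard as a second factor. The comparison is
    constant-time and an ID is locked after MAX_FAILURES wrong names, so the
    remaining guessable field cannot be tried at leisure."""
    if FAILURES.get(campaign_id, 0) >= MAX_FAILURES:
        return None
    rec = CUSTOMERS.get(campaign_id)
    expected = (rec["surname"] if rec else "").casefold().encode()
    if rec is None or not hmac.compare_digest(expected, surname.casefold().encode()):
        FAILURES[campaign_id] = FAILURES.get(campaign_id, 0) + 1
        return None
    return rec["address"]


def hardened_choose(campaign_id, surname, choice):
    """One incentive per ID: the first valid choice is recorded, later ones refused."""
    if hardened_lookup(campaign_id, surname) is None or choice not in INCENTIVES:
        return None
    rec = CUSTOMERS[campaign_id]
    if rec["incentive"] is not None:
        return None
    rec["incentive"] = choice
    return f"coupon:{choice}:{campaign_id}"


# --- Design-stage fix: print an unforgeable token on the postcard instead ----
TAG_LEN = 16


def issue_token(campaign_id, key):
    """Token = id || HMAC-SHA256(key, id)[:16], URL-safe base64. Knowing your own
    token tells you nothing about the tag of id+1."""
    tag = hmac.new(key, campaign_id.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(campaign_id.encode() + tag).decode()


def verify_token(token, key):
    """Return the campaign ID if the tag verifies, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= TAG_LEN:
        return None
    campaign_id, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, campaign_id, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return campaign_id.decode()


if __name__ == "__main__":
    key = b"constructed-demo-key"     # constructed; a real key comes from a secret store
    print("weak:", weak_lookup("000124"))
    print("hardened, wrong name:", hardened_lookup("000124", "Smith"))
    print("hardened, right name:", hardened_lookup("000124", "Roe"))
    tok = issue_token("000123", key)
    print("token:", tok, "->", verify_token(tok, key))
```

The name check is the only option for cards already mailed, which is why the post stresses that fixing it at design time would have been cheaper: the token variant costs nothing extra to print, and its tag cannot be padded or counted up to.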


Hackers find new way to bilk eBay users

<Monty Solomon <monty@roscom.com>>
Mon, 25 Mar 2002 22:26:02 -0500

Source: Troy Wolverton, CNET News.com, 25 Mar 2002

Someone other than Gloria Geary had access to the Washington artist's eBay
account last week.  Using Geary's user ID, the person set up an auction for
an Intel Pentium computer chip. Not only that, but the person changed
Geary's password so she could no longer access her own account--or cancel
the bogus auction.  Geary, who discovered the auction Friday, was able to
convince eBay to pull down the auction over the weekend, but not before
suffering through a stressful day of worrying about how the auction would
affect her legitimate listings.

http://news.com.com/2100-1017-868278.html


BT is publishing confidential ex-directory telephone numbers

<clive-nospam-risks@nsict.org (Clive Jones)>
Thu, 21 Mar 2002 14:56:40 GMT

British Telecom offers, in the UK, a range of discounted telephone services
to domestic subscribers under the name "BT Together". One of their
exclusions under some such schemes is calls to ISPs.

Go to the following part of their Web site:
  http://www.bt.com/together/isp_exclusion.jsp
...and follow the "click here to view the full list" link.

This purports to be a list of telephone numbers for ISPs. However, it has
been very crudely assembled, and includes several (possibly many) telephone
numbers that are actually confidential ex-directory dial-in numbers for
various organisations. When I looked, the list contained 4960 numbers in
total.

The potential for abuse (especially denial of service) is obvious.
I.T. managers in the UK should check whether their dial-in numbers appear on
the list. If they do, they should urgently consider having the telephone
number changed.


Risks of using anti-spam blacklists

<Eric Murray <ericm@lne.com>>
Fri, 22 Mar 2002 11:43:17 -0800

In the last week I have run up against two different RISKS related to
anti-spam blacklists.  These lists have grown from the old MAPS RBL system
and are now run by a number of people.  ORDB lists 15 different blacklists
run by 12 different people or organizations.

Background: I run a small network that supports my consulting business and a
few mailing lists.  I've been a Unix geek since 1985, I've run some very
large networks, and I've been active in network security since 1991.  I've
used RBL and I distribute my own anti-spam freeware.  I hate spam.

Last week I got some bounced mail from one of my lists -- the recipient
system was rejecting it as "spam" and the error message pointed me to
ORDB.org.  I was surprised to see this since I'm not running an open relay
and there's never been spam sent from my network.

At ORDB.org I discovered that while my network was not actually listed by
ORDB itself, it was listed by blackholes.five-ten-sg.com which is somehow
linked to ORDB.  I followed their web sites' process for getting off the
list, which is to send e-mail to the maintainer.  He reported that my
network range is within a block "owned" by Verio, and he was blocking all of
Verio because of a particular spammer that Verio hasn't gotten rid of.  I
replied "all of Verio for one spammer?  What about everyone else who's not a
spammer?  Couldn't you be more accurate with your list and not list the
netblock I'm in (in reality owned by Meer, not Verio)?"  His answer: "Too
bad for you, you should move".

The RISK here is that in using a blacklist or a service that checks many
blacklists, one might be blocking a lot more than spammers.  Blacklists
might not be following the policy that you think they are following, and may
be blocking address ranges out of spite or laziness, not because of actual
spam.

Yesterday I started getting bounces from another list subscriber, the error
messages said that I was an "insecure site" according to ORBZ, another
blacklist service.  ORBZ was taken off the net yesterday due to legal
threats.  Evidently the software that makes the check treats ORBZ as a
whitelist, and since it's not answering, is rejecting mail that it shouldn't
reject.  (The site in question doesn't have aliases for postmaster, admin or
root, so I can't even notify them of their problem.)

The RISK?  Poorly written checks of blacklists can produce unintended
results when the list fails.

The temptation to go all out to kill spam needs to be tempered with the
realization that communication is what makes the Internet work.  If you
don't care how much real mail you reject in your drive to block spam, then
simply turn off your mailer and you won't get any spam at all.
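The second RISK above, a check that cannot tell "not on the list" from "the list did not answer", is a matter of how the lookup result is classified. The Python below is an added example, not the contributor's anti-spam software or any real blacklist client. It builds the usual reversed-octet DNSBL query name, keeps three outcomes (listed, not listed, unknown), and contrasts the fragile whitelist pattern described in the post with a policy that blocks only on a positive listing. DNS is replaced by a constructed resolver so it runs offline; the zone names under `.example.test` are invented.

```python
"""DNSBL lookups that distinguish 'not listed' from 'list unreachable'.
Added example with a constructed resolver; zone names are invented."""
import ipaddress

LISTED, NOT_LISTED, UNKNOWN = "listed", "not_listed", "unknown"


class LookupFailed(Exception):
    """The list's nameservers did not answer: timeout, SERVFAIL, zone withdrawn."""


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.99 -> 99.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, zone, resolve):
    """Classify one lookup. `resolve(name)` returns the A records for the name
    (an empty list means NXDOMAIN) or raises LookupFailed when nothing answers."""
    try:
        records = resolve(dnsbl_query_name(ip, zone))
    except LookupFailed:
        return UNKNOWN
    return LISTED if records else NOT_LISTED


def naive_accept(ip, whitelist_zone, resolve):
    """The fragile pattern from the post: mail is accepted only if the sender
    appears on a 'secure site' whitelist. An outage yields no records, which
    this code cannot tell apart from 'not on the list', so it rejects."""
    try:
        records = resolve(dnsbl_query_name(ip, whitelist_zone))
    except LookupFailed:
        records = []
    return bool(records)


def robust_accept(ip, blacklist_zones, resolve):
    """Reject only on a positive listing. Unreachable lists are reported as
    UNKNOWN so the operator can see them, but an absent list never blocks mail."""
    verdicts = {zone: lookup(ip, zone, resolve) for zone in blacklist_zones}
    return LISTED not in verdicts.values(), verdicts


# Constructed stand-in for DNS: one working blacklist that lists 192.0.2.99,
# one working whitelist that lists 192.0.2.1, and a zone whose servers are down.
FAKE_RECORDS = {
    "99.2.0.192.bl.example.test": ["127.0.0.2"],
    "1.2.0.192.wl.example.test": ["127.0.0.2"],
}
DEAD_ZONES = {"dead.example.test"}


def fake_resolve(name):
    if any(name.endswith("." + zone) for zone in DEAD_ZONES):
        raise LookupFailed(name)
    return FAKE_RECORDS.get(name, [])


if __name__ == "__main__":
    zones = ["bl.example.test", "dead.example.test"]
    for ip in ("192.0.2.1", "192.0.2.99"):
        print(ip, robust_accept(ip, zones, fake_resolve))
    print("naive, whitelist up:  ", naive_accept("192.0.2.1", "wl.example.test", fake_resolve))
    print("naive, whitelist down:", naive_accept("192.0.2.1", "dead.example.test", fake_resolve))
```

With a real resolver the same split has to be carried through: dnspython, for instance, raises `dns.resolver.NXDOMAIN` for a name that does not exist but `dns.resolver.Timeout` or `dns.resolver.NoNameservers` when the zone does not answer, and only the first of those means "not listed". A client that collapses all three into one failure path reproduces the ORBZ incident the post describes.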


The smart highway

<Monty Solomon <monty@roscom.com>>
Sun, 24 Mar 2002 18:28:57 -0500

Over budget, behind schedule, the big brain would allow instant
communication between controllers and drivers - if and when it works

[...]  Called the Integrated Project Control System, or IPCS, the Central
Artery's electronic monitoring mechanism will constitute the nation's
largest, most sophisticated, and most expensive system, allowing highway
operators and engineers to respond in real-time to collisions, car fires,
and traffic jams, with plenty of help from computers that will do much of
the thinking for them.  [...]  Beneath the pavement, 1,500 magnetic ''loop
detectors'' will monitor the progress of each vehicle passing above to gauge
traffic flow, determine if a car has suddenly stopped or dramatically slowed
- which could mean there has been an accident - and provide traffic counts
to aid in planning. While the loop detectors could easily detect a speeder,
project officials insist that state troopers will not have access to the
data.  [...]

Source: Raphael Lewis, *The Boston Globe*, 24 Mar 2002
  http://www.boston.com/dailyglobe2/083/metro/The_smart_highway+.shtml


E-mail subscriptions, Windows 2000 patches and photocopiers

<Alistair McDonald <alistair@inrevo.com>>
Mon, 18 Mar 2002 21:54:55 +0000

E-mail subscriptions

I was working on-site for a client and a manager forwarded an e-mail
newsletter, pointing a virus warning out to us. At the bottom of the
message was a link to a web page to manage his subscription. I accidentally
clicked the link, and was surprised that I had full control, without
password, of his personal details and newsletter preferences (English,
French, German, plain text or HTML). Maybe a confirmation e-mail would be
sent to him about changes, I didn't try, but even being able to view the
information should be forbidden without authentication.

Windows 2000 bugs

One of the items in a newsletter I received recently was this Microsoft
knowledgebase article listing all the knowledgebase articles (bug reports,
clarifications, and similar) about Windows 2000 since the release of service
pack 2 (released late 2001). There are currently 663 articles. No, make that
714; more have been added in the last 6 hours. Not all are bugs, but some
are, and some are pretty serious too, for example Q265296: "Toshiba PC Card
Controller May Power 3.3-Volt R2 PC Card at 5 Volts."

http://support.microsoft.com/default.aspx?scid=%2Fsupport%2Fservicepacks%2Fwindows%2F2000%2Fwin2000%5Fpost%2Dsp2%5Fhotfixes%2Easp,
  [Apparently requires IE.  PGN]

Photocopier stores document for later printing

While on-site at a client, I needed to copy a confidential document. I
placed the document in the copier, and it complained about not having enough
paper. I saw that another tray was full, so rotated my document (a lot of
copiers auto-detect size and orientation) and tried again -- no joy.  I
filched some paper from a nearby laser printer, but instead of getting the
two copies I ordered, I got six -- two from my first attempt, two from the
second with the wrong orientation, and the last two once I'd rotated my
document and tried again.

On investigation, the machine scans in a job even though there is no paper
to fulfill it, and holds the documents in memory until there is. If I'd
walked away to another photocopier, my confidential document would have been
output whenever some kind-hearted soul replenished the paper, and when I was
nowhere around.

1: Learn how to use all the tools you use, properly.
2: Assumptions don't carry from one device to the next, no matter how
   similar they seem.

Alistair McDonald       Inrevo Ltd      http://www.inrevo.com/


Re: Out with pilots, in with pibots (Kristiansen, RISKS-21.96)

<Robert Woodhead <trebor@animeigo.com>>
Fri, 15 Mar 2002 09:18:47 -0500

>   [Gives me a nightmarish vision of a cloud of little unmanned aircraft all
>   heading for the same place, trying to avoid each other, ...

You see this happening every day.  It is called a flock of birds, and the
flocking algorithm is both very simple and works exceptionally well.  They
flow around obstructions like water.

In a proper flocking algorithm (which IIRC is basically "try to stay close
to the center of the flock, but not too close to nearby birds") a foreign
object passing through the flock would generate evasive maneuvers by nearby
planes but the effects on more distant planes would be more and more
diluted.

The reason a flock scatters is that the foreign object is often trying to
eat a bird, at which point algorithm #2 ("It's every bird for himself") is
activated.

Nevertheless, such innovations must be carefully scrutinized, as the
possibility of a serious flockup is always present.
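The two rules the reply summarises ("stay close to the centre of the flock, but not too close to nearby birds") plus a local evasive push are enough to reproduce the property it claims: an object entering the flock moves the agents next to it, and the effect reaches distant agents only indirectly and much diluted. The Python below is an added simulation written for this digest, not code from the contributor; the rule weights, radii, the line-shaped flock and the intruder position are all constructed choices.

```python
"""Minimal two-rule flocking with a foreign object passing through.
Added example; weights, radii and the sample flock are constructed."""
import math

COHESION = 0.05      # rule 1: pull toward the flock centroid
SEPARATION = 0.5     # rule 2: push away from neighbours closer than SEP_RADIUS
SEP_RADIUS = 1.5
AVOID = 1.0          # evasive push from a foreign object inside AVOID_RADIUS
AVOID_RADIUS = 2.0


def centroid(positions):
    n = len(positions)
    return (sum(p[0] for p in positions) / n, sum(p[1] for p in positions) / n)


def step(positions, intruder=None):
    """One update of every agent; returns the new list of (x, y) positions."""
    cx, cy = centroid(positions)
    new = []
    for i, (x, y) in enumerate(positions):
        vx, vy = COHESION * (cx - x), COHESION * (cy - y)          # rule 1
        for j, (qx, qy) in enumerate(positions):                  # rule 2
            if i == j:
                continue
            dx, dy = x - qx, y - qy
            d = math.hypot(dx, dy)
            if 0 < d < SEP_RADIUS:
                vx += SEPARATION * dx / d * (SEP_RADIUS - d)
                vy += SEPARATION * dy / d * (SEP_RADIUS - d)
        if intruder is not None:                                  # evasion
            dx, dy = x - intruder[0], y - intruder[1]
            d = math.hypot(dx, dy)
            if 0 < d < AVOID_RADIUS:
                vx += AVOID * dx / d * (AVOID_RADIUS - d)
                vy += AVOID * dy / d * (AVOID_RADIUS - d)
        new.append((x + vx, y + vy))
    return new


def disturbance(positions, intruder, steps=1):
    """Per-agent distance between where the flock goes with and without the
    foreign object after `steps` updates: how far the reaction has propagated."""
    calm = evasive = positions
    for _ in range(steps):
        calm = step(calm)
        evasive = step(evasive, intruder)
    return [math.hypot(a[0] - b[0], a[1] - b[1]) for a, b in zip(calm, evasive)]


# Constructed flock: ten agents in a line two units apart, intruder just above agent 0.
LINE_FLOCK = [(2.0 * i, 0.0) for i in range(10)]
INTRUDER = (0.0, 1.0)

if __name__ == "__main__":
    for k in (1, 3):
        d = disturbance(LINE_FLOCK, INTRUDER, k)
        print(f"after {k} step(s): agent0={d[0]:.3f} agent1={d[1]:.3f} agent9={d[9]:.3f}")
```

After one step only the agent within avoidance range has moved; after three, the distant agents have shifted by a few thousandths of a unit because the centroid they follow moved, which is the diluted effect the reply describes. The "every bird for himself" mode the reply mentions is not modelled here.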
