The RISKS Digest
Volume 22 Issue 2

Thursday, 4th April 2002

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Announcing Immunix SnackGuard
Crispin Cowan
Just because it's funny doesn't mean it isn't real
Donald A. Norman
Re: Computers to Cars
David Harmon
April Foolishness
PGN
Real News on April 1st/KaZaA "leech" network
Nicholas C. Weaver
"IRS Form W-9095" - that is NOT ISSUED by the Gov't
Jean Dugger
When is fail-safe not fail-safe?
Phil Rose
Barclays BACS payment system failure
Lindsay Marshall
Gillette's Mach3 creates sales bonanza for thieves
Monty Solomon
Yahoo Groups spam alert
John David Galt
Yahoo users fume over "spam" switch
Monty Solomon
Re: UK ATC failure
Martyn Thomas
Re: Software "glitch" changes the colour of the universe
Douglas Siebert
Re: Loosing It's Grammer Skill's
Bruce Wampler
Re: The RISK of ignoring permission letters
Edward Reid
REVIEW: "Computer Forensics", Warren G. Kruse II/Jay G. Heiser
Rob Slade
Black Hat CFP
Jack Holleran
Info on RISKS (comp.risks)

Announcing Immunix SnackGuard

<Crispin Cowan <crispin@wirex.com>>
Mon, 01 Apr 2002 08:54:41 -0800

New Product Release: SnackGuard
WireX Communications, Inc., 1 Apr 2002

  [This arrived too late for the April Fool's Issue, but
  better late than never?  (Or better never than later?)  PGN]

WireX is pleased to announce the latest addition to the Immunix family of
security tools: SnackGuard. SnackGuard effectively guards your favorite
snacks in the break room from "snack smashing" attacks: the predations of
other hungry engineers. This protection is especially vital in these trying
times of unemployment, when nomadic tribes of hunter/gatherer geeks roam the
halls of once mighty dot.com's in search of food and caffeine.

Following on StackGuard's "canary" defense, SnackGuard employs WireX's
patent-pending "turkey" defense: when SnackGuard detects the "gobbling"
noise of some turkey scarfing down your favorite pop tarts and heavily
caffeinated beverages, it issues a pink slip, halting the gobbler.

While SnackGuard is effective in defending your snacks, it is not without
costs. SnackGuard increases run time when you are running to catch the bus
or the elevator, in that successful defense of your snacks tends to increase
"programmer's butt". Excessive consumption of caffeinated beverages without
intervening bathroom breaks may also induce personal "buffer overflows".

While SnackGuard is "free speech", it is not "free beer": you may modify and
distribute this gag as you wish, but go buy your own brewskis.

Crispin Cowan, Ph.D., Chief Scientist, WireX Communications,
Inc. http://wirex.com  Security Hardened Linux Distribution http://immunix.org


Just because it's funny doesn't mean it isn't real

<"Donald A. Norman" <don@jnd.org>>
Tue, 2 Apr 2002 18:13:06 -0600

In this year's April Fool edition, RISKS-22.01, our fearless moderator
reprinted that old item that purports to be from the auto industry: if we
made cars like computers, we'd always be crashing, rebooting, upgrading, ...

In particular, item 10 stated:

10. You'd have to press the "Start" button to turn the engine off.

Just because it's funny doesn't mean it's not real.  The automobile industry
is copying all the worst features of the computer industry, ignoring all the
advances in user-interface design, and all the lessons about safety. I fear
that someone in the industry a few years ago missed the significance of the
date "April 1" in the United States. They took it seriously.

I point your attention to the new BMW Series 7 automobile. The key is simply
a personal identifier that instructs the car to adjust the seat, mirrors,
steering column, etc. to the key owner's preferences. To start the engine,
push the "Start" button. To turn the engine off? Push the same "Start"
button. That takes care of Point number 10 in the "joke."  (To be fair, the
button is actually labeled START STOP, but then again, so too should the MS
Windows button.)

But it gets worse. The New 7 series BMW no longer has all those knobs and
buttons that clutter up the dashboard - you know, where each knob does one
thing that you can count on. Instead, it has a single controller located on
the center console that "functions similarly to a computer mouse." It drives
a display in the center of the dashboard. It is called the iDrive: i for
"intuitive". (Don't get me started on intuitive. You know what's intuitive?
Fear of heights. Everything else we call intuitive, such as walking or using
a pencil took years of practice. Is that what we want? A control that takes
years of practice?)

The iDrive plus display, says the sales brochure, is a "user-friendly
interface (that) offers quick access to over 700 settings, plus navigations
system maps, phone book listings, and more." One control, one display — 700
settings? What were they thinking?

As USA Today put it: "it manages to complicate simple functions beyond
belief."  Auto review said "iDrive is not simple, no matter how clean it
looks to the naked eye. ... Our advice ... Is to ... retain basic manual
controls for functions that are used every day."

I work in the field of usability and safely. I am appalled. I do, however,
have to keep an open mind. After all, I have not tested it. I did sit in the
front seat in a showroom, but with everything turned off.  I should drive it
down the highway — or better, a crowded city street - and test the
iDrive. Set a new radio station, check the directions to my destination, see
how much fuel I have left, adjust the temperature of the interior — things
I might actually do while driving.  Only then can I pass judgment.  Until
then, I'm simply delighted that I am not planning to buy one. Alas, BMW
promises that the features will migrate downward to all their autos.

Beware of April Fool jokes: they may come back to haunt you.

Don Norman, Computer Science,  Northwestern University
Nielsen Norman Group norman@nngroup.com   http://www.jnd.org


Re: Computers to Cars

<David Harmon <source@netcom.com>>
Thu, 04 Apr 2002 14:09:10 -0800

>6. The oil, water temperature, and alternator warning lights would all be
>replaced by a single "General Protection Fault" warning light.

It's labeled "Check Engine".  But opening the engine compartment and
checking ("Yup, still there.") accomplishes little; instead you need to
read some diagnostic code by plugging in a debugger that was not furnished
when you bought the car.


April Foolishness

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 4 Apr 2002 12:21:17 PST

Quite a few people have apparently gone to Amazon.com to order "Hacking For
Dummies" — a bogus (i.e., nonexistent) book reviewed by Rob Slade in
RISKS-22.01.  Perhaps, not surprisingly, the ISBN bears a strange
resemblance to the ISBN for "S*x for Dummies".  We have to call a Slade a
Slade.  Perhaps his review was too subtle?  Perhaps your fearless moderator
needs to be more obvious in highlighting April Fools' items, besides putting
it up front in the issue rather than buried in its usual end-of-the-issue
position?  Aw, come on!  April Fool's Day is seemingly a worldwide
tradition, and that's part of the fun.


Real News on April Fool's Day: KaZaA "leech" network

<"Nicholas C. Weaver" <nweaver@CS.Berkeley.EDU>>
Wed, 3 Apr 2002 14:00:47 -0800 (PST)

As reported on 1 Apr 2002,
  http://news.com.com/2100-1023-873181.html
Brilliant Digital has been distributing 2 programs with KaZaA [1], one of
which allows 3D, animated banner ads (a la Flash for 3D), and the second
being the framework for what can only be described as a "leech" peer to peer
network: using unused bandwidth, storage, and processor cycles on client
machines to do tasks like banner advertisement serving, distributed
computation, and distributed storage.

The second program is not complete, but is basically a Trojan which can be
woken up to create this network.  Being on April 1st, it smelled like an
April Fool's prank, just far enough out to be believable, but not quite
right.

Unfortunately, this isn't a hoax, but is 100% true.  Firstly, an e-mail with
the reporter confirms that this was based on an interview with the CEO
(possibly a point of fraud) and the SEC filings (annual report, form 10KSB).
One could believe that the reporter was hoaxed by the CEO, but the SEC
filings are presumed to be accurate in such matters.

Reading the SEC filings
  http://biz.yahoo.com/e/020401/bde.html
confirms that this is what they are doing and HAVE been doing: the Trojan
has been and continues to be distributed as part of KaZaA "third party"
software, and they plan on creating a distributed, secure, network for
distributed storage, bandwidth, and computation using this Trojan.  And by
installing the 3rd party software, KaZaA users have already agreed to these
terms and conditions.

What are the RISKS, let me count the ways:

1) Serious news being released on 1 Apr.  This is actually a pretty BIG
deal: this story should have real legs, the implications are pretty
astounding.  But apart from being posted on slashdot (and being largely
dismissed as April 1st), and being mirrored on MSN, it doesn't seem to have
spread beyond that.

2) Trojans being "legitimately" installed as part of various applications.
And if this forms a distributed network upon activation, this is another
huge security risk.  [2]

3) That some company thinks it can do "secure" content delivery using
untrusted clients (not just untrusted, but rather hostilely acquired).  Secure
storage is reasonable (encrypt everything, distributed copies) but still
hard.  Secure distributed computation is very hard (an open research area,
outside some very select problems), and secure distribution of bandwidth
(say, for ad serving) is a total crack-pipe dream.

4) The unwavering acceptance of license agreements on the part of users (who
are so conditioned to click "OK").

[1] KaZaA's business model is "we give the program free, but charge
people to bundle mandatory/voluntary programs with our download".

[2] Peer To Peer networks are hideously vulnerable to both active
worms (which can spread quickly using the inherent topology) and
contagion worms (which masquerade as "normal" traffic).  Be Afraid.
Be Very Afraid.

Nicholas C. Weaver <nweaver@cs.berkeley.edu>


"IRS Form W-9095" - that is NOT ISSUED by the Gov't

<Adam Shand (via Lindsay Marshall)>
Fri, 29 Mar 2002 00:29 -0000

Given the source of who sent this to me this is almost certainly legit.
Just be aware.

Adam.

--------- Forwarded message ----------
Date: Thu, 28 Mar 2002 17:52:30 -0500
Subject: "IRS Form W-9095" - that is NOT ISSUED by the Gov't

FYI....

I personally know the person who posted this information and she does work
for the USSS.  I have not seen the document yet so if you have any questions
direct them to Jean Dugger directly.

-----Original Message-----
Sent: Thursday, March 28, 2002 3:57 PM
To: METROTECH-L@LISTSERV.CC.EMORY.EDU
Subject: "IRS Form W-9095" - that is NOT ISSUED by the Gov't

To - ALL METRO TECH MEMBERS (PARTICULAR INTEREST - BANK SECURITY)
Fm - Jean Dugger, U S Secret Service
SUBJ - IRS Form - not from the Government....

Just when you think you've heard it all....you find out you haven't!!

Today, we were notified by a bank security good friend of the USSS that
a form "W-9095" is circulating - which was accompanied by a letter,
looking much like an official letterhead of the bank, requesting their
customer to complete the form and fax it back to phone #914-470-9245.

I'm sure you'll be surprised to learn that the form requested all kinds
of personal identifier information - ie, name, DOB, SSN, address, phone,
parents' names and mother's maiden name - just about everything you
would need to set up shop doing identity fraud!!

Luckily, a customer of the bank brought the form into a branch, to turn
it in, and bank security was alerted.

The form, called an "Application Form For Certificate Status/Ownership
For Withholding Tax", is quite a work of art - and I feel sure that it
has been widely distributed - my concern is that it could be VERY
widespread - perhaps by some former employee(s) who could gain access to
bank customer records base - and send out such a thing!

The form, official looking as it is, claims to be a "Department of the
Treasury Internal Revenue Service" form - which it is NOT.  I have
forwarded this info to IRS Internal investigations to see if they would
take a look at it.

I will bring copies to share at MetroPol Fraud next week!  My thought is
that someone worked way too hard on this form to limit its distribution
to even one bank's customers!  BE AWARE!

The bank letter is signed "Monique Meeuws" - and smells a lot like a
"419" letter scam!!

Please notify the U S Secret Service - me or Chad Laub, 404-331-6111, if
you identify these forms circulating to your customers!!

For the info of credit union organizations - please feel free to post
this message on your systems as well.

We are looking into this and trying to develop more information.  Please
call me if you have info.  More details to follow!

Jean, USSS


When is fail-safe not fail-safe?

<"Phil Rose" <pvrose@tality.com>>
Thu, 4 Apr 2002 11:40:16 +0100

Authorities are trying to restore order at a maximum security jail after an
electrical storm led to the failure of cell locks.
<http://news.bbc.co.uk/go/em/-/hi/english/uk/scotland/newsid_1910000/1910131.stm>

A lightning strike destroyed an electricity sub-station supplying power to
Shotts prison in Central Scotland, and the cell locks defaulted to what
should be the fail-safe for electronic door locks - open. However should
that be the case in a prison? Luckily for us who live close by the main
prison security is still mechanical.

The risks - fail-safe modes must be carefully designed for the system
application: don't rely on the component default fail-safe mode.


Barclays BACS payment system failure

<"Lindsay Marshall" <Lindsay.Marshall@newcastle.ac.uk>>
Sun, 31 Mar 2002 21:31:27 +0100

Barclays BACS payment system failed last week, and a large number of people
did not get their pay check in their bank account. Normally this would not
be a huge problem, but because it is Easter and so has two bank holidays
leading up to the last day of the month it is a huge disaster. I don't know
the details of the software problem at all, but arrangements were made with
banks to extend credit and Barclays said they would pay any bank charges
that anyone incurred because of not being paid. I am astonished that Pete
Mellor hasn't sent you details. If you have a look on any of the UK
newspaper sites for last week you will find something about it.


Gillette's Mach3 creates sales bonanza for thieves

<Monty Solomon <monty@roscom.com>>
Sun, 31 Mar 2002 14:38:09 -0500

Razor burn:
Runaway popularity of Gillette's Mach3 creates a sales bonanza for thieves

Gillette is taking steps to stem the flow of stolen Mach3 products.  Perhaps
the most important, Szynal said, is a pioneering antitheft technology
consortium at the Massachusetts Institute of Technology sponsored by
Gillette, Procter and Gamble, and other large consumer-products companies.
The MIT scientists are developing a microchip that, once embedded in the
packaging of the Mach3 and other products, would allow the product to be
tracked from factory to warehouse to retailer and everywhere in between. The
chip, which began a one-year field test in Oklahoma in October, will allow
Gillette security officials to scan products for sale at a flea market and
determine where they came from.  [Excerpt]
  http://www.boston.com/dailyglobe2/089/business/Razor_burn+.shtml


Yahoo Groups spam alert

<John David Galt <jdg@diogenes.sacramento.ca.us>>
Sun, 31 Mar 2002 15:27:51 -0800

Yahoo has apparently made a sneaky change to the "Marketing Preferences" of
all subscribers to mailing lists on yahoogroups.com, changing all their
"No's" to "Yes".  The result will be not only a load of spam, but also junk
mail and even junk phone calls if your address or phone number are on file
with Yahoo.

To change them back: Go to Yahoo Groups (http://groups.yahoo.com) and sign
in.  Go to My Groups and click on Account Info, verify your password if it
asks you to, and your Yahoo ID card comes up.  Click on 'Edit your Marketing
Preferences' and change all those Yes's back to No's.  Click Save Changes.


Yahoo users fume over "spam" switch

<Monty Solomon <monty@roscom.com>>
Sat, 30 Mar 2002 00:44:39 -0500

Yahoo users fume over "spam" switch, By Jim Hu, CNET News.com, 29 Mar 2002

Some Yahoo members on Friday reacted angrily to changes in the Web portal's
e-mail marketing practices, comparing the company's revised policy to an
open invitation to spam.

"I never received any notification about this from Yahoo," one annoyed
reader wrote in an e-mail to CNET News.com. "I was merely lucky enough to
have a friend warn me about it."

The ire stems from changes in Yahoo's "marketing preferences" page, which
the company uses to secure permission to send service promotions. Along with
other changes to the page, Yahoo said it had reset the default preferences
for all members in a way that would require them to manually request that
the company block the messages in the future--even if they had declined to
accept such e-mail in the past.  ...

http://news.com.com/2100-1023-871730.html


Re: UK ATC failure

<"Martyn Thomas" <martyn@thomas-associates.co.uk>>
Fri, 29 Mar 2002 20:59:10 -0000

> ... this computer was not connected with the computers at... Swanwick ATC
>  ["connected with" is of course ambiguous in this context.  PGN-ed]

The failing system was the National Airspace System, NAS, according to press
reports. This provides Flight Data Processing for Swanwick. "Connected to",
rather than "connected with"?

Martyn Thomas, Holly Lawn, Prospect Place, Bath BA2 4QP  01225 335649


Re: Software "glitch" changes the colour of the universe

<dsiebert@excisethis.khamsin.net (Douglas Siebert)>
Sat, 30 Mar 2002 20:19:21 +0000 (UTC)
  (Mellor, RISKS-21.98)

And since then they have announced that they weren't calculating it
correctly (an algorithm error, as opposed to a software glitch) and that it
is in fact salmon.  I think it's safe to say that these guys really have no
idea what color the universe is.  Looks mostly black to me, maybe I'm
looking in the wrong direction :)

Douglas Siebert                          dsiebert@excisethis.khamsin.net


Re: Loosing It's Grammer Skill's (RISKS-21.94-96)

<Bruce Wampler <bruce@objectcentral.com>>
Fri, 29 Mar 2002 14:06:13 -0700

The current discussion on Spelling/Grammar prompts me to add some comments
from my personal, first-hand perspective on the issue. I was the original
developer of one of the first successful commercial grammar checkers -
Grammatik.  The major development of grammar checkers was at its peak in the
late 1980's and early 1990's.

One of the most distressing things to me is the fact that the quality of
both spelling and grammar checking software available today is no better
than it was almost 10 years ago. How did this happen?

It may be hard to remember, but as recently as 1993 or 1994, you still had a
real choice of what word processor you used. Today, Microsoft has a virtual
monopoly with Word.  In 1992, Microsoft decided that the state of grammar
checking had gotten both good and essential enough that one should be
integrated with Word. This decision has had many effects on the state of
grammar checking.

In 1992, there were at least four grammar checkers available that could be
considered state of the art, or nearly so. Microsoft chose one, and
WordPerfect followed their lead by acquiring my company. The other companies
faded into oblivion, with the ultimate result that, after a couple of years,
there was no major new R&D going on with English grammar checking (to the
best of my knowledge).

Because of this chain of events, the grammar checker you get today in Word
is not significantly better than the grammar checker you might have used
almost 10 years ago. This is really sad because we were making great
improvements in the quality and accuracy of the software, and had the
development continued, there is little doubt that many of the deficiencies of
grammar checking would have been overcome.

Unfortunately, as long as Microsoft considers the current grammar checking
good enough, and as long as Word remains the dominant word processor, there
will be little or no incentive for anyone to independently develop better
grammar checkers. The RISK in this? Monopoly and complacency.

(This note has been spell checked, but not grammar checked. No grammar
checking available for my e-mail software...)

Bruce E. Wampler, Ph.D., Author of the V C++ GUI Framework
bruce@objectcentral.com  http://www.objectcentral.com


Re: The RISK of ignoring permission letters (Blaak, RISKS-21.98)

<Edward Reid <edward@paleo.org>>
Sun, 31 Mar 2002 10:06:44 -0500

> Does this not have direct precedence with snail mail? I am imagining CD
> clubs here. You can't be legally obligated by anything that you receive in
> the mail and just throw away.

However, at least in the US it took legislation to establish the
principle that receipt of unsolicited merchandise incurs no obligation
on the recipient. I think this occurred roughly 40 years ago, but I
don't have a reference and a quick search on "unsolicited merchandise"
makes it apparent that there are now many relevant laws.

Before such legislation was enacted, some merchants sent merchandise
unsolicited and then dunned the unwilling recipients for payment unless
they paid for return shipping. I don't know whether such merchants
could actually collect in the face of determined opposition, but in
most cases the individual recipient simply didn't have the resources to
contest the bill.

If there's a lesson to be learned from the parallel between snail mail
and e-mail, it's that individuals often need to be empowered by
legislation to effectively resist commercial abuse.


REVIEW: "Computer Forensics", Warren G. Kruse II/Jay G. Heiser

<Rob Slade <rslade@sprint.ca>>
Tue, 26 Mar 2002 07:45:49 -0800

BKCMPFRN.RVW   20020221

"Computer Forensics", Warren G. Kruse II/Jay G. Heiser, 2001,
0-201-70719-5, U$39.99/C$59.95
%A   Warren G. Kruse II wkruse@monmouth.com
%A   Jay G. Heiser
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2002
%G   0-201-70719-5
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$59.95 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%P   392 p.
%T   "Computer Forensics: Incident Response Essentials"

I'm still disappointed that authors seem to think computer forensics is
limited to data recovery, but this work at least has utility value going for
it.

Chapter one is a rough outline of data recovery, with an emphasis on
documentation and the chain of evidence.  Basic information about IP
addressing, for the purpose of tracing intruders, is given in chapter two:
it is useful and does not drown the reader in inconsequential details.
(There is an oddly vitriolic dismissal of the story of the origin of the
term for Packet INternet Groper.)  A valuable discussion of e-mail headers,
and a very terse outline of intrusion detection systems (IDS) are also
included.  Hard drive basics and concepts are given in chapter three.  The
material is generally good, but some points on imaging and connecting are
passed over rather quickly.  Chapter four has a reasonable high-level
overview of encryption abstractions, but it is difficult to see the
immediate relevance of the material to forensics.  "Data Hiding," chapter
five, contains some meandering topics that range from password cracking to
NTFS (NT File System) streams to steganography.  A few tools for dealing
with these problems are listed.  The description of hostile code, in chapter
six, matches that of weeds in gardening: anything you don't want.  It is,
therefore, unsurprising to find that the content, while basically sound, is
not particularly structured or helpful.

A list of software (and some hardware) tools are described in chapter seven.
Chapter eight explains a number of points about the Windows operating system
that might affect data recovery and forensics.  (The material discussed is
not, unfortunately, exhaustive, although it is very useful as far as it
goes.)  The introduction to UNIX, in chapter nine, is more structured and
detailed, although it examines fewer specific tools.  Chapter ten's general
overview of an attack on a UNIX system is fairly standard, although there is
a useful table of commonly compromised system utilities.  A wide variety of
tools and commands for collecting information from and about UNIX systems is
given briefly in chapter eleven.

Chapter twelve is a short introduction to general concepts in the (US) law
enforcement system.  The last chapter is a rather abrupt finish to the book.
There are seven appendices, the most useful of which is a handy point form
overview of incident response activities.

Computer forensics books are starting to come out of the woodwork, and most
offer such sage advice as "gather evidence" and "don't mess up the chain of
custody."  This book does tend to follow the same style and tone, but also
has very valuable tips for practical work.  It won't help you much in
analysis, but it will help you become better at collecting data that will
stand up in court.

copyright Robert M. Slade, 2002   BKCMPFRN.RVW   20020221
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Black Hat CFP

<Jack Holleran <Holleran@severnapark.com>>
Wed, 3 Apr 2002 13:17:21 -0500

Papers and presentations are now being accepted for the Black Hat Briefings
2002 conference. The conference is held from July 31-August 1, 2002 at the
Caesars Palace Hotel and Resort in Las Vegas, NV, USA. Papers and requests
to speak will be received and reviewed until May 1, 2002.

Please read the full announcement at:
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-cfp.html
