In a new report called "Bigger Monster, Weaker Chains," the American Civil Liberties Union says that there is a rapidly growing "American Surveillance Society" brought about by "a combination of lightning-fast technological innovations and the erosion of privacy protections" threatening "to transform Big Brother from an oft-cited but remote threat into a very real part of American life." This "surveillance monster" includes, among other things, cameras monitoring public spaces, proposals for databases filled with personal information on U.S. citizens, and anti-terrorist legislation allowing the government to demand that libraries turn over reading histories of their patrons. Yet the report asserts that these monsters don't even have to be real for them to be terrifying: "It is not just the reality of government surveillance that chills free expression and the freedom that Americans enjoy. The same negative effects come when we are constantly forced to wonder whether we might be under observation." [AP/*USA Today* 16 Jan 2003; NewsScan Daily, 16 Jan 2003] http://www.usatoday.com/tech/news/2003-01-16-privacy-threats_x.htm
Michelin plans to embed technology in its tires that would allow the tires to communicate wirelessly to the car, sending pressure readings, etc., to the dashboard computer, using an antenna and an integrated circuit the size of a match head. Proponents of such RFID tags, which store, send and receive data through weak radio signals, believe they will one day replace bar codes and revolutionize the way that inventories are tracked and consumer products are designed once their price falls far enough. [Source: Reuters item 14 Jan 2003; PGN-ed] http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2045403 [Also noted by Richard M. Smith]
MIT graduate students Simson Garfinkel and Abhi Shelat bought 158 hard drives at second hand computer stores and eBay over a two-year period, and found that more than half of those that were functional contained recoverable files, most of which contained "significant personal information." The data included medical correspondence, love letters, pornography and 5,000 credit card numbers. The investigation calls into question PC users' assumptions when they donate or junk old computers -- 51 of the 129 working drives had been reformatted, and 19 of those still contained recoverable data. The only surefire way to erase a hard drive is to "squeeze" it -- writing over the old information with new data, preferably several times -- but few people go to the trouble. The findings of the study will be published in the IEEE Security & Privacy journal Friday. [AP 16 Jan 2003; Newsscan Daily, 16 Jan 2003] http://apnews.excite.com/article/20030116/D7OJBBBG0.html
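An added illustration (not code from the study or from this digest) of why a reformatted drive can still hold recoverable data while an overwritten one does not. The toy "directory sector plus data sectors" image, the file names and the card numbers (standard test numbers) are all constructed for the example; it models no real filesystem.

```python
import os
import re

SECTOR = 512
ENTRY = 32  # constructed directory entry: 16-byte name, 4-byte offset, 4-byte length, padding


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def build_image() -> bytearray:
    """Constructed toy volume: sector 0 is the directory, file data follows."""
    img = bytearray(SECTOR * 8)
    files = {
        b"ORDERS.TXT": b"card=4111111111111111 exp=01/05\n",
        b"LETTER.TXT": b"ref 1234567890123456, card 4012888888881881\n",
    }
    for n, (name, body) in enumerate(files.items()):
        start = SECTOR * (1 + 2 * n)
        img[start:start + len(body)] = body
        entry = name.ljust(16, b"\0") + start.to_bytes(4, "little") + len(body).to_bytes(4, "little")
        img[n * ENTRY:n * ENTRY + len(entry)] = entry
    return img


def list_files(img) -> list:
    """What the operating system shows: names read from the directory sector."""
    names = []
    for off in range(0, SECTOR, ENTRY):
        name = bytes(img[off:off + 16]).rstrip(b"\0")
        if name:
            names.append(name.decode())
    return names


def quick_format(img) -> None:
    """Model of a reformat: only the directory metadata is rewritten."""
    img[0:SECTOR] = bytes(SECTOR)


def overwrite(img, passes: int = 3) -> None:
    """Write new data over every sector; the last pass leaves zeros."""
    for p in range(passes):
        img[:] = os.urandom(len(img)) if p < passes - 1 else bytes(len(img))


def carve_card_numbers(img) -> list:
    """Sanitization check: scan raw sectors, ignoring the directory entirely."""
    hits = []
    for m in re.finditer(rb"(?<!\d)\d{13,16}(?!\d)", bytes(img)):
        digits = m.group().decode()
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    disk = build_image()
    quick_format(disk)
    print("after reformat :", list_files(disk), carve_card_numbers(disk))
    overwrite(disk)
    print("after overwrite:", list_files(disk), carve_card_numbers(disk))
```

Running the same raw scan before a machine leaves your hands is the practical check: an empty directory listing says nothing about what the data sectors still contain.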
A 15-year-old girl suffered second-degree burns to her hands and thighs after the laptop she was using exploded. [Source: Tim Richardson, *The Register*, 16 Jan 2003 ] http://www.theregister.co.uk/content/54/28899.html
A story widely reported in the UK news today (Thursday 16/1/2003) e.g. http://www.guardian.co.uk/uk_news/story/0,3604,875749,00.html and also http://www.telegraph.co.uk/news/main.jhtml?xml=/opinion/news/2003/01/16/ncash16 regarding a family who discovered errors in a cash machine whose software had recently been upgraded. They were able to obtain unlimited cash from the machine (some 135,000 pounds) by typing in random PIN numbers. An issue not included in all the reports was that the family allegedly contacted the building society to report the error (this was reported in the print edition of the Metro, a free newspaper supplied on the UK's public transport infrastructure). Only when the society failed to take action did the family begin exploiting the error. The risk here (assuming the family did indeed report the fault) would be the failure of the society to implement remedial action when notified of a problem, perhaps due to a lack of procedure for handling such information. This is quite apart from the clearly inadequate testing of the software added to the cash machine in the first place.
I don't know if this has been covered before, but I have a correspondence going with someone who uses Exchange for his mail. I have a procmail filter that files mail containing an html tag (the opening html identifier, not just any html tag) in a box labelled spam, which I then peruse about weekly. (and just discards any containing both an html and script tag...) He complains that I don't answer him timely, and that he has configured his mailer to not send html. This appears to be the case; his messages to me are not put in html form. The zinger here is that my quoted message in his reply is in html form, identified as "converted from text/plain", (in the DTD line, I found the conversion having been done by the exchange server) "We're Microsoft, and we're here to help you"... I don't know if he can suppress that one, either; perhaps by not quoting my incoming message (which should be edited anyhow; I don't like postquotes since they tend to grow uncontrollably).
I sometimes wonder why some sites use 128 bit encryption. For example: I just ordered my credit report from Equifax (www.equifax.com). When I completed the order, it sent me to the order confirmation page with my username and password as clear text in the URL. The next day I get an e-mail confirming my order with my password in plain text. RISKS are obvious.
Lexmark lawsuit seeks to defend intellectual property rights while preserving customers' rights to choose

As a result of a Lexmark International, Inc. lawsuit against Static Control Components, Inc., for violation of the Copyright Act and the Digital Millennium Copyright Act, the federal district court in Lexington, Ky., issued a temporary order - agreed to by Static Control - requiring Static Control to immediately cease making, selling, or otherwise trafficking in the "Smartek(TM)" microchip for the toner cartridges developed for the Lexmark T520/522 and T620/622 laser printers. The order is in effect until Lexmark's motion for a preliminary injunction is heard by the Court. Lexmark's complaint alleges that the Smartek(TM) microchips incorporate infringing copies of Lexmark's copyrighted software and are being sold by Static Control to defeat Lexmark's technological controls, thereby allowing the unauthorized access to Lexmark's protected software programs and the unauthorized remanufacturing of Lexmark "Prebate(TM)" toner cartridges. [Source: PRNewswire-FirstCall, 9 Jan 2003; PGN-ed] http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/01-09-2003/0001869517
[I've copied the attorneys for the plaintiffs in case they wish to reply to Fred. For their reference: Politech is a moderated discussion forum populated by many members of the legal community, and I attempt to include all reasonable, well-stated views. --Declan]

Date: Wed, 15 Jan 2003 18:48:21 -0800
Subject: DMCA v garage door openers
From: Fred von Lohmann EFF <firstname.lastname@example.org>
To: Declan McCullagh <email@example.com>

In the latest bit of DMCA lunacy, copyright guru David Nimmer turned me onto a case that his firm is defending, where a garage door opener company (The Chamberlain Group) has leveled a DMCA claim (among other claims) against the maker of universal garage door remotes (Skylink). Yet another case where the anti-circumvention provisions of the DMCA are being used to impede legitimate competition, similar to the Lexmark case. Not, I think, what Congress had in mind when enacting the DMCA.

The Complaint: http://www.eff.org/IP/DMCA/20030113_chamberlain_v_skylink_complaint.pdf
The Amended Complaint: http://www.eff.org/IP/DMCA/20030114_chamberlain_v_skylink_amd_complaint.pdf
The Summary Judgment Motion: http://www.eff.org/IP/DMCA/20030113_chamerlain_v_skylink_motion.pdf

Attorneys for Skylink are (both at the Orange County offices of Irell & Manella, a large law firm): "Nobles, Kimberley" <KNobles@irell.com> "Greene, Andra" <AGreene@irell.com>

Fred von Lohmann, Senior Intellectual Property Attorney, Electronic Frontier Foundation firstname.lastname@example.org +1 (415) 436-9333 x123
Shouldn't a warning that "Computer users will be plagued with a host of new viruses this year" be taken with a grain of salt when it comes from a company whose business is selling anti-virus software?
BKBUSCSW.RVW 20021124

"Building Secure Software", John Viega/Gary McGraw, 2002, 0-201-72152-X, U$54.99/C$82.50
%A John Viega www.buildingsecuresoftware.com
%A Gary McGraw www.buildingsecuresoftware.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2002
%G 0-201-72152-X
%I Addison-Wesley Publishing Co.
%O U$54.99/C$82.50 416-447-5101 fax: 416-443-0948
%O http://www.amazon.com/exec/obidos/ASIN/020172152X/robsladesinterne
%P 493 p.
%T "Building Secure Software: How to Avoid Security Problems the Right Way"

The "right way" of the subtitle is, of course, designing and building a product correctly the first time. The preface states that the book is concerned with broad principles of systems development, and so does not cover specialized topics such as code authentication and sandboxing. It also points out that software vendors are effectively exempt from liability, and so have no reason to produce secure or reliable software. Chapter one is an introduction to software security, with an overview of related topics and considerations. Managing software security risks, in chapter two, looks at good practices in the system development life cycle, the position of the security engineer in development, and standards. The authors point out problems in common security "solutions," mostly dealing with authentication, in chapter three. The common myths about the security of open and closed source systems are examined in chapter four. Instead of a checklist of thousands of security items (that likely won't be of much use anyway), chapter five presents ten guiding principles which will probably catch most problems. The list is not a panacea: the first principle is to secure the weakest link, and it takes lots of forethought to design for this type of factor in advance. Auditing software, in chapter six, is more about security assessments being conducted at various stages in the process, for example, using attack trees at the design stage.
The preface states that the book is divided into two parts, conceptual and implementation, and, although there is no formal division, this is probably the beginning of part two. Chapter seven looks at buffer overflows, always and still the most common software security problem. This book, it must be assumed, is written primarily for a programming audience, and yet the first part has presented concepts very clearly without necessarily getting into code examples. At this point, however, the material is definitely written for advanced C (and specifically UNIX) programmers, and the basic concepts are sometimes hidden in the details. Access control, primarily in UNIX systems, although with some mention of special capabilities in Windows NT, is the topic of chapter eight. Chapter nine deals with race conditions, including the familiar "time of check versus time of use" problem, although most of the material is limited to file access concerns. There is an excellent and thorough discussion of pseudo random number generation in chapter ten. Applying cryptography, in chapter eleven, stresses the fact that you shouldn't "roll your own," helps out by reviewing publicly available cryptographic code libraries, and even examines the drawbacks of one-time pads. Managing trust and input validation, in chapter twelve, emphasizes input concerns to the point that an important element is possibly buried: in the modern environment, you not only have to trust the goodwill of an entity, but also its ability to defend itself, so as not to become part of an attack against you. Password authentication, in chapter thirteen, promotes randomly chosen passwords. Given a work directed at programming I suppose this is understandable, but recent research has shown that "well chosen" passwords are as easy to remember as naive, and as secure as random.
Chapter fourteen is an overview of the basic aspects of database security, although it only touches on the more advanced topics of this specialized field. Client-side security concentrates on copy protection and other anti-piracy measures in chapter fifteen. Some means of establishing a connection through a firewall are examined in chapter sixteen. While I can understand and sympathize with the desire to give examples of specific code in dealing with implementation details, there are a number of major concepts covered in the latter part of the book which would have been more accessible to non-programmers had they been dealt with as tutorially as in the first part. Still, the book has a great deal to teach programmers about security and reliability, and security professionals about the requirements of the development process. copyright Robert M. Slade, 2002 BKBUSCSW.RVW 20021124 email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKNTWSEC.RVW 20021106

"Network Security", Charlie Kaufman/Radia Perlman/Mike Speciner, 2002, 0-13-046019-2, U$54.99/C$85.99
%A Charlie Kaufman email@example.com
%A Radia Perlman firstname.lastname@example.org
%A Mike Speciner email@example.com
%C One Lake St., Upper Saddle River, NJ 07458
%D 2002
%G 0-13-046019-2
%I Prentice Hall
%O U$54.99/C$85.99 201-236-7139 fax 201-236-7131 firstname.lastname@example.org
%O http://www.amazon.com/exec/obidos/ASIN/0130460192/robsladesinterne
%P 713 p.
%T "Network Security: Private Communication in a Public World, 2e"

For communications security, this is the text. As well as solid conceptual background of cryptography and authentication, there is overview coverage of specific security implementations, including Kerberos, PEM (Privacy Enhanced Mail), PGP (Pretty Good Privacy), IPsec, SSL (Secure Sockets Layer), AES (Advanced Encryption Standard), and a variety of proprietary systems. Where many security texts use only UNIX examples, this one gives tips on Lotus Notes, NetWare, and Windows NT. Chapter one is an introduction, with a brief primer on networking, some reasonable content on malware, and basic security models and concepts. Part one deals with cryptography. The foundational concepts are covered in chapter one. Symmetric encryption, in chapter three, is presented in terms of the operations of DES (Data Encryption Standard), IDEA (International Data Encryption Algorithm), and AES. Chapter four details the major modes of DES. The algorithms for a number of hash functions and message digests are described in chapter five. Asymmetric algorithms, such as RSA (Rivest-Shamir-Adleman) and Diffie-Hellman, are explained in chapter six, although one could wish for just slightly more material, such as actual numeric computations, that might reach a wider audience. The number theory basis of much of modern encryption is provided as well, in chapter seven. More, including a tiny bit on elliptic curves, is given in chapter eight.
Part two covers authentication. The general problems are outlined in chapter nine. Chapter ten looks at the traditional means of authenticating people: something you know, have, or are. Various problems in handshaking are reviewed in chapter eleven. Chapter twelve describes some strong protocols for passwords. Part three examines a number of security standards. Kerberos gets two whole chapters, since we are provided with not only concepts but actual packets: version 4 in thirteen and 5 in fourteen. PKI (Public Key Infrastructure) terms, components, and mechanisms are outlined in chapter fifteen. The basic problems in real-time communications security are delineated in chapter sixteen. Chapter seventeen examines the authentication and encryption aspects of IPsec, while chapter eighteen deals with key exchange packets. SSL and TLS (Transport Layer Security) are described in chapter nineteen. Part four concentrates on electronic mail. Chapter twenty lays out the major concerns and problems. Chapter twenty one discusses PEM and S/MIME (Secure Multipurpose Internet Mail Extensions). PGP is covered in chapter twenty two. Part five contains miscellaneous topics. Chapter twenty three looks at firewalls, twenty four at a variety of specific security systems, and twenty five at Web issues. Folklore, in chapter twenty six, briefly lists a number of simple "best practices" that aren't generally part of formal security literature. The explanations are thorough and well written, with a humour that illuminates the material rather than obscuring it. The organization of the book may be a bit odd at times (the explanation of number theory comes only after the discussion of encryption that it supports), but generally makes sense. (It is, sometimes, evident that later text has created chapters that are slightly out of place.) The end of chapter "homework" problems are well thought out, and much better than the usual reading completion test. 
If there is a major weakness in the book, it is that the level of detail seems to vary arbitrarily, and readers may find this frustrating. Overall, though, this work provides a solid introduction and reference for network security related topics and technologies. copyright Robert M. Slade, 1996, 2002 BKNTWSEC.RVW 20021106 email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKWBSPCM.RVW 20021106

"Web Security, Privacy and Commerce", Simson Garfinkel/Gene Spafford, 2002, 0-596-00045-6, U$44.95/C$67.95
%A Simson Garfinkel email@example.com
%A Gene Spafford firstname.lastname@example.org
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 2002
%G 0-596-00045-6
%I O'Reilly & Associates, Inc.
%O U$44.95/C$67.95 800-998-9938 707-829-0515 email@example.com
%O http://www.amazon.com/exec/obidos/ASIN/0596000456/robsladesinterne
%P 756 p.
%T "Web Security, Privacy and Commerce"

Anyone who does not know the names Spafford and Garfinkel simply does not know the field of data security. The authors, therefore, are well aware that data security becomes more complex with each passing week. This is, after all, the second edition of what was originally published under the title "Web Security and Commerce," and, while it is still recognizable as such, the work is essentially completely re-written. The authors note, in the Preface, that the book cannot hope to cover all aspects of Web security, and therefore they concentrate on those topics that are absolutely central to the concept, and/or not widely available elsewhere. Works on related issues are suggested both at the beginning and end of the book. A greatly expanded part one introduces the topic, and the various factors involved in Web security. Chapter one is a very brief overview of Web security considerations and requirements, with some material on general security concepts and risk analysis. The underlying architecture of the Web is examined in chapter two, although this is basically limited to Internet structures. (While the material is quite informative, perhaps some examples of HTTP [HyperText Transfer Protocol] would add value.) Cryptography is explained reasonably well in chapter three: there is no in-depth discussion of cryptographic algorithms, but these details can be readily found in other works. Chapter four deals with cryptographic uses, and also with legal restrictions.
The concepts and limitations of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are given in chapter five, although the operational details are not covered. Chapter six starts out with a general discussion of identification and authentication, but then gets bogged down in the details of using PGP (Pretty Good Privacy). The coverage of digital certificates, in chapter seven, is likewise constricted by a dependence upon system technicalities. Part two concerns the user. Chapter two looks at the various possible problems with browsers, not all of which are related to Web page programming. Chapter eight looks analytically at the possible invasions of privacy that can occur on the Web. Some non-technical techniques of protecting your privacy, such as good password choice, are described in chapter nine, with various technical means listed in chapter ten. Chapter eleven reviews backups and some physical protection systems. ActiveX and the limitations of authentication certificates, as well as plugins and Visual Basic, are thoroughly explored in chapter twelve. Java security is only marginally understood by many "experts," and not at all by users, so the coverage in chapter thirteen is careful to point out the difference between safety, security, and the kind of security risks that can occur even if the sandbox *is* secure. Part three details technical aspects of securing Web servers. Chapter fourteen looks at physical security and disaster recovery measures. Traditional host security weaknesses are reviewed in chapter fifteen. Rules for secure CGI (Common Gateway Interface) and API (Application Programmer Interface) programming are promulgated in chapter sixteen, along with tips for various languages. More details on the server-side use of SSL are given in chapter seventeen. Chapter eighteen looks at specific strengthening measures for Web servers. Your legal options for prosecuting a computer crime are reviewed in chapter nineteen.
Commercial and societal concerns in regard to content are major areas in Web security, so part six reviews a number of topics related to commerce, as well as other social factors. Chapter twenty discusses a number of technical access control technologies, by system. Obtaining a client-side certificate is described in chapter twenty one. Microsoft's Authenticode system is reviewed yet again in chapter twenty two. Censorship and site blocking are carefully examined in chapter twenty three. Privacy policies, systems, and legislation are reviewed in chapter twenty four. Chapter twenty five looks at current non-cash payment systems, and the various existing, and proposed, digital payment systems for online commerce. Having already studied criminal problems earlier, the book now turns to civil and intellectual property issues, such as copyright, in chapter twenty six. Although it has almost nothing to do with Web security as such, I very much enjoyed Appendix A, Garfinkel's recounting of the lessons learned in setting up a small ISP (Internet Service Provider). (I suppose that this could be considered valid coverage of Web commerce.) The other appendices are more directly related to the topic, including the SSL protocol, the PICS (Platform for Internet Content Selection) specification, and references. Although the material has been valuably expanded and updated, some of the new content is less worthwhile. The extensive space given to specific products will probably date quickly, although the surrounding conceptual text will continue to provide helpful guidance. Certainly for anyone dealing with Web servers or running ISPs, this is a reference to consider seriously. copyright Robert M. Slade, 1998, 2002 BKWBSPCM.RVW 20021106 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade