The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 71

Saturday 3 May 2003


OpenBSD release protects against buffer-overflow attacks
SANS via Monty Solomon
Prescription error
Monty Solomon
Spelling checker renames Amritsar to AmriCzar
David J. Aronson
Kellogg's American Airlines online sweepstakes swept away
Pilots fail exams
Jill Treu
Inside Cisco's eavesdropping apparatus
Declan McCullagh via Monty Solomon
Internet fraud complaints triple
Bogus Internet domain-name renewal offers
Network Solutions via PGN
Spammers use viruses to hijack computers
Breastfeeding mothers, avoid Continental
Meng Weng Wong via Dave Farber
Re: NCIC database accuracy requirements
John Beattie
Re: Friendly Fire
Jan C. Vorbrueggen
REVIEW: "Firewalls and Internet Security", Cheswick/Bellovin/Rubin
Rob Slade
REVIEW: "Inside the Security Mind", Kevin Day
Rob Slade
Info on RISKS (comp.risks)

OpenBSD release protects against buffer-overflow attacks (SANS)

<Monty Solomon <>>
Sun, 20 Apr 2003 22:28:52 -0400

Excerpt from
	SANS NewsBites April 16, 2003 Vol. 5, Num. 15

The most recent release of OpenBSD should eliminate buffer overflows,
according to the group's project leader. The group took three approaches to
hardening the software. First, the location of the stack in memory is
randomized. Second, the team added a tag to the memory structure that will
detect address modifications. Finally, they managed to divide the main
memory into two sections: writable and executable; the pieces of data and
programs, called "pages", would be stored in one or the other section,
ensuring that no page is writable and executable at the same time.

[Editor's Note (Gene Schultz): Many kudos are in order here.  If what the
OpenBSD people are doing really works, they will put considerable pressure
on other vendors and developers to do the same.  Buffer overflow problems
continue to plague operating systems and applications. Eliminating this
category of vulnerabilities would be a major victory for the information
security arena.

(Schneier): It's great to see this kind of approach to buffer
overflows. This is an example of building in security instead of trying to
patch it afterwards.

(Ranum): It's GREAT to see that at least a few people are smart enough to
try to attack problems like this systemically, rather than keeping stuck in
the fruitless "penetrate and patch" while loop. This is how to make progress
in security: fundamental protections.

(Shpantzer): Initiatives like this should be taught as case studies
in computer science courses at the undergraduate level.

Prescription error

<Monty Solomon <>>
Tue, 8 Apr 2003 02:57:07 -0400

I recently had a prescription filled that was written for 60 pills with 4
refills.  The pharmacist made a data-entry mistake, and the prescription was
entered for 60 pills with 60 refills!

Because prescriptions are valid for a year, the pharmacy computer could have
detected the error and alerted the pharmacist.  But, in this case, the
prescription was printed by my doctor's computer so the issue of reading the
doctor's handwriting was not an issue.

The pharmacist may be used to finding the number of refills in a specific
place on the prescription and the computer generated prescription might have
the number of refills and quantity of pills in unusual places.  The
prescription was laser printed in the corner of a standard 8.5" x 11" piece
of paper so the form factor of the prescription was also non-standard.

  [I suppose Monty was lucky the fields were not transposed.
  Imagine having a prescription for 60 refills of 4 pills each.  PGN]

Spelling checker renames Amritsar to AmriCzar

<"David J. Aronson" <>>
Tue, 29 Apr 2003 11:53:15 -0400

A Reuters news story written yesterday ("Revenge Behind Air India Bombing,
Court Told", by Allan Dowd) included mention of "the Golden Temple in the
city of AmriCzar".  Google-ing AmriCzar revealed eight hits, compared to the
about 141,000 of the correct spelling.  (That, as you may have guessed, is
Amritsar.)  The six shown (two other similar hits were omitted) are: articles/A58594-2003Mar7.html asia/itemsonconflict.htm

(Note that some of these are quoting Reuters articles!)

At a guess, the cause seems to have been blind string-matching without
regard for context, including whether the string was part of a larger word.

The RISK?  Fortunately, just mild embarrassment in this case, and even that
is assuming that the IT folks at Reuters ever catch wind of this.  However,
we've seen worse consequences reported here before due to similar "help",
even when the "correction" is limited to spelling....

David J. Aronson, Software Engineer for hire in Washington DC area.
See for online resume, references, etc.

  [Roto-reuters strike again.  PGN]

Kellogg's American Airlines online sweepstakes swept away

<"Peter G. Neumann" <>>
Wed, 30 Apr 2003 16:07:58 PDT

The Kellogg Company ("cereal giant") began a two-month sweepstake intended
to give away one grand prize of 25,000 American Airlines' AAdvantage miles
each day for 60 days.  Unfortunately, due to a "computer glitch", several
thousand people were erroneously notified by e-mail that they were winners
-- and then later notified that the earlier e-mail was in error but that
they would receive 500 miles as a goodwill gesture.  [Source: AP item, 29
Apr 2003; PGN-ed]

Pilots fail exams

<"Treu, Jill" <>>
Wed, 23 Apr 2003 11:10:42 -0400

  [For those readers who wonder about why this item is relevant to RISKS,
  please remember that technology usually depends on a lot of people.  PGN]

The pilots couldn't pass the psychological and physical tests to be allowed
to carry a firearm --- but flying huge planes full of people is OK.  Oh, this
makes so much sense! The risks should be obvious.

  Four pilots did not finish gun training.  Four of the 48 veteran airline
  pilots who began the government's first training course for pilots wishing
  to carry guns in the cockpit were rejected after they failed at least one
  of the battery of required background checks, psychological exams and
  firearms tests.  Officials said the four rejections showed that the
  government was serious about providing guns only to pilots who were
  psychologically and physically fit to carry firearms in flight and defend
  their planes against attackers.  The bill permitting airline pilots to
  carry guns was passed by Congress last year, a legacy of the hijackings on
  11 Sep 2001, over the serious objections of senior members of the Bush
  administration and some members of Congress.  [Source: *The New York
  Times*, 22 Apr 2003]

Inside Cisco's eavesdropping apparatus (from Declan McCullagh)

<Monty Solomon <>>
Tue, 22 Apr 2003 02:26:16 -0400

By Declan McCullagh, 21 Apr 2003

Cisco Systems has created a more efficient and targeted way for police and
intelligence agencies to eavesdrop on people whose Internet service provider
uses their company's routers.

The company recently published a proposal that describes how it plans to
embed "lawful interception" capability into its products. Among the
highlights: Eavesdropping "must be undetectable," and multiple apolice
agencies conducting simultaneous wiretaps must not learn of one another. If
an Internet provider uses encryption to preserve its customers' privacy and
has access to the encryption keys, it must turn over the intercepted
communications to police in a descrambled form.

Cisco's decision to begin offering "lawful interception" capability as an
option to its customers could turn out to be either good or bad news for

Because Cisco's routers currently aren't designed to target an individual,
it's easy for an Internet service provider (ISP) to comply with a police
request today by turning over all the traffic that flows through a router or
switch. Cisco's "lawful interception" capability thus might help limit the
amount of data that gets scooped up in the process.

On the other hand, the argument that it hinders privacy goes like this: By
making wiretapping more efficient, Cisco will permit governments in other
countries -- where court oversight of police eavesdropping is even more
limited than in the United States -- snoop on far more communications than
they could have otherwise.

Marc Rotenberg, head of the Electronic Privacy Information Center, says: "I
don't see why the technical community should hardwire surveillance standards
and not also hardwire accountability standards like audit logs and public
reporting. The laws that permit 'lawful interception' typically incorporate
both components -- the (interception) authority and the means of
oversight -- but the (Cisco) implementation seems to have only the
surveillance component. That is no guarantee that the authority will be used
in a 'lawful' manner."

U.S. history provides many examples of government and police agencies
conducting illegal wiretaps. The FBI unlawfully spied on Eleanor Roosevelt,
Martin Luther King Jr., feminists, gay rights leaders and Catholic
priests. During its dark days, the bureau used secret files and hidden
microphones to blackmail the Kennedy brothers, sway the Supreme Court and
influence presidential elections. Cisco's Internet draft may be titled
"lawful interception," but there's no guarantee that the capability will
always be used legally.

Still, if you don't like Cisco's decision, remember that they're not the
ones doing the snooping. Cisco is responding to its customers' requests, and
if they don't, other hardware vendors will.

If you're looking for someone to blame, consider Attorney General John
Ashcroft, who asked for and received sweeping surveillance powers in the USA
Patriot Act, along with your elected representatives in Congress, who gave
those powers to him with virtually no debate.

I talked with Fred Baker, a Cisco fellow and former chairman of the Internet
Engineering Task Force (IETF), about his work on the "lawful interception"
draft.  ...

Internet fraud complaints triple

<"NewsScan" <>>
Thu, 10 Apr 2003 08:15:43 -0700

Complaints about fraudulent schemes perpetrated over the Internet tripled in
2002 from the previous year, with the most common grievance being auction
fraud, followed by non-delivery of promised merchandise, credit card fraud
and fake investments. According to a report from the Internet Fraud
Complaint Center, which is run by the FBI and the National White Collar
Crime Center, the 48,252 complaints referred for prosecution in 2002
represent only a fraction of the crimes authorities believe are occurring.
The center also received almost 37,000 other complaints that did not
constitute fraud, but involved such things as spam, illegal child
pornography and computer intrusions. The report says 80% of known fraud
perpetrators and about 71% of complainants are male. Fraud complaints
originated in all parts of the country, with a third coming from California,
Florida, Texas and New York. One of the most persistent scams described in
the report is the infamous "Nigerian letter," which urges victims to pay an
upfront fee (characterized as a bribe to the government) in order to receive
non-existent funds from the "Government of Nigeria."  There were 16,000
complaints related to that scam in 2002, up from 2,600 in 2001. [AP, 9 Apr
2003; NewsScan Daily, 10 Apr 2003]

Bogus Internet domain-name renewal offers

Wed 23 Apr 2003

The following CUSTOMER SERVICE ANNOUNCEMENT warns of bogus e-mail offering
domain renewals.

> Date: Tue, 22 Apr 2003 19:51:59 -0400
> From: "Network Solutions, Inc." [...]
> Subject: Customer Renewal Warning

> Dear Network Solutions(R) Customer,

> We recently learned that our customers are receiving domain name renewal
> notices from companies falsely representing themselves as Network
> Solutions.  These notices inform customers that their domain name
> registration is due to expire and provides instructions on how to renew.

> If you receive a renewal notice you do not believe is from Network
> Solutions or if you have an unauthorized vendor listed on your credit card
> statement for 'domain name renewal,' please contact us immediately [...].

Spammers use viruses to hijack computers

<"NewsScan" <>>
Wed, 30 Apr 2003 08:46:57 -0700

As efforts to tackle junk e-mail ramp up, unscrupulous spammers increasingly
are hiding their identities by taking over innocent users' accounts using
e-mail messages that resemble computer viruses. Like many other viruses,
these programs exploit weaknesses in Microsoft's popular Outlook e-mail
package. One of the first hijacking programs to emerge was called "Jeem,"
which contained a hidden e-mail engine that enabled it to route messages via
the infected computer. Another, called Proxy-Guzu, comes as a spam message
with an attachment. When the unsuspecting recipient clicks on the
attachment, the computer contacts a Hotmail account and transmits
information about the infected machine, making it possible to route e-mail
through that machine. "Spammers are beginning to use virus-like techniques
to cover themselves," says Larry Bridwell, content security programs manager
at ICSA Labs. "Spam is one of the two things that the security industry is
going to be asked to deal with. The other is adware or spyware." [BBC News
30 Apr 2003; NewsScan Daily, 30 Apr 2003]

Breastfeeding mothers, avoid Continental (via Dave Farber's IP)

<Meng Weng Wong <>>
Tue, 22 Apr 2003 10:50:54 -0400

Deborah Wolfe, a Canadian citizen who was just breast-feeding her son and
changing his diaper while en route between Houston and Vancouver, says her
"subversive" actions led to her being threatened with detainment, RCMP
involvement and legal charges for terrorist action against a U.S. citizen in
international airspace while on an American flight during a time of war.
...  Wolfe says she refused a flight attendant's offer of an airline blanket
to hide herself because it hadn't been sealed and, given the SARS scare,
she'd rather use her own things. Thus, unbeknownst to her, a "Level 1" crew
complaint was filed.  ...  She says the flight attendants also began to call
her and her travelling party "foreign nationals in international airspace on
an international flight during a time of war." And she was informed both of
the complaint and that it could be upgraded to a Level 3, which meant
possible mandatory detainment by U.S. authorities for 24 hours, RCMP
involvement and criminal charges for an act of war upon an American.

IP archives at:

Re: NCIC database accuracy requirements

<John Beattie <>>
Mon, 21 Apr 2003 11:01:55 +0100

As reported in RISKS-22.65, etc., the accuracy requirements for the FBI's
National Crime Information Center have been reduced or eliminated.  Also
discussed in the April 2003 Cryptogram:

At first sight this is bad. But the other point of view may be worth noting:
a widely used database which is "accurate" but has a high false positive
rate may provide a useful widespread learning experience. Most users of
databases regard "the computer" as infallible.  A 100-to-1 false positive
rate would be salutary!  :-)

It isn't enough that engineers and computer scientists understand accuracy
requirements; the end-users, as represented by lawyers, have to have a
feeling for it as well. Bad databases already do damage -- it may be that
what is needed is a really high-profile failure.

You can argue probabilities as much as you like; the thing will only hit
home when almost everyone who's had contact with the database has actual
knowledge of a failure.

  [Perhaps if a few Senators, Representatives, Justice Department folks,
  and other government officials were mistakenly apprehended, that might
  help.  PGN]

Re: Friendly Fire (Ladkin, RISKS-22.68)

<"Jan C. =?iso-8859-1?Q?Vorbr=FCggen?=" <>>
Mon, 28 Apr 2003 15:58:19 +0200

I believe a technical contribution to this organizational problem was the
fact that Aegis computed/computes the first and second derivatives of
measured target height to derive sink/climb rate and acceleration. These
values, derived as they are from noisy measurements, are notoriously
unreliable. The crew seems to have treated these "measurements" at face
value, deriving a threat from the fact that they indicated a high sink rate
directed at the Vincennes, when in reality the aircraft was flying level. So
in this case the misinterpretation (at least in part) resulted in the
ability of computers to provide processed but unreliable data, very likely
without an indication of its unreliability (ever seen error bars on such

Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen
Research & Development  - Tel. +49 201 437 52 52

REVIEW: "Firewalls and Internet Security", Cheswick/Bellovin/Rubin

<Rob Slade <>>
Fri, 25 Apr 2003 08:36:55 -0800

BKFRINSC.RVW  20030321

"Firewalls and Internet Security", William R. Cheswick/Steven M.
Bellovin/Aviel D. Rubin, 2003, 0-201-63466-X, U$49.99/C$77.99
%A   William R. Cheswick
%A   Steven M. Bellovin
%A   Aviel D. Rubin
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2003
%G   0-201-63466-X
%I   Addison-Wesley Publishing Company
%O   U$49.99/C$77.99 416-447-5101 fax: 416-443-0948
%P   433 p.
%T   "Firewalls and Internet Security: Repelling the Wily Hacker,
      Second Edition"

As the first work to deal seriously and completely with the topic, the first
edition of "Firewalls and Internet Security" was one of those classics that
get known only by the last names of the authors, so as not to leave any
possibility of confusion with books whose titles may be similar.

When such a long time has elapsed between editions of a work such as this,
it is more than possible that the field has moved on far enough that a minor
updating of the material is simply not feasible.  The authors are quite well
aware of the new territory: where useful, the original structure has been
retained, but otherwise, the book has essentially been rewritten.  A huge
undertaking, but the only practical course, in the circumstances.

Part one establishes a starting point.  Chapter one, an introduction,
presents a number of basic, but worthwhile, security concepts.  The
operations of various components of the TCP/IP protocol suite are discussed,
with the most serious security vulnerabilities helpfully highlighted, in
chapters two (lower layers) and three (upper layers).  The authors' thoughts
on the security of the Web are amply expressed in the title of chapter four:
"The Web: Threat or Menace?"

Part two outlines the threats to networked machines.  Chapter five describes
a number of different types of attacks.  A variety of tools for determining
security weaknesses are listed in chapter six, alongside discussions of the
relative costs/benefits of disclosure versus security by obscurity.

Part three details security tools and utilities.  Chapter seven reviews
authentication concepts and techniques.  Various network security systems
are described in chapter eight.

Part four gets us to firewalls and virtual private networks (VPNs)
themselves.  Chapter nine outlines the different types of firewalls.  Basic
filtering concepts are examined in chapter ten.  Considerations for
constructing and tuning your firewall are in chapter eleven.  Tunnelling and
VPNs are discussed in chapter twelve.

Part five extends the isolated technology of firewalls into the application
of protecting an organization.  Network layout, and the implications
thereof, is reviewed in chapter thirteen.  Chapter fourteen deals with
hardening of hosts.  Chapter fifteen is a rather terse look at intrusion

Part six is entitled "Lessons Learned."  The detection and tracing of
"berferd" is described in chapter sixteen, along with the taking of the
"CLARK" machine in chapter seventeen.  In chapter eighteen, Kerberos and
IPSec are used as examples of approaches to security of insecure networks.
Chapter nineteen finishes with some ideas for work that yet needs to be done
to help with the security of the Internet.

The place of firewalls in regard to network security has broadened
considerably in the past decade.  This book does reflect that reality.
Unfortunately, that breadth of topic has come at the expense of some depth
in coverage.  The result is a book that is definitely worthwhile as an
introduction to the field, but which may no longer be suitable as a working
reference.  I must admit that, for some time, I have been recommending
Chapman and Zwicky (cf. BKBUINFI.RVW) over Cheswick and Bellovin's original
text, since "Building Internet Firewalls" seems to have the edge in terms of
practicality.  Upon reviewing this new edition of the classic, I would have
to stick to that recommendation.

copyright Robert M. Slade, 1994, 2003   BKFRINSC.RVW   20030321

REVIEW: "Inside the Security Mind", Kevin Day

<Rob Slade <>>
Fri, 2 May 2003 08:21:11 -0800

BKINSCMI.RVW   20030321

"Inside the Security Mind", Kevin Day, 2003, 0-13-111829-3,
%A   Kevin Day
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2003
%G   0-13-111829-3
%I   Prentice Hall
%O   U$44.99/C$69.99 +1-201-236-7139 fax: +1-201-236-7131
%P   309 p.
%T   "Inside the Security Mind: Making the Tough Decisions"

I am quite sympathetic to the idea that the realization of a security
mindset or attitude (I frequently refer to it as professional paranoia) is
more important to attaining security than isolated technical skills.  I'm
sorry to say that this work is not likely to help you find, attain, or
assess that protection perspective.

Right from the beginning of the book, readers will find a flavour of eastern
philosophy, and even mysticism, to it.  There are four virtues, an
eight-fold path, and even repeated injunctions for the reader to keep an
"open mind"--a phrase which those who have conversed with devotees of the
Buddhist faith will find rather familiar.

Unfortunately, chapter one seems to demonstrate that Day is bringing us only
a newage vagueness in his description of the security mind.  We are to rid
ourselves of negative thoughts, and follow fundamental virtues, which we
haven't been given yet.  Computer security is only a decade old, we are told
in chapter two, and constantly changing, and expensive, and there are few
practitioners, and lots of bad guys out there, and we are paralyzed by
fear--but we have nothing to fear but fear itself!  Chapter three finally
lists the four virtues for us: security is ongoing, a group effort, requires
a generic approach, and is dependent upon education.  I don't disagree with
any of these points (other than the philological debate about whether they
should be called virtues), and neither would any other security
professional.  However, they don't really provide us with much in the way of
help.  Eight security "rules," in chapter four, list principles such as
"least privilege," which are also commonly known in security work.

Chapter five is supposed to tell us how to develop a security mind, but
actually seems to be an exercise in wishful thinking.  If the world were
neatly divided into safe and unsafe zones, and if our systems all worked
perfectly and in correspondence with our users' known requirements, and if
everyone that we trusted were completely competent in regard to their own
defence, security would be much easier.  Decision-making is likewise
simplisticly seen to be supported by the virtues and rules, in chapter six.
There is a superficial overview of blackhats and vulnerabilities in chapter
seven.  Chapter eight has a standard review of risk analysis.  Vague ideas
on hiring security, and some thoughts on outsourcing, are in chapter nine.
The author gives his opinion on some security tools in chapter ten.  Chapter
eleven is another attempt to prove that the rules can be used.  We are given
a final adjuration to change our attitudes in chapter twelve.

Basically, this book is yet another attempt to write a general security
guide, without first ensuring that the material is structured, sound,
complete, or useful.

copyright Robert M. Slade, 2003   BKINSCMI.RVW   20030321

Please report problems with the web pages to the maintainer