The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 73

Tuesday 20 May 2003

Contents

Time synchronization error leads to mistaken arrests
Timothy J. Miller
U.S. cracks down on Internet fraud
NewsScan
Intel says Itanium 2 error can crash servers
Monty Solomon
MS Windows crash traps Thai politician in car
Robert J. Berger via Dave Farber
Internet worm disguised as e-mail from Microsoft
Monty Solomon
Microsoft toilet project wasn't hoax
NewsScan
The Exterminator
Monty Solomon
Immature air-traffic controllers?
Carl Fink
The Great Capacitor Scare of 2003
Jay R. Ashworth
Los Altos Vault & Safe Deposit Co.
Drew Dean
Risk of automatic type conversion
Dave Brunberg
Earthlink awarded $16M in spamages
NewsScan
Potential Chilling Effect: IEEE publications and DMCA
Sean Smith
Re: OpenBSD release protects against buffer-overflow attacks
Mike Albaugh
Re: more spelling-checker follies?
Bill Hopkins
Bill Stewart
REVIEW: "802.11 Security", Bruce Potter/Bob Fleck
Rob Slade
REVIEW: "Mobile VPN", Alex Shneyderman/Alessio Casati
Rob Slade
Info on RISKS (comp.risks)

Time synchronization error leads to mistaken arrests

<"Timothy J. Miller" <cerebus@sackheads.org>>
Tue, 20 May 2003 11:11:31 -0500

http://www.azstarnet.com/star/Tue/30520SIERRAVISTACHARGES.html

  A grainy picture from an ATM surveillance camera aired by TV's "America's
  Most Wanted" connected three Sierra Vista residents to a June 2002
  strangulation murder of a woman in Maryland.  The mom, daughter and
  friend, authorities had said, were believed to have been trying to use the
  murder victim's bank card.  The problem with that link, investigators now
  concede, is that the time recorded by the camera was three minutes off the
  time recorded by the ATM.

The risks should be obvious; critical logs should be reliably synchronized
either to each other or an independent source.

  [For non-ATM users, here ATM means Automated Teller Machine, although this
  bank transaction seems to have created a new form of Asynchronous Transfer
  Mode.  Perhaps another use of the acronym might be Awfully Terrible
  Monitoring.  PGN]


U.S. cracks down on Internet fraud

<"NewsScan" <newsscan@newsscan.com>>
Fri, 16 May 2003 09:44:28 -0700

The Justice Department has charged more than 130 people with perpetrating a
variety of Internet scams, as well as identity theft and failure to deliver
goods purchased online. The crackdown, dubbed Operation E-Con, involved more
than 90 investigations involving 89,000 victims whose losses totaled at
least $176 million. In one case, the suspects used a Web site to sell more
than $2 million worth of pharmaceutical drugs without any prescriptions or
physician involvement with the purchasers. In another scam, about 400 men
lost about $3,000 each when they sent money off in the hope of winning the
hand a Russian bride. Other scams promoted fraudulent investment
opportunities, Ponzi-type pyramid schemes and the illegal sale of
copyright-protected software, games and movies. Officials say they've
managed to recover about $17 million from alleged perpetrators.
  [AP/Siliconvalley.com, 16 May 2003; NewsScan Daily, 16 May 2003]
  http://www.siliconvalley.com/mld/siliconvalley/news/editorial/5876738.htm


Intel says Itanium 2 error can crash servers

<Monty Solomon <monty@roscom.com>>
Tue, 13 May 2003 00:48:12 -0400

Intel Corp. said that a flaw in some of its Itanium 2 microprocessors could
cause systems running the high-end chip to shut down or crash under certain
conditions.  [Source: Matthew Fordahl, AP, 12 May 2003]
  http://finance.lycos.com/home/news/story.asp?story=34164664


MS Windows crash traps Thai politician in car (From Dave Farber's IP)

<"Robert J. Berger" <rberger@ibd.com>>
Tue, 13 May 2003 17:31:11 -0700

Crashed Computer Traps Thai Politician, 14 May 2003
 http://aardvark.co.nz/daily/2003/n051301.shtml

Thailand's Finance Minister Suchart Jaovisidha had to be rescued today from
inside his expensive BMW limousine after the onboard computer crashed,
leaving the vehicle immobilized.

Once the computer failed, neither the door locks, power windows nor air
conditioning systems would function, leaving the Minister and his driver
trapped inside the rapidly heating vehicle.

Despite the pair's best efforts, it took a full ten minutes before they were
able to summon the attention of a nearby guard who freed the two men by
smashing one of the vehicle's windows with a sledgehammer.

A report (http://www.bangkokpost.com/Business/13May2003_biz12.html)
published in the *Bangkok Post* indicates that the vehicle was Mr
Jaovisidha's own BMW 520 which was being used while his state-supplied
Mercedes, was being repaired.

BMW's more up-market 7-series range uses a computer system called i-drive
which has Microsoft's WindowsCE at its core.
  http://www.microsoft.com/presspass/press/2002/Mar02/03-04BMWpr.asp

Did Mr Jaovisidha narrowly miss being killed by the blue windscreen of
death?

Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868
http://www.ibd.com

IP Archives at: http://www.interesting-people.org/archives/interesting-people/

  [At least 33 readers have noted this one thus far.  TNX!  PGN]


Internet worm disguised as e-mail from Microsoft

<Monty Solomon <monty@roscom.com>>
Mon, 19 May 2003 23:07:00 -0400

A new computer worm that disguises itself as an e-mail from Microsoft
Corp. is spreading, computer security firms warned on Monday.  The e-mail
containing the worm, dubbed Palyh or Mankx, appears to come from
support@microsoft.com, but is not from the software company.  When the
attachment is opened, the worm copies itself to the Windows folder, scoops
up e-mail addresses from the hard disk and starts sending itself out, said
U.K-based Sophos.  The malicious program can spread itself to other Windows
machines on a local area network.  [Source: Reuters, 19 May 2003]
http://finance.lycos.com/home/news/story.asp?story=34253416


Microsoft toilet project wasn't hoax

<"NewsScan" <newsscan@newsscan.com>>
Wed, 14 May 2003 09:53:32 -0700

Microsoft and its public relations firm are now saying that what they
themselves thought was a hoax (the development of the iLoo, a portable
toilet complete with wireless keyboard and Internet access) actually was a
real project of the company's MSN group in the UK. The original press
release indicated that the iLoo would offer its users "a unique experience."
An MSN product manager now says: " "We jumped the gun basically yesterday in
confirming that it was a hoax and in fact it was not," said Lisa Gurry, MSN
group product manager. "Definitely we're going to be taking a good look at
our communication processes internally. It's definitely not how we like to
do PR at Microsoft." In any event, whether really a hoax or really real, the
project is now dead -- flushed, as it were.  [AP/*USA Today*, 14 May 2003;
NewsScan Daily, 14 May 2003]
  http://www.usatoday.com/tech/news/2003-05-14-iloo-hoax-retract_x.htm


The Exterminator

<Monty Solomon <monty@roscom.com>>
Thu, 15 May 2003 09:14:04 -0400

Bug-ridden programs are savagely costly. Microsoft engineer Amitabh
Srivastava may have just what we need--a software insecticide.

A strange thing happened last spring to the Board of Directors Web page of
furniture maker Herman Miller, Inc. Instead of seeing the company's
quarterly numbers, staffers saw a Star of David and a sad face. The chief
executive thought someone was mocking his Protestant faith. Computer
security chief Dennis Peasley thought, "This has to be a hack." But it was
no hack, just a software glitch in how Microsoft's PowerPoint program
recognized Herman Miller's custom fonts.

Amitabh Srivastava, a computer scientist deep inside Microsoft Research, is
the guy Microsoft is counting on to automate and accelerate the process of
purging mistakes. "The impression is that we don't write very good
software," says Srivastava. "Every time my computer crashes, it is a
reminder of my failure."

Computer bugs have been around since malfunctions in a 1945 [Harvard] Mark
II were blamed (facetiously) on a moth trapped in a relay. Nowadays the term
refers to programming flaws--commands that don't accomplish the desired
result because computers have a habit of following the letter rather than
the spirit of the instructions handed to them. The cost to customers of
these flaws is necessarily a nebulous figure, but for what it's worth a
National Institute of Standards & Technology report puts it at $38 billion a
year. Evaluating only the cost of intrusions by hackers, who exploit flaws
in computer security, Gartner Group comes up with $5.4 billion a year.

Srivastava's fix is an arsenal of tools that help code testers fumigate
buggy code. He has a big fan in Microsoft Chairman Bill Gates. "Software
quality is about removing or preventing defects. The sooner any defect is
caught, the better--ideally, they are simply never coded," says Gates.

Building clean code is getting more daunting, especially for Microsoft . The
Windows operating system has 50 million lines of code (a line averages 60
characters) and grows 20% with every release.  It's put together by 7,200
people, comes in 34 languages and has to support 190,000 devices--different
models of digital cameras, printers, handhelds and so on.  ...
  [Source: Lycos.com, 26 May 2003]
http://finance.lycos.com/home/news/story.asp?story=34131541


Immature air-traffic controllers?

<Carl Fink <carl@fink.to>>
Tue, 20 May 2003 13:36:05 -0400

Reuters reports that pilots approaching Luton airport were hearing a baby's
cries instead of instructions from the controllers.

It turned out that a baby monitor, in a house in the approach path, was
being picked up by their radios.  Replacing the monitor fixed the problem,
so seemingly it was transmitting on the wrong frequency.

The article says that no one was endangered because the pilots could switch
to another frequency.  My question: exactly how powerful a transmitter is in
this baby monitor if a plane moving at hundreds of kilometers per hour would
stay in its "radius of interference" long enough to have to switch
frequencies?

http://news.excite.com/odd/article/id/327280|oddlyenough|05-20-2003%3A%3A10%3A44|reuters.html

Carl Fink  http://www.jabootu.com  carl@fink.to


The Great Capacitor Scare of 2003

<"Jay R. Ashworth" <jra@baylink.com>>
Tue, 20 May 2003 16:44:19 -0400

In RISKS-19.13, Mich Kabay quoted the *EE Times* on "The Great Capacitor
Scare Of 1997".  People were building motherboards without enough power
supply filter caps, it seems, and machines were locking up.

Oh, to have problems that minor again...

The Great Capacitor Scare of 2003 is going to be *much* worse.

It seems, according to several news stories (linked at the end) that a
materials chemist who worked for a Japanese company, Rubycon Corporation --
which manufactured electrolyte for electrolytic (! :-) capacitors -- left
his employ, and ended up working for a Chinese capacitor maker, Luminous
Town Electric.  (These names tend to sound quaintly amusing to USAdian ears,
which might not be accidental...)

Apparently, in a fairly clear case of corporate espionage, the fellow's
cow-orkers then "defected with the formula" (PCN says, in a confusing bit;
defected to where he was?), and began to sell the electrolyte to many
Taiwanese capacitor makers.

Alas, there was one small problem.

The formula wasn't *complete*.  The capacitors, which ought to have been
good (in some cases) for up to 4000 hours, were failing in half that -- or,
if you believe Intel, in as little as 250 hours.

The electrolyte apparently outgasses hydrogen, and pops the seals on the
cap, leaking electrolyte onto the board.  The missing ingredient was the one
which prevented this.  I'd speculate that this might not be a
point-catastrophic failure... these caps might pop and leak out slowly,
shorting out circuits.

But it's even worse.

The Inquirer may put it best:

  It is not currently known how many market segments may have been affected
  by these poor parts, which can be found in motherboards, switchmode power
  supplies, modems and other PC boards.

  The failures of the aluminum capacitors might just be the 'tip of the
  iceberg,' says Zogbi. "Other component failures from low-cost Asian
  suppliers might be forthcoming," he warns.

  Around 30 per cent of the world's supply of aluminum capacitors is
  manufactured in Taiwan, according to the Paumanok Group.  Confusion over
  which manufacturers may have used the faulty electrolyte is sending buyers
  back to Japan to source their capacitors.

  The extent of the problem in product that has already shipped won't become
  clear until components start failing, which may not happen until halfway
  through the products' life expectancy.

But even *that* may understate the problem...

How many electronic products do *you* know of that use electrolytic
capacitors?  The RISKS are so obvious that I don't even have to say "The
RISKS are obvious".  [But you did anyway!  PGN]

*The Inquirer* coverage is at http://www.theinquirer.net/?article=6085

*Passive Component News* is at http://www.niccomp.com/taiwanlowesr.htm
Check out the tenor of the editorial footnote; it's as classic as it is
uncommon.

TTI, who bill themselves as "The world's leading distributor of Passive,
Interconnect, and Electromechanical components" have put up an entire page
tracking press coverage of the issue:
  http://www.ttiinc.com/MarketEye/Aluminum_Cap_Issue.asp

Jay R. Ashworth, The Suncoast Freenet, Tampa Bay, Florida
http://baylink.pitas.com  jra@baylink.com  +1 727 647 1274


Los Altos Vault & Safe Deposit Co.

<Drew Dean <ddean@csl.sri.com>>
Sun, 18 May 2003 13:11:49 -0700 (PDT)

The Los Altos Vault & Safe Deposit Company has been running an ad in local
newspapers (here from the May 14, 2003, Los Altos Town Crier, p. 12) with
the following:

"It is impossible for hackers to penetrate our computer system.  Reason -
We have no computers.  We do business the old fashioned way."

Now that's a convincing assurance argument!  I find it quite interesting
that this is being advertised to the general public, or at least that
portion living in Silicon Valley.

On the other hand, the old fashioned way has its own risks, but those
aren't mentioned.  Again, interesting from a marketing viewpoint.

Drew Dean, Computer Science Laboratory, SRI International


Risk of automatic type conversion

<Dave Brunberg <DBrunberg@FBLEOPOLD.com>>
Fri, 16 May 2003 11:20:32 -0400

I recently downloaded a copy of an MSDS document for a particular chemical
used frequently in water treatment.  While scanning through the pages I
noticed the following:

  "US Patent No. ................ 5E + 06"

I can only assume (bad policy?) that this is related to the document being
automatically generated from a database of chemical information.

A quick look at the rest of the document showed no obvious errors, but in
something as potentially important to health and safety as an MSDS, one
would expect better proofreading by the distributor.  That's not to mention
any legal problems they may run into regarding disclosure of product
hazards.

David W. Brunberg, Engineering Supervisor - Field Process
The F.B. Leopold Company, Inc.


Earthlink awarded $16M in spamages

<"NewsScan" <newsscan@newsscan.com>>
Thu, 08 May 2003 09:23:09 -0700

A federal judge awarded Earthlink $16.4 million in damages and instituted a
permanent injunction against a Buffalo, NY, man identified as the ringleader
of a group that used Earthlink's network to send 825 million spam messages
over the past year. Earthlink said Howard Carmack and his cronies used
Internet accounts opened with stolen identities and credit cards to send
junk e-mail. The ruling is the latest in a series of legal actions taken by
ISPs against bulk spammers. Last year Earthlink won $25 million in damages
in a suit against another bulk e-mailer, Kahn C. Smith of Tennessee, but it
hasn't collected the award. The company also has several other lawsuits
pending. Meanwhile, last December, America Online won a $6.9 million
judgment against a now-defunct Illinois company that specialized in
p*rnographic spam. Over the last few years, AOL has won 25 spam-related
lawsuits against more than 100 companies and individuals, says a company
spokesman.  [AP 7 May 2003; NewsScan Daily, 8 May 2003]
  http://apnews.excite.com/article/20030507/D7QSJOQ80.html


Potential Chilling Effect: IEEE publications and DMCA

<Sean Smith <sws@cs.dartmouth.edu>>
Fri, 16 May 2003 12:48:18 -0400

This morning, I noticed that in the IEEE copyright form
(which authors must sign when they publish papers with the IEEE),
the signer must warrant that "publication or dissemination of the
work" will not violate the DMCA.

Sean W. Smith, Ph.D.  sws@cs.dartmouth.edu  http://www.cs.dartmouth.edu/~sws/
Department of Computer Science, Dartmouth College, Hanover NH USA


Re: OpenBSD release protects against buffer-overflow attacks

<Mike Albaugh <albaugh@spies.com>>
Mon, 12 May 2003 13:47:48 -0700 (PDT)

> [Ardley: over 30 years ago ... reinvented in software...]

WELL OVER 30 years ago, considering that the machine described in the "First
Draft" paper on EDVAC (leaked by John von Neumann) was "tagged", in a sense.
Every word of memory was meant to be designated as "Instruction" or "Data"
during the program-loading process.  It was not exactly the way we think of
such things today.  An attempt to "execute data" produced not an exception
but effectively a "load immediate", while an attempt to "store to an
instruction" altered only the address-part of the word.  Yes, chilluns, this
was before B-Boxes :-)

> Memory that was tagged as data could not be executed. The result
> was that no stack overflow attack was possible.

This ignores the prevalence of interpreted "data", the basis of numerous
email and web malware. There is still plenty of mischief that can be done
without the ability to "execute the stack", and some utility in being able
to convert from data to executable, vis. work by David Keppel, et al.
(http://citeseer.nj.nec.com/78783.html)

"They may make it illegal, but they'll never make it unpopular" (as noted in
another context, in RISKS-10.27).

  [The Harvard Mark I went even further.  There were programs in program
  store and there were data words in data store.  And ne'er the twain could
  meet.  PGN]


Re: more spelling-checker follies? (Smith, RISKS-22.72)

<"Bill Hopkins" <whopkins@wmi.com>>
Tue, 20 May 2003 17:09:42 -0400

For three minutes, an AP story posted on *The New York Times* Web site about
Justice Clarence Thomas referred to his predecessor as "Turgid Marshall."
After checking that MS Word indeed deemed "Thurgood" a misspelling and
suggested "turgid" as a replacement, I discovered that the story had been
updated to use the correct name of the distinguished jurist.


Re: more spelling-checker follies? (Smith, RISKS-22.72)

<Bill Stewart <bill.stewart@pobox.com>>
Sat, 10 May 2003 19:44:06 -0700

A long long time ago, on a Microsoft Mail version far far obsolete by now, I
forwarded a copy of my department's org chart to somebody.  Unfortunately,
MS.Mail decided to spell-check the message and change anything it didn't
like without checking with me first.  So, it not only changed any of the
names it didn't recognize to words it did, including my department head's
name, it also changed her Org Chart to an Orgy Chart.

Fortunately, either nobody read it carefully, or they ignored it, so there
weren't embarrassing explanations to be made, but my attitude did change
from "Lousy unreliable mail client" to "Bill Gates Must ... ." [Verb deleted
by moderator for RISKS-obvious reasons.  PGN]  MS.Outlook is much better than
its earlier versions, though it's still fundamentally flawed in a few areas.


REVIEW: "802.11 Security", Bruce Potter/Bob Fleck

<Rob Slade <rslade@sprint.ca>>
Tue, 13 May 2003 08:03:48 -0800

BK8021SC.RVW   20030404

"802.11 Security", Bruce Potter/Bob Fleck, 2003, 0-596-00290-4,
U$34.95/C$54.95
%A   Bruce Potter
%A   Bob Fleck
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2003
%G   0-596-00290-4
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$54.95 800-998-9938 fax: 707-829-0104 info@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596002904/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0596002904/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596002904/robsladesin03-20
%P   176 p.
%T   "802.11 Security"

The preface states that this book is aimed at the network engineer,
and the security engineer, or the hobbyist, but it is not an
introductory work.  The reader will need to know Linux to the kernel
configuration level, and TCP/IP networking to the ARP (Address
Resolution Protocol) level.

Part one addresses the basics of 802.11 security.  Chapter one
provides a background, and looks at issues, in wireless
communications, although primarily from a communications, rather than
security, perspective.  There is a review of attacks and risks, in
chapter two, and for once there is a comparison of wired versus
wireless hazards, ranging from the common (interference from portable
phones) to the sophisticated (signal strength attacks related to
diversity antennae).

Part two deals with station, or remote device, security.  Chapter
three examines attacks against machines and networks, and suggests the
use of SSL (Secure Sockets Layer) and SSH (Secure SHell).
Configuration recommendations for the kernel, startup, firewall, and
other aspects of FreeBSD are covered in chapter four.  Chapters five,
six, and seven do the same for Linux, OpenBSD, and Mac OS X,
respectively (with a concentration on the AirPort utilities for the
Mac).  Windows, in chapter eight, reviews basic workstation items
only, with limited advice and direction.

Part three looks at access port security, and the setup of access
points under Linux, FreeBSD, and OpenBSD are all contained in chapter
nine.

Gateway security is the topic of part four, with chapter ten looking
at gateways and firewalls, while the use of the three UNIX variants as
gateways is discussed in chapters eleven, twelve, and thirteen.
Authentication and encryption, mostly with IPSec, is reviewed in
chapter fourteen.  A rather vague closing is given in fifteen.

As noted, this is not a book for beginners.  Presumably readers should
already know the most common dangers of wireless LANs, such as
allowing default access passwords to remain active, and broadcasting
the station set identifier.  WEP (Wired Equivalent Privacy) is
dismissed as irrelevant: since it is deeply flawed, one can assume
that the concentration on technologies such as IPSec and station
security is of greater use than suggesting minor improvements in the
use of WEP keys and initialization vectors.  However, it is a bit of a
pity that the authors took this route.  With the addition of possibly
an extra fifty pages this could have been an excellent reference for
all wireless LAN administrators.

copyright Robert M. Slade, 2003   BK8021SC.RVW   20030404
rslade@sprint.ca  rslade@vcn.bc.ca  slade@victoria.tc.ca p1@canada.com


REVIEW: "Mobile VPN", Alex Shneyderman/Alessio Casati

<Rob Slade <rslade@sprint.ca>>
Thu, 15 May 2003 07:59:40 -0800

BKMBLVPN.RVW   20030401

"Mobile VPN", Alex Shneyderman/Alessio Casati, 2003, 0-471-21901-0,
U$45.00/C$69.95/UK#33.50
%A   Alex Shneyderman
%A   Alessio Casati
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-21901-0
%I   John Wiley & Sons, Inc.
%O   U$45.00/C$69.95/UK#33.50 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471219010/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471219010/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471219010/robsladesin03-20
%P   330 p.
%T   "Mobile VPN"

Part one presents wireless data fundamentals.  Chapter one gives an
introduction to mobile virtual private networks (MVPN), and the emphasis on
cellular technology points out that the authors are familiar with the
telecommunications, rather than security, field of work.  The material
contains a weak suggestion that MVPNs may be useful, lots of alphabet soup,
and very little in the way of conceptual background.  The data networking
technologies in chapter two are not explained very clearly: basic ideas get
bogged down with details.  Cellular radio interfaces are listed in chapter
three, with data services that can be provided over cellular networks in
chapter four.

Part two looks at MVPN and advanced wireless data services.  MVPN
fundamentals, in chapter five, basically reiterates the text from chapter
two, with a little extra emphasis on virtual private networks.  Chapter six
describes various GSM (Global System for Mobile communications)/GPRS
(General Packet Radio Service) and UMTS (Universal Mobile Telecommunication
System) offerings.  Options for CDMA2000 (Code Division Multiple Access) are
listed in chapter seven.  Chapter eight explains MVPN equipment components
and requirements.  Possible developments in mobile VPN are advanced in
chapter nine.

This book once again emphasizes the divide not only between the cellular and
wireless LAN camps, but also between communications and security.  It fails
to bring all the related technologies together between two covers.  At the
same time, for those in the LAN or security fields who need to know about
cellular service offerings, this work does not provide a consistent level of
explanation and depth of background for those issues.  Possible utilities
are tabulated, but these could be obtained from almost any cell company
sales office.

copyright Robert M. Slade, 2003   BKMBLVPN.RVW   20030401
rslade@sprint.ca  rslade@vcn.bc.ca  slade@victoria.tc.ca p1@canada.com

Please report problems with the web pages to the maintainer

Top