The RISKS Digest
Volume 22 Issue 85

Friday, 15th August 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Niagara-Mohawk power grid overload causes major outages
Pilot fixes faulty jet
Chuck Weinstock
ATM scam netted $620,000 Australian
John Colville
Credit-card theft spam
Drew Dean
New worm targets Microsoft security site
Blaster worm analysis
Monty Solomon
CERT Advisory CA-2003-20 W32/Blaster worm
Monty Solomon
DCOM worm analysis report: W32.Blaster.Worm
Dave Ahmad
FBI enters investigation of Blaster
Re: Software patching gets automated
Fuzzy Gorilla
Hidden risks: location dependence
Fuzzy Gorilla
Another variant on deceptive URLs
Geoffrey Brent
Risks of globally filtering mail to IT and security staff
Aryeh Goretsky
Denver school information system on the Internet
Dave Brunberg
Biloxi schools have cameras in classrooms, pictures on Internet
Carl G. Alphonce
Beyond Fear, Bruce Schneier
CFP: RFID Privacy and Security Workshop @ MIT
Simson L. Garfinkel
Info on RISKS (comp.risks)

Niagara-Mohawk power grid overload causes major outages

<"Peter G. Neumann" <>>
Fri, 15 Aug 2003 07:01:11 PDT

A grid overload just after 4pm EDT knocked out power in NY City, Boston,
Cleveland, Detroit, Toronto, and Ottawa, among many other cities, and
spanning New York, New Jersey, Vermont, Connecticut, Pennsylvania, Ohio,
Michigan, Ontaria, and parts of Quebec.  Much of midtown NYC and Wall Street
were shut down.  At least 10 major airports, causing schedule problems
across the country and abroad.  Nine nuclear power plants were shut down.
Landline phones and cell circuits were severely affected, with extensive
traffic saturation even where battery backups were available.  At least 50
million people were affected.  800 trapped-in-elevator rescues.  For a
while, a lightning strike on the US side of Niagara Falls was reportedly the
trigger, and then attributed to a fire, although this morning the exact
cause is still mysterious — with one power expert suggesting "somewhere in
the midwest".  Terrorism is ruled out, but not apparently not yet
cyberactivity.  All this supposedly happened in nine seconds, and yet the
cause is still unclear!  (My summary is of course *not* a definitive

Once again this should certainly be instructive from a RISKS point of view.
Despite the experience gained from past power-outage propagations, plus the
unrelated but propagationally similar 1980 complete ARPAnet collapse and
1990 nationwide AT&T collapse, we still have a lot to learn.  Each time we
get a widespread effect of this nature, the people who keep saying that this
kind of propagation is impossible get serious egg on their faces.  Stay
tuned for more detailed analyses and more discussion of what it takes to
have seriously defensive/preventive design and implementation.

One quote from New Mexico governor Bill Richardson is intriguing: "We're a
superpower with a Third World grid."

  [Date: field corrected in archive.  Woops!  PGN]

Pilot fixes faulty jet

<Chuck Weinstock <>>
Tue, 12 Aug 2003 10:34:20 -0400

A pilot personally fixed a faulty plane stranded on Spain's Balearic island
of Menorca before getting weary British tourists to vote on whether they
wished to be flown home aboard the repaired jet.  The incident occurred on 8
Aug 2003 after a Boeing 757 run by British tour operator MyTravel was found
to have a faulty onboard computer that insisted the aircraft was airborne
when it was in fact parked on the tarmac.  Covered in oil after resetting a
sensor in the aircraft's nosewheel, the pilot asked passengers gathered in
the airport's terminal to raise their hands if they wished to board the
plane.  In the end, only 13 of nearly 200 tourists decided to stay put.
[Source: AFP, 12 Aug 2003, from *The Times* (London); PGN-ed]

ATM scam netted $620,000 Australian

Tue, 12 Aug 2003 08:56:06 +1000

ATM swipe-and-snap scam netted A$620,000, court told
Leonie Lamont, 12 Aug 2003, *Sydney Morning Herald*, 12 Aug 2003; PGN-ed
[$A620,000 is about $US400,000.]

In the first case of its kind in Australia, a man has pleaded guilty to
defrauding more than A$623,000 from bank customers by electronically spying
on them while they used ATMs.  Kok Meng Ng, 29, a Malaysian, admitted in the
District Court yesterday to taking part in an elaborate scheme in which an
electronic skimming device and pin-head camera were planted in 36 ATMs in
Sydney.  The skimming devices read the data on the magnetic stripe on
customer's cards, while the camera recorded the PINs as they were punched
in, beaming a signal that could be received up to 400 metres away.

On 64 occasions between May 2001 and November last year, Ng, who was in
Australia on successive tourist visas, transferred amounts of less than
A$10,000 to overseas accounts.  Amounts over A$10,000 must be reported by
financial institutions.  The court heard that among the incidents, the scam
was conducted on 15 Oct 2002 on a St George ATM in Darlinghurst, a Westpac
machine in Bondi Junction a day later, and, four days later, on a
Commonwealth Bank ATM in Chatswood.

The prosecutor, Sunil de Silva, said Ng was part of a gang that raided the
bank accounts of 315 people, generally withdrawing less than A$1000. Ng also
pleaded guilty to federal charges under the Financial Transactions Act.  The
federal charges carry a maximum five year jail term, and the computer crime
charges a three year term.  ...

John Colville, Dept of Computer Systems, University of Technology, Sydney AU
PO Box 123, Broadway NSW Australia 2007 +61-2-9514-1854

Credit-card theft spam

<Drew Dean <>>
Thu, 14 Aug 2003 12:38:08 -0700 (PDT)

I've recently received a couple pieces of spam trying to induce me to give
out my credit-card number.  One used a lot of artwork from PayPal, and even
referenced PayPal's privacy policy.  The biggest problem with it (besides
the decidedly non-PayPal domain the form was submitted to, of course :-)) is
that I don't have a PayPal account.

Interestingly, neither spam used https to actually submit the form.  This
makes one wonder about the RISK: what a machine to crack and to steal
credit-card numbers from!  The operators of the scam can hardly go to law
enforcement, after all.  The owners of the machine, if it's a Web-hosting
service, might be able to go to law enforcement, although it would rather
embarrassing for them.

Drew Dean, SRI International, Computer Science Laboratory

New worm targets Microsoft security site

<"NewsScan" <>>
Tue, 12 Aug 2003 11:19:20 -0700

A virus-like computer attack expected to infect hundreds of thousands of
computers worldwide is programmed to direct all infected computers to attack
the security-related Microsoft Web site, used by
millions of Microsoft users each week.  The worm, variously called LoveSan,
Blaster and MSBlaster, is apparently similar in structure to the Code Red
virus that affected 300,000 computers two years ago; it targets a flaw in
Microsoft Windows operating systems, and is considered to be a worm type of
virus because it doesn't require computer users to open an e-mail attachment
or take any other action to spread automatically from computer to computer.
Home computer users who leave computers constantly online to the Internet
through DSL or cable are among those most at risk.  [*San Jose Mercury News
11 Aug 2003; NewsScan Daily, 12 Aug 2003]

Blaster worm analysis

<"monty solomon" <>>
Tue, 12 Aug 2003 15:02:01 -0400

Blaster Worm Analysis
Release Date: 11 Aug 2003
Severity: High

Description: The Blaster worm uses a series of components to successfully
infect a host.  The first component is a publicly available RPC DCOM exploit
that binds a system level shell to port 4444.  This exploit is used to
initiate a command channel between the infecting agent and the vulnerable
target.  Once the target is successfully compromised, the worm transmits the
msblast.exe executable (the main body of the worm) via TFTP to infect the
host.  The payload used in the public DCOM exploit, as well as the TFTP
functionality, are both encapsulated within msblast.exe.

CERT Advisory CA-2003-20 W32/Blaster worm

<"monty solomon" <>>
Tue, 12 Aug 2003 15:05:56 -0400

CERT Advisory CA-2003-20 W32/Blaster worm

Original issue date: August 11, 2003
Last revised: August 12, 2003
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected
* Microsoft Windows NT 4.0
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003


The CERT/CC is receiving reports of widespread activity related to a new
piece of malicious code known as W32/Blaster.  This worm appears to
exploit known vulnerabilities in the Microsoft Remote Procedure Call
(RPC) Interface.

I. Description

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
interface as described in VU#568148 and CA-2003-16.  Upon successful
execution, the worm attempts to retrieve a copy of the file msblast.exe from
the compromising host.  Once this file is retrieved, the compromised system
then runs it and begins scanning for other vulnerable systems to compromise
in the same manner.  In the course of propagation, a TCP session to port 135
is used to execute the attack.  However, access to TCP ports 139 and 445 may
also provide attack vectors and should be considered when applying
mitigation strategies.  Microsoft has published information about this
vulnerability in Microsoft Security Bulletin MS03-026.

Lab testing has confirmed that the worm includes the ability to launch a TCP
SYN flood denial-of-service attack against  We are
investigating the conditions under which this attack might manifest itself.
Unusual or unexpected traffic to may indicate an infection
on your network, so you may wish to monitor network traffic.

Sites that do not use to manage patches may wish to block
outbound traffic to  In practice, this may be difficult
to achieve, since may not resolve to the same address
every time.  Correctly blocking traffic to will require
detailed understanding of your network routing architecture, system
management needs, and name resolution environment.  You should not block
traffic to without a thorough understanding of your
operational needs.

We have been in contact with Microsoft regarding this possibility of this
denial-of-service attack.  ...

DCOM worm analysis report: W32.Blaster.Worm

<Dave Ahmad>
Mon, 11 Aug 2003 15:36:24 -0600 (MDT)

A Bugtraq user has already pointed out that a worm has been
discovered in the wild that exploits the Microsoft Windows DCOM RPC
Interface Buffer Overrun Vulnerability (Bugtraq ID 8205) to infect
host systems.  Symantec has been tracking its activity and is
currently conducting analysis/full disassembly of the malicious code,
which has been named "Blaster".  The results of our analysis are
being made available to the public at the following location:

It is expected that this report will be updated frequently as more
information is discovered.  Readers are advised to download/refresh
it throughout the day to ensure that any new information is not missed.

David Mirza Ahmad, Symantec

FBI enters investigation of Blaster

<"NewsScan" <>>
Thu, 14 Aug 2003 08:46:52 -0700

The FBI is investigating the origin of the malicious computer program
Blaster (also known as MSBlaster and LoveSan), which has already wormed its
way into more than 250,000 Internet-connected computers running Windows
software. Blaster has been infecting computers in organizations of every
kind (e.g, CBS, the Senate, and the Federal Reserve Bank of Atlanta) — in
spite of the fact that computer experts say it's not well-written software.
Dan Ingevaldson of Internet Security Systems Inc. warns: "A better version
of this worm wouldn't crash any machines; it would work correctly every
time, move faster, and delete or steal its victims' files."  [*The
Washington Post*, 14 Aug 2003; NewsScan Daily, 14 Aug 2003]

Re: Software patching gets automated (RISKS-22.84)

<"Fuzzy Gorilla" <>>
Tue, 12 Aug 2003 12:23:22 -0400

In Peter Neumann
speculates: "And when it is *fully* automated, think of how wonderful
it will be to have new Trojan horses and security flaws installed
instantaneously, without having to require human intervention.".

Even without Trojan horses and security flaws, it introduces yet another
point of failure into the system, as evidenced by the "Blaster" worm.
According to a New Scientist article "Computer worm attacks software patch
server" :

  After infecting a vulnerable computer, the worm is programmed to send a
  volley of bogus traffic to Microsoft's software update service, on 16 August. If enough machines are infected this will
  overwhelm the site, preventing system administrators from using it to
  download the software patches needed prevent other machines being
  infected.  "It's an extremely devious trick by Blaster's author," says
  Graham Cluley, of UK anti-virus company Sophos. "Blaster attempts to knock
  Microsoft's Web site off the Internet."

Hidden risks: location dependence

<"Fuzzy Gorilla" <>>
Tue, 12 Aug 2003 13:03:31 -0400

Although this example comes from biology rather than computers, I think it
helps to point out the problem of hidden risks and the value of questioning
assumptions.  Basically, a researcher was working on a study that showed a
strong link between cholesterol and an Alzheimer's like disease in rabbits --
until he changed the location of his lab.

  Sparks has been working with rabbit models of Alzheimer's for years.
  "Every time I ever fed a bunny cholesterol, I got Alzheimer's pathology,"
  he said.

  That is, until he moved to the Sun City lab.

  "I said, 'Something is wrong. I go down into the vivarium (where lab
  animals are kept) and the first thing I see is the wall being lined with
  big blue bottles."'

  It turns out the rabbits there were given distilled water, while all the
  other research animals Sparks had worked with got tap water.

  He analyzed the tap water from previous labs and found it contained
  copper. When the rabbits at Sun Health were fed tap water, they also
  developed Alzheimer's symptoms.

  When Sparks added copper to the distilled water and gave the rabbits
  cholesterol, they also developed Alzheimer's-like symptoms and brain

Just as in biological systems, computers and computer networks are very
complex and sometimes the variables are well hidden.

Another variant on deceptive URLs

<Geoffrey Brent <>>
Thu, 14 Aug 2003 09:51:46 +1000

Another refinement of the "please click this link and log into your
financial Web site" scam. This morning I got one purporting to be from
Westpac Australia. Obviously a fraud, since (a) legitimate institutions
don't do business that way, and (b) I don't have an account with them.  But
it still took me a moment to see how this one worked.

The link given in the e-mail purported to be ""
(Westpac's online banking site). I was curious to see how this one worked,
so I did what I usually do with such hoaxes and ran the mouse over it. I
expected to see a completely different URL show up in the status bar, or
perhaps something along the lines of "" and
was rather surprised to see what looked to be a genuine Westpac URL,
differing only in being HTTP rather than HTTPS:
-- which, although unencrypted, would still be owned by Westpac.

In fact, on looking closer, the _real_ URL is:[lots more space characters snipped]

The spaces ensure that the interesting bits in the link don't show up
onscreen, and since one doesn't expect to see spaces in URLs it wasn't
something I'd expected. (And yes, I missed the ... on the RHS of the bar
that indicated that there was more to follow). AFAICT, the http/s mismatch
is simply sloppiness on the culprit's part rather than a necessary part of
the scam.

I can't be the first to point this out, but: having a character that is
visually indistinguishable from the absence of a character is in itself a
risk. Perhaps it would be useful for URL-display and similar outputs to use
a visible character to indicate spaces, as can be done with word-processors?

Risks of globally filtering mail to IT and security staff

<Aryeh Goretsky <>>
Wed, 13 Aug 2003 02:43:40 -0600

Earlier this evening I received a message in my in-box advertising an
organic compound which, allegedly, would increase the dimensions of a
particular body part.

Such unsolicited messages are quite commonplace these days and a quick
perusal of the message header revealed nothing especially interesting about
the message.

What did surprise me, though, was the sender's choice of a falsified
return address from the domain.  Knowing financial
institutions are very sensitive to misuse of their names I forwarded a
copy to "" with a self-explanatory subject and
a concise, one-line description of what the message was and I why I
had forwarded it.

I received the following automated reply (unimportant headers removed):

 >  Date: Sat, 09 Aug 2003 03:17:53 -0700
 >  From:
 >  To: "Aryeh Goretsky" <>
 >  Subject: Inappropriate Language Notification
 >  A communication sent from your e-mail account was
 >  intercepted and quarantined because it contained language
 >  deemed inappropriate for business communications.  If
 >  you feel your message was quarantined in error,
 >  please contact the intended recipient.
 >  Sender: Aryeh Goretsky <>
 >  Subject: spam sent with forged address
 >  Date: 08/09/2003, 03:17:53 AM
 >  Policy: Inappropriate Language

As someone who provided technical support in the security field for a long
time I regularly received messages with "inappropriate" language in them,
usually in the form of messages contained in computer viruses, worms and the
like.  As a security professional, I *needed* to know the exact message as
it appeared on-screen or embedded in a program in order to help isolate and
identify the problem.

Frankly, the idea of *not* being able to gather this information because
that someone, somewhere might see "inappropriate" language floored me.

I understand that large companies such as American Express cannot afford to
vet new IT hires, let alone existing ones, for a good organizational fit
which among other things includes not being offended by "inappropriate"
language, but the idea that someone whose job responsibilities may require
viewing such information and not being able to see it strikes me as willful
misconduct by whatever employee(s) came up with such a policy in the first

Perhaps organizations which perform such filtering should provide staff
whose job requirements required them to receive messages containing
"inappropriate" language with a waiver.

In the meantime, I can't help but wonder what would happen if someone
defaced one of American Express's web servers with a message containing
"inappropriate" language and none of their IT or security staff were able to
coordinate a response due to their internal communiques being rejected.

The *RISKS* seem obvious.

  [... but not surprising.  I have had so many such requests to sites
  bounced for similar reasons.  PGN]

     [True, but I assume (with all problems thereof) a higher level of
     accountability from the security/fraud unit of a financial institution.

Denver school information system on the Internet

<Dave Brunberg <>>
Thu, 14 Aug 2003 09:33:03 -0400

I found this link to an article about Denver's "Internet Student Information
System," which offers parents (or anyone with a userid/password combo) to
view their children's (targets'?) whereabouts, grades, disciplinary records,
and demographic info online.,1413,36~53~1569401,00.html

  Teachers enter class attendance data into the system at the beginning of
  each class, and "Almost on an hourly basis, a parent can find out if their
  child is in a particular class. Most schools will stick to updating
  attendance two or three times a day."  "While the systems differ, they
  share a concern for security with school-issued user IDs and passwords. "
  "If [parents] want to participate, they must take a photo ID to the school
  and then they are given a user ID and personal password. They have access
  only to their children's information."

Sounds really secure, no?  No word on the form of userid or password, or how
to change the password, etc., standard RISKs apply.  Near the end of the
article, security and privacy issues are given a brief note:

  "Like Castagna at Lakewood High, Bailey said no concerns have been raised
  about privacy, and nobody's information has been hacked.  David Craven,
  Cherry Creek's director of instructional technology, said the systems use
  the same safeguards as online banking.  "People have an expectation to get
  general information on the Web.  It's just part of their lives."

  "The value is contingent on how secure the database is," said Stephen
  Keating, director of the Privacy Foundation at the University of
  Denver. "If the school district thinks they've got it protected so that
  only the parents or the student can get access to that student's
  information, then it sounds viable."  But, he cautioned, "just because you
  think it's secure doesn't mean it is."

  Mark Silverstein, legal director of the American Civil Liberties Union in
  Denver, said, "If the information is only available to the parents of a
  student, I don't see what the concern is about privacy."

I'll take a brief quote from that to look at again: "If the school district
thinks they've got it protected so that only the parents or the student can
get access to that student's information, then it sounds viable."  Um,
shouldn't the district KNOW they've got it protected?  Shouldn't they be
actively trying to crack the system?  Maybe they can ask some of their
brighter 10th graders to try--that would probably open up some interesting
discussion when the results became known.  Anyone want to take a bet on how
many Mountain Dews it takes to crack this one?

David W. Brunberg, Engineering Supervisor, The F.B. Leopold Company, Inc.,
227 South Division Street, Zelienople PA 16063  (724) 452-6300

Biloxi schools have cameras in classrooms, pictures on Internet

<"Carl G. Alphonce" <alphonce@cse.Buffalo.EDU>>
Wed, 13 Aug 2003 20:28:37 -0400

According to a CNN article
the Biloxi, Mississippi school district has put cameras in all of its
classrooms.  The project was funded by casino revenues.  Pictures taken by
the cameras are viewable on the Internet.  If the article is correct, and
the images really are accessible from anywhere on the Net, the risks of
others viewing the pictures is real.

The article does not give much motivation for installing the cameras.  It
states, "[Deputy superintendent] Voles said the camera installation is a
precaution, and that students and teachers have said they feel safer."  The
potential for abuse and the potential chilling effect on the classroom is
left as an exercise for the reader.  I wonder, might the introduction of
these cameras perhaps backfire, attracting those who seek publicity, since
they are guaranteed a record of their activities?

Carl Alphonce, Dept of Computer Science and Engineering
University at Buffalo, Buffalo, NY 14260-2000

Beyond Fear, Bruce Schneier

<"Peter G. Neumann" <>>
Fri, 15 Aug 2003 07:01:44 PDT

Beyond Fear: Thinking Sensibly about Security in an Uncertain World
Bruce Schneier
Copernicus Books (a Springer-Verlag imprint)
ISBN 0-387-02620-7

Copernicus was a Polish astronomer who observed that the Earth rotates on
its axis and revolves around the Sun.  That knowledge was absolutely
heretical at the time.

Bruce Schneier is a security guru who generally preaches common sense (a
common theme in RISKS, although common sense is apparently surprisingly
uncommon overall).  In our time, common sense may seem absolutely heretical
to people other than those of us who try to practice it.  Fortunately, RISKS
readers seem to be much more aware than nonreaders.  For those of you who
think you believe in common sense, this book will strongly reinforce your
beliefs — and will do so quite entertainingly.  On the other hand, those
who do not actually practice what we preach here had better read Bruce's
book very carefully.

CFP: RFID Privacy and Security Workshop @ MIT

<"Simson L. Garfinkel" <>>
Wed, 13 Aug 2003 20:05:19 -0400

Saturday, 15 Nov 2003, 10am - 4pm, Bartos Theater, MIT Media Lab, 20 Ames St.

Radio Frequency Identification technology is fast becoming a lightning rod
for consumer privacy activists.  Is RFID destined to become the enabling
technology for massive state-sponsored surveillance, Big Brother's
"call-home" chip?  Or is RFID really nothing more than a supply-chain
management technology, its dangers being over-hyped by alarmists who
fundamentally misunderstand the technology?  One thing is sure: in the
absence of strong data, decisions are being made and the public is either
being poorly informed or intentionally misled.

Last year Benetton pulled back from a previously-announced RFID trial after
a consumer group announced a global boycott of the clothing manufacturer.
Can pressure from consumer groups effectively prevent the introduction of
RFID technology, or were other matters at work behind the scenes?

The goal of the RFID Privacy Workshop is to bring together RFID
technologists, boosters, critics, privacy activists and journalists
covering the space to establish some technical truths and a creating a
framework for understanding the growing body of RFID policy issues.

To register online and/or submit a paper by 15 Sep 2003, see

Please report problems with the web pages to the maintainer