A grid overload just after 4pm EDT knocked out power in NY City, Boston, Cleveland, Detroit, Toronto, and Ottawa, among many other cities, and spanning New York, New Jersey, Vermont, Connecticut, Pennsylvania, Ohio, Michigan, Ontaria, and parts of Quebec. Much of midtown NYC and Wall Street were shut down. At least 10 major airports, causing schedule problems across the country and abroad. Nine nuclear power plants were shut down. Landline phones and cell circuits were severely affected, with extensive traffic saturation even where battery backups were available. At least 50 million people were affected. 800 trapped-in-elevator rescues. For a while, a lightning strike on the US side of Niagara Falls was reportedly the trigger, and then attributed to a fire, although this morning the exact cause is still mysterious -- with one power expert suggesting "somewhere in the midwest". Terrorism is ruled out, but not apparently not yet cyberactivity. All this supposedly happened in nine seconds, and yet the cause is still unclear! (My summary is of course *not* a definitive report.) Once again this should certainly be instructive from a RISKS point of view. Despite the experience gained from past power-outage propagations, plus the unrelated but propagationally similar 1980 complete ARPAnet collapse and 1990 nationwide AT&T collapse, we still have a lot to learn. Each time we get a widespread effect of this nature, the people who keep saying that this kind of propagation is impossible get serious egg on their faces. Stay tuned for more detailed analyses and more discussion of what it takes to have seriously defensive/preventive design and implementation. One quote from New Mexico governor Bill Richardson is intriguing: "We're a superpower with a Third World grid." [Date: field corrected in archive. Woops! PGN]
A pilot personally fixed a faulty plane stranded on Spain's Balearic island of Menorca before getting weary British tourists to vote on whether they wished to be flown home aboard the repaired jet. The incident occurred on 8 Aug 2003 after a Boeing 757 run by British tour operator MyTravel was found to have a faulty onboard computer that insisted the aircraft was airborne when it was in fact parked on the tarmac. Covered in oil after resetting a sensor in the aircraft's nosewheel, the pilot asked passengers gathered in the airport's terminal to raise their hands if they wished to board the plane. In the end, only 13 of nearly 200 tourists decided to stay put. [Source: AFP, 12 Aug 2003, from *The Times* (London); PGN-ed]
ATM swipe-and-snap scam netted A$620,000, court told Leonie Lamont, 12 Aug 2003, *Sydney Morning Herald*, 12 Aug 2003; PGN-ed http://www.smh.com.au/articles/2003/08/11/1060588322961.html [$A620,000 is about $US400,000.] In the first case of its kind in Australia, a man has pleaded guilty to defrauding more than A$623,000 from bank customers by electronically spying on them while they used ATMs. Kok Meng Ng, 29, a Malaysian, admitted in the District Court yesterday to taking part in an elaborate scheme in which an electronic skimming device and pin-head camera were planted in 36 ATMs in Sydney. The skimming devices read the data on the magnetic stripe on customer's cards, while the camera recorded the PINs as they were punched in, beaming a signal that could be received up to 400 metres away. On 64 occasions between May 2001 and November last year, Ng, who was in Australia on successive tourist visas, transferred amounts of less than A$10,000 to overseas accounts. Amounts over A$10,000 must be reported by financial institutions. The court heard that among the incidents, the scam was conducted on 15 Oct 2002 on a St George ATM in Darlinghurst, a Westpac machine in Bondi Junction a day later, and, four days later, on a Commonwealth Bank ATM in Chatswood. The prosecutor, Sunil de Silva, said Ng was part of a gang that raided the bank accounts of 315 people, generally withdrawing less than A$1000. Ng also pleaded guilty to federal charges under the Financial Transactions Act. The federal charges carry a maximum five year jail term, and the computer crime charges a three year term. ... John Colville, Dept of Computer Systems, University of Technology, Sydney AU PO Box 123, Broadway NSW Australia 2007 +61-2-9514-1854 email@example.com
A virus-like computer attack expected to infect hundreds of thousands of computers worldwide is programmed to direct all infected computers to attack the security-related Microsoft Web site www.windowsupdate.com, used by millions of Microsoft users each week. The worm, variously called LoveSan, Blaster and MSBlaster, is apparently similar in structure to the Code Red virus that affected 300,000 computers two years ago; it targets a flaw in Microsoft Windows operating systems, and is considered to be a worm type of virus because it doesn't require computer users to open an e-mail attachment or take any other action to spread automatically from computer to computer. Home computer users who leave computers constantly online to the Internet through DSL or cable are among those most at risk. [*San Jose Mercury News 11 Aug 2003; NewsScan Daily, 12 Aug 2003] http://www.siliconvalley.com/mld/siliconvalley/6511962.htm
Blaster Worm Analysis Release Date: 11 Aug 2003 Severity: High Description: The Blaster worm uses a series of components to successfully infect a host. The first component is a publicly available RPC DCOM exploit that binds a system level shell to port 4444. This exploit is used to initiate a command channel between the infecting agent and the vulnerable target. Once the target is successfully compromised, the worm transmits the msblast.exe executable (the main body of the worm) via TFTP to infect the host. The payload used in the public DCOM exploit, as well as the TFTP functionality, are both encapsulated within msblast.exe. http://www.eeye.com/html/Research/Advisories/AL20030811.html
CERT Advisory CA-2003-20 W32/Blaster worm Original issue date: August 11, 2003 Last revised: August 12, 2003 Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Microsoft Windows NT 4.0 * Microsoft Windows 2000 * Microsoft Windows XP * Microsoft Windows Server 2003 Overview The CERT/CC is receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface. I. Description The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026. Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com. We are investigating the conditions under which this attack might manifest itself. Unusual or unexpected traffic to windowsupdate.com may indicate an infection on your network, so you may wish to monitor network traffic. Sites that do not use windowsupdate.com to manage patches may wish to block outbound traffic to windowsupdate.com. In practice, this may be difficult to achieve, since windowsupdate.com may not resolve to the same address every time. Correctly blocking traffic to windowsupdate.com will require detailed understanding of your network routing architecture, system management needs, and name resolution environment. You should not block traffic to windowsupdate.com without a thorough understanding of your operational needs. We have been in contact with Microsoft regarding this possibility of this denial-of-service attack. ... http://www.cert.org/advisories/CA-2003-20.html
A Bugtraq user has already pointed out that a worm has been discovered in the wild that exploits the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (Bugtraq ID 8205) to infect host systems. Symantec has been tracking its activity and is currently conducting analysis/full disassembly of the malicious code, which has been named "Blaster". The results of our analysis are being made available to the public at the following location: https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf It is expected that this report will be updated frequently as more information is discovered. Readers are advised to download/refresh it throughout the day to ensure that any new information is not missed. David Mirza Ahmad, Symantec
The FBI is investigating the origin of the malicious computer program Blaster (also known as MSBlaster and LoveSan), which has already wormed its way into more than 250,000 Internet-connected computers running Windows software. Blaster has been infecting computers in organizations of every kind (e.g, CBS, the Senate, and the Federal Reserve Bank of Atlanta) -- in spite of the fact that computer experts say it's not well-written software. Dan Ingevaldson of Internet Security Systems Inc. warns: "A better version of this worm wouldn't crash any machines; it would work correctly every time, move faster, and delete or steal its victims' files." [*The Washington Post*, 14 Aug 2003; NewsScan Daily, 14 Aug 2003] http://www.washingtonpost.com/wp-dyn/articles/A56071-2003Aug13.html
In http://catless.ncl.ac.uk/Risks/22.84.html#subj11.1 Peter Neumann speculates: "And when it is *fully* automated, think of how wonderful it will be to have new Trojan horses and security flaws installed instantaneously, without having to require human intervention.". Even without Trojan horses and security flaws, it introduces yet another point of failure into the system, as evidenced by the "Blaster" worm. According to a New Scientist article "Computer worm attacks software patch server" http://www.newscientist.com/news/news.jsp?id=ns99994046 : After infecting a vulnerable computer, the worm is programmed to send a volley of bogus traffic to Microsoft's software update service, windowsupdate.com on 16 August. If enough machines are infected this will overwhelm the site, preventing system administrators from using it to download the software patches needed prevent other machines being infected. "It's an extremely devious trick by Blaster's author," says Graham Cluley, of UK anti-virus company Sophos. "Blaster attempts to knock Microsoft's windowsupdate.com Web site off the Internet."
Although this example comes from biology rather than computers, I think it helps to point out the problem of hidden risks and the value of questioning assumptions. Basically, a researcher was working on a study that showed a strong link between cholesterol and an Alzheimer's like disease in rabbits -- until he changed the location of his lab. Sparks has been working with rabbit models of Alzheimer's for years. "Every time I ever fed a bunny cholesterol, I got Alzheimer's pathology," he said. That is, until he moved to the Sun City lab. "I said, 'Something is wrong. I go down into the vivarium (where lab animals are kept) and the first thing I see is the wall being lined with big blue bottles."' It turns out the rabbits there were given distilled water, while all the other research animals Sparks had worked with got tap water. He analyzed the tap water from previous labs and found it contained copper. When the rabbits at Sun Health were fed tap water, they also developed Alzheimer's symptoms. When Sparks added copper to the distilled water and gave the rabbits cholesterol, they also developed Alzheimer's-like symptoms and brain lesions. http://asia.reuters.com/newsArticle.jhtml?type=healthNews&storyID=3258703 Just as in biological systems, computers and computer networks are very complex and sometimes the variables are well hidden.
Another refinement of the "please click this link and log into your financial Web site" scam. This morning I got one purporting to be from Westpac Australia. Obviously a fraud, since (a) legitimate institutions don't do business that way, and (b) I don't have an account with them. But it still took me a moment to see how this one worked. The link given in the e-mail purported to be "https://olb.westpac.com.au" (Westpac's online banking site). I was curious to see how this one worked, so I did what I usually do with such hoaxes and ran the mouse over it. I expected to see a completely different URL show up in the status bar, or perhaps something along the lines of "...firstname.lastname@example.org" and was rather surprised to see what looked to be a genuine Westpac URL, differing only in being HTTP rather than HTTPS: http://olb.westpac.com.au/ -- which, although unencrypted, would still be owned by Westpac. In fact, on looking closer, the _real_ URL is: http://olb.westpac.com.au%20%20%20%20%[lots more space characters snipped] :UserSession%3D2f4d0zzz899amaiioiiabv5589955&userrstste %3DSecurityUpdate&StateLevel%3DCameFrom@european.website29.ebizdns.com/ The spaces ensure that the interesting bits in the link don't show up onscreen, and since one doesn't expect to see spaces in URLs it wasn't something I'd expected. (And yes, I missed the ... on the RHS of the bar that indicated that there was more to follow). AFAICT, the http/s mismatch is simply sloppiness on the culprit's part rather than a necessary part of the scam. I can't be the first to point this out, but: having a character that is visually indistinguishable from the absence of a character is in itself a risk. Perhaps it would be useful for URL-display and similar outputs to use a visible character to indicate spaces, as can be done with word-processors?
Earlier this evening I received a message in my in-box advertising an organic compound which, allegedly, would increase the dimensions of a particular body part. Such unsolicited messages are quite commonplace these days and a quick perusal of the message header revealed nothing especially interesting about the message. What did surprise me, though, was the sender's choice of a falsified return address from the americanexpress.com domain. Knowing financial institutions are very sensitive to misuse of their names I forwarded a copy to "email@example.com" with a self-explanatory subject and a concise, one-line description of what the message was and I why I had forwarded it. I received the following automated reply (unimportant headers removed): > Date: Sat, 09 Aug 2003 03:17:53 -0700 > From: firstname.lastname@example.org > To: "Aryeh Goretsky" <email@example.com> > > Subject: Inappropriate Language Notification > > A communication sent from your e-mail account was > intercepted and quarantined because it contained language > deemed inappropriate for business communications. If > you feel your message was quarantined in error, > please contact the intended recipient. > > Sender: Aryeh Goretsky <firstname.lastname@example.org> > Subject: spam sent with forged address > Date: 08/09/2003, 03:17:53 AM > Policy: Inappropriate Language As someone who provided technical support in the security field for a long time I regularly received messages with "inappropriate" language in them, usually in the form of messages contained in computer viruses, worms and the like. As a security professional, I *needed* to know the exact message as it appeared on-screen or embedded in a program in order to help isolate and identify the problem. Frankly, the idea of *not* being able to gather this information because that someone, somewhere might see "inappropriate" language floored me. I understand that large companies such as American Express cannot afford to vet new IT hires, let alone existing ones, for a good organizational fit which among other things includes not being offended by "inappropriate" language, but the idea that someone whose job responsibilities may require viewing such information and not being able to see it strikes me as willful misconduct by whatever employee(s) came up with such a policy in the first place. Perhaps organizations which perform such filtering should provide staff whose job requirements required them to receive messages containing "inappropriate" language with a waiver. In the meantime, I can't help but wonder what would happen if someone defaced one of American Express's web servers with a message containing "inappropriate" language and none of their IT or security staff were able to coordinate a response due to their internal communiques being rejected. The *RISKS* seem obvious. [... but not surprising. I have had so many such requests to sites bounced for similar reasons. PGN] [True, but I assume (with all problems thereof) a higher level of accountability from the security/fraud unit of a financial institution. AG]
I found this link to an article about Denver's "Internet Student Information System," which offers parents (or anyone with a userid/password combo) to view their children's (targets'?) whereabouts, grades, disciplinary records, and demographic info online. http://www.denverpost.com/Stories/0,1413,36~53~1569401,00.html Teachers enter class attendance data into the system at the beginning of each class, and "Almost on an hourly basis, a parent can find out if their child is in a particular class. Most schools will stick to updating attendance two or three times a day." "While the systems differ, they share a concern for security with school-issued user IDs and passwords. " "If [parents] want to participate, they must take a photo ID to the school and then they are given a user ID and personal password. They have access only to their children's information." Sounds really secure, no? No word on the form of userid or password, or how to change the password, etc., standard RISKs apply. Near the end of the article, security and privacy issues are given a brief note: "Like Castagna at Lakewood High, Bailey said no concerns have been raised about privacy, and nobody's information has been hacked. David Craven, Cherry Creek's director of instructional technology, said the systems use the same safeguards as online banking. "People have an expectation to get general information on the Web. It's just part of their lives." "The value is contingent on how secure the database is," said Stephen Keating, director of the Privacy Foundation at the University of Denver. "If the school district thinks they've got it protected so that only the parents or the student can get access to that student's information, then it sounds viable." But, he cautioned, "just because you think it's secure doesn't mean it is." Mark Silverstein, legal director of the American Civil Liberties Union in Denver, said, "If the information is only available to the parents of a student, I don't see what the concern is about privacy." I'll take a brief quote from that to look at again: "If the school district thinks they've got it protected so that only the parents or the student can get access to that student's information, then it sounds viable." Um, shouldn't the district KNOW they've got it protected? Shouldn't they be actively trying to crack the system? Maybe they can ask some of their brighter 10th graders to try--that would probably open up some interesting discussion when the results became known. Anyone want to take a bet on how many Mountain Dews it takes to crack this one? David W. Brunberg, Engineering Supervisor, The F.B. Leopold Company, Inc., 227 South Division Street, Zelienople PA 16063 (724) 452-6300
According to a CNN article http://www.cnn.com/2003/EDUCATION/08/12/classroom.cameras.ap/index.html the Biloxi, Mississippi school district has put cameras in all of its classrooms. The project was funded by casino revenues. Pictures taken by the cameras are viewable on the Internet. If the article is correct, and the images really are accessible from anywhere on the Net, the risks of others viewing the pictures is real. The article does not give much motivation for installing the cameras. It states, "[Deputy superintendent] Voles said the camera installation is a precaution, and that students and teachers have said they feel safer." The potential for abuse and the potential chilling effect on the classroom is left as an exercise for the reader. I wonder, might the introduction of these cameras perhaps backfire, attracting those who seek publicity, since they are guaranteed a record of their activities? Carl Alphonce, Dept of Computer Science and Engineering University at Buffalo, Buffalo, NY 14260-2000
Beyond Fear: Thinking Sensibly about Security in an Uncertain World Bruce Schneier Copernicus Books (a Springer-Verlag imprint) ISBN 0-387-02620-7 http://www.schneier.com/bf.html Copernicus was a Polish astronomer who observed that the Earth rotates on its axis and revolves around the Sun. That knowledge was absolutely heretical at the time. Bruce Schneier is a security guru who generally preaches common sense (a common theme in RISKS, although common sense is apparently surprisingly uncommon overall). In our time, common sense may seem absolutely heretical to people other than those of us who try to practice it. Fortunately, RISKS readers seem to be much more aware than nonreaders. For those of you who think you believe in common sense, this book will strongly reinforce your beliefs -- and will do so quite entertainingly. On the other hand, those who do not actually practice what we preach here had better read Bruce's book very carefully.
RFID PRIVACY AND SECURITY -- WORKSHOP @ MIT -- CALL FOR PARTICIPATION Saturday, 15 Nov 2003, 10am - 4pm, Bartos Theater, MIT Media Lab, 20 Ames St. Radio Frequency Identification technology is fast becoming a lightning rod for consumer privacy activists. Is RFID destined to become the enabling technology for massive state-sponsored surveillance, Big Brother's "call-home" chip? Or is RFID really nothing more than a supply-chain management technology, its dangers being over-hyped by alarmists who fundamentally misunderstand the technology? One thing is sure: in the absence of strong data, decisions are being made and the public is either being poorly informed or intentionally misled. Last year Benetton pulled back from a previously-announced RFID trial after a consumer group announced a global boycott of the clothing manufacturer. Can pressure from consumer groups effectively prevent the introduction of RFID technology, or were other matters at work behind the scenes? The goal of the RFID Privacy Workshop is to bring together RFID technologists, boosters, critics, privacy activists and journalists covering the space to establish some technical truths and a creating a framework for understanding the growing body of RFID policy issues. To register online and/or submit a paper by 15 Sep 2003, see http://www.rfidprivacy.org/
Please report problems with the web pages to the maintainer