The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 91

Thurs 18 September 2003

Contents

VeriSign's Site Finder profits from typos
NewsScan
VeriSign change to .com/.net behavior
Matt Larson via Monty Solomon
VeriSign DNS change broke my HP printer
John Leyden via Lindsay Marshall
London blackout caused by incorrect relay fitting
Phil Thornley
Lockheed Martin accident with satellite
Gerrit Muller
Craig S. Bell
E-Voting Audit Ready for Public
Kim Zetter via Monty Solomon
Instant message: you're under arrest
NewsScan
Yahoo requests ATM card pin nos.!!
Chris J. Brady
Utterly amazing spam/scam?
Drew Dean
How to Steal $65 Billion: Why Identity Theft is a Growth Industry
Robert X. Cringely via Dave Farber
Dave Barry column results in denials of service to telemarketers
Max
Cehck tihs out!
Jim Schindler
Call for papers: IWIA 2004
Stephen D.B. Wolthusen
REVIEW: "Desktop Witness", Michael A. Caloyannides
Rob Slade
Info on RISKS (comp.risks)

VeriSign's Site Finder profits from typos

<"NewsScan" <newsscan@newsscan.com>>
Tue, 16 Sep 2003 09:22:06 -0700

Internet registrar VeriSign has launched a new service, Site Finder, that
offers users who mistype a URL a list of alternative Web sites that they
might be trying to reach. Several ISPs do the same thing -- most notably AOL
and MSN -- but critics say that because VeriSign controls the directory
computers for ".com" and ".net" names, they could easily reroute all queries
to Site Finder. "We put so much of our research into developing this AOL
search result page," says an AOL spokesman. "We are reviewing our potential
options. We are strongly opposed to them interjecting themselves into our
members' search experience." Site Finder's suggestions include both standard
search results and pay-for-placement advertisements, which are identified as
such. But while VeriSign VP Ben Turner says the new service is designed to
"improve overall usability of the Internet," Danny Sullivan, editor of
Search Engine Watch, warns that Site Finder's capabilities could also be
abused -- by directing users only to pay-for-placement sites, for
instance. Meanwhile, the new service provides a much-needed new revenue
stream for the Internet registrar. "Right now, VeriSign's business is not a
growing business, and anything that they do to add the slightest amount of
growth is going to be positive," says an analyst with U.S. Bancorp Piper
Jaffray.  [AP 15 Sep 2003; NewsScan Daily, 16 September 2003]
  http://apnews.excite.com/article/20030915/D7TJ2U5O0.html

  [This move by VS has caused huge reactions within the Internet community.
  We include just a few items here from among what is available on the Net,
  as a sample.  The list of reasons why this is a very foolish move by VS is
  enormous.  Apparently, the folks who really should have known that this
  was going to happen did not, and were blindsided.  DNS disablers are being
  developed to circumvent the VS strategy, but the net results are ugly.
  See the People For Internet Responsibility (PFIR) statement by Lauren
  Weinstein, PGN, and Dave Farber:
    http://www.pfir.org/statements/vs-domain-abuse
  PGN]


VeriSign change to .com/.net behavior

<Matt Larson (via Monty Solomon)>
Mon Sep 15 19:32:04 2003

  [http://www.merit.edu/mail.archives/nanog/msg13603.html]

Today VeriSign is adding a wildcard A record to the .com and .net zones.
The wildcard record in the .net zone was activated from 10:45AM EDT to
13:30PM EDT.  The wildcard record in the .com zone is being added now.  We
have prepared a white paper describing VeriSign's wildcard implementation,
which is available here:
  http://www.verisign.com/resources/gd/sitefinder/implementation.pdf

By way of background, over the course of last year, VeriSign has been
engaged in various aspects of Web navigation work and study.  These
activities were prompted by analysis of the IAB's recommendations regarding
IDN navigation and discussions within the Council of European National
Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the
.biz and .us top-level domains.  Understanding that some registries have
already implemented wildcards and that others may in the future, we believe
that it would be helpful to have a set of guidelines for registries and
would like to make them publicly available for that purpose.  Accordingly,
we drafted a white paper describing guidelines for the use of DNS wildcards
in top-level domain zones.  This document, which may be of interest to the
NANOG community, is available here:
  http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf

Matt Larson <mlarson@verisign.com>
VeriSign Naming and Directory Services


VeriSign DNS change broke my HP printer (John Leyden)

<"Lindsay Marshall" <Lindsay.Marshall@newcastle.ac.uk>>
Wed, 17 Sep 2003 12:48:37 +0100

http://www.theregister.co.uk/content/6/32872.html

VeriSign DNS change broke my HP printer, By John Leyden, *The Register*,
17 Sep 2003

LettersReg readers have plenty of say about VeriSign's controversial move to
direct surfers who get lost on the Web to a search site run by the company.
Our coverage provoked a large number of letters, almost all hostile, about
Versign's audacious typo-squatting land grab:

  "All your Web typos belong to us"

Martin Ward is the first to fire brickbats at the company, which Reg readers
have rechristened as "VeriSlime".

VeriSign are essentially "squatting" on every unregistered domain name, and
using them for profit.  How many trademarked names does that include? What
are the fines for squatting on just *one* trademark for commercial
exploitation?

Roger Thomas worries about the implications if other DNS providers adopt
VeriSign's tactics.

That's a worrying article, and just thinking about the issues raised I can
see the following:

1) If it's good enough for VeriSign to mess about with the root servers I
   can see other DNS providers doing the same, by redirecting users to their
   own systems.

2) This will poison DNS servers across the world as they will end up caching
   the SOA records created by VeriSign for these 'dynamic' DNS entries.
   While the time to live on these records is short, real entries will be
   dropped as the junk entries are added to the database. There is now a new
   DNS attack were nodes on the Internet create vast numbers of random DNS
   look up requests so clearing the DNS caches of all the DNS servers they
   access.

[...]


London blackout caused by incorrect relay fitting

<Phil Thornley <phil.thornley@baesystems.com>>
Thu, 11 Sep 2003 11:00:28 +0000

Britain's biggest blackout for 25 years, which plunged large parts of London
into darkness, was the result of a one-amp fuse being fitted in place of a
five-amp fuse at a substation.

*The Guardian*, 11 Sep 2003:
  http://www.guardian.co.uk/transport/Story/0,2763,1039722,00.html
The full report is available at:
  http://image.guardian.co.uk/sys-files/Guardian/documents/2003/09/10/
  London28082003.pdf

  [An off-er they could not re-fuse!  PGN]


Lockheed Martin accident with satellite

<Gerrit Muller <gerrit.muller@embeddedsystems.nl>>
Thu, 11 Sep 2003 08:35:56 +0200

Goddard Space Flight Center: Earth Science Missions Anomaly Report:
  GOES/POES Program/POES Project: 6 Sep 2003
  http://www.spaceref.com/news/viewsr.html?pid=10299

As the NOAA-N Prime spacecraft was being repositioned from vertical to
horizontal on the "turn over cart" at approximately 7:15 PDT on 6 Sep 2003,
it slipped off the fixture, causing severe damage.  The 18' long spacecraft
was about 3' off the ground when it fell.  The mishap was caused because 24
bolts were missing from a fixture in the "turn over cart".  Two errors
occurred.  First, technicians from another satellite program that uses the
same type of "turn over cart" removed the 24 bolts from the NOAA cart on
September 4 without proper documentation.  Second, the NOAA team working
today failed to follow the procedure to verify the configuration of the NOAA
"turn over cart" since they had used it a few days earlier.

IMPACT ON PROGRAM/PROJECT AND SCHEDULE: The shock and vibration of the fall
undoubtedly caused tremendous damage.  Significant rework and retest will be
required.  NOAA-N Prime is planned for launch in 2008.

CORRECTIVE ACTION: Lockheed Martin formed an Accident Review Team in which
GSFC is participating.  The immediate actions concern safety (preventing the
spacecraft from rolling, discharging the batteries, and depressurizing the
propulsion system).  NOAA-N Prime is under guard, all records have been
impounded, and the personnel interviewed.  After the safety issues are
addressed, attention will focus on assessing the damage to NOAA-N Prime.


Lockheed Martin accident with satellite

<"Craig S. Bell" <craig@runbox.com>>
Wed, 17 Sep 2003 02:40:22 GMT

So, Lockheed Martin dropped my satellite!  [I say "my" because I reckon that
my U.S. tax dollars are paying for NOAA equipment.]

Under-construction satellite drops to floor in mishap:
  http://www.sfgate.com/cgi-bin/article.cgi
  ?file=/news/archive/2003/09/09/state1637EDT0153.DTL

Risks: Never move anything worth $239M (regardless of it's technological
complexity, or overall robustness) without first making sure that you can do
so without utterly dropping it!  I imagine that it would be relatively easy
to check for the presence or absence of a few load-bearing bolts beforehand.

Also, because the poor thing was energized, they can't even go examine it to
see how bad the damage is.  It may be a number of days before we truly know
the effects of dribbling satellites.  Somebody is going to get a bad
performance review this year.

There is a purportedly exclusive photograph on Effed Company (most of you
know the site I mean).  I would include the link; but, I know that this
would merely be filter-bait. =-) The photo can be easily found on the front
page.

Just how many companies are there building satellites these days?  Could a
relative lack of competition have anything to do with it; or, is the market
healthy?  This can't be good for business (even if the customer just awarded
you some extra rocket launches that were surrendered by your misbehaving
competitor).


E-Voting Audit Ready for Public

<"monty solomon" <monty@roscom.com>>
Thu, 18 Sep 2003 11:54:08 -0400

By Kim Zetter, Wired.com, 18 Sep 2003

A security audit ordered by Maryland Gov.  Robert Ehrlich on Diebold
Election Systems' touch-screen voting machines is complete, and a version of
it is ready for public consumption.

Shareese DeLeaver of the governor's office said the 200-page report has been
shown to Diebold officials and is now being reviewed by the state's
Department of Budget and Management and the State Board of Elections.  The
report was commissioned by the governor after researchers at Johns Hopkins
University and Rice University discovered serious security flaws (PDF) in
code for the AccuVote-TS voting terminals.

A redacted version of the report, with information useful to malicious
crackers taken out, will be available on the state's Web site Friday or early
next week.  The severity of Hurricane Isabel and the amount of energy the
governor's office must devote to recovery from the storm will determine the
timing of the report's posting.

Last month Gov. Ehrlich charged Science Applications International, or SAIC,
in San Diego with conducting the audit before the state would proceed with a
$55.6 million purchase and servicing contract for Diebold's electronic
voting machines.  Ehrlich said it was imperative the government ensure the
integrity of the election process by conducting "a thorough, fully
independent review of the Diebold system."

Diebold has maintained that its system has no security vulnerabilities.  ...
  http://www.wired.com/news/technology/0,1282,60486,00.html


Instant message: you're under arrest

<"NewsScan" <newsscan@newsscan.com>>
Thu, 18 Sep 2003 09:00:30 -0700

The investigation of a Wall Street trading scandal (in which a former Bank
of America broker has been charged with grand larceny and securities fraud)
is the first case that has used a chain of evidence derived from the instant
messaging records of licensed brokers and dealers.  Instant messaging (IM)
systems are now widely used on Wall Street and to a large extent have
replaced traditional e-mail.  One attorney who consults on electronic
communications said a New York Stock Exchange executive's question about
instant messaging was: "Wait a minute, is that what my 13-year-old daughter
uses at home?"  The answer: "I said yes -- and your traders."  [*USA Today*,
18 Sep 2003; NewsScan Daily, 18 Sep 2003]
  http://www.usatoday.com/tech/techinvestor/techcorporatenews/
  2003-09-18-ims_x.htm


Yahoo requests ATM card pin nos.!!

<chris.j.brady@britishairways.com>
Wed, 17 Sep 2003 13:06:41 +0100

There's a scam e-mail going round purporting to come from Yahoo. It is a
bulk e-mail stating that anyone with a Premium Account (that is one where you
pay by credit card for extra e-mail storage) needs to update their account
details or else the account will be closed. The e-mail links to the following
page: http://yahoo-wallet.com/ When you click on the link you get a form
requesting your:

Yahoo E-mail address,
Password,
First Name,
Last Name,
ZIP code,
Debit or Credit Card no,.
Expiration Date AND -
Debit / ATM Pin. no. <==== NOTE THIS !!

The form has the Yahoo logo and appears innocuous, but .... why do they
want passwords and pin nos.?

The risks are obvious - but this e-mail is either the most stupidest yet and
if it comes from Yahoo then they have learned nothing about such scams in
the years that they have they been in the Internet business. And if it is a
scam then it is the most blatant fraud on the Internet yet. Of course e-mail
to abuse@yahoo.com remain ignored.


Utterly amazing spam/scam?

<Drew Dean <ddean@csl.sri.com>>
Thu, 11 Sep 2003 17:03:37 -0700 (PDT)

I've recently received 2 spams from the same people.  In one message,
they offer: (1) heroin, (2) "Tomohawk" [sic] rockets, (3) cocaine,
(4) (sex) slaves, (5) counterfeit currency, and (6) child pornography,
among other commodities.  Their "special offers" are rather beyond belief,
too.

The mail itself appears to have been sent from Japan, based on Received:
headers added by SRI's mailservers.  (Or they're perfect forgeries, which is
extremely unlikely for reasons I won't go into here.)  The URL in the
message goes to a Web site for which the whois database gives contact info
in Thailand, but the server itself physically appears to be in Florida (at
least according to traceroute).  (Why I am not surprised that these people
are downstream from Global Crossing?)  Tracking down contact e-mail info
takes a detour via Latin America, but would seem to eventually end up in
Missouri, although with Arizona contact information.  There's a US toll-free
number to call the spam-list manager, and a mailing address in Florida.

Now, I can't imagine anyone actually responding to this: (1) it could
be a sting operation, although that's kind of hard to imagine.  "Your
Honor, I didn't really expect a missile, but I wanted to see what
they'd send me instead...." (2) As you'd be committing a felony, you
can't go to law enforcement if the deal goes wrong, hence the
prevalence of violent crime among criminals.  However, this requires
that you be able to find the other party....

It's also worth noting that the price of illegal narcotics depends
greatly on where you are in the world: smugglers demand risk pay.
It's not at all clear where these people are offering delivery.

Meta-RISK: How many e-mail filters will this message trip?

Drew Dean, Computer Science Laboratory, SRI International


How to Steal $65 Billion: Why Identity Theft is a Growth Industry

<Dave Farber <dave@farber.net>>
Sat, 13 Sep 2003 08:51:35 -0400

  [excerpt from an article by Robert X. Cringely, PGN]

Recently my mail was stolen. It wasn't supposed to be stolen, which is a
given, but it also wasn't supposed to be able to be stolen because I was
out of town for two weeks and had the Post Office hold my mail. Only it
turns out that in Santa Rosa, California at least, holding mail means
different things to different mail carriers. Someone -- a substitute
carrier I'm told -- saw that big old pile of mail down at the post office
(the pile with the big "vacation hold" sign above it) and thought what the
heck I'll just deliver that mail anyway. And so they did. That big old pile
of mail sat in my big old mail box on my little old country road under a
walnut tree and across from a pond and sometime in the next few days it was
stolen. The only reason I know any of this is because a neighbor eventually
found some of my mail and some of a lot of other people's mail strewn along
the road like errant unmarked bills after a bank heist.

Here is something you probably didn't know. If you have the Post Office
hold your mail and they do something stupid like NOT hold it for some
reason, as happened to me, you have no recourse.  [...]
  <http://www.pbs.org/cringely/pulpit/../index.html>


Dave Barry column results in denials of service to telemarketers

<Max <max7531@earthlink.net>>
Thu, 11 Sep 2003 12:51:03 -0700

Dave Barry column gives telemarketers headaches, 11 Sep 2003
http://www.thekcrachannel.com/news/2474750/detail.html

Now it's the telemarketers who are refusing to answer their phones, thanks
to a weekend column by *Miami Herald* columnist Dave Barry.  The American
Teleservices Association was targeted by Barry in his 31 Aug 2003 column.
Barry urged readers to call the ATA and "tell them what you think" about
telemarketers.  Thousands have done so, forcing the association to stop
answering its phones.  Callers now hear a recording, which says that because
of "overwhelming positive response to recent media events, we are unable to
take your call at this time."  ATA director Tim Searcy said the added calls
will be costly to his group because of toll charges and staffing issues.
Barry's only response is to sarcastically say he feels "just terrible,
especially if they were eating or anything."
  [American Teleservices Association: (877) 779-3974]


Cehck tihs out!

<Jim Schindler <Jimschin@pacbell.net>>
Wed, 17 Sep 2003 10:44:28 -0700

Cehck tihs out.

Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in
waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht
the frist and lsat ltteer be at the rghit pclae.
The rset can be a total mses and you can sitll raed it wouthit porbelm.
Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but
the wrod as a wlohe. Amzanig huh?

  [This has been circulating around the Net.  I'm not sure wehre it
  orginitaed.  Apogolies to nonEgnilsh sepakres.  PGN]


Call for papers: IWIA 2004

<wolt@igd.fhg.de (Stephen D.B. Wolthusen)>
Tue, 16 Sep 2003 19:57:03 +0200

Call for Papers, Second IEEE International Information Assurance Workshop
8-9 April 2004 -- University of North Carolina at Charlotte, NC, USA

 Sponsored by the IEEE Computer Society Task Force on Information Assurance
                          in cooperation with the
        ACM Special Interest Group on Security, Audit, and Control

Full paper submissions due: October 10th, 2003
Full CfP as well as PostScript and PDF versions of the call:
  http://www.iwia.org/2004/
Accepted papers will be published by IEEE Press in a proceedings volume.
Program Chair, Stephen D. Wolthusen, Fraunhofer-IGD, Fraunhoferstr. 5,
64283 Darmstadt GERMANY Tel +49 (0) 6151 155 539 | Fax: +49 (0) 6151 155 499


REVIEW: "Desktop Witness", Michael A. Caloyannides

<Rob Slade <rslade@sprint.ca>>
Tue, 9 Sep 2003 12:27:44 -0800

BKDSKWTN.RVW   20030819

"Desktop Witness", Michael A. Caloyannides, 2002, 0-471-48657-4
%A   Michael A. Caloyannides
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-471-48657-4
%I   John Wiley & Sons, Inc.
%O   416-236-4433 fax: 416-236-4448
%P   366 p.
%T   "Desktop Witness: The Do's and Don'ts of Personal Computer Security"

The title and the subtitle of this book are somewhat at odds.  Is this text
about the evidence that can be extracted from desktop machines?  Or is it
about protecting yourself and your personal computer or information?
Caloyannides would seem to be making the point that the answer is both: that
there is an overwhelming need to ensure that your computer isn't finking on
you, and that you must make every effort to ensure that the government
cannot obtain the information on your desktop.  While he is clearly on the
personal side of the privacy versus national security debate, even those who
agree with him may find the arguments shrill and extreme.

The subtitle of chapter one; indicating that the material is the author's
opinion; should warn the reader that the discussion is editorial rather than
closely reasoned.  Caloyannides may, however, have hurt his own case by
taking an anarchistic and almost paranoid position in stating the need for
privacy against government encroachment.  He does make a number of valid
points, but misses other grounds that might have been convincing to a much
wider audience, such as the point that the responsibility of protecting your
own information is recognized in such legal areas as the difference between
patent and trade secret.  (A patent offers control over a device for a
limited time as long as the technology is disclosed, whereas a trade secret
offers protection for unlimited time as long as reasonable efforts are made
to protect the information from disclosure.)  The major point of chapter two
appears to be that the use of encryption could, in and of itself, land you
in trouble, and you should prepare to either hide the fact that encryption
is taking place, or have a diversionary explanation ready for the
authorities.  (The recommended use of one-time-pad technology and variant
keys is technically interesting, but is unlikely to survive beyond a first
use.  Ironically, it seems to support a point that the author made earlier:
"clever" tricks that rely on obscurity provide very poor protection.)  The
types of information that might be available from your computer, or Internet
connection, are discussed in chapter three.  The material ranges over a
number of topics and has a difficult structure: some points are raised more
than once and there are a number of related issues that are not mentioned at
all.  Means of recovering some of the data, and of getting rid of it, are
reported, but not consistently.

Chapter four lists a vast array of protective measures.  Most are very
useful.  Depending upon your situation, many will be considered overkill.
Some are questionable: Caloyannides makes a blanket recommendation to
install all operating system patches, but notes that doing so for some
versions of Windows requires you to give away a lot of information.  He does
not, though, detail the times that official patches have made the situation
worse rather than better, nor the complexity of some patches: by mid-2002
one expert noted that an effective installation of the Windows NT operating
system required twenty nine steps, including no less then three separate
installations of the latest service pack at different points.  Oddly, while
this section is supposed to review measures for computers not connected to
networks, some of the points relate to activities on the Internet.
Protection for connected machines is discussed in chapter five, with a heavy
emphasis on the usage of the PGP encryption system.  There is also an
interesting insistence that steganography *is* an effective means of hiding
communications: while Caloyannides points out a number of pitfalls in the
use of the technology he does not mention detection measures, such as the
ease of determining excessive entropy in the low-order bits of graphic
images used to hide files.  Secure telephony is discussed in chapter six.
The legal issues reviewed in chapter seven are mostly related to recent
legislation providing for additional search authority.  The author does
include material and actions from outside the United States.  The editorial
finish in chapter eight warns against a society where everything must be
homogenized in order to be safe.

In many places the book suffers from very poor copy editing.  There are a
great many instances of improper punctuation, sentence fragments, and words
or phrases dropped into apparently unrelated text.  Generally speaking one
can discern the meaning, but deciphering the organization and intention of a
section can be difficult.  (Given the thrust of the book, is the author
embedding hidden messages?)

While there are issues of general security in the book, it is, first and
last, about privacy, and primarily personal privacy.  The material could
have been structured more usefully, and written less stridently, but a great
deal of helpful content is included.  Those interested in privacy will find
it interesting, and computer forensic specialists may also find it to be a
handy reference.

copyright Robert M. Slade, 2002   BKDSKWTN.RVW   20030819
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

Please report problems with the web pages to the maintainer

Top