The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 48

Monday 9 August 2004

Contents

Kolwicz kicked out for submitting real election tests
via Susan Marie Weber
Image flaw pierces PC security
Keith A Rhodes
Windows Buffer Overflow Protection Programs: Not Much
Paul Robinson
Security Cavities Ail Bluetooth
Kim Zetter via Monty Solomon
Emoticon-interpreters create risks in instant messaging services
Dale Hawkins
First malicious program aims for handhelds
Keith A Rhodes
Two more Canadian Banks with computer software screwups
Bob Heuman
Top Australian banking sites vulnerable
NewsScan
Cable giants seek to dominate VoIP
NewsScan
Another airline outage
Jeremy Epstein
Two Million Scans Uncover 55 Million Instances of Spyware
Monty Solomon
Memory error paper
Laurent Guerby
Risks of automated calling systems
Jeremy Epstein
Internet voting in The Netherlands update
Joseph Kiniry
Re: The Mr Micawber Syndrome
Fernando Pereira
Re: Stolen: one-third of the world's software
Jurek Kirakowski
REVIEW: "Software Forensics", Robert M. Slade
Rob Slade
Info on RISKS (comp.risks)

Kolwicz evicted for submitting real tests (via Susan Marie Weber)

<alkolwicz@qwest.net>
Thursday, August 05, 2004 11:27 AM

> Date: Thu, 5 Aug 2004 14:30:13 -0700
> From: "SusanMarieWeber" <susanmarieweber@earthlink.net>
> Subject: Kolwicz kicked out for submitting real election tests

> This is message from Al Kolwicz.  I suspect that we are all going to face
> these problems during the next accuracy and logic testing of the voting
> machines before the November 2004 election.  Imagine having cops around to
> tell people to leave.  We must stop questioning authority?  I don't think
> so, NOW more than ever we need to keep asking these questions.

> Susan Marie Weber

Kolwicz kicked out for submitting real election tests

Al Kolwicz, official representative to Boulder County's test of its new vote
counting system, was asked by County Clerk, Linda Salas, to leave the test.
When asked what happened, Kolwicz said, "we submitted sample ballots to test
the security and accuracy of the county's new vote counting system."

The sample ballots included tests such as - (a) what happens if a voter
circles the box rather than filling in the entire box with a black pen, and
(2) what happens if a voter marks over the ballot serial number in hopes
that this will make the ballot secret.  (Boulder County's new ballots are
not secret.)

Salas consulted with the Secretary of State, Donetta Davidson's office, by
phone.  Following their private conversation, Salas asked Kolwicz to leave.
Kolwicz left immediately and went outside of the building to record some
notes.  Deputy P. Dunphy, who was in the room where the testing was being
conducted, came out to find Kolwicz on a bench.  He told Kolwicz that he was
not to return to the building.  "It looks like a sham is being foist upon
the public", said Kolwicz.  The tests prepared by Kolwicz are limited to
things that can happen in this year's primary election.

Al Kolwicz, CAMBER -  Citizens for Accurate Mail Ballot Election Results
2867 Tincup Circle, Boulder, CO 80305, 303-494-1540  AlKolwicz@qwest.net
www.users.qwest.net/~alkolwicz  http://coloradovoter.blogspot.com


Image flaw pierces PC security

<"Keith A Rhodes" <RhodesK@GAO.GOV>>
Fri, 06 Aug 2004 07:31:51 -0400

Robert Lemos, CNET News.com, 5 Aug 2004
  http://zdnet.com.com/2100-1105-5298999.html

Six vulnerabilities in a common code that handles an open-source image
format could allow intruders to compromise computers running Linux and may
allow attacks against Windows PCs as well as Macs running OS X.  The
security issues appear in a library supporting the portable network graphics
(PNG) format, used widely by programs such as the Mozilla and Opera browsers
and various e-mail clients. The most critical issue, a memory problem known
as a buffer overflow, could allow specially created PNG graphics to execute
a malicious program when the application loads the image.

Among the programs that use libPNG and are likely to be affected by the
flaws are the Mail application on Apple Computer's Mac OS X, the Opera and
Internet Explorer browsers on Windows, and the Mozilla and Netscape browsers
on Solaris, according to independent security researcher Chris Evans, who
discovered the issues. Apple and Microsoft could not immediately be reached
for comment. Evans did not test every platform to check which
vulnerabilities work, he said.


Windows Buffer Overflow Protection Programs: Not Much

<"Paul Robinson" <postmaster@paul.washington.dc.us>>
Mon, 09 Aug 2004 17:24:00 GMT

I  happened to stumble upon the most recent issue of the hacker e-zine
Phrack, Issue #62, of July 10, 2004, and looking over the table of contents
I found article #5, "Bypassing 3rd Party Windows Buffer Overflow Protection"
which can be read at the following url:
http://www.phrack.org/show.php?p=62&a=5

I found the article fascinating in that it shows exactly why several major
commercial anti-buffer overflow exploit programs are inadequate for their
advertised purposes.  The article even points out what you are going to end
up with: a false sense of security.

For those who are not so technically inclined, a buffer overflow exploit is
one in which someone sends too much data to a program (such as a web server
application), sending far more data than the program would expect, in order
to force arbitrary data into a storage area (a "buffer") so the amount of
data forced into the buffer goes beyond the expected limits, causing the
data to overflow the buffer and makes it possible for that data to be
executed as arbitrary program code.  Since the attacker forces code of his
choosing into the execution stream, he now 0wns your box, because as the
saying goes, if I can run code on your machine - especially if it's a
Windows machine where there is not much protection - I can pretty much do
anything I please there.

These anti-buffer overflow exploit protection programs then try to prevent
this by watching for attempts to execute calls to the operating system, in
places where only data should occur as opposed to program code.  The article
shows why these programs are inadequate both from a standpoint of how they
fail to provide full protection, and how to get around the limited
protection they do provide.

This sort of article is an excellent example of why full disclosure of a
serious problem is necessary in order to solve it.  The type of response to
an anti-buffer overflow exploit protection program by an attacker would, as
a matter of necessity, be somewhat complicated and technical in nature, and
the only way one could explain why there is a problem, what the problem is,
and then allow someone to be able to solve it, is to describle how to
exploit the flaw.  Nothing less will do because nothing less will explain
how the flaw is exploited.

It is reports such as these that are important even to those that are not
interested in breaking into a place, and in fact are probably of crucial
interest to security people in order that (1) they not be given a false
sense of security by these products that only solve part of the problem; (2)
explain exactly why the products are ineffective; and (3) explain exactly
what the issues are.

An explanation such as the one given shows why these products are
ineffective, shows what those who have to defend themselves need to look
for, and can show those trying to build safety systems in the future how to
better secure them.

Does this mean someone can create an attack using the information shown?
Absolutely.

This does not make the exposure of such information any less valid.  Telling
someone that it is still possible to trigger a buffer overflow exploit even
if a buffer overflow exploit security program is in place is probably not
going to convince them without some proof.  Explaining that these systems
don't block everything and mentioning why will not give someone enough
information to reliably check what is happening or understand how the
problem affects them.  Only a clear explanation of how the process is done
is going to show someone how to guard against it.

Digging one's head in the sand does not hide a danger, nor does making it
illegal to publicize such information help, as those who will use such
information for criminal purposes, since they are already breaking the law,
any penalties for selling such information to other crackers (or trading it
for other information) simply keeps it out of the hands of the good guys who
would need it to figure out how to work around it.

Additionally, by making such information available, third parties, who are
neither selling security software, nor trying to crack other people's boxes
in order to own them, can read this information and give an objective
validation as to whether they are valid or not, and perhaps can supply
solutions not requiring multi-thousand-dollar support contracts from some
vendor who is more interested in what they can sell than in security, who
just happen to sell this particular type of product because there is a
market for it and who might not be interested in giving away information
that they can sell to others.  There's nothing particularly wrong with
charging whatever the traffic will bear for what you know, but it creates a
strong disadvantage for those kept in the dark.

Which is the only thing that security by obscurity - trying to hide problems
in the hope someone doesn't discover them - does, it keeps the people who
most need to know how to solve the problem in the dark.


Security Cavities Ail Bluetooth

<Monty Solomon <monty@roscom.com>>
Sat, 7 Aug 2004 16:20:31 -0400

Kim Zetter, Wired.com, 6 Aug 2004

Serious flaws discovered in Bluetooth technology used in mobile phones can
let an attacker remotely download contact information from victims' address
books, read their calendar appointments or peruse text messages on their
phones to conduct corporate espionage.

An attacker could even plant phony text messages in a phone's memory, or
turn the phone sitting in a victim's pocket or on a restaurant table top
into a listening device to pick up private conversations in the phone's
vicinity. Most types of attacks could be conducted without leaving a trace.

Security professionals Adam Laurie and Martin Herfurt demonstrated the
attacks last week at the Black Hat and DefCon security and hacker
conferences in Las Vegas. Phone companies say the risk of this kind of
attack is small, since the amount of time a victim would be vulnerable is
minimal, and the attacker would have to be in proximity to the victim. But
experiments, one using a common laptop and another using a prototype
Bluetooth "rifle" that captured data from a mobile phone a mile away, have
demonstrated that such attacks aren't so far-fetched.

Laurie, chief security officer of London-based security and networking firm
ALD , discovered the vulnerability last November.  Using a program called
Bluesnarf that he designed but hasn't released, Laurie modified the
Bluetooth settings on a standard Bluetooth-enabled laptop to conduct the
data-collection attacks.

Then, German researcher Herfurt developed a program called Bluebug that
could turn certain mobile phones into a bug to transmit conversations in the
vicinity of the device to an attacker's phone.  ...
  http://www.wired.com/news/privacy/0,1848,64463,00.html


Emoticon-interpreters create risks in instant messaging services

<"Hawkins Dale" <hawkins@pobox.com>>
Fri, 30 Jul 2004 09:36:39 -0400

Many popular instant-messaging tools interpret text "emoticons" and replace
them with graphical icons.  For example, if you send your buddy a
colon-right-parenthesis, your correspondent's messaging client may replace
the :) with a yellow smiley-face icon.

This is very nice, but the sender has no control.  And it's hard to know in
advance what character-strings will be parsed into what kind of unintended
image.

A colleague was discussing his 401(k) plan with his boss, who happens to be
female, via instant messaging.  He discovered, to his horror, that the boss'
instant-messaging client was rendering the "(k)" as a big pair of red
smoochy lips.    :(


First malicious program aims for handhelds

<"Keith A Rhodes" <RhodesK@GAO.GOV>>
Fri, 06 Aug 2004 07:29:27 -0400

  [The "first" as far as we know.]

Ina Fried, Malicious program aims for Pocket PCs, CNET News.com, 5 Aug 2004
http://zdnet.com.com/2100-1105-5298781.html

A malicious Trojan horse program has emerged for Pocket PCs, antivirus
companies, but they characterized the threat as relatively low.  The
program, known alternately as Backdoor.Bardor.A and WinCE.Brador.a, lets an
attacker gain full control of the handheld and is the first such "backdoor
Trojan" program to emerge for Pocket PCs. However, such backdoor programs
are not capable of propagating on their own and instead must be sent as
e-mail attachments or through similar means, making them less dangerous.


Two more Canadian Banks with computer software screwups

<Bob Heuman <rsh@idirect.com>>
Fri, 30 Jul 2004 21:17:30 -0400

TD, CIBC glitches bring down key banking systems, ITBusiness, 29 Jul 2004
  http://www.itbusiness.ca/userredirect.asp?linkid=37706&userid=5

Two of Canada's best-known financial institutions join RBC in the annals of
IT horror stories. Find out what went wrong, and to what extent customers'
loyalty will be tested.

* The CIBC error was definitely a program change that made it through testing
and was put into production with an uncaught error in the code.

* The TD error was still being investigated at the time of the article I
reference above. Basically, more of the same, and impacting a lot of
customers in Canada and elsewhere.

Proof that as many times as it gets pointed out to them, it still happens,
and will continue to happen.


Top Australian banking sites vulnerable

<"NewsScan" <newsscan@newsscan.com>>
Tue, 03 Aug 2004 09:16:48 -0700

The Web sites of three of Australia's four big banks are susceptible to
cross-site scripting attacks, according to a British tech professional who
gained prominence last year when he discovered a URL spoofing flaw in
Microsoft's Internet Explorer browser. Sam Greenhalgh, who recently tested
the Web sites of several British financial services companies and found many
of them susceptible to the same kind of attacks, said the flaw resulted from
sites not "sanitizing" information the user submits before displaying the
information on the page: "If the information contains HTML, those HTML tags
will be included on the site. Among other things this allows an attacker to
include a tag that instructs the page to load a JavaScript file from another
Web site." Greenhalgh provided demonstrations of injecting HTML on the sites
using scripts he wrote himself.  [*The Age*, 2 Aug 2004; Rec'd from John Lamp,
Deakin U.; NewsScan Daily, 3 Aug 2004]
  [http://theage.com.au/articles/2004/08/02/1091412044139.html]


Cable giants seek to dominate VoIP

<"NewsScan" <newsscan@newsscan.com>>
Wed, 04 Aug 2004 08:05:40 -0700

Time Warner Cable, Cablevision and other cable giants have begun setting up
their own Voice over Internet Protocol (VoIP) services for American
consumers, says a new Yankee Group report, aimed at quickly gaining the lead
over alternative Internet telephony providers in 2004.  "After many years of
testing, the VoIP technology is finally available and ready for prime
time. The U.S. market, which represents almost all the cable VoIP market
today, also will drive the global MSOs (multiservice operators) to move
forward," says a Yankee Group analyst. Already, some alternative providers
such as Vonage and Net2Phone are collaborating with cable and other
broadband partners to offer their services, but in the long run, consumers
likely will opt for VoIP service straight from their local cable or phone
company. In a separate report on the U.S. broadband market, Yankee predicts
that subscriptions to high-speed services will overtake narrowband signups
by 2006. That study listed Comcast as the leader in cable modem subscribers
and SBC as the dominant DSL provider.  [CNet 3 Aug 2004; NewsScan Daily, 4
Aug 2004]
  http://news.com.com/2100-7352-5295023.html


Another airline outage

<Jeremy Epstein <jeremy.epstein@webmethods.com>>
Tue, 3 Aug 2004 08:49:51 -0700

Independence Air (www.flyi.com), a newly formed airline, suffered from a
rather severe computer outage yesterday from about 3pm-9pm (not sure
exactly).  The result was that they couldn't check passengers in, couldn't
track baggage, etc.  The front-side people had no way of knowing which
flights were in the air or who was on them.

This may have been related to a severe round of thunderstorms that went
through the Washington DC area at about the same time.  One would hope they
had backup computer systems (or power supplies, or network connectivity),
but that's just a guess.

What made this particularly nasty as an outage is that they didn't have
backup procedures - no one had phone numbers, as they rely on getting those
from the computer system.  It made for a particularly long evening waiting 7
hours to pick my daughter up, since no one could tell us what the status was
of any flight, or even what flight she was on.  So when she walked out from
the security area, it was something of a surprise....


Two Million Scans Uncover 55 Million Instances of Spyware

<Monty Solomon <monty@roscom.com>>
Wed, 4 Aug 2004 09:00:46 -0400

EarthLink and Webroot Release Six-Month SpyAudit Report;
CoolWebSearch Identified as the Most Virulent Adware Program
(PR Newswire, 4 Aug 2004)
  http://finance.lycos.com/home/news/story.asp?story=42899777

EarthLink and Webroot Software (a producer of award-winning privacy,
protection and performance software) released their third SpyAudit Report,
which has tracked the growth of spyware on consumer PCs for the first half
of 2004.  Since the SpyAudit report's inception on 1 Jan 2004, more than two
million scans have been performed.  The scans discovered approximately 54.8
million instances of spyware, for an average of 26.5 traces per SpyAudit
scan.  Scans nearly doubled from the first to the second quarter.  For each
category, the instances of adware increased month-over-month, while adware
cookies, system monitors and Trojans decreased slightly overall.  The
complete report is available at <http://www.earthlink.net/spyaudit/press>.


Memory error paper

<Laurent GUERBY <laurent@guerby.net>>
Wed, 04 Aug 2004 00:19:11 +0200

Since we're talking about memory errors, there's a nice
paper on memory vs a light bulb:

A. Appel and S. Govindavajhala.  "Using Memory Errors to Attack a Virtual
Machine" in IEEE Symposium on Security and Privacy, 2003.

  http://www.cs.princeton.edu/~sudhakar/papers/abstracts/memerr.html
  http://www.cs.princeton.edu/~sudhakar/papers/memerr-slashdot-commentary.html

I guess people designing voting machines without using some kind of heat
sensor with alert procedure, using properly shielded case, ECC memory,
etc... are not doing their engineering job. Not adding a paper trail at all
is also a real bad idea, but that's just me :).


Risks of automated calling systems

<Jeremy Epstein <jeremy.epstein@webmethods.com>>
Tue, 3 Aug 2004 17:48:37 -0400

I got this a few weeks ago, and just noticed it.  As with so many risks, the
problem isn't the technology, but rather the unexpected combinations of
technologies (i.e., cell phones left on all night along with automated
calling systems).

>I wanted to open this month's newsletter by sincerely apologizing to the
>almost 60 people in our database who mistakenly received a call in the
>middle of the night to remind them of our upcoming webinar held on [date].
>[Vendor] does not usually "telemarket" to our database - in fact, we
>had never done so before. But when the webinar company offered us a chance
>to broadcast a pre-recorded VM reminder at no charge, we fell for the lure
>of the "free" opportunity against our better judgment.  The theory was
>that if it was sent after hours, it would not disturb anyone during their
>work day.  It sounded good in theory...
>
>The result? Four complaints the next morning from people notifying us that
>we had woken them up by calling their home offices or cell phones that had
>not been turned off that night.  I asked the webinar company to run a call
>report afterward and although we only received a few actual complaints,
>the data showed that up to as many as 60 of you may have received these
>disturbing calls.  All I can say is that I am extremely sorry for the
>inconvenience and I assure everyone that we will never mass call to our
>database again.  I do hope you accept my sincere apology for the mistake.


Internet voting in The Netherlands update

<Joseph Kiniry <kiniry@acm.org>>
Wed, 4 Aug 2004 09:58:09 +0200

Major events in Internet Voting are taking place in The Netherlands.

The Dutch government tested an Internet voting system called "KOA" in the
European Elections last month. A portion of that system was written by the
Security of Systems (SoS) Group using formal methods.  Additionally,
partially based upon my group's work and influence, the entire KOA system
has been Open Sourced under the GPL license.

I have written a short article "Electronic and Internet Voting in The
Netherlands" on what has been happening here over the past few months.

See	<http://www.cs.kun.nl/sos/> and
	<http://kind.cs.kun.nl/~kiniry/papers/NL_Voting.html>
for more information.


Re: The Mr Micawber Syndrome

<Fernando Pereira <pereira@cis.upenn.edu>>
Mon, 2 Aug 2004 22:01:59 -0400

I was struck by the parallels between the risks discussed by Michael Bacon
and those arising in backcountry skiing and mountaineering. For example, his
risk (4) pretty much corresponds to the failure to set a firm turn-around
time that allows for a safe return. See Chapter 18 of "Mountaineering: the
Freedom of the Hills" (6th edition, Graydon & Hanson, 1997) for additional
interesting parallels. Articles like Ian McCammon's "Evidence of Heuristic
Traps in Recreational Avalanche Accidents"
 http://www.snowpit.com/articles/traps%20reprint.pdf
give independent evidence of decision-making bugs that are quite familiar to
us in the computing realm: "Even though people are capable of making
decisions in a thorough and methodical way, it appears that most of the time
they don't.  A growing body of research suggests that people unconsciously
use simple rules of thumb, or heuristics, to navigate the routine
complexities of modern life. In this paper, I examine evidence that four of
these heuristics -- familiarity, social proof, commitment and scarcity
-- have influenced the decisions of avalanche victims.".

Fernando Pereira, Dept. of Computer and Information Science U. of Pennsylvania


Re: Stolen: one-third of the world's software (RISKS-23.45-46)

<"Jurek Kirakowski" <jzk@ucc.ie>>
Mon, 12 Jul 2004 14:02:41 +0100

A while ago, I tried to find out the empirical basis for claims such as
these made by the Business Software Alliance. After all, they can't actually
be going round and physically inspecting the software being run on people's
computers, can they? Nor, presumably, are they relying on conviction rates!

After some digging, I found that in 2002 their basic methodology was to
count up the number of computers sold per year, and then check against the
revenue from licensed software sold. They make the assumption that each
computer should be loaded with X amount of licensed software. There is of
course an imbalance between predicted and actuals and this is the
inferential support for the detailed lists of amounts of software fraud per
country they publish.

The hazards of this methodology are (1) you don't check with enough software
vendors, only, say the top 1,000 big ones; and (2) you don't consider that
especially in economically poor countries, users may be using free-ware and
open-source software. Much of the latter may simply be downloaded
anonymously and you don't need to register.

Even in more affluent countries the use of open source software is spreading
- not only because of price, but because it is usually better written and
subject to less invasive user agreements than software created by many
members of the Business Software Alliance.


REVIEW: "Software Forensics", Robert M. Slade

<Rob Slade <rslade@sprint.ca>>
Fri, 6 Aug 2004 08:21:33 -0800

BKSFWRFR.RVW   20040706

"Software Forensics", Robert M. Slade, 2004, 0-07-142804-6,
U$39.95/C$3.95/UK#29.99
%A   Robert M. Slade rslade@vcn.bc.ca rslade@computercrime.org
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2004
%G   0-07-142804-6
%I   McGraw-Hill Ryerson/Osborne
%O   U$39.95/C$3.95/UK#29.99 800-565-5758 fax: 905-430-5020
%O  http://www.amazon.com/exec/obidos/ASIN/0071428046/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0071428046/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0071428046/robsladesin03-20
%P   215 p.
%T   "Software Forensics"

As long as I'm reviewing books about which I can't be objective, I might as
well review my own.

This book is about software forensics.  Nobody seems to know what that is.

"Oh, you look for child porno and drug dealer addresses on seized computers,
right?"  Umm, no.  That's computer forensics which, although it should be
broader, has become limited to the basic data recovery aspect of the wider
field of digital forensics.

Software forensics delves into what evidence you can glean from software
itself.  This is useful in malware and virus research (where it has long
been known as forensic programming), as well as in cases involving
intellectual property and plagiarism.  The study and tools utilized in
software forensics can assist with determining the intent and authorship of
a piece of software.  At times it can even help with tasks such as
recovering source code with legacy programs, or porting to new systems.

In the book there is an overview of software forensics itself.  One chapter
looks at blackhat sociology and culture, since those characteristics can be
evident in the programming style.  There is material on the various tools,
and properties of malicious software.  Presentation of this type of evidence
in court is difficult, so chapter five reviews expert witness restrictions
and other legal issues.  Content is included on programming cultures,
stylistic analysis, and authorship analysis.

I can say, without any bias whatever, that this is the finest work on this
topic available today.  I can say that, because it's the *only* book that is
dedicated to the subject.

copyright Robert M. Slade, 2004   BKSFWRFR.RVW   20040706
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

  [Incidentally, Tim Grance at NIST noted out of band that a draft of a new
  guide on PDA Forensics is soon to be released by NIST.  Stay tuned.  PGN]

Please report problems with the web pages to the maintainer

Top