The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 57

Monday 24 October 2004

Contents

Nonexistent URL in comic strip leads to pornocopia
Conrad Heiney
Fictional, but far too plausible
Paul Robinson
Critical infrastructure cybersecurity risks
PGN
South Korea vulnerable to cyber attacks from North
NewsScan
Maryland Motor Vehicle Admin disabled
Pete Carah
Cybersecurity largely ignored by individual users
NewsScan
Tourist concerns: war, terrorism, computer problems
David Magda
TV emits international distress signal
Mike Hogsett
Is Windows up to snuff for running our world?
Richard M. Smith
Of mice, snakes, and wiring
Brian Clapper
Descent from privacy: a 'slippery slope'
NewsScan
A LAME PHISHING ATTEMPT: Please confirm your account
F.J. Reinke
Do vendors read their own security policies?
Vassilis Prevelakis
World Bank Technology Risk Checklist
Gideon T. Rasmussen
What the world needs is more lawyer-bots
NewsScan
Pre-election hanky-panky in Ohio
PGN
Re: Internet voting
Ray Todd Stevens
Info on RISKS (comp.risks)

Nonexistent URL in comic strip leads to pornocopia

<Conrad Heiney <conrad@fringehead.org>>
Fri, 22 Oct 2004 09:06:45 -0700

"Regret the Error", a weblog that tracks media retractions, reports that a
comic strip included a link to a nonexistent URL. Shortly after the strip
hit the streets, the URL sprang to life, returning questionable content.

The risk of underestimating the Internet's reaction speed, plus a poor
understanding of what a URL is, results in a media disaster similar to the
Vice President's factcheck.com/org error recently. This reminds me of the
dot-com days when marketers would print up thousands of glossy brochures
with a vaporous address on them and then ask for the address to exist as
they were handing them out at a trade show.

  url: http://www.regrettheerror.com/2004/10/comic_porn.html

Conrad Heiney  conrad@fringehead.org  http://www.contentgoeshere.com/


Fictional, but far too plausible

<Paul Robinson <postmaster@paul.washington.dc.us>>
Sat, 23 Oct 2004 00:40:13 GMT

Today on one of the satellite channels I saw an episode of the TV show 'JAG'
in which a sailor in charge of a sophisticated command and control system
for a battleship was murdered in Japan, in order to cause his replacement to
be brought on, who was a long-term infiltrated double agent for North Korea.

Now, personally I would hope that most of the things the show claimed were
possible were dramatic license, but with the published and publicly known
use of Microsoft Windows in some military systems it implies that ordinary
programs could be inserted into operating weaponry and/or ordnance.

In the story, the agent had inserted rogue code into the software for the
ship's command, control and operational hardware.  Initially a system test
designed to perform simulated targeting activates live missiles that shoot
down two aircraft (fortunately after the pilots are able to eject.)

The new code essentially disables every weapons system and propulsion
control, without capability of override, until it starts up a pre-programmed
scheduled event: to sail the warship into North Korea, which would allow
their military to obtain all of the technology on the ship, including the
advanced control system.

The show points out that in an attempt to stop the system, an attempt was
made to access a backdoor - for use in just such an emergency - but it had
been eliminated by the agent.

What I also noted about the system that they mentioned sounded plausible,
and perhaps it is appropriate in view of the fact this is a warship
(although having any system without an 'off' switch is a bad idea, in my
opinion), but the thought is frightening if true.  It stated that there is
no means to disable the system to make it shut down dead; in the event of
disconnect it stays in the last state it was in, which in the case of the
ship would be in live fire mode, in which it would continue to target all
aircraft or flying objects approaching the ship.

Again I wish to stress that I do understand it was a work of fiction and
some of what is being stated may not be correct or is just dramatic license,
but it still sounds reasonable as a potential way in which such systems
might be designed and as such it is something we should be aware of.

More than two generations ago the book and movie 'Fail Safe' warned of the
disastrous consequences of military systems designed such that they would
lock down in a non-disable-able mode.  If the examples given by this TV
program are in any way even close to accurate it seems to indicate that not
much has changed.

On a side note, with so many countries becoming democratic - or at least,
somewhat less totalitarian - I suspect it's probably becoming harder and
harder to find believable foreign enemies for TV shows and movies.  We've
lost Russia, East Germany and South Africa over the last twenty years, plus
Iraq and Afghanistan in the last five, so basically there aren't a whole lot
of believable bad-guy countries in the world left.  I figure that won't last
long, the U.S. Government will find some new country to target as the 'enemy
of the month' or whatever period of time they need to distract the public.
:)


Critical infrastructure cybersecurity risks

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 11 Oct 2004 12:09:07 PDT

[Source: Canada NewsWire, 9 Oct 2004; PGN-ed, starkly excerpted]

British Columbia Institute of Technology cyber security research leader Eric
Byres testified for the U.S. Congressional Subcommittee on Technology,
Information Policy, Intergovernmental Relations and the Census in Washington
D.C. on 1 Oct 2004, warning that hacker attacks on North America's critical
industrial infrastructure [power, etc., and of course the information
technology on which they all depend] could soon become as commonplace as the
practice of hacking Web pages.  Particularly vulnerable are the Supervisory
Control and Data Acquisition (SCADA) systems used ubiquitously for operation
and maintenance.  They efficiently enable the collection and analysis of
data and control of equipment from remote locations.

There is a growing concern that this reliance on computers and computer
networks raises the vulnerability of critical infrastructures to attack by
cyber terrorists. A recent National Research Council report has identified
"the potential for attack on control systems" as requiring "urgent
attention."

In May, a researcher at a British conference showed how by remotely
adjusting overload settings on a grid's power transformers during the warm
summer months, it is possible to destroy millions of dollars of equipment and
shut the grid for days.

As early as 1997, a six-month vulnerability assessment by the White
House's National Security Telecommunications Advisory Committee found basic
security flaws in the computerized systems that control generators, switching
stations and electrical substations. Among other things, the committee
reported that operational networks controlling critical portions of the grid
were accessible through electric companies' corporate LANs (local area
networks).  Some digital circuit breakers could be remotely tripped by anyone
with the right phone number.  Fixed passwords for remote vendor access went
unchanged for years. Not enough has changed since then, Byres notes.
While getting into a critical control system might not be easy, it is
certainly not impossible. Said Byres, "As we like to say in the lab, 'crunchy
on the outside, soft on the inside.'"

  [Canadian and British media seem to be more interested in these problems
  than U.S. media.  My Website includes Senate and House testimonies on this
  subject from 1996 and 1997, but those and other warnings and
  recommendations seem to be largely ignored by the U.S. authorities.  PGN]


South Korea vulnerable to cyber attacks from North

<"NewsScan" <newsscan@newsscan.com>>
Tue, 05 Oct 2004 10:50:03 -0700

South Korea's defense ministry says that North Korea has trained hundreds of
computer hackers who could launch a cyber-war on South Korea, the US or
Japan. Because South Korea has the world's highest usage of broadband
services yet maintains relatively low levels of Internet security, the
country is especially vulnerable to network attacks.   [*Financial Times*,
4 Oct 2004; NewsScan Daily, 5 Oct 2004]
  http://news.ft.com/cms/s/3d592eb4-15f0-11d9-b835-00000e2511c8.html


Maryland Motor Vehicle Admin disabled

<Pete Carah <pete@altadena.net>>
Thu, 14 Oct 2004 13:44:31 -0700

  [Re: Virus disables Colorado DMV for nearly a week]

Within a day or so of the initial appearance of Blaster in Aug 2003, the
Maryland MVA (Motor Vehicle Administration, DMV equivalent) was totally
disabled (statewide) for most of a week.

I saw no explanation in the local papers of how it got inside the security
perimeter but in the networks I admin'd at the time it mostly got in via
carried laptops.  (or, maybe Blaster had a mail variant, though I thought it
didn't, or maybe the firewall wasn't good enough, or....)  (for those who
don't know, Blaster and its successor Nachi (or Welchia) were
direct-transmission worms that attacked the NT DCOM software.  As usual, MS
had released a patch for at least part of the buffer-overflow in question
before the worms appeared in the wild, but it was not widely applied.)  In
the risks list at the time, someone noted that a very easy vector for these
worms was a laptop on a hotel (or other open) network using a VPN to connect
in to the internal network.

Of course, trying to apply the removal tool and patch online was usually
fruitless since the reinfection rate was faster than the time it took to
download the patch...  This led, on my networks, to everyone in the support
group madly running around the campus with CDs doing clean+patch...

And MS finally got the message with XP SP2 that the software firewall should
default to ON, only years late, and I don't know if they do this yet in Win
2K or Server 2003 (or do those even ship with an internal firewall?)


Cybersecurity largely ignored by individual users

<"NewsScan" <newsscan@newsscan.com>>
Mon, 25 Oct 2004 08:01:44 -0700

A new study by America Online and the National Cyber Security Alliance
indicates that about 80% of home PCs are infected with spyware, but most
users aren't even aware of it. And while 85% of users had installed
antivirus software, two-thirds of those had not updated it in the past
week. In addition, about 20% had an active virus on their machines and
two-thirds did not have a firewall installed. AOL chief trust officer
Tatiana Gau says the results highlight just how vulnerable the average
online user is to malicious hackers. "No consumer would walk down the street
waving a stack of cash or leave their wallet sitting in a public place, but
far too many are doing the exact same thing online. Without basic
protections like antivirus, spyware and firewall software, consumers are
leaving their personal and financial information at risk."  [CNet News.com,
24 Oct 2004; NewsScan Daily, 25 Oct 2004]

  http://news.com.com/Plague+carriers+Most+users+unaware+of+PC+infections/2100-1029_3-5423306.html


Tourist concerns: war, terrorism, computer problems

<David Magda <dmagda@ee.ryerson.ca>>
Tue, 12 Oct 2004 21:36:47 -0400

I was looking at perhaps taking a package tour. I ran across a site that had
some interesting options and decided to read the terms & conditions. One
sentence stuck out:

> Additionally, responsibility is not accepted for losses or expenses due to
> sickness, lack of appropriate medical facilities or practitioners,
> weather, strikes, theft or other criminal acts, war, terrorism, computer
> problems, or other such causes.

http://www.historytelevision.ca/travel/containers/terms_conditions.asp

I found it amusing that computer problems were listed right beside war and
terrorism. Was someone bitten by this issue and thus decided to do a CYA, or
are people becoming more aware of the complexity of digital systems?


TV emits international distress signal

<Mike Hogsett <michael.hogsett@sri.com>>
Tue, 19 Oct 2004 09:36:04 -0700

An Oregon man discovered earlier this month that his year-old Toshiba
Corporation flat-screen TV was emitting an international distress signal
picked up by a satellite, leading a search and rescue operation to his
apartment in Corvallis, Oregon, 70 miles south of Portland.  More in the
article:
  http://www.cnn.com/2004/SHOWBIZ/TV/10/18/odd.television.reut/index.html


Is Windows up to snuff for running our world?

<"Richard M. Smith" <rms@computerbytesman.com>>
Sat, 23 Oct 2004 10:27:56 -0400

  [RMS also contributed this to bugtraq.  PGN]

The Microsoft Windows operating system is increasingly being used in devices
which run our world.  Some examples include cash registers, ATMs, electronic
voting machines, and factory control computers.  But is the Windows
operating system really reliable and secure enough for these kinds of
applications?  A small incident at the Atlanta airport last May makes me
wonder.

I was flying home to Boston from Atlanta on Delta Airlines.  When I got to
my gate at the Atlanta airport, I immediately noticed that there was a
Windows error alert box in the middle of the large display screen over the
gate door.  I walked around the terminal and saw that many of the gate
display units had the same error alert box being displayed.  In many cases,
the display units were no longer usable since the alert boxes covered up
critical information on the screens.

Here are some photos I took of the problem:

   http://www.ComputerBytesMan.com/atlanta

The problem existed for at least 30 minutes, but no one from Delta seemed to
be interested in fixing it.  I wanted to click the "Okay" button myself, but
I couldn't find a mouse. ;-)

I even recognized the software package that was failing at the Delta
terminal.  It is a customer support package that a number of computer makers
ship with their home PC systems.  This same software package was
pre-installed on my Sony laptop but I removed it after discovering that it
contained a number of ActiveX controls with serious security holes.  These
security holes can potentially be used by a virus writer to take over a
Windows PC using simple script code.

The customer support software was failing because it couldn't find a
standard Microsoft ActiveX control which ships with Windows.  My impression
is that the Windows operating system in control of a display unit had
somehow been corrupted.  Ironically this customer support package is
designed to diagnose and fix these kinds of problems with home PCs.  Why
Delta was running consumer-grade PCs for this application is a bit hard for me
to fathom.

I'm sure that this is not the first time a Windows system has failed in a
dedicated application.  If you have any interesting photos of similar
Windows failures, please send them along to rms@computerbytesman.com.

Richard M. Smith  http://www.ComputerBytesMan.com

Links

Microsoft server crash nearly causes 800-plane pile-up
http://www.techworld.com/opsys/news/index.cfm?NewsID=2275

Car crazy: Microsoft in the driver's seat
http://tinyurl.com/6s24a

ATMs in peril from computer worms?
http://www.theregister.co.uk/2004/10/20/atm_viral_peril/

Shifting cyber threats menace factory floors
http://www.securityfocus.com/news/9671

Software vendors just don't "get" ActiveX security
http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/0043.html


Of mice, snakes, and wiring

<Brian Clapper <bmc@clapper.org>>
Fri, 22 Oct 2004 11:04:58 -0400

Here's a slight twist on an old RISKS favorite.

For the last couple of weeks, we've been experiencing intermittent DSL
"drop-outs", for thirty seconds at a time, a few times a day. The light on
the modem would start blinking, and the Internet connection would become
unresponsive. Then, shortly thereafter, the modem would "find" the signal
again, and everything would come back. This is an unusual situation for us.
In the almost five years we've had ADSL, it has rarely gone out for any
appreciable amount of time.

I initially figured the DSL problems were transient--someone working at the
C.O., or something. But then, a few days ago, the home phone line (which
carries the DSL signal) started having some audible static, sometimes
bad enough to make it nearly impossible to hear. I plugged a phone into the
jack at the network interface box, and I heard the static there, too. At
that point, I figured it was time to call Verizon.

Verizon sent someone out this morning. The woman who came out to check the
wiring found that the pedestal down the street--where all the phone lines
on the street connect--had become a shelter for mice, and the mice had
chewed through some of the wires, including ours. The inevitable corrosion
was having predictable effects on the electrical signals.

The woman told me that sometimes, when she goes to service larger boxes
that handle hundreds of phone lines for an entire community, she'll find
that those boxes have also become infested with mice. At that point, she
made a face, and said, "It's pretty disgusting." But then, she said, it
gets worse, because the snakes come along. (Free mouse buffet! Come and get
it!) After telling me that, she made another face, and said, "Y'know, I'm
not especially fond of snakes."

Brian Clapper, http://www.clapper.org/bmc/


Descent from privacy: a 'slippery slope'

<"NewsScan" <newsscan@newsscan.com>>
Fri, 22 Oct 2004 08:13:23 -0700

Pam Dixon, executive director of the World Privacy Forum, warns: "Most
consumers don't fully understand the tradeoffs they're making with privacy."
As an example, she argues that the potential widespread use of the VeriChip
-- a tiny radio transmitter inserted under a person's skin -- is "a
nightmare situation" for privacy, because at first workers might be induced
to wear the devices simply to get high-security jobs but that eventually the
transmitters would be much more broadly required: "All of a sudden it
becomes mandatory for certain classes of people. I just see this as an
extremely slippery slope."  [*Christian Science Monitor*, 21 Oct 2004;
NewsScan Daily, 22 October 2004]
  http://www.christiansciencemonitor.com/2004/1021/p13s01-stct.html


A LAME PHISHING ATTEMPT: Please confirm your account

<"reinke, f. j. \(Yahoo\)" <reinkefj@yahoo.com>>
Fri, 22 Oct 2004 12:23:10 -0400

[This might have worked (not very likely) if I even had an account at
Citibank. It's tiring to see these. The fact that this lame attempt might
even work is really frustrating to this security pro.  John]

-----Original Message-----
From: Citibank [mailto:rosend@sullcrom.com]
Sent: Thursday, October 21, 2004 5:08 PM
To: John
Subject: Please confirm your account

  <http://218.4.196.49/signin/citifi/scripts/login2/header.gif>

Dear valued Citibank member,

Due to concerns, for the safety and integrity of the online banking
community we have issued the following warning message.

It has come to our attention that your account information needs to be
confirmed due to inactive customers, fraud and spoof reports. If you could
please take 5-10 minutes out of your online experience and renew your
records you will not run into any future problems with the online
service. However, failure to confirm your records may result in your account
suspension.

Once you have confirmed your account records your Internet banking service
will not be interrupted and will continue as normal.

Please click here
<http://218.4.196.49/signin/citifi/scripts/login2/index.html>  to
confirm your bank account records.

Thank you for your time,
Citibank Billing Department.

  <http://218.4.196.49/signin/citifi/scripts/login2/citi_lsm.gif>
Citibank.com <http://www.citibank.com>
<http://218.4.196.49/signin/citifi/scripts/login2/mem_citi.gif>
Citigroup  <http://www.citibank.com/privacy/promise.htm> Privacy Promise
Terms,  <http://www.citibank.com/citibank/disclaim.htm> conditions,
caveats and small print
Copyright (C) 2004, Citicorp
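As an added illustration (not part of the post above, and not any vendor's real mail filter), here is the check a mail filter could have run over that message: every link is pulled out, and a link is flagged if its host is a raw IP address or is not under a domain the claimed brand actually uses. The message text in the block is a constructed copy of the lure quoted above, and the list of legitimate Citibank domains is an assumption made for the example.

```python
"""Flag suspicious links in a phishing e-mail.

Added example, not part of the RISKS post: SAMPLE_MESSAGE is a constructed
copy of the Citibank lure quoted above (hosts as the post shows them), and
BRAND_DOMAINS is an assumed list of the domains the brand legitimately uses.
Heuristics: a link whose host is a raw IP address, or whose host is not a
subdomain of the brand's domains, is flagged; the sender domain is checked
the same way.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample (copied from the quoted lure, not a live message).
SAMPLE_MESSAGE = """\
From: Citibank [mailto:rosend@sullcrom.com]
Subject: Please confirm your account
<http://218.4.196.49/signin/citifi/scripts/login2/header.gif>
Dear valued Citibank member,
Please click here <http://218.4.196.49/signin/citifi/scripts/login2/index.html>
to confirm your bank account records.
Citibank.com <http://www.citibank.com>
Citigroup <http://www.citibank.com/privacy/promise.htm> Privacy Promise
"""

# Assumption for the example: domains the brand legitimately sends from/links to.
BRAND_DOMAINS = {"citibank": ("citibank.com", "citi.com")}

# Matches an http(s) URL up to whitespace, angle bracket or quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """All http(s) URLs appearing in the message text."""
    return URL_RE.findall(text)


def host_is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_matches(host, domains):
    """True when host equals, or is a subdomain of, one of the domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url, brand):
    """Return (url, reason); reason is None when the link looks legitimate."""
    host = urlparse(url).hostname or ""
    if host_is_ip(host):
        return url, "raw IP address host"
    if not host_matches(host, BRAND_DOMAINS[brand]):
        return url, f"host {host} is not a {brand} domain"
    return url, None


def suspicious_links(text, brand="citibank"):
    """Links in the text that fail the checks, with the reason for each."""
    findings = []
    for url in extract_urls(text):
        url, reason = classify_url(url, brand)
        if reason:
            findings.append((url, reason))
    return findings


def sender_matches(header_line, brand):
    """True when the sender address in a From: line belongs to the brand."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", header_line)
    return bool(m) and host_matches(m.group(1), BRAND_DOMAINS[brand])


if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"SUSPICIOUS {url}: {reason}")
    from_line = SAMPLE_MESSAGE.splitlines()[0]
    print("sender belongs to brand:", sender_matches(from_line, "citibank"))
```

On the quoted lure this flags the two links pointing at 218.4.196.49 and passes the two genuine citibank.com links, which is exactly the mix the post shows: the real brand links are there to make the fake ones look legitimate, so the check has to be per-link, not per-message. The sender check fails as well, since the From: address is at sullcrom.com.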


Do vendors read their own security policies?

<Vassilis Prevelakis <vp@cs.drexel.edu>>
Fri, 22 Oct 2004 00:18:01 -0400 (EDT)

Now everybody is "committed to security", with almost every site giving
security advice. But do these people ever bother to read their own security
policies or to ensure that their procedures are compatible even with
common-sense security policies?

Two examples:

1) Paypal

In their "Security Center" web page
  (https://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside)
PayPal advises (in big letters next to a "hazard" icon):

  Avoid Fake Websites
  Log in safely to your account. Open a new web browser (e.g., Internet
  Explorer or Netscape) and type in the following: https://www.paypal.com/

So far so good, but why do they also advise customers to

  This recipient only accepts PayPal payments through their website. To make
  this payment, please go to http://www.auctionworks.com/pay.asp

This web site encourages users to fill in their order details and then jumps
to the paypal web site so that the customer can log on and authorize the
payment.

THIS IS EXACTLY THE MO USED BY TRICKSTERS, because the user cannot verify
the URL used to perform the redirection.

2) Roxio

I really like this message:

  If you are having trouble downloading, disable any firewalls
  such as Personal Firewall(TM) or Gauntlet(TM) and disable any
  download managers such as RealDownload(TM) or GetRight(TM).

Vassilis Prevelakis, Computer Science Dept, Drexel University, Philadelphia, PA


World Bank Technology Risk Checklist

<"Gideon T. Rasmussen" <lists@infostruct.net>>
Mon, 25 Oct 2004 16:56:16 -0400

"The World Bank Technology Risk Checklist is designed to provide Chief
Information Security Officers (CISO), Chief Technology Officers (CTO), Chief
Financial Officers (CFO), Directors, Risk Managers and Systems
Administrators with a way of measuring and validating the level of security
within a particular organization."

http://www.infragard.net/library/pdfs/technologyrisklist.pdf (31 pages)


What the world needs is more lawyer-bots

<"NewsScan" <newsscan@newsscan.com>>
Wed, 13 Oct 2004 11:01:15 -0700

Mark Rasch, founder and former head of the U.S. Justice Department's
computer crimes unit, says that the increasing trend toward lengthy,
tiny-font policy "agreements" that users must click on before they can
access a Web site are generating the need for more legal oversight.
"Increasingly, companies have been putting some pretty nasty things into
their clickwrap agreements -- such as that they can collect and sell your
detailed personal information or install software that will capture your
every keystroke. This is not legal boilerplate, the kind that everybody
assents to when renting a car or buying a ticket to a ball game. It affects
the privacy, security, and operability of all of the information you access
online." Rasch says what's desperately needed is a law robot -- "a
browser-based automaton that could be adjusted to match your tolerance for
legal mumbo-jumbo. Once you establish privacy settings, your browser would
transfer personal data (after prompting you) only to sites
that conform with your privacy requirements." Rasch says such technology
would go a long way toward eradicating such online nuisances as porn spam
and spyware. "We will never fully automate the reading of contracts or
agreements online.  Nor would we want to -- after all, Internet lawyers need
jobs, too. But by automating the vetting of clickwraps or implied agreements
we could make everybody sleep a little easier."  [Wired.com, Oct 2004;
NewsScan Daily, 13 Oct 2004]
  http://www.wired.com/wired/archive/12.10/view.html?pg=2


Pre-election hanky-panky in Ohio

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sat, 23 Oct 2004 14:56:25 PDT

1. Columbus voters report fake elections board calls

Completely bogus phone calls claiming to be from the Franklin County Board
of Elections have been received by voters, informing them that their polling
place had been changed from one precinct to another.
[Source: Suzanne Hoholik, Voters report fake calls: Instructions to change
polling place don't come from board of elections *The Columbus Dispatch*, 22
Oct 2004; PGN-ed]
  http://www.dispatch.com/election/election-local.php?story=dispatch/2004/10/22/20041022-A1-00.html

2. Thieves steal campaign computers with sensitive information

Thieves broke in to Lucas County Democratic headquarters in Toledo, Ohio,
stealing computers with sensitive campaign information -- including e-mail
messages on campaign strategy, candidates' schedules, financial information,
and phone numbers of party members, candidates, donors, and volunteers.
[Source: Robin Erb, Thieves hit Democratic Party offices; computers
containing sensitive data removed; PGN-ed]
  http://www.toledoblade.com/apps/pbcs.dll/article?AID=/20041013/NEWS03/410130378


Re: Internet voting (Thomas, RISKS-23.56)

<"Ray Todd Stevens" <raytodd@kiva.net>>
Wed, 13 Oct 2004 09:36:57 -5

I don't know I would go this far, on the other hand I would go farther.
Companies and governments wanting to implement Internet voting should be
required to first publish all the information that hackers over time could
acquire about the system, and then set up several test elections.  You know,
vote for your favorite Disney character, vote for your favorite ice cream
flavor, etc.  All attempts to hack these elections should be encouraged, and
there should be a big prize for doing it.  Once it goes live I am a little
iffy on allowing hacking.  How do you tell the difference between someone
hacking to get the prize and who will immediately admit their activities,
and one who is going to secretly hack the election and allow phony results
to stand?  How about the problem of denial of service?  This had already
been an issue with regard to some electronic voting.

Maybe there should have to be a test election just before and just after
every real election where hacking is permitted, and rewarded.  In fact maybe
all electronic voting systems should be subject to this form of "audit".
There should be somewhere you can go and try to break the system.

But it should never be during a real election.

  [I continue to be amazed that folks persist on focusing only on the risks
  of penetrations by outsiders.  Insiders are by far the greatest concern
  here.  PGN]
