Risks Digest 20.89

From risks@csl.sri.com
Date Mon, 29 May 2000 12:54:08 -0700 (PDT)


[: hacktivism :]

RISKS-LIST: Risks-Forum Digest  Monday 29 May 2000  Volume 20 : Issue 89

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/20.89.html>
and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Top-secret stolen UK laptop recovered (Doneel Edelson)
Nuclear reactor shuts down in California (Linda Kaplan)
Venezuela cites computer glitch, postpones elections (Declan McCullagh)
NHL Web attack (Keith A Rhodes)
A rather risky device to end high-speed chases (Serguei Patchkovskii)
Media gullibility on laser gun to stop cars (John Pettitt)
Study shows mobile phones do interfere with avionics (Kevin Connolly)
Junk-mail filters: excerpted (Gary Cattarin)
Revision control (Mike Albaugh)
Outlook "security" patch (Dave Weingart)
VBS.NewLove.A false positives (Jeremy Epstein)
Risks of virus disinfection (Tom Hayhurst)
Widespread Web-Trojan alerts (Chris Adams)
CERT Advisory CA-2000-07 (CERT)
Misleading warning, failure of Netscape SSL server authentication (Kevin Fu)
I did not say that!  wrt deja.com (Stephen Keeling) 
Risky quotation (Zygo Blaxell)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 22 May 2000 16:32:55 -0400
From: "Edelson, Doneel" <doneel.edelson@eulergroup.com>
Subject: Top-secret stolen UK laptop recovered  

A stolen laptop computer holding details of a top secret 250-billion-pound
Anglo-US super-lethal stealth Strike fighter project has been recovered by
*The Mirror*.  The laptop was stolen from a naval intelligence officer at a
London station two weeks before.  [Source: *Mirror* article 22 May 2000
<http://www.sundaymirror.co.uk>  <http://www.people.co.uk>; PGN-ed]	

------------------------------

Date: 15 May 2000 11:21:49 -0700
From: Linda.Kaplan@eng.sun.com ("Rainbow(Queen of infinite Space)")
Subject: Nuclear reactor shuts down in California
      
Due to an electrical problem at 12:25 a.m. on 15 May 2000, an automated
shutdown of a Diablo Canyon Unit 1 nuclear power plant reactor released a
small amount of radioactive steam.  Everything seemed to function properly
in the triggered shutdown.  [Source: An AP item on 15 May 2000]
 
------------------------------

Date: Fri, 26 May 2000 11:30:11 -0400
From: Declan McCullagh <declan@well.com>
Subject: Venezuela cites computer glitch, postpones elections

CARACAS, VENEZUELA -- Citing technical woes, Venezuela's high court on
Thursday suspended this weekend's general elections, saying fair balloting
is impossible until the problems are resolved.  Conditions for "credibility
and transparency" in Sunday's presidential, congressional and regional
elections do not exist, said Ivan Rincon of the Supreme Tribunal of Justice.
[...]  President Hugo Chavez had earlier blamed an Omaha (Neb.)-based
company for the technical problems, saying it was part of an overall plan to
"destabilize" the country's electoral process.  [Source: Citing major
computer woes, high court delays elections *Chicago Tribune*, 26 May 2000
http://www.chicagotribune.com/news/printedition/article/0,2669,SAV-0005260364,FF.html;
PGN-ed; see also:
  http://www.washingtonpost.com/wp-dyn/articles/A7231-2000May25.html
  http://www.foxnews.com/world/0523/i_ap_0523_111.sml
  http://news.bbc.co.uk/low/english/world/americas/newsid_764000/764372.stm]
    [Contrast the controversy over the recent election in Peru.  PGN]

------------------------------

Date: Fri, 26 May 2000 07:53:22 -0400
From: "Keith A Rhodes" <rhodesk.aimd@gao.gov>
Subject: NHL Web attack

Add the National Hockey League to the long list of sites that have been
attacked.  A distributed denial of service attack on the NHL Web site took
it off the air for several days, 21 through 25 May.  The rather long period
was blamed by the NHL's Web manager on their lack of technical resources,
and chalked it up as a learning experience.  [Source: NHL Web Site Back
Online, Associated Press item, 26 May 2000]

------------------------------

Date: Sun, 14 May 2000 9:54:14 MDT
From: "Serguei Patchkovskii" <patchkov@ucalgary.ca>
Subject: A rather risky device to end high-speed chases

High-speed police chases have been a rather hot topic in Canadian media
recently.  Larry Martens, a 22-year veteran former Mountie (RCMP), has a
patent on a radio device that would allow police to stop the engine of any
fleeing vehicle at the push of a button.  Every vehicle would require a $150
receiver.  [Source: Device could end high-speed chases, by Scott Crowson,
*Calgary Herald*, city section, 14 May 2000; PGN-ed]

Sounds like a worthwhile addition to "1000 ways of having fun with a
police scanner" to me.  [SP]

home page: http://www.cobalt.chem.ucalgary.ca/ps/

------------------------------

Date: Thu, 18 May 2000 23:11:25 -0700
From: John Pettitt <jpp@cloudview.com>
Subject: Media gullibility on laser gun to stop cars

After a recent car chase that ended with the fugitive jumping off the 
Golden Gate Bridge there was an item on the TV (NBC national news) about a 
new device being promoted to enable police to stop any car using a "laser 
gun".   This caught my attention, mostly because it didn't sound 
reasonable.   Indeed the secret was revealed at the end of the story when 
the reporter said that for the device to work all cars would need to be 
fitted with an "inexpensive receiver".

There is so much wrong with this idea it's hard to know where to start; 
even if the system was designed well enough that only "real" guns would 
work (very unlikely IMHO) a stolen "gun" could create total gridlock in a 
city.

Perhaps the biggest risk here is that NBC actually ran the item without 
stopping to notice how silly the idea was.

John

------------------------------

Date: Mon, 29 May 2000 09:14:13 +0100
From: Kevin Connolly <Kevin.Connolly@ck.cit.alcatel.fr>
Subject: Study shows mobile phones do interfere with avionics

See http://www.newscientist.com/nsplus/insight/phones/dangersignals.html

The study showed that mobiles caused problems for older generation
avionics during tests in a parked jet.

  "interference levels that exceed demonstrated susceptibility
   levels for aircraft equipment approved against earlier standards"

Kevin Connolly

------------------------------

Date: Fri, 19 May 2000 11:41:41 -0700
From: "Gary Cattarin" <gcattari@nortelnetworks.com>
Subject: Junk-mail filters

  [NOTE: Entire item in RISKS-20.89x.  See below.  PGN] 

This I'm sure has been covered before, but here's an interesting example of
filters gone awry.

I recently upgraded (?) to MS Office 2000, which, among other things, lets
you have more than 8 e-mail filters active at once.  In my glee I started
turning things on, including junk mail filtering.  Surprise!  I found 8-10
important messages -- all replies to a query I sent out to a personal mailing
list -- all dumped into the Junk Mail folder.

What was it?  I'm riding in a charity bicycle ride, and I needed to tell my
pledge-ees that I needed their money now.  So I sent them an e-mail updating
my training status and asking them to send their checks.  Obviously, this
message had at least one dollar sign "$" in it -- and because I'm an
excitable guy it had at least one multiple exclamation mark "!!", and since,
at the end, I chided my manager to make good on my exaggerated version of
his pledge:

	>> Mark, didn't you promise $5,000 or something like that?

...we also hit the magic phrase ",000".

Now, the fine folks in Redmond have determined that if these three elements
converge, you have received Spam.  The actual rule (from their web site) is:

    Body contains ",000" AND Body contains "!!" AND Body contains "$"

Who'd have guessed?  In fact, even looking at their filter list, it took me
a long time to figure out which rule I'd hit.  (OK, I'm slow sometimes.)

I guess the rule is (a) don't get too excited ! -- one "!" at a time!  (b)
specify your currency as "USD", and (c) use European periods ("5.000")
instead of North American commas in large numbers.  OK, that's silly.  But
just as silly is the fact that any spammer can read the list of rules and
tailor their e-mail to avoid them.

Of course, you might never read this, because if you have junk e-mail
filtering turned on, Outlook will catch THIS message and do with it as
you've requested for junk mail.

Two other interesting points:

(1) In the adult filters you'll find these two:
    Subject contains " sex"
    Subject contains "free" AND Subject contains "sex" 
The first is set up with a leading space to only accept the *word* "sex", so
those of us who live here in Middlesex county don't lose any local-related
mail.  But the writer of the second wasn't so careful -- what if the
Middlesex News offers free subscriptions?  That's Spam, yes, but not porn (I
guess that's why that newspaper changed its name...).

(2) Don't address your dear friend as such -- note the rule:
    Body contains "Dear friend"
My golly!  I can't send some good old-fashioned heartfelt feelings to my
dear friends!!  (oops, double "!!" -- I got excited!)

This stuff can be very dangerous...

The entire list is at
http://officeupdate.microsoft.com/Articles/newfilters.htm
I included it here, but the moderator may choose to cut it from the journal
in the interest of space.

  [Your moderator chose to create a supplemental issue,
     RISKS-20.89x
  that contains the complete original submission.  I would have
  included it here, but it is likely to have greatly increased the
  likelihood that the entire RISKS issue would be bounced by many filtering
  programs.  As it is, I frequently get porn-bounce or spam-bounce notices 
  on seemingly harmless issues of RISKS.  PGN]
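
  [The following is an added illustration, not part of the original
  submission or of Microsoft's filter.  It expresses the four rules quoted
  above as substring predicates and runs three constructed messages through
  them: a pledge note like the one described, a newspaper offer from
  Middlesex, and the same pledge note rewritten to dodge the rule.  The
  matching is assumed to be plain case-insensitive substring search; the
  page quotes only the rule text, not Outlook's matching semantics.  Message
  texts are made up for the example.]

```python
from dataclasses import dataclass


@dataclass
class Message:
    subject: str
    body: str


def contains(haystack: str, needle: str) -> bool:
    # Plain substring test, case-insensitive.  Case handling is an assumption
    # of this example; the page quotes the rule text, not its matching semantics.
    return needle.lower() in haystack.lower()


# The four rules quoted in the post, expressed as predicates over a Message.
RULES = {
    "junk: ',000' AND '!!' AND '$' in body":
        lambda m: all(contains(m.body, s) for s in (",000", "!!", "$")),
    "adult: ' sex' in subject (leading space)":
        lambda m: contains(m.subject, " sex"),
    "adult: 'free' AND 'sex' in subject":
        lambda m: contains(m.subject, "free") and contains(m.subject, "sex"),
    "junk: 'Dear friend' in body":
        lambda m: contains(m.body, "Dear friend"),
}


def classify(msg: Message) -> list[str]:
    """Return the names of every rule the message trips (empty list = delivered)."""
    return [name for name, pred in RULES.items() if pred(msg)]


# Constructed sample messages (not from the page): the pledge note as described,
# a Middlesex newspaper offer, and the pledge note rewritten to dodge the rule.
PLEDGE = Message(
    subject="Training update - please send your checks",
    body="Ride is in two weeks!! Mark, didn't you promise $5,000 or something like that?",
)
NEWSPAPER = Message(subject="Middlesex News offers free subscriptions",
                    body="Sign up today.")
EVASION = Message(
    subject="Training update - please send your checks",
    body="Ride is in two weeks! Mark, didn't you promise USD 5.000 or something like that?",
)

if __name__ == "__main__":
    for m in (PLEDGE, NEWSPAPER, EVASION):
        print(repr(m.subject), "->", classify(m) or "delivered")
```

  The newspaper message shows the point made about the second adult rule:
  "Middlesex" contains "sex", so with "free" in the subject the rule without
  the leading space fires, while the rule with the space does not.  The
  evasion message trips nothing at all, which is what a spammer who has read
  the published list gets for the price of a currency code and a decimal
  point.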

------------------------------

Date: Thu, 25 May 2000 11:03:35 -0700 (PDT)
From: Mike Albaugh <albaugh@agames.com>
Subject: Revision control

When I heard that Microsoft was considering action against the person[s]
responsible for the "Weenie" security hole, "_If they can be found_", my
first thought was along the lines of "These guys don't even have
revision-control on _security_ software?!?", but yesterday morning my
clock-radio woke me up to even more startling news. In a story about the
egregious expansion of search-and-seizure that was added to the new
"Bankruptcy Reform" bill, was the news that the Senate apparently did not
_know_ who had inserted the language, but believed it was the work of a
staffer in Orrin Hatch's office. Now, maybe I was still too groggy, but my
reaction to this was "These guys don't even have revision-control on
_laws_?!?". I wish I could add a :-), but the consequences are potentially
far worse than one more bug in software well known for security
weaknesses. The fact that the suspect language was apparently "included by
reference" from an un-related bill is yet another example of the hazards of
abstraction. IMHO, we as a society place entirely too much trust in
un-trustworthy components and agents.

Note also the parallels to the debate on Open Source.  _In Principle_, every
congressperson would read (and understand) every word of every bill (and
follow/verify references). In practice, only by chance do these alterations
become known.

Mike  albaugh@agames.com

------------------------------

Date: Thu, 18 May 2000 11:15:50 -0400
From: Dave Weingart <dave.weingart@us.randstad.com>
Subject: Outlook "security" patch

Microsoft has decided that since the scripting behavior of Outlook is
unsafe, they're going to disable the ability to actually get many file
attachments (it's not entirely clear if the file will be saved or simply
trashed -- it seems to imply that you can't access the attachments within
Outlook 98 and Outlook 2000 only.  If the file is completely trashed, a
whole new RISK is created by people assuming that an e-mailed attachment got
through).

http://www.officeupdate.com/2000/articles/Out2ksecarticle.htm has
Microsoft's official word on the update.

Dave Weingart, Randstad North America  dave.weingart@us.randstad.com 
1-516-682-1470       
                                     
------------------------------

Date: Fri, 19 May 2000 17:58:53 -0400
From: "Jeremy Epstein" <jepstein@webmethods.com>
Subject: VBS.NewLove.A false positives

As everyone knows, VBS.NewLove.A is sweeping the world.  Or is it?  Norton
AntiVirus, using the latest set of definition files (5/18/00) is giving
false positives on a range of files.  On my system, it's complaining about
some pure HTML files (i.e., with no scripting or anything else remotely
malicious).  Their web page doesn't give any details, and I haven't been
able to find anything out, but their technicians did admit to false
positives, and they're working on a new version.

In fairness to Symantec, they're trying to rush out patches as fast as they
can to a rapidly proliferating virus.  However, it's obvious that they
didn't do a very good job of getting the pattern match correct.

--Jeremy

------------------------------

Date: Thu, 25 May 2000 15:51:33 GMT
From: "Tom Hayhurst" <aserinsky@hotmail.com>
Subject: Risks of virus disinfection

In the aftermath of the Love Bug, all e-mail inboxes at my place of
employment have been scanned for suspect attachments. Apparently, a 
home-grown perl script (run as root) was used to delete or modify tainted 
e-mails. Unfortunately, a side-effect of this was to make all files in the 
mail spool directory world-readable about ten days ago. This has only just 
been noticed and rectified.

Obvious Risk: immediate, disruptive threats can divert attention away from 
safe, well-known procedures.

Tom Hayhurst <aserinsky@hotmail.com>
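
  [An added example, not the script from the post (which was Perl and is
  not reproduced there).  It shows one way a root-run cleanup can rewrite a
  mailbox without leaving it world-readable: the new contents go to a
  temporary file that mkstemp creates mode 0600 in the same directory, the
  original's mode and owner are set on it explicitly rather than left to the
  umask, and it is renamed over the original atomically.  The cleanup step
  itself (dropping lines that mention ".vbs") and the sample mailbox are
  constructed stand-ins for whatever the real scanner removed.]

```python
import os
import stat
import tempfile


def rewrite_preserving_metadata(path: str, transform) -> int:
    """Replace the contents of `path` with transform(old_bytes) without ever
    exposing the data with looser permissions than it had.  Returns the final
    permission bits so a caller can check them."""
    st = os.stat(path)
    with open(path, "rb") as f:
        new_data = transform(f.read())
    # mkstemp creates the temporary file 0600 in the same directory, so the
    # rename below is atomic and the data is never world-readable in between.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".rewrite-")
    try:
        with os.fdopen(fd, "wb") as f:
            os.fchmod(f.fileno(), stat.S_IMODE(st.st_mode))  # explicit mode, not the umask
            try:
                os.fchown(f.fileno(), st.st_uid, st.st_gid)  # keep the mailbox owned by its user
            except PermissionError:
                pass  # not running as root; the file is already ours
            f.write(new_data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def drop_lines_containing(data: bytes, needle: bytes) -> bytes:
    """Constructed cleanup step: strip every line mentioning `needle`."""
    return b"".join(line for line in data.splitlines(keepends=True) if needle not in line)


def demo() -> tuple[int, bytes]:
    """Make a constructed 0600 mailbox, clean it in place, and return
    (mode afterwards, contents afterwards)."""
    box = os.path.join(tempfile.mkdtemp(), "alice")
    with open(box, "wb") as f:
        f.write(b"From alice\nhello\nContent-Disposition: attachment; filename=note.vbs\nbye\n")
    os.chmod(box, 0o600)
    mode = rewrite_preserving_metadata(box, lambda b: drop_lines_containing(b, b".vbs"))
    with open(box, "rb") as f:
        return mode, f.read()


if __name__ == "__main__":
    mode, contents = demo()
    print(oct(mode), contents)
```

  Setting the mode on the descriptor before any data is written is the
  part that matters; a script that opens a new file with default creation
  flags under a 022 umask gets 0644, which is exactly the side-effect the
  post describes.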

------------------------------

Date: Mon, 15 May 2000 08:17:29 -0700
From: Chris Adams <chris@improbable.org>
Subject: Widespread Web-Trojan alerts

The people at Zope found a problem with their admin interface
(http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan) that also
applied to just about any web-based admin tool. Basically, an attacker could
create a page that redirected to the site's admin interface or a form that
submitted to it (possibly using JavaScript for automatic submission); in any
case, the effect was that any user who was logged in as a site administrator
could have an attacker execute arbitrary commands in their security context
merely by following a link. If this was carefully set up using JavaScript
and frames, it's more than possible that the admin would never notice what
had happened. This attack would be particularly effective against online
news sites and anyone else for whom it is common to receive many URLs every
day as submissions.

This story was picked up by LWN (http://www.lwn.net/2000/features/Redirect.phtml)
and spread rapidly to the usual security forums.

There's a very simple fix that prevents this attack from working in any of
the cases reported. The problem is that the form parameters can all be
guessed by the attacker, allowing them to generate a URL easily. Putting in
a random parameter prevents this from being true. Given that you need to
have a random identifier that is not leaked to third parties for meaningful
session management, an obvious step is to put in a parameter in the form
that must match the user's session ID (e.g. Confirm=346593045 instead of
Confirm=true).

(This is still vulnerable if the browser has a security hole which allows an
unrelated site to capture cookies. However, such a bug is really a separate
issue as it would allow an attacker to easily hijack the session directly. A
browser that buggy should not be used.)

What I've found disturbing is that there have been several people attempting
to get the news out since the original wave of reports (~5/10) about having
such a fix that will defang this entire class of attack in a single line of
code. These efforts don't seem to have achieved anything like the visibility
given to the original reports. There's a great deal of speculation about
convoluted, partial means of stopping such attacks and even suggestions
about disabling web-based admin interfaces entirely but, thus far, very
little word about what has to be one of the easiest fixes in the history of
computer security.

The risks? Besides the obvious security concerns, there's the risk that
people will do something rash or remain vulnerable despite the fact that,
contrary to some of the reports, there is a fix and it's quite simple. A
casual observer could easily get the impression that this problem is a major
threat.
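
  [An added example, not Zope's code or the poster's.  Two versions of a
  small form handler for a web admin interface: one that accepts the
  guessable Confirm=true described above, and one with the check the post
  recommends, a per-session value that an attacker's page cannot know.  The
  token here is derived with HMAC from a secret stored in the session rather
  than being the session ID itself, so that a form captured from a log or
  referrer does not hand over the cookie; that is a choice of this example.
  Handler names, the /admin/delete action and the request bodies are made
  up.]

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# session_id -> session state.  The session id travels in a cookie, which the
# browser attaches to *any* request to the site, including one forged by an
# attacker's page; that is what makes the guessable form dangerous.
SESSIONS: dict[str, dict] = {}


def new_session(user: str) -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "form_key": secrets.token_bytes(32)}
    return sid


def form_token(sid: str) -> str:
    """Per-session value the attacker cannot guess.  Derived from a session
    secret rather than being the session id itself (design choice of this
    example), so a leaked form does not leak the cookie."""
    return hmac.new(SESSIONS[sid]["form_key"], b"admin-action", hashlib.sha256).hexdigest()


def render_admin_form(sid: str) -> str:
    # Only the logged-in admin's own browser receives this page, so only it
    # learns the token; an attacker's page can still submit, but blind.
    return ('<form method="POST" action="/admin/delete">'
            f'<input type="hidden" name="Confirm" value="{form_token(sid)}">'
            '<input name="article"><input type="submit"></form>')


def admin_post_vulnerable(cookie_sid: str, body: str) -> tuple[int, str]:
    """The pattern the reports describe: every parameter is guessable."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401, "not logged in"
    params = parse_qs(body)
    if params.get("Confirm", [""])[0] != "true":
        return 400, "not confirmed"
    return 200, f"deleted article {params.get('article', [''])[0]} as {sess['user']}"


def admin_post_fixed(cookie_sid: str, body: str) -> tuple[int, str]:
    """Same handler with the one extra check: the supplied Confirm value must
    equal this session's token (constant-time compare)."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401, "not logged in"
    params = parse_qs(body)
    supplied = params.get("Confirm", [""])[0]
    if not hmac.compare_digest(supplied, form_token(cookie_sid)):
        return 403, "form token missing or wrong"
    return 200, f"deleted article {params.get('article', [''])[0]} as {sess['user']}"


if __name__ == "__main__":
    sid = new_session("editor")
    forged = "Confirm=true&article=42"  # what an attacker's auto-submitting page sends
    print("vulnerable, forged:", admin_post_vulnerable(sid, forged))
    print("fixed, forged:     ", admin_post_fixed(sid, forged))
    print("fixed, genuine:    ", admin_post_fixed(sid, f"Confirm={form_token(sid)}&article=42"))
```

  The forged request carries the victim's cookie, so the vulnerable handler
  runs it as the administrator; the fixed handler refuses it because the
  attacker's page, having never been served the form, cannot supply the
  token.  As the post notes, this rests on the browser keeping the cookie
  (and the served page) away from other origins.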

------------------------------

Date: Wed, 24 May 2000 15:54:49 -0400 (EDT)
From: CERT Advisory <cert-advisory@cert.org>
Subject: CERT Advisory CA-2000-07 [Abridged for RISKS]

CERT Advisory CA-2000-07 Microsoft Office 2000 UA ActiveX Control
Incorrectly Marked "Safe for Scripting"

[The full Advisory is at
   http://www.cert.org/advisories/CA-2000-07.html
PGN]

Systems Affected

     * Systems with Internet Explorer and Microsoft Office 2000
       components, including
       
     * Word 2000
     * Excel 2000
     * PowerPoint 2000
     * Access 2000
     * Photodraw 2000
     * FrontPage 2000
     * Project 2000
     * Outlook 2000
     * Publisher 2000
     * Works 2000 Suite
       
Overview

   The Microsoft Office 2000 UA ActiveX control is incorrectly marked as
   "safe for scripting". This vulnerability may allow an intruder to
   disable macro warnings in Office products and, subsequently, execute
   arbitrary code. This vulnerability may be exploited by viewing an HTML
   document via a web page, newsgroup posting, or e-mail message.
   
I. Description

   Microsoft and L0pht Research Labs have recently published advisories
   describing a vulnerability in the Microsoft Office 2000 UA ActiveX
   control. Due to the severity of this vulnerability, we are issuing a
   CERT advisory to help reach as broad an audience as possible.

Microsoft has published a security bulletin, an FAQ, and a knowledgebase
article describing this vulnerability. These documents are available from
Microsoft's web site:
   http://microsoft.com/technet/security/bulletin/ms00-034.asp
   http://microsoft.com/technet/security/bulletin/fq00-034.asp
   http://microsoft.com/technet/support/kb.asp?ID=262767
   
The CERT Coordination Center thanks L0pht Research Labs and @Stake for
initially discovering and reporting this vulnerability. We also thank the
Microsoft Security Team for their assistance in preparing this advisory.
   
------------------------------

Date: Fri, 26 May 2000 09:51:05 EDT
From: Kevin Fu <fubob@MIT.EDU>
Subject: Misleading warning, failure of Netscape SSL server authentication

Here is an example where improper caching and poor GUI design can render a
particular implementation of SSL server authentication insecure.

Within one Netscape session, if a user clicks on "continue" in response to a
"hostname does not match name in certificate," then that certificate is
incorrectly validated for future use in the Netscape session, REGARDLESS of
the hostname or IP address of other servers that use the certificate.

It seems that the "Certificate Name Check" warning will cache a certificate
as valid for any hostname or IP address in the future.  In this way, if an
adversary tricks a user into accepting an invalid certificate at a seemingly
benign site, then the user can then be tricked if he/she ever visits a
malicious site using the same certificate.  A "continue" click on a
seemingly benign SSL web server might end up taking away server
authentication from visiting
https://www.a-site-that-you-give-private-info.com/ that has poisoned DNS.

Since this is a risks post, there has to be a lesson:

* Be explicit.  Netscape's security warning does not indicate
  clearly what will result by clicking "continue."

* Even if the design is good, an implementation can go wrong.
  Netscape invented SSL, but it has a hard time using it correctly.
  Does this scare you?  It should.  If a company who designs
  an accepted security protocol cannot use it correctly, then
  think about the companies implementing homebrew security...

* Implementation bugs are not unique to Netscape.  PGP has a
  relatively good but absolutely dangerous user interface that can
  mislead users.  See the "Why Johnny Can't Encrypt" paper by Alma
  Whitten for an excellent analysis.   [SEE NOTE]

For a full report, see
http://snafu.fooworld.org/~fubob/netscape-ssl.html or
http://www.cert.org/advisories/CA-2000-08.html

Kevin E. Fu (fubob@mit.edu)

  [NOTE: The paper must be Whitten in Inwisible Ink.  PGN-Enquipped]
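
  [An added model of the failure described above, not Netscape's code.  A
  name check, an override cache keyed the way the post says Netscape's was
  (by certificate alone) beside one keyed by certificate and hostname, and a
  constructed scenario: the user clicks "continue" on a mismatch at a benign
  host, then visits a different host whose DNS has been poisoned to serve
  the same certificate.  The certificate bytes, names and hostnames are made
  up; the wildcard rule implemented (one leftmost label only) is the usual
  one and is an addition of this example.]

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """Identify a certificate by the SHA-256 of its encoded bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def hostname_matches(cert_names, hostname: str) -> bool:
    """Does the hostname match one of the names in the certificate?
    Exact match, or a wildcard covering exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            head, sep, tail = host.partition(".")
            if sep and head and tail == name[2:]:
                return True
        elif name == host:
            return True
    return False


class OverrideByCert:
    """Behaviour the post describes: once accepted, the certificate is
    trusted for any host for the rest of the session."""
    def __init__(self):
        self.accepted = set()

    def remember(self, fp, hostname):
        self.accepted.add(fp)

    def trusted(self, fp, hostname):
        return fp in self.accepted


class OverrideByCertAndHost:
    """Scoped override: the acceptance is remembered only for the
    (certificate, hostname) pair the user actually saw."""
    def __init__(self):
        self.accepted = set()

    def remember(self, fp, hostname):
        self.accepted.add((fp, hostname.lower()))

    def trusted(self, fp, hostname):
        return (fp, hostname.lower()) in self.accepted


def visit(cache, cert_der, cert_names, hostname, click_continue=False) -> str:
    """Outcome of one connection: the name check, then the override cache,
    then (optionally) the user clicking 'continue' on the warning."""
    fp = fingerprint(cert_der)
    if hostname_matches(cert_names, hostname):
        return "ok"
    if cache.trusted(fp, hostname):
        return "ok-cached-override"
    if click_continue:
        cache.remember(fp, hostname)
        return "ok-user-override"
    return "refused"


# Constructed scenario: one certificate issued to benign.example is later
# served by a second host whose DNS has been poisoned.
CERT = b"constructed-certificate-bytes-for-benign.example"
NAMES = ["benign.example"]


def scenario(cache):
    return [
        visit(cache, CERT, NAMES, "benign.example"),
        visit(cache, CERT, NAMES, "alias.benign.example", click_continue=True),
        visit(cache, CERT, NAMES, "bank.example"),
    ]


if __name__ == "__main__":
    print("cert-only cache:    ", scenario(OverrideByCert()))
    print("cert+hostname cache:", scenario(OverrideByCertAndHost()))
```

  With the certificate-only cache the third visit succeeds silently, which
  is the loss of server authentication the post describes; with the
  scoped cache the same visit produces the warning again.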

------------------------------

Date: Wed, 24 May 2000 01:01:12 -0600
From: "s. keeling" <keeling@spots.ab.ca>
Subject: I did not say that!  wrt deja.com

I don't know if this is a problem or if I'm overreacting.  I just did
a search on my user id and chanced across a misquoted (by some usenet
newbie) news article that attributes statements I never said to me.

http://x69.deja.com/[ST_rn=fs]/getdoc.xp?AN=624428330&CONTEXT=959150860.1906835472&hitnum=6

Do people take deja/usenet with a grain of salt, or should I worry
about what anyone can say I said?

keelingNO@SPAM.spots.ab.ca (Stephen) TopQuark Software & Serv. 

  [Misinformation has a horrible way of propagating.  If I were you, I would
  put a note on your Web site disowning something like that and perhaps
  putting in a thoughtful item on the risks of being misquoted.  PGN]

------------------------------

Date: 22 May 2000 23:25:38 -0400
From: uryse0d5@umail.furryterror.org (Zygo Blaxell)
Subject: Risky quotation

While at a bookstore the other day, my spouse was presented with a credit
card signature slip printed by an Interac point-of-sale terminal.  It was
just like any other credit signature slip, except that the usual "customer
signature" line was printed twice, one on top of the other, with ample
space for the signature in both places--a harmless glitch, probably
due to an obvious and simple programming error.

We pointed the error out to the cashier, who was probably barely old
enough to be legally employed, and her response, if she speaks for her
generation, was ominous, even terrifying:

	"It does that because ... because it's a computer."

An entire generation is growing up believing that the current sorry state
of affairs in information technology could ever be accepted as _normal_!

------------------------------

Date: 13 Dec 1999 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
 if possible and convenient for you.  Alternatively, via majordomo, 
 SEND DIRECT E-MAIL REQUESTS to <risks-request@csl.sri.com> with one-line, 
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO     [for unabridged version of RISKS information]
 .MIL users should contact <risks-request@pica.army.mil> (Dennis Rears).
 .UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> The INFO file (submissions, default disclaimers, archive sites, 
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All 
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
 http://the.wiretapped.net/security/textfiles/risks-digest/ .
==> PostScript copy of PGN's comprehensive historical summary of one liners:
    illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.89
************************

