Subject: RISKS DIGEST 18.69

RISKS-LIST: Risks-Forum Digest  Thursday 19 December 1996  Volume 18 : Issue 69

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
Bright Field crash in New Orleans computer related (PGN)
Bright Field: Risks of smart safety systems? (David Lesher)
Major denial-of-service attack on WebCom in San Francisco bay area (PGN)
Connecticut DPUC gets slammed (Daniel Pouzzner)
U.S. program export controls ruled unconstitutional in No.California (PGN)
German Cabinet Approves Internet Regulation (PGN)
More savings we can count on our fingers... (Jeffrey Sorensen)
URGENT! Major HOLE in NCSA httpd servers... (Matthew Healy)
Warning! Security risks with ActiveX! (B Fiero)
Re: November 1996 CACM article on InfoWar Defense (Geoff Kuenning)
Re: Software hunts and kills Net viruses (Gregory B. Sorkin)
First Workshop on Building and Using CORBAsec ORBs [urgent] (Richard Soley)
New Security Paradigms '97, call for papers (Yvo Desmedt)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 17 Dec 96 8:49:42 PST
From: "Peter G. Neumann"
Subject: Bright Field crash in New Orleans computer related

According to John Hammerschmidt of the NTSB, preliminary investigations into the freighter *Bright Field* crashing into the Riverwalk in New Orleans suggest that an oil-pump failure caused the ship's computer to automatically reduce speed. A standby pump kicked in, but under reduced power the ship's maneuverability was decreased. The impact cut a 200-foot swath into shops and a hotel condominium complex, and the pedestrian walkway. A language barrier between the Chinese-speaking captain (and crew) and the English-speaking pilot reportedly may also have contributed.
The Liberian-registered 69,000-ton ship was not equipped with a U.S.-recommended voice recorder, and a second voice recorder was not functioning. Coast Guard Captain Gordon Marsh confirmed that large ships lose steering power as often as once a week.

[Source: various news items, including *San Francisco Chronicle*, 17 Dec 1996]

------------------------------

Date: Tue, 17 Dec 1996 07:50:00 -0800 (PST)
From: wb8foz@netcom.com (David Lesher)
Subject: Bright Field: Risks of smart safety systems?

[... see previous item ...]

The pilot appears to have performed a miraculous job of parallel-parking the 761-foot vessel in the 900-foot space between two heavily populated entertainment boats.

The RISK? While [the automatic reactions] clearly saved an engine that likely costs millions to rebuild, could the sacrifice of the engine have prevented the collision? Or would the engine have exploded, throwing LARGE pieces around and killing people that way? Is this the low-speed version of the Airbus dilemma -- who knows more, the pilot or the computer?

------------------------------

Date: Tue, 17 Dec 1996 08:56:06 -0500
From: "Peter G. Neumann"
Subject: Major denial-of-service attack on WebCom in San Francisco bay area

A 200-message-per-second SYN-flood attack (see RISKS-18.45 for the precursor PANIX attack, and RISKS-18.48 for some defenses) was launched against WebCom (a large WWW service provider), affecting more than 3000 Web sites for 40 hours during most of what was otherwise a very busy shopping weekend. The attack began Saturday morning PST shortly after midnight. The initial attack triggered an automatic pager warning. WebCom engineers then traced the attack back to PSINet. Ten hours later PSINet traced it to MCI lines. MCI traced the attack route back to [a Toronto location of] CANet [a Canadian ISP], and then back to BC.Net. WebNet was unable to stanch the flood, so MCI finally blocked all traffic from CANet to WebCom -- allowing WebCom to restore service.
Apparently, WebCom had experienced a milder SYN attack the weekend before, so it was better prepared than it might have been otherwise.

[Source: High-Tech Attack Shuts Down Web Provider in Santa Cruz, an AP item written by but not attributed to Elizabeth Weise, seen in the *San Francisco Chronicle*, 17 Dec 1996, C18. PGN Stark Abstracting]

["Betty G. O'Hearn" submitted the entire AP item. PGN]

[NOTE: I inserted a slight change in the archive copy to reflect CANet being Canada-wide. PGN]

------------------------------

Date: Tue, 17 Dec 1996 13:53:22 -0500
From: Daniel Pouzzner
Subject: Connecticut DPUC gets slammed

In an amusing twist on the now-tired practice of slamming, Connecticut's Department of Public Utility Control (DPUC) had 6 of its 14 long-distance lines switched involuntarily from MCI to Wiltel. The story, run today (17 Dec) as a full-width headline on the front page of the Hartford Courant, quotes a DPUC employee: "They did WHAT??? Excuse me, we're the DPUC, and we got slammed?"

The change was orchestrated and confirmed by SNET, the local telephone monopoly; SNET also confirmed that Wiltel (owned by WorldCom, of Jackson Mississippi, and the fourth largest long distance carrier) had sent a request to SNET that the switchover be made.

The practice of slamming is so common that it behooves regulators to consider how the infrastructure might be altered to make the practice impossible. As a starting point, the hand-written signature of the client (or representative thereof) should be required for any change of service, but future systems will surely involve digital signatures which are issued on a per-call basis.

As the line between packet-switched networks and pseudocircuit-switched networks continues to blur, a new type of competition will eventually come to the fore. In the future, we should expect smart telephones to automatically choose the cheapest route to a destination.
In the meantime, with customers essentially at the mercy of whimsical telephony moguls, only two policies are viable: either avoid becoming a dialtone customer in the first place (avoiding both slamming, and outright theft of service by phone card and cell phone profile trafficking rings), or be eternally vigilant.

-Daniel Pouzzner
Westport, CT

------------------------------

Date: Thu, 19 Dec 96 8:42:45 PST
From: "Peter G. Neumann"
Subject: U.S. program export controls ruled unconstitutional in No.California

U.S. District Judge Marilyn Hall Patel has ruled in favor of Daniel Bernstein, whose Snuffle encryption program (and corresponding Unsnuffle for decryption) had been considered a munition under the ITAR regulations -- and therefore subject to export controls. She ruled that the government restrictions on the export of encryption programs are an unconstitutional interference with freedom of speech. However, the ruling does not extend to the constitutionality of the export controls themselves. Somewhat curiously, the ruling is not applicable outside of California's Northern District (e.g., Silicon Valley).

Earlier, dissemination of his research paper describing the algorithm had been blocked by the State Department in 1993. However, when that paper was deemed distributable abroad in 1995, the distribution of the software itself was still subject to export controls -- whereupon Bernstein sued. (See RISKS-18.05.)

------------------------------

Date: Wed, 18 Dec 1996 03:34:31 -0500
From: "Peter G. Neumann"
Subject: German Cabinet Approves Internet Regulation

German Chancellor Helmut Kohl's cabinet has approved a bill that seeks to protect Internet users' privacy and prevent smut and Nazi propaganda. The new law covers businesses such as telebanking and database services, as well as online services. Perhaps redundantly, acts already prohibited in Germany -- such as conducting fraudulent business -- will also be illegal electronically.
Responsibility for suspect content is on the ``suppliers'', not the service providers. The law requires the use of ``digital signatures''. It bans certain forms of tracking of individual usage, and encourages some anonymity. It also calls for descriptors that would permit automatic filtering of material unsuitable for minors. [Sort of a minor's lamp?]

[Source: a Reuters item, by Terence Gallagher, 11 Dec 1996, via BEYOND THE FRINGE: vol 27 no 16, from: alm@znet.com, contributed in its entirety to RISKS by Betty O'Hearn, betty@infowar.com 813-367-7277. PGN Stark Abstracting.]

------------------------------

Date: Tue, 17 Dec 1996 10:54:03 -0500
From: Jeffrey Sorensen
Subject: More savings we can count on our fingers...

Way back in RISKS-13.40, I complained about New York's plan to install fingerprinting systems for welfare recipients. Back then the fraud was estimated to be between $150 million and $2 billion, give or take 3 decimal places.

I now live in Connecticut, and the 12 Dec 1996 _New Haven Advocate_ reports that the Connecticut fingerprinting system (to catch welfare recipients "red-handed") cost $5.1 million. The system has discovered six *possible* cases of fraud out of 70,000 recipients. That's $850,000 each for people who receive $300 a month. Of course, the state maintains that the system has worked as a scarecrow and that an estimated 3,000 of the 7,000 people who never showed up to be fingerprinted probably never will. So there.

This isn't the first time that flimsy science is invoked in a hot-button political issue. Troubling questions remain:

(1) Does the fingerprinting system work as intended, i.e. is it an accurate biometric device? How many are wrongly accused of being welfare cheats? How many cheats does the system miss?

(2) How much fraud is there in the welfare system? Approximately?

(3) In the absence of answers to 1 & 2, how do we judge if these systems are worth their price?
(4) Is it appropriate to subject welfare recipients to this additional burden, or is it intended to demean and demoralize an already disadvantaged group?

(5) Of those who are afraid, for whatever reason, to be fingerprinted, how many are being denied legitimate benefits?

(6) Who in the political system cares about any of this?

If things continue this way, the states will probably blow their block grants on those new millimeter wavelength holographic imaging scanners...

sorenj@alumni.rpi.edu

------------------------------

Date: Wed, 18 Dec 1996 11:42:10 -0500
From: Matthew.Healy@yale.edu (Matthew D. Healy)
Subject: URGENT! Major HOLE in NCSA httpd servers...

One of the utilities that comes with NCSA httpd -- a cgi program called phf -- has a serious security hole. With a suitable URL, it can be tricked into sending the /etc/passwd file to any user. A number of computers here at Yale School of Medicine have been compromised in this manner.

To check whether YOUR password file has been downloaded:

  egrep 'phf' /etc/httpd.dir/logs/access_log | grep 'passwd'
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              (or wherever your WWW server log is)

When I checked the logs on our WWW servers, I found that people in several different countries have recently downloaded /etc/passwd files. So the bad guys know about this one. Many bad guys know about this one.

IF YOU HAVE BEEN HIT BY THIS, then:

1. disable the phf script until you can install a version that refuses to display the password file

2. CHANGE YOUR PASSWORDS! When you do, choose passwords that will resist cracking with a dictionary. Remember that under most flavors of Unix only the first 8 characters of a password matter, so a password like apricot57tree is really just apricot5 to a cracker!

Matthew D. Healy Ph.D., Center for Medical Informatics, Yale School of Medicine
Matthew.Healy@yale.edu  http://paella.med.yale.edu/~healy

------------------------------

Date: 17 Dec 1996 04:46:04 GMT
From: bfieroct@aol.com (BFiero CT)
Subject: Warning! Security risks with ActiveX!

With Java, there was a sort of `Java virus' scare. Remember, anyone? It ended up being an application that put a load on your processor. It was real tough to hit that Back or Stop button in Netscape to stop the application, and then not go to that site anymore. Java programmers were quick to point out that the Java language can't access your operating system at all, much less do any damage.

But with Microsoft's Active-X, there are many more serious concerns. A programmer can access your memory and disk i/o sub-systems using Microsoft's Active-X. What does that mean? Well, ... the easiest thing a malicious person would do is plant a virus quietly on your system, or simply delete important files. But I believe Gates' plan is to be able to extract more information from your system. What? Forget so soon that when you electronically register Win95, your directory tree structure and other information is sent to M.$. with your registration info?

This is a quote from `Computerworld', December 2, 1996, Vol. 30 No. 49. On page 139 you'll find ...

*_*_*_*_Quote Begin

FIX ACTIVE-X SECURITY PROBLEMS. Objects built with ActiveX can access system resources on users' desktops, which can lead to security breaches or corruption of PC data. Microsoft's answer is to provide certification the ActiveX code comes from the developer that users think it comes from. But that isn't good enough, said Oliver Pflug, president of SiteCast. Users must "set up software to receive certificates, understand the entire process and have a way of verifying the certificate," he said. "It's awkward."

*_*_*_*_Quote End

Is this what you want when using the Internet? To have to worry about properly setting up software to prevent people from taking advantage of M.S.'s intentional security flaws? And even then, this doesn't prevent a `certified' content provider from accessing data from your system.
At Comdex it was finally made public knowledge that Billyboy plans on creating a `Microsoft Java.' Why? Because as hard as Microsoft tried, it couldn't take over and control the development of the real Java. So now instead of supporting something that would be a good thing, Gates wants to use strong-arm tactics to wipe out something that works well and replace it with his versions and `visions' of how he feels it should be.

Of course, people are hard at work making M.S. Java incompatible with what is out there now. And code is already being worked on that will enable M.S. Java to be able to extract information from your system while you use the Web, just as ActiveX does now.

It's bad enough that Microsoft can retrieve stuff from your hard drive, but here's one thing I really fear ...

As you may know, web pages are stored on your hard disk in a cache as you view them. Frequently accessed sites can be retrieved from there and displayed more quickly. But say someone writes some Active-X or M.S. Java code to randomly grab a couple of those cache files while you view their web page? Let's say they get one where you entered your credit card # to order that rare Pink Floyd album from a record dealer on the web. Or possibly a file on your disk that contains sensitive personal or business information?

All I can say is... Be afraid of using M.S. products, be very afraid.

------------------------------

Date: 18 Dec 1996 00:21:34 GMT
From: geoff@ficus.cs.ucla.edu (Geoff Kuenning)
Subject: Re: November 1996 CACM article on InfoWar Defense (Cohen, RISKS-18.68)

I am quite surprised that our esteemed moderator allowed Mr. Cohen's rather excitable, accusatory, and low-content article to be published as it appeared. Peter must have been having a busy day, or perhaps this was the cleaned-up version.

  [Geoff, You are kind. But I try not to be a draconian censor -- only a moderator. Besides, it triggered *your* response. PGN]

In any case, I fear that it is Mr. Cohen who misses the point. The issue is not one of cluelessness, it's one of priorities. Mr. Cohen asks:

> Questions: Suppose we had absolute and perfect privacy but still had the
> current inadequate level of information assurance.
>
> Could the phone system still be brought down? Yes
> Could the power grid still be brought down? Yes
> Could air traffic still be brought down? Yes
> Does privacy protection solve the information assurance problem? NO!
>
> Question: Suppose we had absolute and perfect information assurance.
>
> Could we still have perfect privacy? Probably

The point Mr. Cohen misses is that for some of us, privacy is vastly more important than information assurance. I'm not willing to accept his "probably." So all I have to do is turn his questions around, replacing all of his yesses with "probably" or even just "maybe," note that we could then have perfect privacy, and for me the decision is preferable.

It's hardly an accident that the Founding Fathers of the United States chose to make law enforcement more difficult than it has to be. Some of us (e.g., many FBI employees) place security above liberty. Others prefer the reverse choice. In neither case does that reflect on the quality of our reasoning.

Mr. Cohen is not clueless, but neither am I. I am, however, trying to be somewhat more polite.

Geoff Kuenning  g.kuenning@ieee.org  geoff@ITcorp.com  http://fmg-www.cs.ucla.edu/geoff/

------------------------------

Date: Tue, 17 Dec 96 14:05:11 -0500
From: "Gregory B. Sorkin"
Subject: Re: Software hunts and kills Net viruses (Rosbach, RISKS-18.65)

RISKS-18.65 contains an item "Software hunts and kills Net viruses" (Hans A. Rosbach) that refers to a London *Times* article of the same title. (The *Sunday Times*, 1 Dec 1996, Innovations: Bits & Bytes.) Curiously, the same section of the Times includes articles entitled "Skull pins keep wigs in place" and "Cheeseburgers are rich in cancer-fighting compounds".
(See http://www.sunday-times.co.uk/news/pages/sti/96/12/01/stiinnbit01003.html?1483095.)

Despite the fact that the article quotes me by name, as far as I know I was not interviewed by the *London Times*, and certainly the article gives an inaccurate account of IBM AntiVirus.

It is true that IBM AntiVirus contains a neural network which detects new viruses by generalizing from old ones. It is also true that we are building towards an "immune system for cyberspace", whose functions will include an automated analysis of any new virus detected on a machine, and transmission of the results --- notably a procedure for removing the virus --- to affiliated machines. The prototype software is undergoing extensive testing, and will not be released until we are confident of its reliability. We would of course never design a program to spread to any system whose owner hadn't explicitly arranged for it to be there, nor do we have any release scheduled for this week.

For those interested in the technical details, let me also mention that temporal difference learning has nothing to do with the neural network in IBM AntiVirus. Temporal difference learning was used for the very powerful backgammon-playing neural network developed by Gerry Tesauro, and Gerry also helped develop the anti-viral neural net, but there is no other connection between the backgammon network and the anti-viral one.

For more information about computer viruses in general and IBM AntiVirus in particular, please see http://www.av.ibm.com/

Gregory Sorkin, IBM T.J. Watson Research Center, 30 Saw Mill River Road, Hawthorne NY 10532

------------------------------

Date: Wed, 18 Dec 1996 17:06:10 -0500
From: soley@omg.org (Richard Mark Soley)
Subject: First Workshop on Building and Using CORBAsec ORBs [urgent]

To Persons Interested in Security in Distributed Object Systems, the deadline for workshop participation is 20 Dec 1996.

FIRST WORKSHOP ON BUILDING AND USING CORBASEC ORBS
Marriott Inner Harbor, Baltimore, MD 21201, 1-3 April 1997
Co-Sponsored by the Object Management Group and the National Security Agency

The Object Management Group (OMG) CORBA specification includes security protocols and services that are being widely adopted. Unfortunately, a full understanding of the strengths and weaknesses of the security aspects of the CORBA standards requires experience with Object Oriented Technology, Information Technology Security and operational system planning, development and deployment. OMG is hosting this workshop to bring together individuals with varying sets of these types of experience to examine, explain and critique the adopted OMG security specifications and other similar and related work.

The workshop approach will be to have individuals with the full range of OOT, IT Security, and Operational System experience examine and discuss, in turn, the content and meaning of the CORBA Security standards, the design issues relevant to realizing the CORBA Security standards in ORBs, and the design issues relevant to using ORBs meeting the CORBA Security standards as the foundation for operational systems.

Interested individuals or organizations are invited to submit a brief position statement of one printed page (or 60 80-character email lines of text) outlining a position on one or more of the three major categories [CORBA security standards, Secure ORB design issues, Secure ORB usage issues] by 20 December 1996 to secws-submissions@omg.org .

  [Contact Richard Soley or David Chizmadia immediately for detailed information. I did not find it on the omg.org webpage. PGN]

WORKSHOP COMMITTEE

Co-Chairs:
  Dr. Richard Soley, Vice President & Technical Director, Object Management Group, soley@omg.org
  Mr. David Chizmadia, Office of INFOSEC Computer Research, National Security Agency, dmc@tycho.ncsc.mil

------------------------------

Date: Thu, 19 Dec 1996 00:09:12 -0600
From: "Dr. Yvo Desmedt"
Subject: New Security Paradigms '97, call for papers

PRELIMINARY CALL FOR PAPERS
NEW SECURITY PARADIGMS '97
A workshop sponsored by ACM and the University of Newcastle upon Tyne.
Langdale Hotel, Great Langdale, Cumbria, UK
23 - 26 September 1997

Paradigm shifts disrupt the status quo, destroy outdated ideas, and open the way to new possibilities. This workshop explores deficiencies of current computer security paradigms and examines radical new models which address those deficiencies. Previous years' workshops have identified problematic aspects of traditional security paradigms and explored a variety of possible alternatives. Participants have discussed alternative models for access control, intrusion detection; new definitions of security, privacy, secrecy and trust; biological and economic models of security; multiple policies; and a wide variety of other topics. The 1997 workshop will strike a balance between building on the foundations laid in past years and exploring in new directions.

  [This is an important workshop, but attendance is limited to about 25 people. Somewhat surprisingly, the committee folks in the full notice total 23, but I suppose that they are not all going to attend. To participate, please get from Mary Ellen Zurko or Catherine Meadows the full information regarding your submitted paper, justification for your would-be invitation, and your commitment to attend all three days, which must be received by 4 April 1997.
  PGN]

E-mail to: newparadigms97@opengroup.org
use anonymous FTP from: ftp.cs.uwm.edu in directory: /pub/new-paradigms
Use World Wide Web from: http://www.cs.uwm.edu/~new-paradigms

NEW SECURITY PARADIGMS '97 WORKSHOP ORGANIZERS

Steering Committee: Tom Haigh, Bob Blakley, Mary Ellen Zurko, Catherine Meadows, John Dobson, Hilary Hosmer

Workshop Co-Chair: Tom Haigh, voice: +1 (612) 628-2738, fax: +1 (612) 628-2701, email: Haigh@sctc.com
  post: Tom Haigh, Secure Computing Corp., 2678 Long Lake Road, Roseville, MN 55113 USA

Workshop Co-Chair: Bob Blakley, voice: +1 (512) 838-8133, fax: +1 (512) 838-0156, email: blakley@vnet.ibm.com
  post: Bob Blakley, IBM, 11400 Burnet Road, Mail Stop 9134, Austin, TX 78758 USA

Program Committee Co-Chair: Mary Ellen Zurko, voice: +1 (617) 621-7231, fax: +1 (617) 621-8696, email: zurko@osf.org
  post: Mary Ellen Zurko, The Open Group Research Institute, 11 Cambridge Center, Cambridge, MA 02142 USA

Program Committee Co-Chair: Catherine Meadows, voice: +1 (202) 767-3490, fax: +1 (202) 404-7942, email: Meadows@itd.nrl.navy.mil
  post: Catherine Meadows, Naval Research Laboratory, Code 5543, Washington, DC 20375 USA

------------------------------

Date: 15 Aug 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 18.69
************************
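A log-scanning version of the phf check from Matthew Healy's item in this issue, as an added example that is not part of the digest or his posting. It applies his phf-and-passwd test to a Common Log Format access_log and reports how many such requests there were, which client hosts made them, and which of them the server actually answered with a 200, so you know whether the password file left the machine. It assumes CLF lines (client host in the first field) and runs over a constructed sample log; the attack query string is deliberately elided.

```shell
#!/bin/sh
# Added example, not from the RISKS digest: summarise phf/passwd requests in
# an NCSA-style access_log.  Assumes Common Log Format; sample log below is
# constructed for demonstration and uses documentation addresses.

# Lines matching Healy's pipeline: request mentions phf AND passwd.
phf_passwd_hits() {
    # $1 = path to the WWW server access log
    grep 'phf' "$1" | grep 'passwd'
}

# Number of matching requests, whatever the server answered.
phf_hit_count() {
    phf_passwd_hits "$1" | wc -l | tr -d ' '
}

# Distinct client hosts that made matching requests (CLF field 1).
phf_hit_hosts() {
    phf_passwd_hits "$1" | awk '{ print $1 }' | sort -u
}

# Only the matching requests answered with status 200 (CLF field 9) returned
# content; a 404 or 403 means that particular attempt got nothing.
phf_passwd_served() {
    phf_passwd_hits "$1" | awk '$9 == 200'
}

# Constructed sample access_log.  Line 2 is a legitimate phf lookup and line
# 4 merely mentions passwd; neither should be reported.  Three phf+passwd
# requests remain, of which two were served (200) and one failed (404).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [16/Dec/1996:22:14:03 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.22 - - [16/Dec/1996:22:20:41 -0500] "GET /cgi-bin/phf?q=smith HTTP/1.0" 200 512
203.0.113.7 - - [16/Dec/1996:23:01:17 -0500] "GET /cgi-bin/phf?q=[elided]/etc/passwd HTTP/1.0" 200 2217
192.0.2.10 - - [17/Dec/1996:08:05:55 -0500] "GET /docs/passwd-policy.html HTTP/1.0" 200 3300
203.0.113.7 - - [17/Dec/1996:09:12:02 -0500] "GET /cgi-bin/phf?q=[elided]/etc/passwd HTTP/1.0" 200 2217
198.51.100.40 - - [17/Dec/1996:11:47:30 -0500] "GET /cgi-bin/phf?q=[elided]/etc/passwd HTTP/1.0" 404 0
EOF

# Report for the sample log.
echo "phf/passwd requests: $(phf_hit_count "$SAMPLE_LOG")"
echo "client hosts making them:"
phf_hit_hosts "$SAMPLE_LOG" | sed 's/^/  /'
echo "requests actually served (status 200):"
phf_passwd_served "$SAMPLE_LOG" | sed 's/^/  /'
```

On a real server, replace SAMPLE_LOG with the access_log path and treat any served hit as a downloaded password file (disable phf, change passwords, as Healy's item says).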