precedence: bulk Subject: RISKS DIGEST 18.83 RISKS-LIST: Risks-Forum Digest Friday 21 February 1997 Volume 18 : Issue 83 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** Contents: TCAS and the F-16 incidents (PGN) B777 autopilot/flight-director problems? (Peter Ladkin) Myths about digital signatures (Edward Felten) Suit Over Computer Use (David Kennedy) Bank Sued for Racist E-Mail (David Kennedy) Computer glitch mails out multiple driver's licenses (Dave Tarabar) Proprietary data formats and backcompatibility (Lloyd Wood) Web banking (Harold Asmis) Forgeries and Dejanews (Robert Ames) Judge Shuts Down Another Cyberporn Scam (Edupage) Who made the call in the Moldova porn scam? (Doug Claar) Virus mailed out on PhotoDisc CD-ROM (John C. Rivard) Y2K "problem" in virus? (Jim Griffith) Mobile code security mailing list (Edward Felten) ActiveX basic problem (Paul Robinson) MS on the CCC ActiveX virus (Tod Nielsen and Brad Silverberg via Lloyd Wood) Microsoft "defends" ActiveX (Travis Winfrey) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 20 Feb 97 11:03:13 PST From: "Peter G. Neumann" Subject: TCAS and the F-16 incidents There have now been four recent incidents involving F-16s and commercial airliners with the TCAS automated collision avoidance system. 1. On 5 Feb 1997, two Air Force F-16s closed on a Nation's Air Boeing 727 passenger jet heading for JFK in NY. A TCAS alarm caused the 727 pilot to take evasive action, flooring three passengers and crew members. This occurred in a fairly large restricted area through which the 727 had been cleared to fly. One of the F-16 pilots had earlier identified the 727 as a passenger plane, but continued to chase it ``as an intruder into his airspace''. The instructor pilot told his trainee pilot to stay out of the way ``till this, uh, bozo gets out of the airspace.'' He was eventually ordered to stop the chase, but ``the command may have been delayed because the fighter pilot was on the wrong frequency'' (according to the Air Force report). 2. On 7 Feb 1997, four Air National Guard F-16s from Andrews Air Force Base passed an American Eagle commuter plane bound from Raleigh to NY. Three of the F-16s were above the commuter plane, one below. A TCAS alarm caused the American Eagle pilot to take evasive action. 3. Also on 7 Feb 1997, two Air Force F-16s entered the safety zone around an American Airlines jet over Palacios TX. 4. Also on 7 Feb 1997, two Air Force F-16s entered the safety zone around an Northwest Airlines jet over Clovis, NM. The Air Force insists that none of these cases was a close call (that is, with less than 500 feet separation), and that such close encounters have happened routinely in the past without causing concern -- before the advent of TCAS. So, we can chalk this up either as an indication that TCAS works (albeit too well?), or as a failure of the Air Force to understand the risks of false alarms in someone else's safety system! [Sources: items in *The Washington Post* 8 Feb 1997, *Los Angeles Times*, 11 Feb 1997, A14, and *The New York Times*, 19 Feb 1997.] ------------------------------ Date: Tue, 18 Feb 1997 17:58:08 +0100 From: Peter Ladkin Subject: B777 autopilot/flight-director problems? Flight International (19-25 Feb 97, p4) reports that the UK AAIB is looking into an uncommanded-rudder-movement incident on a British Airways Boeing 777-200A in October 1996. The B777 is a fly-by-wire (FBW) aircraft. The aircraft departed Heathrow en route Jeddah, and was forced to turn back. A UK CAA Occurrence Report talks of uncommanded movement of rudder and rudder pedals during climb and cruise, at random intervals. The flaperons were also observed to move, it is surmised in counterresponse to the rudder movements. "Large rudder input" was required on the landing. An intermittent fault in the two autopilot/flight-director computers is suspected, and they're being lab-tested -- as are the rudder backdrive actuators. It's perhaps important to point out the difference between the flight management system (FMS), of which the autopilot/flight-director is part, and the aircraft control system. The term `fly-by-wire' is used by aerospace engineers (but not usually journalists) to refer to digital-computer operation of the control system. Many non-FBW aircraft, some which have been in service for 14 years now, have digital computer-controlled FMS's. In this B777 incident, FMS problems are suspected (but not yet confirmed), whereas control-system problems are not. Peter Ladkin ------------------------------ Date: Wed, 19 Feb 1997 17:12:43 -0500 From: Edward Felten Subject: Myths about digital signatures There has been a lot of public discussion lately about digital signatures on mobile code. Several myths permeate this discussion. I'd like to puncture three of them. * Myth 1: Digital signatures let you know who wrote a program, or where it came from. Reality: Anybody can remove the author's signature or add their own signature. At best, a signature tells you that the signer endorsed the program recently. Endorsement is more useful than authorship anyway; most people care more about whether their corporate MIS department has endorsed a program than about who wrote the program. * Myth 2: If X has signed a program, and I trust X, then it is safe for me to download the program. Reality: There have been plenty of incidents of reputable and well-meaning organizations spreading viruses or serving as the base for security attacks. Before accepting a download from X, it's not enough to ask "Do I trust X?" One must also ask questions like "How carefully has X managed his cryptographic keys?" and "What is the probability that X's security has been penetrated?" * Myth 3: Digital signatures provide accountability; if a program signed by X is malicious, the victim can sue X. Reality: Suppose I accept a download signed by X. A few seconds later there is some mysterious network traffic and then my disk gets wiped clean. X could be the culprit. Or X could be innocent --- that code I downloaded from Y three days ago could have waited a while before detonating. Or somebody could have exploited a bug somewhere else in my system. I have *no evidence* to distinguish these cases --- all the evidence disappeared when my disk was erased. (We can assume the attacker is smart enough to remove the hostile code from his site immediately after the attack.) If the attacker doesn't erase my disk, I can't trust the apparent evidence anyway. After all, the attacker had free run of my system and could have planted whatever "evidence" he liked. The evidence, whether real or not, will collapse in the first cross-examination. Signatures can provide accountability, but only with much more rigorous logging and auditing than today's consumer software provides. ------------------------------ Date: 18 Feb 97 22:00:21 EST From: David Kennedy <76702.3557@CompuServe.COM> Subject: Suit Over Computer Use Courtesy of United Press International via CompuServe's Executive News Service: UW prof accused of copying porno pics (UPI US & World, 13 Feb 1997) > MADISON, Wis., Feb. 13 (UPI) -- The University of Wisconsin-Madison is > facing (Thursday) a sexual harassment lawsuit, claiming a former medical > professor used campus computers to copy hundreds of pornographic pictures > from the Internet. Another employee is suing because the professor propositioned her. DMK Comment: Privacy fanatics balk when companies claim privilege over the contents and uses of the systems the companies own. In this case, the university is being held responsible for the actions of one of their employees. Given the academic-freedom environments in most (all?) American Universities (and probably elsewhere), the university is in a no-win position. Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc. ------------------------------ Date: 19 Feb 97 21:00:09 EST From: David Kennedy <76702.3557@CompuServe.COM> Subject: Bank Sued for Racist E-Mail Courtesy of the Dow Jones News Service via CompuServe's Executive News Service: Citibank Workers File Bias Lawsuit Over Racist E-Mail (Dow Jones, 18 Feb 1997) By Frances A. McMorris Staff Reporter of The Wall Street Journal > NEW YORK -- Two black employees of the Citibank NA unit of Citicorp filed > a race discrimination lawsuit after racist jokes were allegedly sent via > electronic mail by several bank supervisors. The e-mail was identical to a > set of racially charged jokes at the center of a lawsuit against Morgan > Stanley & Co. > The plaintiffs, Alvin Williamson, a vice-president, and Brenda Curtis, a > secretary, contend that several Citibank supervisors, including > vice-presidents, spread the offensive e-mail to specific colleagues around > the country. The e-mail created a "pervasively abusive racially hostile > work environment," the plaintiffs said in their lawsuit. :: Mail sent on Jan 28th. Suit claims little or no action was taken against those who spread the message, although the company acknowledged an incident did take place and it was "putting into effect disciplinary actions" against the perpetrators. DMK Comment: Another company is being sued for objectionable content of employee computer use. Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc. ------------------------------ Date: Thu, 20 Feb 1997 09:02:54 -0500 From: Dave Tarabar Subject: Computer glitch mails out multiple driver's licenses *The Boston Globe*, 20 Feb 1997, has a picture of a woman holding six copies of her new driver's license which came in the mail on the same day. Two years ago, the Massachusetts Registry of Motor Vehicles converted to a new state-of-the-art system for producing driver's licenses. When a person renews a license, a digital color picture is taken. You are given a temporary paper license and are told that your permanent license will arrive shortly in the mail. The permanent license is a single piece of plastic (like a credit card). It should be more tamper-resistant than previous licenses, which had a Polaroid picture laminated to paper. So far there have been no reported problems with the system. It appears that in certain cases, the system was spitting out multiple copies of a license and mailing them on the same day. A spokesman for the Registry says that a computer programming error has been identified and fixed. The Registry says that about 50 people reported receiving multiple licenses. The major Risk here is that extra licenses could be sold (or stolen) for the purpose of false IDs. Another feature (or risk?) of the digital photographs is that it is no longer necessary to go in person to the Registry when renewing your license or replacing a lost or stolen license. You can just send a check. For many people, the most serious risk is that there is no longer only one copy of their driver's license picture :-) Dave Tarabar, SystemSoft Corp., 2 Vision Drive Natick, MA 01760 dtarabar@systemsoft.com 1-508-647-2952 ------------------------------ Date: Wed, 19 Feb 1997 16:25:36 +0000 (GMT) From: Lloyd Wood Subject: Proprietary data formats and backcompatibility From the Electronic Telegraph, Connected Newsbytes, Tuesday 18 Feb 1997: Microsoft says that it has solved the problem of forward compatibility - the way that old word processors can't read documents produced by newer versions of the same software. Apparently, if you're still using Office97 10 years from now and someone sends you an Office2007 file, your computer will lead you on to the Web to download a converter utility. There are a number of risks inherent in this (assuming a network connection, assuming that the web hasn't undergone a sea change to a completely different access protocol), but these risks are experienced by you, the user of software that writes its data in a proprietary, publically undocumented, format that leaves you nothing else to fall back on. In fact, these risks will encourage you to upgrade Office (or Acrobat's 'portable'-document-format pdf reader, say) regularly to avoid them. Is this the best way forward? L. Software marketing - so good it's almost criminal. +44-1483-300800x3435 ------------------------------ Date: Thu, 13 Feb 1997 12:37:30 -0500 From: harold.w.asmis@hydro.on.ca (Harold Asmis) Subject: Web banking Problem: Quirks in either our Corporation's implementation of caching or in other sites' interpretation of how caching works, has allowed the ability for complete strangers (in the organization) to view your confidential bank accounts. Two weeks ago, we were setting up My Yahoo (a customized web page) for somebody (strictly technical news :). After setting up, we were quite surprised to get somebody else's web page. Ha, ha we thought, and it never happened again. Now I've been informed that somebody was checking their Bank of Montreal web bank account. This is fairly heavily protected by user name and password. Lo and Behold, he came up with somebody else's (in the organization) bank account! This fellow almost came to blows accusing that person of using his PC at night! :) What is happening here? I believe that MBANX is probably being slack about caching and the use of common IP firewalls, but we are probably caching something that shouldn't be cached. Until this is resolved, I recommend that web accounts be only checked at home. Harold W. Asmis harold.w.asmis@hydro.on.ca 1-416.592.7379 fax 416.592.5322 [Disclaimers] ------------------------------ Date: Mon, 17 Feb 1997 08:21:44 -0500 From: amesr@interlog.com (Robert Ames) Subject: Forgeries and Dejanews It seems that an effective way to attack an individual is to forge a Usenet article purportedly from that person, and to include in the article "admissions" or bigotted statements which would reflect poorly on his character. The forged article is then collected by Dejanews and similar organizations and archived. It becomes part of the Dejanews "profile" on the supposed author. I was one of the victims of a series of forgeries in August and September, 1996. The perpetrator originated at ixc.net in New York, and then telnetted to news.uu.net and other open news servers to post as the victim. Although I cancelled the forged article and posted a PGP-signed repudiation, the article was still archived at Dejanews, and was recently used by someone to "prove" that I had made statements which put me in a bad light. Since this is a general problem which can impact on anyone, I feel it needs to be discussed. Perhaps news archivers should be under the same scrutiny as credit reporting agencies. ------------------------------ Date: Thu, 20 Feb 1997 15:40:44 -0500 From: educom@elanor.oit.unc.edu Subject: Judge Shuts Down Another Cyberporn Scam (Edupage, 20 February 1997) A federal district judge in New York has shut down an operation that lured pornography-seekers into visiting Web sites that surreptitiously dialed a telephone number in Moldova in the former Soviet Union, running up exorbitant long-distance phone charges. The scam is similar to several others which have been uncovered in recent months. A Web surfer is enticed to visit sites with names such as sexygirls, beavisbutthead, and ladult, which promise "All Nude All Free Pictures" and require that a special "viewer" must be downloaded to review the images. However, the viewer contains software that turns off the user's local connection to an Internet Service Provider and silently dials the number in Moldova. The Federal Trade Commission says this is "one of the most insidious scams" it has ever seen. (*The New York Times*, 20 Feb 1997; Edupage, 20 February 1997; see RISKS-18.80 for the earlier story.) [A similar Reuters item was noted by Avi Rubin . PGN] ------------------------------ Date: Thu, 20 Feb 1997 00:35:44 -0800 From: Doug Claar Subject: Who made the call in the Moldova porn scam? The San Jose Mercury News online service, discussing the Moldova porn scam, has two conflicting quotes, which raise an interesting question: Who is responsible? According to the article, The director of the FTC's Bureau of Consumer Protection, says "The defendants in this case are using software to hijack the computer's modem", which implies the defendants (who provided the trojan program) are at fault. Later on, the article quotes AT&T's security manager, Richard Petillo, who said that the customers who were victimized are expected to pay their bills because "The subscribers actually made the calls and it would be unfair to other subscribers to offer those people the option of not paying the charges." So AT&T claims that the users are at fault, though they clearly have a good reason to take that position, since they'll have to pay if the customers don't. Equating common sense and legal reality is always chancy, but if you steal my car and commit a crime, I don't *think* that I would be found to be at fault. But if you steal my phone line, AT&T thinks I'm at fault. Doug Claar ------------------------------ Date: Wed, 19 Feb 1997 15:29:56 -0600 From: "John C. Rivard" Subject: Virus mailed out on PhotoDisc CD-ROM PhotoDisc Inc. (http://www.photodisc.com) sells digital stock photography. They send out CD-ROM discs to their customers that contain mostly low-resolution images that can be used for comping during page layout. You pay to receive the high-resolution version for final production. The discs can be read on Macintosh and Windows machines, and also includes an image browser/catalog program, as well as Adobe Acrobat 3.0 (used to read the included documentation). Volume 4 of this disc arrived last week. Today I received a snail-mailed letter dated February 13, 1997 from Tom Hughes, President of PhotoDisc Inc., RE: "Problem discovered with Acrobat Reader Software on Comping Disc 4." It is directed to Macintosh users only, and warns against launching the Adobe Acrobat software on this disc, because it is "corrupt" and "may result in system file difficulties." The letter continues, "If you use an antiviral utility, chances are good it's already caught the problem." In the "unlikely event" that you have already "installed" Acrobat 3.0, the company has provided a downloadable utility (http://www.photodisc.com/solution) that can "rid your computer of all corrupt files." This "utility" is John Norstad's excellent freeware Macintosh anti-virus program, Disinfectant. Of course, the problem isn't "corruption" at all; PhotoDisc distributed an application infected with a virus, specifically MBDF B, a virus that has been in the wild since at least February 1992. This virus, according to the Disinfectant documentation, can spread and infect both applications and system files. I applaud PhotoDisc for taking prompt action, both in warning their users and in sending a replacement disc. However, I question their vagueness about and apparent unwillingness to admit the true nature of the problem in their warning letter. Nowhere in this letter does the word "virus" even occur. I also have to fault them for not understanding and communicating correct information about the problem: contrary to instructions in their letter and on their web site, your system CAN be infected without installing or copying the infected application. In fact, simply running Acrobat from the CD ROM will infect the System file on the user's machine. It's an old RISK: scan your golden master for virii! (And this was a really OLD and well-known virus: Any Mac anti-virus software released in the last four years would have caught this.) PhotoDisc recommends destroying Comping Disc 4 if you use a Macintosh. They will be sending a "clean, safe replacement disc" to all users, Windows included, next week. This disc will also include Disinfectant. John C. Rivard http://www.mcs.net/~jcr/ mailto:jcr@mcs.com ------------------------------ Date: Thu, 20 Feb 1997 17:10:25 -0800 From: griffith@netcom.com (Jim Griffith) Subject: Y2K "problem" in virus? Has anyone bothered to look and see if the Michaelangelo virus will be bitten by the Y2K problem? One can only hope... Jim [How many virus creators are concerned with good software engineering practice? Or does it matter? PGN] ------------------------------ Date: Wed, 19 Feb 1997 19:58:39 -0500 From: Edward Felten Subject: Mobile code security mailing list We are starting a moderated mailing list to discuss security issues relating to mobile code systems like Java, ActiveX, and JavaScript. To join, send e-mail to majordomo@cs.princeton.edu; your message body should contain the single line "subscribe secure-mobile-code" or if your desired TO: address is different from your FROM: address, "subscribe secure-mobile-code" (append your TO: address here) ------------------------------ Date: Wed, 19 Feb 1997 13:33:51 -0500 From: Paul Robinson Subject: ActiveX basic problem As it has been pointed out in *Dr. Dobbs' Journal*, an ActiveX control is no less than a Windows Dynamic Link Library (DLL) that has all the power and capability of any other DLL loaded on a Windows system, i.e. any damn thing it wants to do. This alone should ring the death knell on use of ActiveX for anything other than perhaps on an intranet behind a firewall that does not allow any incoming traffic, and maybe not even then. Paul Robinson, Evergreen Software ------------------------------ Date: Fri, 21 Feb 1997 16:06:20 +0000 (GMT) From: Lloyd Wood Subject: MS on the CCC ActiveX virus (fwd) Here is Microsoft's official line on the security of ActiveX. This leaves a very nasty taste in my mouth. The onus on the users to be responsible with their tools, as usual, rather than on the developers to create safer tools. Lloyd +44-1483-300800x3435 ---------- Forwarded message ---------- Date: Fri, 21 Feb 1997 10:31:18 -0500 >From: glen mccready Subject: MS on the CCC ActiveX virus Forwarded-by: garman@phs.k12.ar.us (Jason Garman) >From: Site Builder Network Subject: SBN Wire: News Flash Dear Site Builder Network Member, Tomorrow, Microsoft will be posting the attached letter to our web site, and sending it out to the Internet Explorer community. In it, Brad Silverberg addresses head-on the recent security questions facing the industry regarding malicious, unsigned controls. We know this issue is important to you and your customers, and wanted to give you a heads-up. For more information, check out http://www.microsoft.com/security Tod Nielsen, General Manager, Developer Relations Group = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = From the Office of Brad Silverberg Senior Vice President Microsoft Corporation 1 Microsoft Way Redmond, WA 98052 Dear Internet Users Everywhere: You may have heard reports about a malicious software program created and demonstrated recently by the Chaos Computer Club (CCC) in Hamburg, Germany. I want to personally assure you that Microsoft(R) Internet Explorer 3.0 has the appropriate safeguards to protect against this type of threat. By using its default security level (High) that comes pre-set, Internet Explorer 3.0 will not download and run any "unsigned" control such as the one from the CCC. The CCC demonstrated its malicious executable code running on Microsoft Internet Explorer 3.0, though they could just as easily have demonstrated a similar attack on any other browser. While it is unfortunate that hackers have created this harmful program, it does point out the need for users to act cautiously and responsibly on the Internet, just as they do in the physical world. Malicious code can be written and disguised in many ways - within application macros, Java(tm) applets, ActiveX(tm) controls, Navigator plug-ins, Macintosh(R) applications and more. For that reason, with Internet Explorer 3.0, Microsoft has initiated efforts to protect users against these threats. Microsoft Authenticode(tm) in Internet Explorer 3.0 is the only commercial technology in use today that identifies who published executable code you might download from the Internet, and verifies that it hasn't been altered since publication. If users choose to change the default security level from High to Medium, they still have the opportunity to protect themselves from unsigned code. At a Medium setting, prior to downloading and running executable software on your computer, Microsoft Internet Explorer presents you with a dialog either displaying the publisher's certificate, or informing you that an "unsigned control" can be run on your machine. At that point, in either case, you are in control and can decide how to proceed. As you know, Microsoft is committed to giving users a rich computing experience while providing appropriate safeguards. Most useful and productive applications need a wide range of system services, and would be seriously limited in functionality without access to these services. This means that many Java applications will have to go "outside the sandbox" to provide users with rich functionality. By signing code, a developer can take advantage of these rich services while giving users the authentication and integrity safeguards they need. Other firms such as Sun and Netscape are following our lead, and have announced that they will also provide code signing for Java applets. Microsoft will also be providing an enhanced Java security model in the future, giving users and developers flexible levels of functionality and security. Microsoft takes the threat of malicious code very seriously. It is a problem that affects everyone in our industry. This issue is not tied to any specific vendor or group of people. All of us that use computers for work, education, or just plain fun need to be aware of potential risks and use the precautions that can insure we all get the most out of our computers. For this reason, we are committed to providing great safeguards against these types of threats in Internet Explorer. We expect hackers and virus writers to get increasingly sophisticated but we pledge we'll continue to keep you and us one step ahead of them. Brad Silverberg P.s. Be sure to check out our Web Executable Security Advisor at http://www.microsoft.com/security ------------------------------ Date: Thu, 20 Feb 1997 10:43:36 -0800 From: Travis Winfrey Subject: Microsoft "defends" ActiveX The site http://www.news.com/News/Item/0,4,8096,00.html?latest discusses the MS response to the activeX/quicken bug where downloaded activeX applets can actually transfer real money out of your bank account (bug not applicable in America). They point to this URL: http://www.microsoft.com/security/ which has this instant-classic paragraph, emphasis not in the original: While the Java sandbox enforces a high degree of security, it does not let users download and run exciting multimedia games or other full-featured programs on their computers. As a result, users may want to download code that has full access to their computers' resources. ------------------------------ Date: 15 Aug 1996 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] => The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 18.83 ************************