precedence: bulk Subject: RISKS DIGEST 18.84 RISKS-LIST: Risks-Forum Digest Friday 21 February 1997 Volume 18 : Issue 84 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** Contents: Highly classified files copied by Croat teens? (PGN) Windows 95 will crash in 2038! (David Perrell via Chuck Wozniak) Year 2K and my VCR... (Nicholas C. Weaver) Downloading UPS-captured Signatures (Sharif Torpis) Re: Myths about digital signatures (Theodore Y. Ts'o) Re: MS on the CCC ActiveX virus (Fred Cohen, Steve Kilbane) ActiveX - a real world view (John Pettitt) ActiveX exploitation code in iX 3/97 (Thomas Koenig) Re: Bank Sued for Racist E-Mail (Jon Seymour) Re: Who made the call in the Moldova porn scam? (John Kohl, Marc Horowitz) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 20 Feb 97 19:30:43 PST From: "Peter G. Neumann" Subject: Highly classified files copied by Croat teens? Dave Farber noted a 19 Feb 1997 Reuter report from Zagreb indicating that 3 Croatian teenagers apparently broke Pentagon protection codes on the Internet and copied classified files from the Anderson nuclear installation and an unnamed satellite research center. ``The damage caused by the teenagers' destruction of high-profile protection programs could reach half a million dollars,'' according to the Zagreb daily, *Vecernji List*. The three youths attend a special Zadar math-science school. ``Principal Zdravko Curko said the three had no criminal intent and their `success' was a compliment to their education.'' [PGN Abstracting] Might we suspect that the files were actually unclassified, that the $.5M is overblown, and that the breakins did not require much high-tech attacks? [Are they just looking for something to Cro-at?] ------------------------------ Date: Tue, 17 Dec 96 08:30:19 -0800 From: Chuck_Wozniak@quantumdata.com Subject: Windows 95 will crash in 2038! Accidental Year 2096 in e-mail message crashes Navigator w/ Win 95 The following was posted to two HTML related mail lists. The individual had his computer date accidentally set to 2096. Any mail that he sent or posted to a news group would crash the reader's computer if they were running Netscape Navigator Mail under Windows 95. The entire content, with headers, is supplied below. Chuck Wozniak, Applications Engineer, Quantum Data, Inc. - - - - - - - - - - - - - - - - Date: 11/25/96 7:59 AM >From: "David Perrell" Subject: Sorry if you crashed (W95 FYI: Chaos in 2038!) It was brought to my attention that my posts to these lists have caused Netscape Mail running on Win95 to crash. I tried to test this by sending myself a message but was unable to run NS Mail at all. I'm glad to say I found the problem: In the course of a HD upgrade my system clock had somehow built a 100-year bridge to the 21st century and was set to 2096. Subsequent testing shows that dates beyond 2038 cause many unwanted side effects in Win95, including the aforementioned crashes when NS Mail receives a message so dated. Having returned to the present, I retrieved my previously sent test message dated 2096, and, sure enough, NS Mail crashed. Sorry if anyone experienced this problem. It was not intentional. (Also sorry that I rewrote/resent a 'transparent text' post on www-style. I thought one of these crashes had trashed the message.) David Perrell ------------------------------ Date: Fri, 21 Feb 1997 10:23:24 -0800 (PST) From: "Nicholas C. Weaver" Subject: Year 2K and my VCR... As one of the few people who actually PROGRAMS his VCR, it came as a shock to me the realization that this piece of electronics (roughly two years old) will fail in the year 2000. One wonders how prevalent this problem is, in embedded systems shipping today. And I doubt there will be a bug fix for my VCR. Nicholas C. Weaver nweaver@cs.berkeley.edu [Are you talking about something that will fail only at midnight, or forever after the midnight turnover going into 1 Jan 2000? Furthermore, do you think the VCR makers are creative enough in their planned obsolescence to realize that this might be a nice way to induce you to buy a new VCR? PGN] ------------------------------ Date: Tue, 18 Feb 1997 13:15:59 -0800 (PST) From: storpis@redhead.pbi.net (Sharif Torpis) Subject: Downloading UPS-captured Signatures From a UPS ad in the Feb 1997 Wired: Once a signature is captured and downloaded to our mainframe, you can use UPS OnLine Tracking Software to view it. You can even print it. To get the software, just call 1-800-XXX-XXXX or visit our web site at www.ups.com. Sure, we've all known about the capturing ever since UPS started doing it, but now malicious users can add this to their toolbag. The more things change the more they stay the same. Sharif Torpis (storpis@pbi.net), Network Engineering, Pacific Bell Internet ------------------------------ Date: Fri, 21 Feb 1997 16:31:27 -0500 From: "Theodore Y. Ts'o" Subject: Re: Myths about digital signatures (Felten, RISKS-18.83) * Myth 2: If X has signed a program, and I trust X, then it is safe for me to download the program. [...] Ed, It's even worse than what you described. Even if X has carefully managed his cryptographic keys, and X's security hasn't been penetrated, X might not have designed the component carefully, or have executed a competent implementation of that design. For example, if an Active X component has a loophole where (with the right document) said component can be induced to interpret and execute arbitrary Visual Basic statements, even if the signer was honest, and legitimate, and properly went through all of the Microsoft certification procedures, it still might be possible to exploit a security bug in the Active X component. The Java security model at least *thinks* about this issue, where as the Active X approach completely punts about this concern. So this is a double-edged RISK, combining the RISK of people not understanding what the digital signature means, and the RISK of more and more complex applications with powerful macro facilities being used in interesting ways (the prime example being the Word concept virus; the demarkation between code and data can get awfully blurry!). Both of these RISKS aren't new ones, but when combined with the web and the automatic downloading of Active X components, the potential for problems caused by this combined set of RISKS is quite scary and sobering. - Ted ------------------------------ Date: Fri, 21 Feb 1997 11:46:11 -0800 (PST) From: fc@ca.sandia.gov (Fred Cohen) Subject: Re: MS on the CCC ActiveX virus (RISKS-18.83) Re: SBN Wire: News Flash, Brad Silverberg > You may have heard reports about a malicious software program created and > demonstrated recently by the Chaos Computer Club (CCC) in Hamburg, Germany. > I want to personally assure you that Microsoft(R) Internet Explorer 3.0 has > the appropriate safeguards to protect against this type of threat. By using > its default security level (High) that comes pre-set, Internet Explorer 3.0 > will not download and run any "unsigned" control such as the one from the > CCC. I appreciate your insightful opinion on this matter, however... Anyone can get a signature key without authenticating their legitimacy. It's relatively easy to break into a system and take a legitimate key. The default may be changed by the user for one use and remain changed. Other flaws in Explorer may be used to turn that feature on - then look out. > The CCC demonstrated its malicious executable code running on Microsoft > Internet Explorer 3.0, though they could just as easily have demonstrated a > similar attack on any other browser. While it is unfortunate that hackers > have created this harmful program, it does point out the need for users to > act cautiously and responsibly on the Internet, just as they do in the > physical world. I appreciate your insightful opinion on this matter, however... This is not accurate. The very nature of ActiveX makes it impossible to operate it securely. Unlike other vendors who make attempts at providing improved protection, ActiveX is a hole waiting to be exploited. > Malicious code can be written and disguised in many ways - within > application macros, Java(tm) applets, ActiveX(tm) controls, Navigator > plug-ins, Macintosh(R) applications and more. For that reason, with > Internet Explorer 3.0, Microsoft has initiated efforts to protect users > against these threats. Microsoft Authenticode(tm) in Internet Explorer 3.0 > is the only commercial technology in use today that identifies who published > executable code you might download from the Internet, and verifies that it > hasn't been altered since publication. I appreciate your insightful opinion on this matter, however... No disguise is needed for malicious ActiveX programs. Any ActiveX program can potentially - either maliciously or by accident or even as a result of configuration differences, cause a system crash, the corruption or destruction of information and/or unlimited leakage and it doesn't depend on some hard-to-find hole in an otherwise secure application. It is a direct result of the methods used by Microsoft, cannot be easily cured with any bug-fix. > If users choose to change the default security level from High to Medium, > they still have the opportunity to protect themselves from unsigned code. > At a Medium setting, prior to downloading and running executable software on > your computer, Microsoft Internet Explorer presents you with a dialog either > displaying the publisher's certificate, or informing you that an "unsigned > control" can be run on your machine. At that point, in either case, you are > in control and can decide how to proceed. I appreciate your insightful opinion on this matter, however... Even if you choose wisely, ActiveX is a hole waiting to be exploited and provides essentially no protection. As the folks at Microsoft know well, impediments are easily and commonly removed - and the use of the display box for popular applications is likely to result in the question being turned off in favor of easy access. > As you know, Microsoft is committed to giving users a rich computing > experience while providing appropriate safeguards. Most useful and > productive applications need a wide range of system services, and would be > seriously limited in functionality without access to these services. This > means that many Java applications will have to go "outside the sandbox" to > provide users with rich functionality. By signing code, a developer can > take advantage of these rich services while giving users the authentication > and integrity safeguards they need. Other firms such as Sun and Netscape > are following our lead, and have announced that they will also provide code > signing for Java applets. Microsoft will also be providing an enhanced Java > security model in the future, giving users and developers flexible levels of > functionality and security. I appreciate your insightful opinion on this matter, however... "...while providing appropriate safeguards" is just not true. Microsoft has a long history of providing systems with no protection, and only recently introduced the first system with even mild protection in it's NT product. Java provides a lot of functionality within the "sandbox", but I am not an advocate of Java either. The syle of computing being pushed out to consumers is inherently risky and must be implemented with substantial controls if it is to be used safely. But this is not Microsoft's goal. There is nothing wrong with having signatures, but it is no guarantee either. > Microsoft takes the threat of malicious code very seriously. It is a > problem that affects everyone in our industry. This issue is not tied to > any specific vendor or group of people. All of us that use computers for > work, education, or just plain fun need to be aware of potential risks and > use the precautions that can insure we all get the most out of our > computers. For this reason, we are committed to providing great safeguards > against these types of threats in Internet Explorer. We expect hackers and > virus writers to get increasingly sophisticated but we pledge we'll continue > to keep you and us one step ahead of them. I appreciate your insightful opinion on this matter, however... Microsoft still has not addressed Work Macro viruses, PC viruses, Windows viruses, etc. The claim that "Microsoft takes the threat of malicious code very seriously" is ludicrous on its face. This is the same company that has distributed viruses to its customers because it didn't do adequate checking of its distributions for known viruses. This is the company whose Windows installation deleted all of the README files on a system when the user upgraded. This is the same company that continues to ship software with inadequate protection. All of this "perception management" doesn't change the fact, and it shouldn't sway the readers of this letter either. FC [Fred Cohen can be reached at tel:510-294-2087 fax:510-294-1225] [NOTE: I usually truncate all but a salient excerpt from included message text on which a responder is commenting. In this case, it would have required too much editing effort to delete the interstitiated originals and still convey the sense of the relevant references. Your cross-reading effort would also have been much greater. PGN] ------------------------------ Date: Fri, 21 Feb 1997 17:38:47 GMT From: Steve_Kilbane@cegelecproj.co.uk Subject: Re: MS on the CCC ActiveX virus (RISKS-18.83) > Other firms such as Sun and Netscape are following our lead, and have > announced that they will also provide code signing for Java applets. This is what annoys me most about this response: not only are Microsoft attempting to justify giving away the family silver, but they're also trying to imply that they're the ones responsible for the idea of code signing (just like MS and IBM have been implying that they've recently invented multitasking....). When Java was announced at the Sun UK User Group conference back in '95, Chuck McManis said that code signing was in the plan, and that the main problem was the US export controls. He also commented that while exporting decent authentication software wasn't allowed, Sun had been told that there was nothing wrong, in principle, in shipping "a library for doing math with really big numbers". :-) I wasn't following Java back when it was called Oak and set-top boxes were the name of the game, but I wouldn't be hugely surprised to discover that signed code was part of the plan even then. Anyone with more authority care to comment? steve ------------------------------ Date: Fri, 21 Feb 1997 14:44:07 -0800 From: "John Pettitt" Subject: ActiveX - a real world view While at a technical level, most of what has been said about ActiveX and security is correct. It's worth noting that users take code from untrusted sources all the time. While the experience of users says that code they download is mostly well intended (even if it has harmful bugs) it's going to be a hard sell trying to convince them that a limited Java model is "better" than ActiveX. I'm using ActiveX on software.net (a restartable download control from centric development). Our experience it that it has a close to 100% acceptance rate by users (as compared to less than 50% for Netscape plug ins). Certainly the cute "certificate" dialog has a very positive impact on user confidence. We're about to start signing all the downloads from software.net (we download 1600+ commercial titles). We had an interesting debate about the ethics of signing other peoples code. However the user perception issue won out, we will sign the archives that we download (but not the applications inside them). In all the research we've done (and we download a lot of software) users big perceived risk is that their credit card # will be stolen. The idea that the copy of Microsoft Word we download to them may not be the real thing does not even feature. John Pettitt, jpp@software.net, EVP, CyberSource Corporation, 408 260 6013 ------------------------------ Date: Fri, 21 Feb 1997 20:05:41 +0100 (MET) From: Thomas Koenig Subject: ActiveX exploitation code in iX 3/97 iX Magazin 3/97 (a German computer magazine) has a fairly technical article by Lutz Donnerhacke and Steffen Peter about the ActiveX hack. Parts of the article can be found at http://www.heise.de/ix/artikel/1997/03/090/code.shtml ; the exploitation code is available at http://www.heise.de/ix/artikel/1997/03/090/code.shtml (minus some delay loops). Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de [iX = neun? nein! PGNeu'n] ------------------------------ Date: Sat, 22 Feb 1997 07:23:10 +1100 From: Jon Seymour Subject: Re: Bank Sued for Racist E-Mail (Kennedy, RISKS-18.83) > :: Mail sent on Jan 28th. Suit claims little or no action was taken against > those who spread the message, although the company acknowledged an incident > did take place and it was "putting into effect disciplinary actions" against > the perpetrators. > > DMK Comment: Another company is being sued for objectionable content of > employee computer use. The corporation is being sued, I think, because it allegedly tolerates a culture of racism. At least part of (perhaps all?) the evidence for this happens to be an e-mail passed between employees. How this e-mail came to the attention of those who wish to sue has not been specified - at least by this discussion. There is a risk here if the courts were to find the corporation liable because it failed to prevent the e-mail being distributed in the first place (hardly practical or, indeed, desirable) or it is found responsible for the attitudes of its employees _soley_ on the basis of such e-mail. The relationships that existed between the people with whom the e-mail was communicated are surely relevant. For example, if the e-mail was sent to _all_ the white members of a group, but specifically not to the black members of the same group by the supervisor of that group then I personally think that might well be considered unprofessional behaviour in need of a disciplinary response. If it was sent to the black members too then that would either be stupid, tactless or both stupid and tactless. If the e-mail was sent between friends then, yes, the ethics of the situation are different, even if the ethics of the "humour" itself are not. E-Mail should not, ipso facto, be eliminated as evidence simply because it is e-mail. E-Mail happens to have the property, unlike the spoken word, of automatically leaving traces of itself about the place. This means that, technically, it is good evidence. Of course, one assumes that the e-mail in question was not digitally signed and is therefore not _very_ good evidence :-). Of course, this is not to say that e-mail should always be used as evidence. Clearly privacy concerns are important. If the e-mail in this case came to light because a system administrator snooped it, then it probably shouldn't qualify as evidence. If it came to light because one of its recipients decided to divulge it then it's fair game. What's the bet that it came to light because someone printed it and pinned it to wall? It would be interesting to learn more about the circumstances of this matter and what the eventual outcome of the case is. One suspects that the media will not report it unless there is something controversial about the ruling. jon seymour ------------------------------ Date: 21 Feb 1997 14:04:46 -0500 From: John Kohl Subject: Re: Who made the call in the Moldova porn scam? (Claar, RISKS-18.83) I'd expect that the consumers affected would have the option of suing for actual damages (i.e. phone charges) from the fraudulent scam operators. This would be akin to having your car stolen and illegally parked--the parking tickets would come to you as the registered owner of the vehicle. You could attempt to get the thief to cover your costs (if you can identify him/her :), or argue with the municipal parking clerk to waive them. ==John ------------------------------ Date: 21 Feb 1997 15:25:09 -0500 From: Marc Horowitz Subject: Re: Who made the call in the Moldova porn scam? (Claar, RISKS-18.83) >> ... But if you steal my phone line, AT&T thinks I'm at fault. This is an improper analogy. A more proper analogy: If someone steals your car, and crashes it into another car, totalling both, the owner of the other car is not responsible. If someone steals your phone line and makes lots of calls, AT&T is not responsible. The difference is that in the car situation, one or both insurance companies will pick up the costs (in most states), and then try to recover from the thief. You probably don't have wire fraud insurance. But perhaps AT&T should. In reality, such insurance would probably not be a good investment for either AT&T or the insurance company, because wire fraud, unlike car theft, is guaranteed to happen to AT&T. Instead, AT&T increases rates a little (in effect, implicitly selling you the wire fraud insurance) to cover the costs of fraud. This seems fair, because wire fraud is relatively unlikely for any particular customer, just like car theft. Of course, as you point out, AT&T is better off if they can make you pay for it, but that doesn't mean AT&T is right, it just means they're acting in self-interest, which is exactly what most of their shareholders would want. Marc ------------------------------ Date: 15 Aug 1996 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] => The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 18.84 ************************