Subject: Risks Digest 20.88

RISKS-LIST: Risks-Forum Digest  Sunday 14 May 2000  Volume 20 : Issue 88

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Love Letter Worm, CERT Advisory CA-2000-04 (CERT)
Mainstream media get a clue about Microsoft security (Russ Cage)
Peacefire: Eudora "Stealth Attachment" Security Hole Discovered
  (Bennett Haselton)
Netscape Navigator Improperly Validates SSL Sessions,
  CERT Advisory CA-2000-05 (CERT)
FBI gun-check computer crashes (Declan McCullagh)
Risk: Selective denial of GPS signals (Mike Fisk)
Phone fault sparks sausage frenzy (Ian Simpson)
Network trashcan (Conrad Heiney)
Stupid appliance ideas (Lloyd Wood)
netzero: defenders of the free world? (Laurentiu Badea)
Re: Security experts discover rogue code in Microsoft software (Russ Cooper)
Re: Encryption code protected by First Amendment (Terry Carroll)
Re: Hotmail wants to know... (Jon Ribbens)
Re: No, Virginia (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 4 May 2000 20:43:48 -0400 (EDT)
From: CERT Advisory
Subject: Love Letter Worm, CERT Advisory CA-2000-04

[Always check the CERT Web site for updates on any CERT Advisory that is included in RISKS. This item is a starkly abridged version of the original Advisory 2000-04. Subsequent to the first appearance of ILOVEYOU, there have been numerous copycat variants, and assessments of damage on the order of many billion dollars.]
[HOWEVER, please take a look at my written testimony on ILOVEYOU and its wider implications, which I submitted to the House Science Committee Subcommittee on Technology on 10 May 2000, Risks in Our Information Infrastructures: The Tip of a Titanic Iceberg Is Still All That Is Visible -- http://www.csl.sri.com/neumann/house00.html  PGN]

CERT Advisory CA-2000-04 Love Letter Worm

Original release date: May 4, 2000
Last revised: --
Source: CERT/CC

Systems Affected

  * Systems running Microsoft Windows with Windows Scripting Host enabled

Overview

The "Love Letter" worm is a malicious VBScript program which spreads in a variety of ways. As of 2:00pm EDT(GMT-4) May 4, 2000 -- the CERT Coordination Center has received reports from more than 250 individual sites indicating more than 300,000 individual systems are affected. In addition, we have several reports of sites suffering considerable network degradation as a result of mail, file, and web traffic generated by the "Love Letter" worm.

I. Description

You can be infected with the "Love Letter" worm in a variety of ways, including electronic mail, Windows file sharing, IRC, USENET news and possibly via webpages. Once the worm has executed on your system, it will take the actions described in the Impact section.

Electronic Mail

When the worm executes, it attempts to send copies of itself using Microsoft Outlook to all the entries in all the address books. The mail it sends has the following characteristics:

  * An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
  * A subject of "ILOVEYOU"
  * A body which reads "kindly check the attached LOVELETTER coming from me."

People who receive copies of the worm via electronic mail will most likely recognize the sender. We encourage people to avoid executing code, including VBScripts, received through electronic mail regardless of the sender without firsthand prior knowledge of the origin of the code.
Internet Relay Chat

When the worm executes, it will attempt to create a file named script.ini in any directory that contains certain files associated with the popular IRC client mIRC. The script file will attempt to send a copy of the worm via DCC to other people in any IRC channel joined by the victim. We encourage people to disable automatic reception of files via DCC in any IRC client.

Executing Files on Shared File Systems

When the worm executes, it will search for certain types of files and replace them with a copy of the worm (see the Impact section for more details). Executing (double clicking) files modified by other infected users will result in executing the worm. Files modified by the worm may also be started automatically, for example from a startup script.

Reading USENET News

There have been reports of the worm appearing in USENET newsgroups. The suggestions above should be applied to users reading messages in USENET newsgroups.

II. Impact

When the worm is executed, it takes the following steps:

Replaces Files with Copies of the Worm

When the worm executes, it will search for certain types of files and make changes to those files depending on the type of file. For files on fixed or network drives, it will take the following steps:

  * For files whose extension is vbs or vbe it will replace those files with a copy of itself.
  * For files whose extensions are js, jse, css, wsh, sct, or hta, it will replace those files with a copy of itself and change the extension to vbs. For example, a file named x.css will be replaced with a file named x.vbs containing a copy of the worm.
  * For files whose extension is jpg or jpeg, it will replace those files with a copy of the worm and add a vbs extension. For example, a file named x.jpg will be replaced by a file called x.jpg.vbs containing a copy of the worm.
  * For files whose extension is mp3 or mp2, it will create a copy of itself in a file named with a vbs extension in the same manner as for a jpg file.
    The original file is preserved, but its attributes are changed to hidden.

Since the modified files are overwritten by the worm code rather than being deleted, file recovery is difficult and may be impossible.

Users executing files that have been modified in this step will cause the worm to begin executing again. If these files are on a filesystem shared over a local area network, new users may be affected.

Creates an mIRC Script

While the worm is examining files as described in the previous section, it may take additional steps to create a mIRC script file. If the file name being examined is mirc32.exe, mlink32.exe, mirc.ini, script.ini or mirc.hlp, the worm will create a file named script.ini in the same folder. The script.ini file will contain:

  [script]
  n0=on 1:JOIN:#:{
  n1= /if ( $nick == $me ) { halt }
  n2= /.dcc send $nick DIRSYSTEM\LOVE-LETTER-FOR-YOU.HTM
  n3=}

where DIRSYSTEM varies based on the platform where the worm is executed. If the file script.ini already exists, no changes occur. This code appears to define a script such that whenever the user joins a channel in IRC, a copy of the worm will be sent to others on the channel via DCC. The script.ini file is created only once per folder processed by the worm.

Modifies the Internet Explorer Start Page

If the file \WinFAT32.exe exists, the worm sets the Internet Explorer Start page to one of four randomly selected URLs. These URLs all refer to a file named WIN-BUGSFIX.exe, which presumably contains malicious code. The worm checks for this file in the Internet Explorer downloads directory, and if found, it is added to the list of programs to run at reboot. The Internet Explorer Start page is then reset to "about:blank". Information about the impact of running WIN-BUGSFIX.exe will be added to this document as soon as it is available.
Send Copies of Itself via E-mail

The worm will attempt to use Microsoft Outlook to send copies of itself to all entries in all address books as described in the Description section.

Other Modified Registry Keys

In addition to other changes, the worm updates the following registry keys:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
  HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
  HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
  HKCU\Software\Microsoft\WAB\*

III. Solution

Update Your Anti-Virus Product [...]
Disable Windows Scripting Host [...]
Disable Active Scripting in Internet Explorer [...]
Disable Auto-DCC Reception in IRC Clients [...]
Filter Virus in E-Mail [...]
  Sendmail [...]
  PostFix [...]
  Procmail [...]
Exercise Caution When Opening Attachments [...]

Appendix A. Anti-Virus Vendor Information [...]

[The full Advisory as updated is available from: http://www.cert.org/advisories/CA-2000-04.html]

CERT/CC Contact Information

E-mail: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Conditions for use, disclaimers, and sponsorship information [...]

Copyright 2000 Carnegie Mellon University.

  [PGN-ed for RISKS.]

------------------------------

Date: Fri, 5 May 2000 10:01:20 -0700 (PDT)
From: Russ Cage
Subject: Mainstream media get a clue about Microsoft security

In the flurry of news about the LoveBug virus, this article stands out:
  http://news.bbc.co.uk/low/english/sci/tech/newsid_737000/737396.stm
It represents one of the first mainstream media pieces to note that the problem with computer viruses is enabled by Microsoft's designs and wouldn't exist without them.

  ``Peter Sommer... told BBC News Online that Microsoft created these by building in to their software the tools needed to customize applications. Microsoft customers are going to have to ask the company to review very carefully the level of functionality that they are putting into their systems. [...] One has got to ask why products are put out which contain these programming languages, which may be of use to perhaps only 3 to 4% of the customers but for everyone else presents a considerable threat. [...] These features are also very difficult to turn off. The lesson from Love Bug is that people must be able to kill off this programming functionality within applications programs.''

Other experts from virus companies are quoted as deflecting the blame from Microsoft, but their business interests depend on there being viruses to stop. If the Windows security model made it very difficult for viruses to propagate, these companies would probably not exist any more.

------------------------------

Date: Thu, 27 Apr 2000 18:35:39 -0500
From: Bennett Haselton
Subject: Peacefire: Eudora "Stealth Attachment" Security Hole Discovered

Peacefire has discovered a security hole in all versions of Eudora mail for Windows, that can allow a hacker to execute code on a user's machine, by sending the user e-mail and having them click on a link:
  http://www.peacefire.org/security/stealthattach/

(For example, a Eudora user would see this message with the URL above made into a hyperlink so that you can click on it and load it into your browser. Using the "stealth attachment" security exploit, you can force code to run on the user's machine when they click on the link. Don't worry, *this* message is safe :-) But you can go to the above URL and request a "demonstration mail" to be sent to you.)
Security holes that allow you to run code on a remote user's machine just by sending them e-mail are extremely dangerous -- a hacker could use this to steal or erase any classified data on a remote user's hard drive, even if that user were behind a corporate firewall and had anti-virus software running. A virus writer could use the exploit to write a virus that could spread to almost all Eudora users -- numbering in the millions -- and potentially do hundreds of millions of dollars' worth of damage. (Unlike most such tricks, this exploit does not require the user to do anything "naive", like run an .exe that is sent to them as an attachment.)

USA Today reported last year on the "BubbleBoy" virus, which similarly used a security hole in Microsoft Outlook to cause code to run on a user's machine, simply by reading an e-mail message:
  http://www.usatoday.com/life/cyber/tech/ctg633.htm

Unfortunately, unlike the security hole that Peacefire discovered last week:
  http://www.peacefire.org/security/jscookies/
  http://news.cnet.com/news/0-1005-200-1717169.html
  http://www.zdnet.com/zdnn/stories/news/0,4586,2553337,00.html
  http://www.ntsecurity.net/go/load.asp?iD=/security/netscape2.htm
this security hole doesn't involve any cool industry buzzwords like "javascript" or "cookies". This one just involves -- *YAWN* -- e-mail. That is, like, *so* 20th-century. Sorry if this is inconvenient for journalists writing about this stuff :-)

bennett@peacefire.org  (425) 649 9024  http://www.peacefire.org

------------------------------

Date: Fri, 12 May 2000 15:06:11 -0400 (EDT)
From: CERT Advisory
Subject: Netscape Navigator Improperly Validates SSL Sessions, CERT Advisory CA-2000-05

CERT Advisory CA-2000-05 Netscape Navigator Improperly Validates SSL Sessions

Original release date: May 12, 2000
Source: ACROS, CERT/CC
[...]

Systems Affected

  * Systems running Netscape Navigator 4.72, 4.61, and 4.07. Other versions less than 4.72 are likely to be affected as well.
Overview

The ACROS Security Team of Slovenia has discovered a flaw in the way Netscape Navigator validates SSL sessions.

[The complete CERT Advisory is available from: http://www.cert.org/advisories/CA-2000-05.html  PGN-ed for RISKS]

------------------------------

Date: Sat, 13 May 2000 11:51:37 -0400
From: Declan McCullagh
Subject: FBI gun-check computer crashes

http://www.wired.com/news/print/0,1294,36310,00.html

The FBI's Interstate Identification Index database system crashed on 11 May, preventing background checks of some 100,000 would-be gun purchasers who have to be vetted by the National Instant Check System. The crash also prevented use of the Integrated Automated Fingerprint Identification System associated with the National Crime Information Center NCIC 2000. Service expected to return on 14 May. [The U.S. General Accounting Office notes that NICS was offline for 215 hours from November 1998 to November 1999. PGN-ed]

------------------------------

Date: Mon, 1 May 2000 17:44:03 +0000 (GMT)
From: Mike Fisk
Subject: Risk: Selective denial of GPS signals

President Clinton announced today that the US government will no longer use its "Selective Availability" feature to degrade the precision of measurements possible with civilian (and non-US government) Global Positioning System (GPS) receivers. One of the concerns cited in the announcement is the ability to use GPS for emergency response and other critical, civilian uses.

It is also stated that one of the reasons the US is comfortable making this change is that it has "demonstrated the capability to selectively deny GPS signals on a regional basis when our national security is threatened."

The risks: Will this lead to more dependence on a system that may be made unavailable at any time? For example pilots, outdoor enthusiasts, and rescue services all use GPS for routine navigation.
If that signal was suddenly made unavailable, would these people still have the necessary skills to navigate using non-GPS techniques such as map and compass and terrestrial radio beacons? What about fail-over in automatic computer systems (such as autopilots) that depend on GPS?

The full announcement is available at the following URL:
  http://www.igeb.gov/sa/potus.txt

Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information

------------------------------

Date: Thu, 4 May 2000 18:54:25 +0100
From: "Ian Simpson"
Subject: Phone fault sparks sausage frenzy

Alison Mckenzie, of Peterhead, in Aberdeenshire, phoned a 24-hour environmental services helpline after a chorizo sausage she had bought turned out to be green. As a result of a British Telecom system fault, the call was automatically forwarded to police service voicebanks, but also in text form to every BT pager number beginning with 01426.

  [Not green with envy, and certainly not environmentally green. Mayhaps it was an Irish chorizo? As usual, the wurst is yet to come. PGN-ed from Ian's sources,
  http://news2.thls.bbc.co.uk/hi/english/uk/scotland/newsid%5F735000/735531.stm
  http://www.thisisnorthscotland.co.uk/scripts/edarticle-p.asp?section=National+news&ID=29726&source=NAT]

------------------------------

Date: Fri, 28 Apr 2000 15:22:28 -0700
From: "Conrad Heiney"
Subject: Network trashcan

A friend of mine works for [Huge Corporation], where security is frequently announced as being imperative. The operating system of choice is Windows NT, and much work is shared on a networked "drive" type share. This "drive" has a trashcan icon on it. Fishing in said network trashcan results in the discovery of all sorts of information, including Word documents with draft policies, the home addresses of top executives, financial information, etc.
The RISK here is that people expect something that looks like a trashcan to behave like one, and behave accordingly. The Memory Hole has become a security hole.

Conrad Heiney  conrad@fringehead.org  http://fringehead.org/

  [Ah, yes, that is just like your home trashcans. Publicly available. You have no idea what dumpster diving can go on after you put something in it. Don't forget all the deleted stuff still in the Word file. You need a bit shredder. Cryptography? Still maybe not enough, but closer. PGN]

------------------------------

Date: Sun, 7 May 2000 00:32:36 +0100 (BST)
From: Lloyd Wood
Subject: Stupid appliance ideas

Of late, there has been a surge in interest in networking domestic appliances. Electrolux and Whirlpool plan ScreenFridges, where you can see recipes and order food. Ariston has a washing machine with a built-in modem which can telephone automatically for software upgrades for the programme controller. And now there's BT, with:
  http://www.telegraph.co.uk/et?ac=000111464113065&pg=/et/00/5/7/ntac07.html
where domestic appliances are chipped and authorised for use by a home management centre phoning your insurance company.

The failure modes here are legion. Move house, and discover that your appliances no longer work while you enter a protracted discussion with your insurance company to authorise your home management centre in its new location (no doubt necessary to prevent the home management centre from being stolen). Have your home management centre crash [Ariston has proposed its kitchen centre be run on Windows CE], and watch it take out your entire kitchen, denying you service in the process.

Not so much white goods ideas, as white jacket ideas. It's a recipe for disaster.

plumb and play. hah.

------------------------------

Date: 29 Apr 2000 17:19:10 -0700
From: Laurentiu Badea
Subject: netzero: defenders of the free world?
The "Terms and Conditions" you must accept to use the "free" NetZero service include giving up your privacy among other "minor" things:

1) obligation on your part to fill out with real information all questionnaires and survey forms they send;

2) allowing NetZero to learn your browsing habits by tracking all the websites you visit and compile, sell and USE that information. They say personal identifying info won't be disclosed but just the simple fact that they store it on their system where is available to anybody who could lawfully or not access it, is a problem. Let alone they don't exclude themselves from using it so it is possible for them to target you directly.

3) you cannot disable cookies, bypass their ad program (meaning that you can't install firewalling software that would block the ad stream);

4) you allow them to alter your e-mail messages by adding advertising which you cannot remove or obscure (not unusual);

5) the most ridiculous note is that the whole agreement can be changed at any time by posting them on their website, and require you to check them every time before you "use the service", and not use it if you don't agree. Let alone the impossibility of this (how can you browse their website without already being connected, thus using the service), it puts an unreasonable burden on the user. How many will remember the original contract and check the new one for differences, I doubt they would post a "diff" file there :-)

Laurentiu Badea

------------------------------

Date: Mon, 1 May 2000 08:51:05 -0400
From: Russ
Subject: Re: Security experts discover rogue code in Microsoft software

It's extremely important to clarify this "Netscape engineers are weenies!" story. For a variety of reasons, one of which being my own quotes in the original *Wall Street Journal* article on this issue, the public has been overly warned against an extremely limited threat... while the real threat from the dvwssr.dll has been largely ignored by the media.
First, clarification of the "secret backdoor password" threat. The possibility that the string above could be used to access the source of Active Server Page (.asp) web files, or configuration files known as .asa, is entirely dependent on the permissions configured on an IIS web server. By default, no access can be gained. If permissions are mis-configured, allowing anonymous read access to the files (they should be permissioned for anonymous *execute*, not read), then there is a way that the obfuscation could permit access. It should be noted that with such a mis-configured system, numerous other access methods would be available also.

The important story overlooked was a discovery by CORE-SDI later in the evening after the backdoor story had run virtually everywhere. CORE-SDI, not more than 8 hours after first looking at the dvwssr.dll, was able to publish details on a buffer overrun in that .dll that could permit a DoS of IIS boxes. By some other machinations (including moving the file to a directory where it would not normally be found), they were able to execute arbitrary code on the attacked box.

Everyone, RFP (whose advisory caused the original stir), CORE-SDI, and Microsoft advised that the dvwssr.dll simply be deleted (from all of its locations) in order to remedy the potential problem(s).

While this particular program had minimal use in its lifetime, the fact that a static password (used for obfuscation, not entry) was even present should not be understated. This program has survived numerous Q&A cycles and, if we believe that source code for NT has been available at some 30+ U.S. Universities for years, numerous code reviews. Of interest to RISKS readers should be the fact that MS was, presumably, unaware that it was using obfuscation for security in that program.
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)

------------------------------

Date: Fri, 28 Apr 2000 19:57:23 -0700 (PDT)
From: Terry Carroll
Subject: Re: Encryption code protected by First Amendment

On Wed, 05 Apr 2000, "NewsScan" wrote:
> A federal appeals court in Ohio has ruled that encryption software code is
> protected by the First Amendment because such code is a means of
> communication between computer programmers.

For those who want to read the court's opinion itself, it's online at the Sixth Circuit Court of Appeals website. The URL is ; a PDF-formatted file (in two-up form intended for publication as a slip opinion, so the pagination may look odd to you) is at . The citation is Junger v. Daley, No. 98-4045 (6th Cir. Apr. 4, 2000).

The opinion is only 8 pages long, most of which simply relates the facts, discusses the standard of appellate review, or states the resulting order. The analysis of source code as speech is remarkably short, on page 7, the gist of which is:

  The Supreme Court has expressed the versatile scope of the First Amendment by labeling as "unquestionably shielded" the artwork of Jackson Pollack, the music of Arnold Schoenberg, or the Jabberwocky verse of Lewis Carroll. ... Though unquestionably expressive, these things identified by the Court are not traditional speech. Particularly, a musical score cannot be read by the majority of the public but can be used as a means of communication among musicians. Likewise, computer source code, though unintelligible to many, is the preferred method of communication among computer programers [sic]. Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment.

Terry Carroll, Santa Clara, CA
"The United States is located in the District of Columbia." Uniform Commercial Code s. 9-307(h)

------------------------------

Date: Mon, 1 May 2000 20:28:41 +0100
From: Jon Ribbens
Subject: Re: Hotmail wants to know... (Richards, RISKS-20.87)

> The proof of adult status required? A credit card number.
> 1) I refuse to give my credit card number for a non-purchase reason.

You may well find that your credit card Terms and Conditions forbid you from giving your credit-card number to anyone for any reason other than making a purchase. Mine do.

Jon Ribbens / jon@oaktree.co.uk

------------------------------

Date: Fri, 28 Apr 2000 21:21:59 -0400 (EDT)
From: msb@vex.net (Mark Brader)
Subject: Re: No, Virginia (Burstein, RISKS-20.86)

Danny Burstein writes:
> Permit me to point out that the famous letter, from Virginia O'Hanlon, was
> first printed in the *New York Sun* of 21 September 1897.

And in the letter, Virginia quotes her father as saying "if you see it in the Sun, it's so".

The New York Sun is also the paper where a series of six articles in August 1835 told how astronomer John Herschel, using a great telescope of new (and in fact impossible) design in South Africa, had observed amazing geological formations and a great variety of life-forms on (and flying above) the surface of the Moon...

Of course, this message is off-topic. Questions such as how to determine which information source to trust have no Risks relevance whatever. :-)

Mark Brader, Toronto
"Never trust anybody who says 'trust me.' Except just this once, of course." -- John Varley, "Steel Beach"

------------------------------

Date: 13 Dec 1999 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information]
.MIL users should contact (Dennis Rears).
.UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
  http://www.CSL.sri.com/risksinfo.html
  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.
*** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
  ftp ftp.sri.com
  login anonymous
  [YourNetAddress]
  cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
  http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
  http://the.wiretapped.net/security/textfiles/risks-digest/
PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.88
************************
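Editor's added example, not part of this digest or of CERT Advisory CA-2000-04: the advisory's "Filter Virus in E-Mail" section is elided above, so here is a mail-side filter in Python that checks a message for the Love Letter indicators the advisory does give (the attachment name LOVE-LETTER-FOR-YOU.TXT.VBS and the subject ILOVEYOU) and, more generally, for any attachment whose final extension is one of the Windows Scripting Host types the advisory lists as targets (vbs, vbe, js, jse, wsh, sct, hta), including the double-extension trick of hiding that extension behind a harmless-looking one such as .TXT. The sample messages are constructed for the example; the function names and the choice to report reasons for quarantine rather than bounce the message are mine, not CERT's.

```python
import email
from email import policy
from email.message import EmailMessage

# Script types Windows Scripting Host will run on a double-click; the
# advisory lists these as the extensions the worm overwrites.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}

# Exact indicators from CERT CA-2000-04.
LOVELETTER_ATTACHMENT = "love-letter-for-you.txt.vbs"
LOVELETTER_SUBJECT = "iloveyou"


def attachment_names(msg):
    """Yield the filename of every non-container part that carries one."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def is_script_attachment(filename):
    """True if the last extension is a WSH script type (e.g. photo.jpg.vbs)."""
    if "." not in filename:
        return False
    return filename.lower().rsplit(".", 1)[-1] in SCRIPT_EXTS


def has_double_extension(filename):
    """True for names like x.txt.vbs: a decoy extension in front of the real one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS


def classify(raw):
    """Return the reasons to quarantine a raw RFC 822 message; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == LOVELETTER_SUBJECT:
        reasons.append("subject matches Love Letter worm")
    for name in attachment_names(msg):
        low = name.lower()
        if low == LOVELETTER_ATTACHMENT:
            reasons.append(f"attachment {name} is the Love Letter worm")
        elif is_script_attachment(low):
            kind = "double-extension " if has_double_extension(low) else ""
            reasons.append(f"{kind}script attachment {name}")
    return reasons


def build_sample(subject, body, attachment_name, attachment_body):
    """Construct a sample message for the example (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"   # hypothetical sender
    msg["To"] = "victim@example.com"     # hypothetical recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment_body, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the worm as the advisory describes it, a disguised
# JScript attachment with an innocent subject, and a benign text attachment.
WORM = build_sample("ILOVEYOU",
                    "kindly check the attached LOVELETTER coming from me.",
                    "LOVE-LETTER-FOR-YOU.TXT.VBS", b"' worm body elided")
DISGUISED = build_sample("holiday photos", "see attached",
                         "beach.jpg.js", b"// not a photo")
CLEAN = build_sample("minutes", "attached", "minutes.txt", b"nothing to see")

if __name__ == "__main__":
    for label, raw in (("worm", WORM), ("disguised", DISGUISED), ("clean", CLEAN)):
        print(label, classify(raw) or "ok")
```

The exact-name match catches only the original worm; the extension check is what catches the copycat variants mentioned in the moderator's note, since they keep the same delivery mechanism under a different name. A Procmail or Sendmail recipe of the kind the advisory's solution section refers to would key on the same two fields: the Subject header and the filename parameter of the Content-Disposition header.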