RISKS-LIST: Risks-Forum Digest  Monday 29 May 2000  Volume 20 : Issue 89

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Top-secret stolen UK laptop recovered (Doneel Edelson)
Nuclear reactor shuts down in California (Linda Kaplan)
Venezuela cites computer glitch, postpones elections (Declan McCullagh)
NHL Web attack (Keith A Rhodes)
A rather risky device to end high-speed chases (Serguei Patchkovskii)
Media gullibility on laser gun to stop cars (John Pettitt)
Study shows mobile phones do interfere with avionics (Kevin Connolly)
Junk-mail filters: excerpted (Gary Cattarin)
Revision control (Mike Albaugh)
Outlook "security" patch (Dave Weingart)
VBS.NewLove.A false positives (Jeremy Epstein)
Risks of virus disinfection (Tom Hayhurst)
Widespread Web-Trojan alerts (Chris Adams)
CERT Advisory CA-2000-07 (CERT)
Misleading warning, failure of Netscape SSL server authentication (Kevin Fu)
I did not say that! wrt deja.com (Stephen Keeling)
Risky quotation (Zygo Blaxell)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 22 May 2000 16:32:55 -0400
From: "Edelson, Doneel"
Subject: Top-secret stolen UK laptop recovered

A stolen laptop computer holding details of a top secret 250-billion-pound Anglo-US super-lethal stealth Strike fighter project has been recovered by *The Mirror*.  The laptop was stolen from a naval intelligence officer at a London station two weeks before.

  [Source: *Mirror* article 22 May 2000; PGN-ed]

------------------------------

Date: 15 May 2000 11:21:49 -0700
From: Linda.Kaplan@eng.sun.com ("Rainbow(Queen of infinite Space)")
Subject: Nuclear reactor shuts down in California

Due to an electrical problem at 12:25 a.m. on 15 May 2000, an automated shutdown of a Diablo Canyon Unit 1 nuclear power plant reactor released a small amount of radioactive steam.  Everything seemed to function properly in the triggered shutdown.

  [Source: An AP item on 15 May 2000]

------------------------------

Date: Fri, 26 May 2000 11:30:11 -0400
From: Declan McCullagh
Subject: Venezuela cites computer glitch, postpones elections

CARACAS, VENEZUELA -- Citing technical woes, Venezuela's high court on Thursday suspended this weekend's general elections, saying fair balloting is impossible until the problems are resolved.  Conditions for "credibility and transparency" in Sunday's presidential, congressional and regional elections do not exist, said Ivan Rincon of the Supreme Tribunal of Justice.  [...]  President Hugo Chavez had earlier blamed an Omaha (Neb.)-based company for the technical problems, saying it was part of an overall plan to "destabilize" the country's electoral process.

  [Source: Citing major computer woes, high court delays elections,
  *Chicago Tribune*, 26 May 2000
  http://www.chicagotribune.com/news/printedition/article/0,2669,SAV-0005260364,FF.html;
  PGN-ed; see also:
  http://www.washingtonpost.com/wp-dyn/articles/A7231-2000May25.html
  http://www.foxnews.com/world/0523/i_ap_0523_111.sml
  http://news.bbc.co.uk/low/english/world/americas/newsid_764000/764372.stm]

  [Contrast the controversy over the recent election in Peru.  PGN]

------------------------------

Date: Fri, 26 May 2000 07:53:22 -0400
From: "Keith A Rhodes"
Subject: NHL Web attack

Add the National Hockey League to the long list of sites that have been attacked.
A distributed denial of service attack on the NHL Web site took it off the air for several days, 21 through 25 May.  The NHL's Web manager blamed the rather long period on their lack of technical resources and chalked it up as a learning experience.

  [Source: NHL Web Site Back Online, Associated Press item, 26 May 2000]

------------------------------

Date: Sun, 14 May 2000 9:54:14 MDT
From: "Serguei Patchkovskii"
Subject: A rather risky device to end high-speed chases

High-speed police chases have been a rather hot topic in Canadian media recently.  Larry Martens, a 22-year veteran former Mountie (RCMP), has a patent on a radio device that would allow police to stop the engine of any fleeing vehicle at the push of a button.  Every vehicle would require a $150 receiver.

  [Source: Device could end high-speed chases, by Scott Crowson,
  *Calgary Herald*, city section, 14 May 2000; PGN-ed]

Sounds like a worthwhile addition to "1000 ways of having fun with a police scanner" to me.  [SP]

home page: http://www.cobalt.chem.ucalgary.ca/ps/

------------------------------

Date: Thu, 18 May 2000 23:11:25 -0700
From: John Pettitt
Subject: Media gullibility on laser gun to stop cars

After a recent car chase that ended with the fugitive jumping off the Golden Gate Bridge there was an item on the TV (NBC national news) about a new device being promoted to enable police to stop any car using a "laser gun".  This caught my attention, mostly because it didn't sound reasonable.  Indeed the secret was revealed at the end of the story when the reporter said that for the device to work all cars would need to be fitted with an "inexpensive receiver".

There is so much wrong with this idea it's hard to know where to start; even if the system was designed well enough that only "real" guns would work (very unlikely IMHO) a stolen "gun" could create total gridlock in a city.

Perhaps the biggest risk here is that NBC actually ran the item without stopping to notice how silly the idea was.
John

------------------------------

Date: Mon, 29 May 2000 09:14:13 +0100
From: Kevin Connolly
Subject: Study shows mobile phones do interfere with avionics

See http://www.newscientist.com/nsplus/insight/phones/dangersignals.html

The study showed that mobiles caused problems for older generation avionics during tests in a parked jet.

  "interference levels that exceed demonstrated susceptibility levels for
  aircraft equipment approved against earlier standards"

Kevin Connolly

------------------------------

Date: Fri, 19 May 2000 11:41:41 -0700
From: "Gary Cattarin"
Subject: Junk-mail filters

  [NOTE: Entire item in RISKS-20.89x.  See below.  PGN]

This I'm sure has been covered before, but here's an interesting example of filters gone awry.

I recently upgraded (?) to MS Office 2000, which, among other things, lets you have more than 8 e-mail filters active at once.  In my glee I started turning things on, including junk mail filtering.  Surprise!  I found 8-10 important messages -- all replies to a query I sent out to a personal mailing list -- all dumped into the Junk Mail folder.

What was it?  I'm riding in a charity bicycle ride, and I needed to tell my pledge-ees that I needed their money now.  So I sent them an e-mail updating my training status and asking them to send their checks.  Obviously, this message had at least one dollar sign "$" in it -- and because I'm an excitable guy it had at least one multiple exclamation mark "!!", and since, at the end, I chided my manager to make good on my exaggerated version of his pledge:

>> Mark, didn't you promise $5,000 or something like that?

...we also hit the magic phrase ",000".  Now, the fine folks in Redmond have determined that if these three elements converge, you have received Spam.  The actual rule (from their web site) is:

  Body contains ",000" AND
  Body contains "!!" AND
  Body contains "$"

Who'd have guessed?  In fact, even looking at their filter list, it took me a long time to figure out which rule I'd hit.  (OK, I'm slow sometimes.)

I guess the rule is (a) don't get too excited ! -- one "!" at a time!  (b) specify your currency as "USD", and (c) use European periods ("5.000") instead of North American commas in large numbers.

OK, that's silly.  But just as silly is the fact that any spammer can read the list of rules and tailor their e-mail to avoid them.

Of course, you might never read this, because if you have junk e-mail filtering turned on, Outlook will catch THIS message and do with it as you've requested for junk mail.

Two other interesting points:

(1) In the adult filters you'll find these two:

  Subject contains " sex"
  Subject contains "free" AND Subject contains "sex"

The first is set up with a leading space to only accept the *word* "sex", so those of us who live here in Middlesex county don't lose any local-related mail.  But the writer of the second wasn't so careful -- what if the Middlesex News offers free subscriptions?  That's Spam, yes, but not porn (I guess that's why that newspaper changed its name...).

(2) Don't address your dear friend as such -- note the rule:

  Body contains "Dear friend"

My golly!  I can't send some good old-fashioned heartfelt feelings to my dear friends!!  (oops, double "!!" -- I got excited!)

This stuff can be very dangerous...

The entire list is at http://officeupdate.microsoft.com/Articles/newfilters.htm

I included it here, but the moderator may choose to cut it from the journal in the interest of space.

  [Your moderator chose to create a supplemental issue, RISKS-20.89x that contains the complete original submission.  I would have included it here, but it is likely to have greatly increased the likelihood that the entire RISKS issue would be bounced by many filtering programs.  As it is, I frequently get porn-bounce or spam-bounce notices on seemingly harmless issues of RISKS.
  PGN]

------------------------------

Date: Thu, 25 May 2000 11:03:35 -0700 (PDT)
From: Mike Albaugh
Subject: Revision control

When I heard that Microsoft was considering action against the person[s] responsible for the "Weenie" security hole, "_If they can be found_", my first thought was along the lines of "These guys don't even have revision-control on _security_ software?!?", but yesterday morning my clock-radio woke me up to even more startling news.

In a story about the egregious expansion of search-and-seizure that was added to the new "Bankruptcy Reform" bill, was the news that the Senate apparently did not _know_ who had inserted the language, but believed it was the work of a staffer in Orrin Hatch's office.

Now, maybe I was still too groggy, but my reaction to this was "These guys don't even have revision-control on _laws_?!?".  I wish I could add a :-), but the consequences are potentially far worse than one more bug in software well known for security weaknesses.

The fact that the suspect language was apparently "included by reference" from an un-related bill is yet another example of the hazards of abstraction.  IMHO, we as a society place entirely too much trust in un-trustworthy components and agents.

Note also the parallels to the debate on Open Source.  _In Principle_, every congressperson would read (and understand) every word of every bill (and follow/verify references).  In practice, only by chance do these alterations become known.

Mike  albaugh@agames.com

------------------------------

Date: Thu, 18 May 2000 11:15:50 -0400
From: Dave Weingart
Subject: Outlook "security" patch

Microsoft has decided that since the scripting behavior of Outlook is unsafe, they're going to disable the ability to actually get many file attachments (it's not entirely clear if the file will be saved or simply trashed -- it seems to imply that you can't access the attachments within Outlook 98 and Outlook 2000 only.
If the file is completely trashed, a whole new RISK is created by people assuming that an e-mailed attachment got through).

http://www.officeupdate.com/2000/articles/Out2ksecarticle.htm has Microsoft's official word on the update.

Dave Weingart, Randstad North America  dave.weingart@us.randstad.com  1-516-682-1470

------------------------------

Date: Fri, 19 May 2000 17:58:53 -0400
From: "Jeremy Epstein"
Subject: VBS.NewLove.A false positives

As everyone knows, VBS.NewLove.A is sweeping the world.  Or is it?  Norton AntiVirus, using the latest set of definition files (5/18/00) is giving false positives on a range of files.  On my system, it's complaining about some pure HTML files (i.e., with no scripting or anything else remotely malicious).  Their web page doesn't give any details, and I haven't been able to find anything out, but their technicians did admit to false positives, and they're working on a new version.

In fairness to Symantec, they're trying to rush out patches as fast as they can to a rapidly proliferating virus.  However, it's obvious that they didn't do a very good job of getting the pattern match correct.

--Jeremy

------------------------------

Date: Thu, 25 May 2000 15:51:33 GMT
From: "Tom Hayhurst"
Subject: Risks of virus disinfection

In the aftermath of the Love Bug, all e-mail inboxes at my place of employment have been scanned for suspect attachments.  Apparently, a home-grown perl script (run as root) was used to delete or modify tainted e-mails.  Unfortunately, a side-effect of this was to make all files in the mail spool directory world-readable about ten days ago.  This has only just been noticed and rectified.

Obvious Risk: immediate, disruptive threats can divert attention away from safe, well-known procedures.
Tom Hayhurst

------------------------------

Date: Mon, 15 May 2000 08:17:29 -0700
From: Chris Adams
Subject: Widespread Web-Trojan alerts

The people at Zope found a problem with their admin interface (http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan) that also applied to just about any web-based admin tool.  Basically, an attacker could create a page that redirected to the site's admin interface or a form that submitted to it (possibly using JavaScript for automatic submission); in any case, the effect was that any user who was logged in as a site administrator could have an attacker execute arbitrary commands in their security context merely by following a link.  If this was carefully set up using JavaScript and frames, it's more than possible that the admin would never notice what had happened.  This attack would be particularly effective against online news sites and anyone else for whom it is common to receive many URLs every day as submissions.

This story was picked up by LWN (http://www.lwn.net/2000/features/Redirect.phtml) and spread rapidly to the usual security forums.

There's a very simple fix that prevents this attack from working in any of the cases reported.  The problem is that the form parameters can all be guessed by the attacker, allowing them to generate a URL easily.  Putting in a random parameter prevents this from being true.  Given that you need to have a random identifier that is not leaked to third parties for meaningful session management, an obvious step is to put in a parameter in the form that must match the user's session ID (e.g. Confirm=346593045 instead of Confirm=true).

(This is still vulnerable if the browser has a security hole which allows an unrelated site to capture cookies.  However, such a bug is really a separate issue as it would allow an attacker to easily hijack the session directly.  A browser that buggy should not be used.)
What I've found disturbing is that there have been several people attempting to get the news out since the original wave of reports (~5/10) about having such a fix that will defang this entire class of attack in a single line of code.  These efforts don't seem to have achieved anything like the visibility given to the original reports.  There's a great deal of speculation about convoluted, partial means of stopping such attacks and even suggestions about disabling web-based admin interfaces entirely but, thus far, very little word about what has to be one of the easiest fixes in the history of computer security.

The risks?  Besides the obvious security concerns, there's the risk that people will do something rash or remain vulnerable despite the fact that, contrary to some of the reports, there is a fix and it's quite simple.  A casual observer could easily get the impression that this problem is a major threat.

------------------------------

Date: Wed, 24 May 2000 15:54:49 -0400 (EDT)
From: CERT Advisory
Subject: CERT Advisory CA-2000-07

  [Abridged for RISKS]

CERT Advisory CA-2000-07
Microsoft Office 2000 UA ActiveX Control Incorrectly Marked "Safe for Scripting"

  [The full Advisory is at http://www.cert.org/advisories/CA-2000-07.html  PGN]

Systems Affected

  * Systems with Internet Explorer and Microsoft Office 2000 components,
    including
    * Word 2000
    * Excel 2000
    * PowerPoint 2000
    * Access 2000
    * Photodraw 2000
    * FrontPage 2000
    * Project 2000
    * Outlook 2000
    * Publisher 2000
    * Works 2000 Suite

Overview

The Microsoft Office 2000 UA ActiveX control is incorrectly marked as "safe for scripting".  This vulnerability may allow an intruder to disable macro warnings in Office products and, subsequently, execute arbitrary code.  This vulnerability may be exploited by viewing an HTML document via a web page, newsgroup posting, or e-mail message.

I.
Description

Microsoft and L0pht Research Labs have recently published advisories describing a vulnerability in the Microsoft Office 2000 UA ActiveX control.  Due to the severity of this vulnerability, we are issuing a CERT advisory to help reach as broad an audience as possible.

Microsoft has published a security bulletin, an FAQ, and a knowledgebase article describing this vulnerability.  These documents are available from Microsoft's web site:

  http://microsoft.com/technet/security/bulletin/ms00-034.asp
  http://microsoft.com/technet/security/bulletin/fq00-034.asp
  http://microsoft.com/technet/support/kb.asp?ID=262767

The CERT Coordination Center thanks L0pht Research Labs and @Stake for initially discovering and reporting this vulnerability.  We also thank the Microsoft Security Team for their assistance in preparing this advisory.

------------------------------

Date: Fri, 26 May 2000 09:51:05 EDT
From: Kevin Fu
Subject: Misleading warning, failure of Netscape SSL server authentication

Here is an example where improper caching and poor GUI design can render a particular implementation of SSL server authentication insecure.

Within one Netscape session, if a user clicks on "continue" in response to a "hostname does not match name in certificate," then that certificate is incorrectly validated for future use in the Netscape session, REGARDLESS of the hostname or IP address of other servers that use the certificate.  It seems that the "Certificate Name Check" warning will cache a certificate as valid for any hostname or IP address in the future.

In this way, if an adversary tricks a user into accepting an invalid certificate at a seemingly benign site, then the user can then be tricked if he/she ever visits a malicious site using the same certificate.  A "continue" click on a seemingly benign SSL web server might end up taking away server authentication from visiting https://www.a-site-that-you-give-private-info.com/ that has poisoned DNS.
Since this is a risks post, there has to be a lesson:

* Be explicit.  Netscape's security warning does not indicate clearly what will result by clicking "continue."

* Even if the design is good, an implementation can go wrong.  Netscape invented SSL, but it has a hard time using it correctly.  Does this scare you?  It should.  If a company who designs an accepted security protocol cannot use it correctly, then think about the companies implementing homebrew security...

* Implementation bugs are not unique to Netscape.  PGP has a relatively good but absolutely dangerous user interface that can mislead users.  See the "Why Johnny Can't Encrypt" paper by Alma Whitten for an excellent analysis.  [SEE NOTE]

For a full report, see http://snafu.fooworld.org/~fubob/netscape-ssl.html or http://www.cert.org/advisories/CA-2000-08.html

Kevin E. Fu (fubob@mit.edu)

  [NOTE: The paper must be Whitten in Inwisible Ink.  PGN-Enquipped]

------------------------------

Date: Wed, 24 May 2000 01:01:12 -0600
From: "s. keeling"
Subject: I did not say that! wrt deja.com

I don't know if this is a problem or if I'm overreacting.  I just did a search on my user id and chanced across a misquoted (by some usenet newbie) news article that attributes statements I never said to me.

http://x69.deja.com/[ST_rn=fs]/getdoc.xp?AN=624428330&CONTEXT=959150860.1906835472&hitnum=6

Do people take deja/usenet with a grain of salt, or should I worry about what anyone can say I said?

keelingNO@SPAM.spots.ab.ca (Stephen)  TopQuark Software & Serv.

  [Misinformation has a horrible way of propagating.  If I were you, I would put a note on your Web site disowning something like that and perhaps putting in a thoughtful item on the risks of being misquoted.
  PGN]

------------------------------

Date: 22 May 2000 23:25:38 -0400
From: uryse0d5@umail.furryterror.org (Zygo Blaxell)
Subject: Risky quotation

While at a bookstore the other day, my spouse was presented with a credit card signature slip printed by an Interac point-of-sale terminal.  It was just like any other credit signature slip, except that the usual "customer signature" line was printed twice, one on top of the other, with ample space for the signature in both places--a harmless glitch, probably due to an obvious and simple programming error.

We pointed the error out to the cashier, who was probably barely old enough to be legally employed, and her response, if she speaks for her generation, was ominous, even terrifying:

  "It does that because ... because it's a computer."

An entire generation is growing up believing that the current sorry state of affairs in information technology could ever be accepted as _normal_!

------------------------------

Date: 13 Dec 1999 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 SEND DIRECT E-MAIL REQUESTS to with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO     [for unabridged version of RISKS information]
 .MIL users should contact (Dennis Rears).
 .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com
 login anonymous
 [YourNetAddress]
 cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
 http://the.wiretapped.net/security/textfiles/risks-digest/ .
==> PostScript copy of PGN's comprehensive historical summary of one liners:
 illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.89
************************