Precedence: bulk
Subject: Risks Digest 21.02

RISKS-LIST: Risks-Forum Digest  Saturday 26 August 2000  Volume 21 : Issue 02

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents:
Hoaxes: When will they learn? (Dave Farber)
NY State's running out of fingerprint IDs (Danny Burstein)
Mobile phone malware on i-mode in Japan (Kevin Connolly)
Firepower via Web interface (Anatole Shaw)
Sydney Airport baggage system fails for second time in five days
  (Stellios Keskinidis)
Airline E-Ticket risks (Paul Wallich)
Risks on public transit: mechanical and human failures in Toronto
  (Stephen van Egmond)
Bangkok robot security guard (Torrey Hoffman)
Professor stole 40 student SSNs and IDs to get credit cards (Joan L. Brewer)
Kaiser Permanente medical e-mails go astray (Sheri Alpert)
Wake up, your TV is talking to your bracelet (NewsScan)
SSL Server Security Survey (Monty Solomon)
*The Globe and Mail* Web site exposing search-engine log file
  (Esteban Gutierrez-Moguel)
Blocked e-mail and Web sites (PGN)
Major security hole in new online organizer service (Paul van Keep)
Hackers breach Firewall-1 (PGN)
GAO says EPA's computer security is "riddled" with weaknesses
  (Declan McCullagh)
Bruce Schneier's Secrets and Lies (PGN)
Software Risk Management Conference ISACC (Gary McGraw)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 25 Aug 2000 14:24:13 -0400
From: Dave Farber
Subject: Hoaxes: When will they learn?

We have had the technology to do digitally signed authentication for many
years, and yet still companies and people do not sign their e-mail, and look
what happens.  And I mean REAL signatures, not just what the Congress thinks
is digitally signed material.

Dave

  Shares of the Emulex Corporation plunged more than 60 percent Friday
  following the distribution of a bogus press release about the computer
  network equipment maker's earnings.  Trading in the stock was halted for
  about three hours after the hoax started showing up in financial news
  reports.  The hoax wiped more than $2 billion off the company's stock
  market value, leaving it around $2 billion.  Emulex's shares finally
  resumed trading at 1:30 p.m. Eastern time and recaptured most of their
  loss.  The stock was lately trading down 6, or 5.3 percent, at 107 1/16
  after earlier plunging as low as 43.

  The fake press release, which appeared on the Internet around the time of
  the market's opening bell, claimed that Emulex would restate its fiscal
  fourth-quarter earnings as a loss.  There were also headlines that the
  Securities and Exchange Commission was investigating accounting
  irregularities at the company and that Emulex's president and chief
  executive, Paul Folino, was stepping down.

  [Source: http://www.nytimes.com/yr/mo/day/news/financial/25tsc-emulex.html
  From Dave Farber's IP list.  See also
  http://cnnfn.cnn.com/2000/08/25/companies/emulex/ .  PGN]

------------------------------

Date: Sat, 26 Aug 2000 01:44:20 -0400 (EDT)
From: danny burstein
Subject: NY State's running out of fingerprint IDs

  In a problem officials are comparing to the Y2K scare, the state says it
  will run out of numbers to assign to the fingerprints it keeps on file --
  and will begin recycling old ones -- next year.
  [Source: State's running out of fingers to count IDs on, by Greg Wilson,
  *NY Daily News*, 25 Aug 2000]

The article continues by pointing out that there are only seven digits for
the ID field, meaning a total of 9,999,999 records.  (I'd be a bit surprised
if they had actually started with "0000001" rather than "1000001", but since
these date from the old paper card days it's quite possible.)

With NYS's population being about 18 million (subject to whether you use the
"actual enumeration" census figures or the "statistical correction" - but
that's another Risk entirely...) and with records going back for decades,
the justice division is rapidly running out of numbers.  So, effective in
August 2001, they anticipate reusing ID numbers of people who have died or
otherwise been removed from the register.

No need to worry if your ID number matches that of a serial murderer,
though.  The article continues that:

  Officials offered assurances that the numbers crunch will not result in
  the misidentification of law-abiding citizens who are issued numbers
  previously assigned to criminals.

Why am I not reassured?

------------------------------

Date: Fri, 25 Aug 2000 08:25:13 +0100
From: kmc@eircom.net
Subject: Mobile phone malware on i-mode in Japan

The risk is that people designing new mobile phone functions do not learn
from the mistakes in the MS Word macro "virus enabling" feature.

http://www.zdnet.co.uk/news/2000/31/ns-17205.html

  "Hundreds of Japanese i-mode users were stung by a prank which forced
  phones to dial "110" -- the police emergency telephone number in Japan --
  during an online quiz."

Kevin Connolly

------------------------------

Date: Thu, 17 Aug 2000 19:44:36 -0400 (EDT)
From: Anatole Shaw
Subject: Firepower via Web interface

http://www.bangkokpost.net/170800/170800_News03.html
  [FIXED in archive copies.  PGN]

The Thailand Research Fund has unveiled a new robot, resembling a giant
ladybug with a couple of extra limbs.  The unit is equipped with
visible-spectrum and thermal vision, and a gun.  According to Prof. Pitikhet
Suraksa, its shooting habits can be automated, or controlled "from anywhere
through the Internet" with a password.

The risks of both modes are obvious, but the latter is new to this arena.
Police robots of this ilk have been around for a long time, but are
generally radio-controlled.  The apparent goal here is to make remote
firepower available on-the-spot from around the Internet, which means
insecure clients everywhere.  How long will it take for one of these
passwords to be leaked via a keyboard capture, or a browser bug?  Slowly,
we're bringing the risks of online banking to projectile weaponry.

------------------------------

Date: Sun, 20 Aug 2000 19:07:17 +1000 (EST)
From: stellios keskinidis
Subject: Sydney Airport baggage system fails for second time in five days

As a result of an hour-long computer glitch during the integration of the
security system with the main baggage-handling system, Sydney airport's new
$43 million baggage system failed on 20 Aug 2000 for the second time in five
days (with the Olympic Games a month away).  (The previous problem was in
the new checked bag screening system.)
  [Source: PGN-ed from http://news.ninemsn.com.au/01_national/story_8815.asp,
  20 Aug 2000]
  [Same article also noted by Steve Gillanders.  PGN]

------------------------------

Date: Tue, 1 Aug 2000 16:39:31 -0400
From: Paul Wallich
Subject: Airline E-Ticket risks

Continental Airlines has installed a very efficient new system for travelers
whose tickets exist only in computerized form: swipe a credit card or other
means of ID, tell the touch screen how many bags you have to check and answer
the usual security questions about who packed them and whether they've been
out of your sight, and it prints out a boarding pass.  You can also change
your seat and (possibly) other aspects of your itinerary on the spot.

The machines are supposed to be tended by agents who check your luggage
(should you have any to check) and look at a photo ID to make sure you're
who your credit card says you are.  But in some busy airports (say, for
example, Detroit last weekend) the machines appear to function unmonitored.

There's a long list of risks here relating both to terrorism and to theft,
and I don't see any obvious way of fixing them in the context of the current
system, except perhaps to require an ID check somewhere downstream of the
boarding pass issuance.  (Of course it doesn't make me any happier to note
that with the endemic delays in today's air transport system you also have
passengers leaving aircraft and then reboarding with no verifiable checks on
either identity or luggage.)

Paul Wallich  pw@panix.com

------------------------------

Date: Wed, 16 Aug 2000 21:47:07 -0400
From: Stephen van Egmond
Subject: Risks on public transit: mechanical and human failures in Toronto

http://www.ttc.ca/postings/gso-comrpt/documents/report/f910/_conv.htm

This URL gives an interesting report by the Toronto Transit Commission
describing an alarming situation on a revenue train.  It provides a lot more
detail than you might find in a media article.

The sequence of mechanical and human failures that contributed to the
dangerous situation is interesting, as is the TTC's response, which includes:

* training (i.e., pounding on the table and saying "don't do that")
* reducing training (i.e., not teaching operators how to do a dangerous
  procedure)
* physical hacks

For background, the TTC runs trains in sets of six cars composed of three
mated pairs.  Each car has an operator's cab where motion and doors can be
controlled, and a window which, when opened, reveals door control buttons.

Stephen van Egmond  http://bang.dhs.org/

------------------------------

Date: Thu, 17 Aug 2000 09:49:24 -0700
From: Torrey Hoffman
Subject: Bangkok robot security guard

I think that even long-time RISKS readers will find this to be a bad idea of
prize-winning magnitude.  (Perhaps RISKS should give out yearly awards for
the worst (most risky) ideas implemented in software systems.  Outlook VBS
scripting comes to mind...)
  The world's first armed robot security guard that can open fire on
  intruders while controlled through the Internet was unveiled in Bangkok
  yesterday.  It is one of five Thai-made hi-tech robots revealed by the
  Thailand Research Fund.  Asst Prof Pitikhet Suraksa, of the King Mongkut
  Institute of Technology's Lat Krabang campus, said his roboguard was
  developed from an unarmed "telerobot" built in Australia in 1994.

  "The robot is equipped with a camera and sensors that track movement and
  heat.  It is armed with a pistol that can be programmed to shoot
  automatically or wait for a fire order delivered with a password from
  anywhere through the Internet.  With further development the technology
  could be applied to building robot guards for important places, including
  museums that house precious artifacts."

Deployment of this could lead to all sorts of interesting scenarios.  The
first time it perforates one of the cleaning staff, will the owners blame it
on a "programming glitch"?  [... potential puns about loose cannons ...]

Torrey Hoffman

  [With no human in the loop, this would be really terrible.  However, even
  with a human in the loop, it is another egregious example of security
  supposedly enforced by passwords floating sniffably unencrypted around the
  Internet!  And with a little IP spoofing, a penetrator might even be
  untraceable.  Perhaps Prof Suraksa needs an effrontal robotomy.  As the
  old joke goes, this may be a case in which you can always telerobot, but
  you can't tell it much.  PGN]

------------------------------

Date: Thu, 17 Aug 2000 17:19:05 -0700
From: "Pegasus"
Subject: Professor stole 40 student SSNs and IDs to get credit cards

According to prosecutors, Cadello got names and Social Security numbers of
unwitting students from the school computer and named them as "parents" of
fictitious children whose Massachusetts birth certificates he forged.  He
then obtained new Social Security numbers with those names and used them to
obtain various sets of ID and apply for credit cards (40 sets).  The
incident has cost the university thousands of dollars for a new computer
system that lists students without using their Social Security numbers.
  [http://seattletimes.nwsource.com/news/local/html98/altprof17m_20000817.html
  Central Washington professor sentenced in fraud, Mike Carter,
  *Seattle Times*, 17 Aug 2000]

Here is the really weird part.  When he was arrested the students protested
and gave him support (?).  Well, at least someone found a flaw in their
database.  Perhaps other colleges can learn from this one.  ;-)

Joan L. Brewer  BS CSE -- retired...

------------------------------

Date: Thu, 10 Aug 2000 02:18:59 -0400 (EDT)
From: Sheri Alpert
Subject: Kaiser Permanente medical e-mails go astray

Beginning on 2 Aug 2000, Kaiser Permanente accidentally sent 858 e-mail
messages from nurses and pharmacists (some including sensitive medical
information) to the wrong people.  Blame was placed on "human error" and a
"technological glitch" in upgrading their Web site.  Kaiser spokesperson
Beverly Hayon said Kaiser has "fixed the problem.  We have changed protocols
for sending out e-mails.  We feel safe saying this particular problem will
never happen again."
  [Source: article by Bill Brubaker, *The Washington Post*, 10 Aug 2000 E01]

------------------------------

Date: Wed, 16 Aug 2000 09:51:39 -0700
From: "NewsScan"
Subject: Wake up, your TV is talking to your bracelet

A new system called Whispercode, designed by a New Jersey company for
monitoring the effectiveness of TV advertising, will involve the encoding of
commercials with inaudible, identifying signals that can be picked up by a
small device worn by a participant (perhaps in a bracelet or keychain) and
relayed to a nearby recording box that records the fact that the wearer was
in the room when the commercial was broadcast.  [It should be noted, though,
the system can't detect whether the participant is awake, attentive, and not
bored to death.]  The company's chief executive officer says, "With
Whispercode, we will finally be providing our clients with a true accounting
of where their advertising money is going."  (*The New York Times*, 15 Aug
2000 http://partners.nytimes.com/library/financial/columns/081600tv-adcol.html;
NewsScan Daily, 16 August 2000)

------------------------------

Date: Sun, 13 Aug 2000 23:05:14 -0400
From: Monty Solomon
Subject: SSL Server Security Survey

SSL Server Security Survey, Eric Murray, ericm@lne.com
31 Jul 2000

A random sample of 8081 different secure Web servers running the SSL
protocol in active use on the Internet shows that 32% are dangerously weak.
These weak servers either support only the flawed SSL v2 protocol, use
too-small key sizes ("40 bit" encryption), or have expired or self-signed
certificates.  Data exchanges with all types of weak servers are vulnerable
to attack.

http://www.meer.net/~ericm/papers/ssl_servers.html

------------------------------

Date: Thu, 17 Aug 2000 01:59:33 -0500 (CDT)
From: Esteban Gutierrez-Moguel
Subject: *The Globe and Mail* Web site exposing search-engine log file

The Web site of the Canadian newspaper *The Globe and Mail* seems to have a
badly configured access policy of a log file.  The log file is a standard
Web server log file that contains browser information, requested data, and
the IP address of each visitor who performs a search from the online edition
of the newspaper.

A simple test of this problem is searching for some known text (for example:
"Hello World") using http://www.theglobeandmail.com (Globe 7-day Search),
and a few seconds later you will find an entry in
http://archives.theglobeandmail.com/generated/Fragments/access containing
the string "Hello+World".

------------------------------

Date: Tue, 22 Aug 2000 12:14:06 PDT
From: "Peter G. Neumann"
Subject: Blocked e-mail and Web sites

Lately, we have had another flurry of reports of perfectly reasonable Web
sites and e-mail being blocked for the usual stupidities of overzealous
filtering.  But this one is somewhat different: The U.S. Air Force Space
Command blocked the San Francisco Exploratorium Yahoo site because it
describes making a mixture out of baking soda and vinegar that would blow up
a Ziploc bag.  Elementary fizz-ics, my dear What's-on?
  [Source: http://www.exploratorium.edu/pr/bubble_bomb.html]

------------------------------

Date: Wed, 16 Aug 2000 19:57:27 +0200
From: Paul van Keep
Subject: Major security hole in new online organizer service

The recently opened online organizer service annapa.com (Anna, your Personal
Assistant) suffered from a major security hole last week.  The site has a
security statement prominently displayed on its homepage with the usual
statements about how they value their customers' data and that everything
had been audited by Arthur Andersen.  Despite this, compromising other
users' data was almost trivial: after logging in with the valid
userid/password combo, all that had to be done was to twiddle with the URL,
which conveniently encodes your customer id.  This simple operation gives
access to all essential data from other users and allows changing of that
data, including blocking access by changing that user's password.

The company behind annapa.com, IntraSites, issued a statement on its website
in which it tried to belittle the issue.  A translation of the part of the
statement currently on their homepage:

  "[...] updating some program modules on the site disabled one security
  mechanism.  This made it possible for an IT-specialist (consequently not
  for a normal user), to access random and limited user data on the screen".

If all of that is true, what value does the security audit that AA performed
have?  Shouldn't AA review every update before installation?  Is an
IT-specialist not a 'normal' user?  Aren't all crackers IT-specialists?
Wouldn't a smart user be able to do the same?  Was the hole only present for
a couple of days?  I sincerely doubt it.

The URL twiddling trick seems to be a common security problem.  Two months
ago I encountered almost the same hole in the customer information portal
for Exact Software (www.exactsoftware.com).  The whole portal was removed
from the site within an hour after I informed their CEO about the problem.

Paul van Keep  http://www.sumatra.nl

------------------------------

Date: Sun, 13 Aug 2000 19:52:47 PDT
From: "Peter G. Neumann"
Subject: Hackers breach Firewall-1

  [Source: David Raikow, Sm@rt Partner, 2 Aug 2000
  http://www.zdnet.com/zdnn/stories/news/0,4586,2610719,00.html]

An audience of several hundred network security professionals watched with
rapt attention last week as a trio of hackers repeatedly penetrated one of
the industry's most trusted and popular firewall products -- Checkpoint
Software's Firewall-1.  The demonstration, presented at the "Black Hat"
security conference in Las Vegas, challenged the widely accepted notion that
firewalls are largely immune to direct attack.

The panel -- John McDonald and Thomas Lopatic of German security firm Data
Protect GmbH and Dug Song of the University of Michigan -- identified three
general categories of firewall attacks.  They began by demonstrating a
number of relatively simple techniques by which an attacker could
impersonate an authorized administrator, and thus gain access to the
firewall application itself.  A second type of attack tricked the firewall
into believing an unauthorized Internet connection was actually an
authorized virtual private network connection.  Finally, the panel exploited
a number of errors in the process used to examine traffic passing through
the firewall to sneak in dangerous commands.

While their presentation focussed on a single commercial firewall product,
panel members repeatedly emphasized that most firewalls are vulnerable to
the types of attacks demonstrated.  "The problem is not just with
[Firewall-1]," said Song.  "The real problem is the blind trust most people
place in their firewalls."

Greg Smith, Checkpoint's director of product marketing for Firewall-1,
pointed out that many of the attacks demonstrated relied on improper
firewall configuration, and he asserted that they presented little practical
threat.  "Not a single customer has reported a problem with any of these
issues."  Nevertheless, Checkpoint worked with McDonald, Lopatic and Song in
developing defenses against the attacks, which they released as part of
Firewall-1 Service Pack 2 immediately following the demonstration.
Checkpoint emphasized that the service pack should prevent all of the
attacks discussed, even those dependent on misconfiguration.

The panel also recommended a number of additional steps for "hardening"
firewalls, including use of strong authentication protocols, "anti-spoofing"
mechanisms and highly restrictive access rules.  At the same time, they
called on the IT community to abandon the "single firewall" model of network
security and implement multiple lines of defense.

However, one observer of the session, employed by a network switch
manufacturer, thinks Checkpoint lost some credibility over its products.
"Some of the exploited areas were because of dumb programming mistakes in
the code for the firewall itself.  If the [firewall] programmers can't get
it right, what other problems may still be lurking?" he pondered.
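The URL-twiddling hole in Paul van Keep's annapa.com item above (the customer id travels in the URL and is used as the sole key to the record, so being logged in is the only check) is worth seeing next to its fix. The Go program below is an added example, not code from annapa.com, IntraSites or any firewall vendor: the store, customer ids and Session type are constructed for illustration, and it places the vulnerable lookup beside one that authorizes every read, and the password-change write, against the customer the server itself authenticated.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// Record is one customer's organizer data; the store is constructed sample
// data for this example, not anything from the service in the item.
type Record struct {
	Owner    int // customer id that owns this record
	Notes    string
	Password string
}

var store = map[int]*Record{
	1001: {Owner: 1001, Notes: "dentist, Tuesday 10:00", Password: "alice-pw"},
	1002: {Owner: 1002, Notes: "board meeting, Friday", Password: "bob-pw"},
}

type Session struct{ CustomerID int } // set by a successful login; zero = not logged in

var ErrForbidden = errors.New("forbidden")

// lookup fetches the record named by the id in the URL (e.g. /organizer?cust=1002).
// That id is client-controlled: the user can edit it freely before sending the request.
func lookup(raw string) (*Record, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	id, _ := strconv.Atoi(u.Query().Get("cust")) // non-numeric -> 0, never a valid id
	rec, ok := store[id]
	if !ok {
		return nil, ErrForbidden
	}
	return rec, nil
}

// vulnerableView is the pattern in the item: "logged in?" is the only check, so
// any valid login can read every other customer's record by twiddling the URL.
func vulnerableView(s Session, raw string) (*Record, error) {
	if s.CustomerID == 0 {
		return nil, ErrForbidden
	}
	return lookup(raw)
}

// hardenedView authorizes the same lookup against the session: the record must belong
// to the authenticated customer; a foreign and a missing record get the same answer.
func hardenedView(s Session, raw string) (*Record, error) {
	if s.CustomerID == 0 {
		return nil, ErrForbidden
	}
	rec, err := lookup(raw)
	if err != nil || rec.Owner != s.CustomerID {
		return nil, ErrForbidden
	}
	return rec, nil
}

// changePassword is the write path the item warns about; it reuses the ownership check.
func changePassword(s Session, raw, newPassword string) error {
	rec, err := hardenedView(s, raw)
	if err != nil {
		return err
	}
	rec.Password = newPassword
	return nil
}

func main() {
	alice := Session{CustomerID: 1001}
	r, _ := vulnerableView(alice, "/organizer?cust=1002") // leaks customer 1002's record
	_, err := hardenedView(alice, "/organizer?cust=1002")
	fmt.Println("vulnerable:", r.Notes, "| hardened:", err)
}
```

The same ownership check belongs on every handler that takes an id from the request, not only the one that was noticed; the company's "only an IT-specialist could do it" claim reduces to editing a query string.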
------------------------------

Date: Sat, 12 Aug 2000 11:22:30 -0400
From: Declan McCullagh
Subject: GAO says EPA's computer security is "riddled" with weaknesses

Exact URL is: http://com-notes.house.gov/ai00215.pdf

Press release:

  Bliley Releases GAO's Findings on Computer Security At EPA
  Report Calls EPA's Computer Network "Riddled With Security Weaknesses"

  Washington (August 11) -- Ineffective, inadequate, and riddled with
  weaknesses.  This is how the General Accounting Office (GAO) described the
  Environmental Protection Agency's (EPA) agency-wide information security
  program.  Commerce Chairman Tom Bliley (R-VA), who in August 1999
  requested the GAO audit of EPA's system as part of his review of the
  computer security policies and programs of certain Federal agencies within
  the Committee's jurisdiction, released the report today.

  "The GAO report, coupled with the Committee's other recent oversight in
  this area, shows that, despite the tough rhetoric, the Clinton-Gore
  Administration's cyber-security policy amounts to little more than paper
  pushing," Bliley said today in releasing the GAO Report.

  In February of this year, after GAO's preliminary review of EPA's system
  found "serious and pervasive problems," Chairman Bliley requested that EPA
  take down its computer systems and initiate a major overhaul of its
  computer network security.  The EPA reluctantly complied.

  "It is unfortunate," Bliley said, "that years of gross mismanagement at
  the Agency have left these sensitive systems and data at such serious risk
  for so long.  But it is even more unfortunate that it took this
  Committee's oversight and public pressure to motivate the Agency to
  undertake responsible steps to ensure its computer systems provide
  adequate protection for sensitive Agency data.

  "EPA, while shocking in degree, is not alone when it comes to poor
  management of cyber security.  GAO and Committee oversight of other
  Federal agencies continues to reveal that, rather than being a model for
  the private sector to follow -- as the President has claimed he wants it
  to be -- the Federal government appears instead to be a model of what not
  to do when it comes to managing information security.

  "In today's world, information security is crucial.  It is disturbing that
  government agencies with critical computer systems have paid so little
  attention to this issue, and are so vulnerable to attacks.  It also
  reflects a lack of leadership from the White House, which under current
  law should be coordinating agency efforts to improve cyber security, but
  isn't.

  "I will continue my review of agency information systems in an effort to
  improve the Federal government's weak computer security practices."

  In late July 2000, Bliley requested the GAO complete a similar audit of
  the Commerce Department's cyber security program.  Bliley also recently
  launched a review of the Food and Drug Administration's (FDA) information
  management policies and practices, requesting records detailing the
  agency's computer security practices and any hacker attacks against FDA.

  A copy of the GAO Report is available at: www.house.gov/commerce

------------------------------

Date: Tue, 22 Aug 2000 12:14:06 PDT
From: "Peter G. Neumann"
Subject: Bruce Schneier's Secrets and Lies

Bruce's new book, *Secrets and Lies: Digital Security in a Networked World*
(Wiley), concludes that cryptography alone cannot protect business networks.
This is a fine counterpoint to the mistaken belief that cryptography is the
ultimate answer to security.

  "Protecting information has become increasingly difficult in the digital
  world.  Teen-aged hackers have compromised the security of the U.S. State
  Department's web site and, in so doing, have proven that gaining access to
  personal passwords and other `secure' information is far easier than many
  could have ever anticipated."

The book website is http://www.counterpane.com/sandl.html and is discussed
in http://www.counterpane.com/crypto-gram-0008.html#1

------------------------------

Date: Fri, 18 Aug 2000 14:09:13 -0400
From: Gary McGraw
Subject: Software Risk Management Conference ISACC

Reliable Software Technologies encourages all people interested in making
software behave to attend ISACC, the Software Risk Management conference
(http://www.isacc.com).  We'll be discussing many of the topics RISKS
readers are fond of: security, reliability, and safety.  And just to spice
things up, how about software certification as a controversial issue?!
Hope to see you there.

Gary McGraw, Ph.D  gem@rstcorp.com, Vice President, Corporate Technology
Reliable Software Technologies, Dulles, VA

------------------------------

Date: 13 Dec 1999 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 SEND DIRECT E-MAIL REQUESTS to with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO [for unabridged version of RISKS information]
 .MIL users should contact (Dennis Rears).
 .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com
 login anonymous
 [YourNetAddress]
 cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
 http://the.wiretapped.net/security/textfiles/risks-digest/ .
==> PostScript copy of PGN's comprehensive historical summary of one liners:
 illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 21.02
************************