precedence: bulk Subject: Risks Digest 21.26 RISKS-LIST: Risks-Forum Digest Monday 5 March 2001 Volume 21 : Issue 26 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Smart bombs miss again (Lord Wodehouse) Air gaps (Bruce Schneier) Bibliofind exposes lots of credit card data they shouldn't have had (Lenny Foner) TurboTax potential overstatement of gross income (Richard Mason) Risks of buggy cell phone networks (Kragen) SETI@Home felled by a Single Point of Failure (Malcolm Pack) Passwords don't protect Palm data, security firm warns (Yves Bellefeuille) Risks of laptop anti-theft devices (Tony Yip) Where does NAVSTAR say we are, again? (James Paul) Beware assumptions about keyboard layouts... (Perry Pederson) Re: On paper-size standards (Gideon Sheps) REVIEW: "Tangled Web", Richard Power (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 22 Feb 2001 15:05:03 +0000 (GMT Standard Time) From: Lord Wodehouse Subject: Smart bombs miss again >From BBC New online at http://news.bbc.co.uk/hi/english/world/middle_east/newsid_1184000/1184086.stm "Pentagon officials have admitted that most of the bombs dropped by US and British warplanes on Iraq last Friday missed their targets." Yet again I find myself writing to RISKS to point out that these computer-game type weapons are almost always oversold on their abilities and have been little more effective than plain dumb bombs. The Patriot missile is another case oversold (see many article in RISKS). However, if smart weapons fail in Iraq, how much less well will they work in Europe under bad weather. Kosovo was such a case and often the weapons could not be used. The military rely on them more and more, and yet they are shown to be more limited and often less usable. Extending this on to the smart guns and systems for soldiers, I see the fighting forces becoming less effective. The small band of fighters often now seem to beat the big armies. It will become worse, if technology is used exclusively. And what about the NBMD system. Five failures so far. I do not see be being anything apart from a means of keeping some companies in work and something that destabilizes the current situation. Shooting down a long range missile is a lot harder than trying to hit a static target! Global Research Information Systems, GlaxoSmithKline Medicines Research Centre Stevenage SG1 2NY UK +44 1628 482 634 w0400@ggr.co.uk http://www.gsk.com/ ------------------------------ Date: Wed, 21 Feb 2001 16:39:50 -0600 From: Bruce Schneier Subject: Air gaps This is from the February Crypto-Gram. http://www.counterpane.com/crypto-gram-0102.html Whale Communications has been marketing something called e-Gap, which they claim is an "air gap" between two networks. Basically, the system consists of two servers. One is connected to the Internet and the other to the internal network. The two servers only connect through the e-Gap system, a SCSI-based memory device that gets toggled between them. The two servers are never directly connected. This is an interesting idea, but it's not an air gap. What E-Gap really does is create a proxy connection between two computers. It's a slow connection. It's a very limited connection; the system strips down any network layers under the session layer. What that means is that if you set up a system using E-Gap and an intruder were to break into the Internet server, he could not obtain TCP/IP connectivity to the internal server. This certainly increases the security of the back-end server. Nonetheless, the intruder can still access the back-end server as a regular client. The intruder can still break into the internal system by exploiting any vulnerabilities above the transport layer. The whole point of an air gap is that there is no automated connection between the two devices. It's not simply that there is no physical connection between the devices most of the time, but that any logical connection between the two devices is not automated. If the Internet server and the back-end server were on opposite sides of a room, there would be an air gap between them. To connect the two computers, a user has to walk a floppy disk across the room. For an attacker to attack one computer from the other, he needs to be physically present. Even if an attacker gains access to the Internet server remotely, he cannot bridge the air gap to the back-end server. While E-Gap can claim that with their device systems are "completely disconnected at all times," the truth is that their switch operates automatically at all times. There is always a logical connection between the systems connected by their device. And that connection is subject to remote attack, and possible compromise. I'm not saying that this is a bad product -- it sounds like a good product -- but it is not an air gap. Calling it one is deceptive marketing. Kind of like calling a stream cipher a one-time pad. Whale's page describing their technology: They call it "impenetrable." Also note that on their home page they don't just call it an air gap but a *physical* air gap, just in case someone might have wanted to give them the benefit of the doubt. A response to critics by someone with Whale: Hall of shame puff piece: Whale isn't the only one. Here's a review of six "air gap" products: Airgap Networks, which has few details on their product, is notable for actually defining "air gap" (albeit in an Orwellian manner). Bruce Schneier, CTO, Counterpane Internet Security, Inc. 1-408-556-2401 3031 Tisch Way, 100 Plaza East, San Jose, CA 95128 http://www.counterpane.com ------------------------------ Date: Mon, 5 Mar 2001 17:26:25 -0500 (EST) From: Lenny Foner Subject: Bibliofind exposes lots of credit card data they shouldn't have had Bibliofind matches up people looking for used books, and book dealers who have them. Every time you use it to actually buy a book, you're forced to enter all of your name, address, CC info, etc, etc, and that's then sent to the book dealer. They didn't appear to actually keep any of this information around, given that it was never presented in the UI (e.g., as a pre-filled-in form, or something else useful). So I'm especially appalled to have just read that my data, along with about 100K others' data, was perhaps being read for the last 4 months. See http://www.cnn.com/2001/TECH/internet/03/05/bibliofind/index.html Not only did they -not- say they were keeping it (instead of just serving as a conduit), keeping it did nothing to make their customers' lives easier. So it looks like they got it wrong coming and going. Perhaps the press report got it wrong, and it was some sniffer-like attack instead, but it sure seems to imply that they had a big database hanging around that they didn't tell their customers about and which wasn't helping anybody, except to serve as a big fat target. Feh. I guess we'll see if phantom charges appear on various cards. Not to mention perhaps enabling identity frauds of various sorts. I can't get any info about this directly from Bibliofind at the moment, because their site is off the air. ------------------------------ Date: Thu, 01 Mar 2001 14:41:45 -0800 From: Richard Mason Subject: TurboTax potential overstatement of gross income In using TurboTax there is an ability to directly download income tax information on dividends, interest and securities sales, from various brokerage firms directly into TurboTax. When downloading income tax information from Fidelity Investments for a joint tax return I ended up with duplicate, i.e. double amounts of interest and dividends, in the following circumstance. Husband and wife each have individual brokerage accounts. They also have a joint brokerage account. Husband's account info downloads into TurboTax on his social security number and password, wife's account information downloads into TurboTax on her social security number and password. Joint account information downloads on each access. The result is a doubling of the interest and dividend income into TurboTax. This may be unique to the Fidelity account account access system that allows joint account access from either social security number and password, but it is a concern. Richard Mason, University of Nevada ------------------------------ Date: Fri, 2 Mar 2001 02:22:56 -0500 (EST) From: kragen@pobox.com Subject: Risks of buggy cell phone networks I've been a customer of Sprint PCS in Silicon Valley since mid-January. I've noticed that, frequently, when I call busy phone numbers, I never hear a busy signal; instead, I hear my own voice echoed back at me. My morning train seatmate had a Motorola Sprint PCS phone she claims works everywhere but San Francisco. Here, whenever she called her Sprint PCS voice mail (located in Texas), she got connected to someone else's in-progress call --- apparently selected at random. I observed the same phenomenon later today trying to call my girlfriend's Seattle Sprint PCS phone and (non-Sprint, non-cellular) home phone. Sometimes I got fast busy signals, sometimes I got my own echo, and sometimes I got other people's conversations. It appeared that I was only hearing one side of the conversation, the speakers could not hear me, and my listening did not disrupt their conversation; but it only lasted for ten seconds or so. Still, I heard snatches like, "Yeah. She says this is the sickest she's ever felt." One eavesdropping session lasted nearly a minute. I suspect these are two manifestations of a single bug in Sprint's base station software. I wonder who's listening in on my conversations? This (plus Sprint billing me $161 for my first day of service, then $99 for the next 30 days) will probably wean me from Sprint. Any secure communications architecture that relies on hop-by-hop encryption will be vulnerable to bugs like this in switches. End-to-end encryption is more robust against such things. ------------------------------ Date: Thu, 01 Mar 2001 07:35:22 +0000 From: Malcolm Pack Subject: SETI@Home felled by a Single Point of Failure After being unavailable for over 24 hours, the home page for the SETI@Home project, , has currently (1 March 2001) been set to redirect to a holding page at . | Fiber cut silences SETI@Home | | At about 3:30 AM PST on 27 February an optical fiber cable connecting | the U.C. Berkeley campus with the Lawrence Berkeley National | Laboratory was cut, apparently by vandals trying to "salvage" copper | from other nearby cables. | | The broken fiber carries data and voice connections for LBNL and also | for the Space Sciences Lab. SSL is where the SETI@Home project is | located, so the millions of participants helping to analyze data have | been unable to contact the SETI@Home servers for more than a day. | | Contractors are pulling new cable now. It's expected that service to | SSL will be restored by Friday, 2 March 2001. We'll update this page | as we learn more about the progress of the repairs. I infer either: o Traffic to and from the SET@Home servers is too great to be permitted to use any backup connection that exists between the two facilities. or o LBNL and SSL are cut off from the 'Net altogether until this SPF is repaired. The loss of processing time to the project is unimportant in terms of contribution to overall success or failure (I doubt ET will be too upset if we find him/her/it/them 4 days later than expected), but the drop-out rate may increase as people simply give up instead of checking the home page for an explanation for their lack of progress. Malcolm Pack ------------------------------ Date: Fri, 02 Mar 2001 17:41:00 -0500 From: yan@storm.ca (Yves Bellefeuille) Subject: Passwords don't protect Palm data, security firm warns At http://news.cnet.com/news/0-1006-202-5005917-0.html: Passwords don't protect Palm data, security firm warns By Robert Lemos Special to CNET News.com March 2, 2001, 11:45 a.m. PT http://news.cnet.com/news/0-1006-201-5005917-0.html?tag=prntfr People who rely on passwords to keep strangers from poking through the data stored on their Palms actually have no protection at all, a network security company warns. In an alert posted Thursday, @Stake pointed to a back door in the Palm operating system that allows anyone with developer tools to access data on handhelds that have been "locked" with a password. If someone finds or steals a Palm, the owner's data is basically an open book. And the theft of mobile devices for their data is becoming more common. "This is the nail in the coffin of the notion that the Palm has any security for your data," said Chris Wysopal, director of research and development for Cambridge, Mass.-based @Stake. "Any attacker with a laptop and a serial (syncing) cable is pretty much able to access everything on the device," he said. Handspring's Visor handhelds and Sony's Clie use the Palm OS. Palm representatives would not immediately comment on the advisory. The security flaw is actually in the OS for a reason. Palm software engineers and many of its application developers use the back door to debug applications running on the handheld. Many of them do not consider it to be a security issue, Wysopal said. However, few people who use the devices realize that using a password will keep only the casually curious from looking at their data. For that reason, @Stake said, it released the warning. "It's equivalent to adding a password to your PC's screensaver. "There's no true security in that," said Wysopal, who is known in the security community by his hacker handle, Weld Pond. Last September, @Stake discovered that the encrypted password used by Palm OS to protect so-called private records from prying eyes could easily be broken. With the discovery of the latest back door, it would seem that no data is safe. With a laptop loaded with developer tools and a sync cable, anyone who obtains access to a handheld can access the owner's data, add or delete applications, and format the memory card. Even Palm handhelds protected by encryption software could be compromised by using the back door to load a program to record all passwords as they are entered. Wysopal warned that weak Palm security could lead to other compromises as well. "You have corporate administrators keeping their company's critical passwords on their Palm because they think it is secure," he said. The back door affects all current versions of the Palm OS, Wysopal said. Palm OS 4.0, due later this year, is expected to correct the problem. Yves Bellefeuille , Ottawa, Canada ------------------------------ Date: Mon, 5 Mar 2001 12:01:30 -0800 From: Tony Yip Subject: Risks of laptop anti-theft devices Edited slightly from Burnaby Now, March 4, 2001, page 8. Nearly 300 people were evacuated from "the boot" (the phone company's main office building) last Monday after an employee mistook a computer's anti-theft device for a bomb. Spokesman said police were called to the company offices around 4:45 pm to investigate a small beeping object wrapped in tape that was left in the men's washroom. Investigators examined the device and determined the little bundle was nothing more than a loss prevention device removed from one of the company's laptop computers. Police have since learned that when the device was removed, frustrated employees tried to muffle its persistent alarm noise by wrapping it in tape. When that effort proved fruitless, one of the workers stashed the alarm in the washroom "for a little peace and quiet." "The guy walking in there afterwards must have had some scare. Thankfully this wasn't the real thing, but you should always be aware of your surroundings... you can never be too careful." ------------------------------ Date: Fri, 2 Mar 2001 13:52:07 -0500 From: James Paul Subject: Where does NAVSTAR say we are, again? OS/COMET, top-secret U.S. computer-system source code for guiding spacecraft, rockets, and satellites, has been obtained through an Internet breakin at the U.S. Naval Research Laboratory in Washington D.C., traced to a company in Stockholm and then to someone with username LEEIF (seemingly in Germany) masquerading as a user of freebox.com. This software is used in NAVSTAR GPS monitoring. [Source: Hacker gets hold of top secret U.S. space codes, Reuters News Service, 2 Mar 2001; PGN-ed; see also http://www.washingtonpost.com/wp-dyn/articles/A16751-2001Mar2.html http://www.washingtonpost.com/wp-dyn/articles/A16751-2001Mar2.html ] ------------------------------ Date: Fri, 2 Mar 2001 08:30:00 -0800 From: "Perry Pederson" Subject: Beware assumptions about keyboard layouts... I recently started a checking account at Hewlett-Packard's credit union, and as part of the process of obtaining a VISA debit card attached to the account, I needed to create a four digit PIN number for the card. After the card was initialized at the credit union, it failed to work at ATM machines, giving me an "invalid PIN number" error. I re-initialized the card three different times with credit union personnel, to no avail. Finally, after several calls to the credit union's main office to determine why my PIN wasn't taking, I noticed that the keypad that I used at the credit union to set the PIN number had the rows appearing in the opposite order of a "normal" PC keyboard-- the topmost row of keys had the numbers "123", the second row "456", and the third row "789". When I was generating my PIN, I was automatically pressing keys that had the same pattern as an "old" PIN that had I used at a previous bank without checking the numeric values associated with the keys. Once I entered the "correct" numbers, the card worked fine at ATM machines. The RISKs here should be obvious-- one should observe the input hardware being used, regardless of how similar it may look to other input devices. ------------------------------ Date: Wed, 28 Feb 2001 10:40:31 +0800 From: Gideon Sheps Subject: Re: On paper-size standards (Klossner, RISKS-21.25) > Other disparaging remarks, such as the "bizarre" way that we > norteamericanos measure paper density, would perhaps be more compelling if > they did not come from an island where everyone drives on the wrong side > of the road. I would be more inclined to be sympathetic if America wasn't the only country in the world still using the "British Imperial Standard of Measure" based on such sensible units such as the length of the King's foot or distance from his thumb to nose with arm outstretched, some 225 years after their revolution. Further, the whole world hardly drives on the same side of the road as the USA - in fact, as you might discover, the Brits are hardly alone. The Japanese, as well as much of Asia, Australia, New Zealand, parts of Africa, (e.g., S. Africa), and the Carribean (Bermuda, Bahamas, BVI...), also drive on the right. Given that India and Indonesia drive on the right, which roughly match China for population, I'd say its a tight race for the question of who is really on the wrong side. Technically, the Brits are on the correct side of the road, as approaching your opponent with your right hand free to hold the lance or sword is preferential for the 85% of the population who are right handed. (make that Gun for Americans... one might ask how many fewer random drive-by shooting victims might there be if they were firing with the right instead of left hand and could aim better?). I think the real risk here is that American schools don't prepare Americans for life outside America. G. Sheps (A "nortamericano" in Hong Kong) ------------------------------ Date: Mon, 26 Feb 2001 08:25:15 -0800 From: "Rob Slade, doting grandpa of Ryan and Trevor" Subject: REVIEW: "Tangled Web", Richard Power BKTANGWB.RVW 20001027 "Tangled Web", Richard Power, 2000, 0-7897-2443-X, U$25.00/C$37.95/UK#18.50 %A Richard Power %C 201 W. 103rd Street, Indianapolis, IN 46290 %D 2000 %G 0-7897-2443-X %I Macmillan Computer Publishing (MCP) %O U$25.00/C$37.95/UK#18.50 800-858-7674 317-581-3743 www.mcp.com %P 431 p. %T "Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace" This book gives a reasonably balanced review of the perception of security experts in regard to the level of computer or communications involved crime going on in our networked world. That is because this is not so much a book, as an extended compilation article. Power reproduces interviews with, or grabs quotations from the written works of, a great many forensic and security specialists or researchers. Very large chunks of the book are taken from previously published works. Note also that I say "balanced," and not "complete." Part one appears to be intended as a general introduction to computer related crime. Chapter one is the usual statement that it goes on, mercifully brief. Despite an interview with Sarah Gordon and extensive quoting from Donn Parker, chapter two's look at cybercriminals focuses rather narrowly on the fact that people who do crimes aren't normal. The CSI (Computer Security Institute)/FBI Computer Crime and Security Survey is introduced with many graphs and tables in chapter three. The description does mention, but doesn't emphasize, the fact that the survey was self-selecting and self- reporting, and therefore only marginally more informative than an opinion poll. Chapter four tries to look at costs. The title of part two seems to indicate a deeper analysis of criminals and system breakers. Chapter five touches on the infamous Operation Sundevil (the law enforcement disaster that was the inspiration behind Bruce Sterling's "The Hacker Crackdown," cf. BKHKRCRK.RVW), and the even more infamous Morris Internet Worm: is Power trying to equate police activity with system breaking? Three penetration episodes that led to the arrest of young crackers are described in chapter six. Some stories of theft of credit card numbers, bank fraud, and advanced phone phreaking are given in chapter seven, but these are cobbled together from published interviews with police, and have little technical background. There is a little bit about nuisances and vandalism, and a lot about distributed denial of service, in chapter eight. Chapter nine tells the stories of the Melissa and Love Bug e-mail worms. As with the earlier tales in the book, the material is technically weak, and has other errors of fact as well. (I exclude the respective CERT advisories, which are reproduced in full.) Part three is about spies and espionage. However, chapter ten, which talks about spies, doesn't really have anything to say about computer penetration. The stories are all very terse mentions of spying culled from general news reports. The tales of insider fraud, in chapter eleven, vary in length and don't really present any more than trivial information. Infowar gets a mix of anecdotes and speculation in chapter twelve. Part four looks at personal attacks. Both chapter thirteen, on identity theft, and chapter fourteen, on child pornography, are short and oddly unhelpful. Part five turns to defensive activities. Chapter fifteen concentrates on where the security department should be on the corporate org chart. Global law enforcement recounts a few presentations by non-US law enforcement people in chapter sixteen. There are more details on US government security offices and activities, in chapter seventeen, but not many. Countermeasures, in chapter eighteen, is a "once over lightly" of the entire security field. The epilogue, entitled "The Human Factor," is vague. If you haven't been paying any attention to computer security, this book is a quick read that will get you a very rough idea of what is going on in the areas of greatest concern to large corporations. If it scares a few people that will be all to the good: it certainly doesn't help you to start doing anything about security. Presumably it is the general public, with little knowledge of computer security, that is the intended audience. However, the lack of structure and uneven quality and depth of information make it difficult to know what those readers will take from this book. If, of course, you have been paying any attention at all, this is pretty old news. copyright Robert M. Slade, 2001 BKTANGWB.RVW 20001027 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. http://the.wiretapped.net/security/info/textfiles/risks-digest/ . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.26 ************************