precedence: bulk Subject: Risks Digest 21.57 RISKS-LIST: Risks-Forum Digest Tuesday 7 August 2001 Volume 21 : Issue 57 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: WEP insecurity (Avi Rubin) European Union strives for openness (Stephen A. Boyd) WinXP blocks some versions of some programs (B. Elijah Griffin) Cyanide for Code Red (Jeremy) I am virus generator? (Bob Frankston) AT&T Worldnet exposes all user passwords (Una Smith) Password changes -- SIGH! (Jim Horning) The risks of online order tracking (Darryl Smith) Mixing advertising and credit-card activation (Bob Green) Techs must report child pornography (Brien Webb) Re: Dutch government and virtual child pornography (Christian Reiser) Re: Super-accurate atomic clock hates Sundays (Phil Kos) What is your area code, really? (Andrew Koenig) Online advertising: Fraud, false positives and a novel DOS attack (John O'Connor) Re: Even a fatal error can't kill it (Terry Brugger, Joe Thompson, John M. Hayes) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 07 Aug 2001 05:56:27 -0400 From: Avi Rubin Subject: WEP insecurity [Read it and WE(E)P, unless you already WEPt. PGN] We have a new paper: Using the Fluhrer, Mantin, and Shamir Attack to Break WEP by Adam Stubblefield, John Ioannidis, and Aviel D. Rubin We implemented an attack against WEP, the link-layer security protocol for 802.11 networks. The attack was described in a recent paper by Fluhrer, Mantin, and Shamir. With our implementation, and permission of the network administrator, we were able to recover the 128-bit secret key used in a production network, with a passive attack. The WEP standard uses RC4 IVs improperly, and the attack exploits this design failure. This paper describes the attack, how we implemented it, and some optimizations to make the attack more efficient. We conclude that 802.11 WEP is totally insecure, and we provide some recommendations. The paper is available at http://www.cs.rice.edu/~astubble/wep/ Avi Rubin, AT&T Labs - Research http://avirubin.com/ White-Hat Security Arsenal: http://white-hat.org/ ------------------------------ Date: Fri, 3 Aug 2001 13:01:18 EDT From: "Stephen A. Boyd" Subject: European Union strives for openness The European Commission issued a White Paper last week that aims to address widespread public dissatisfaction with politics by increasing the openness and accountability of European Union institutions. "Many Europeans feel alienated from the Union's work," according to the White Paper, and they "no longer trust the complex system to deliver what they want." The White Paper identifies five principles that define "good governance" Openness, Participation, Accountability, Effectiveness, and Coherence. The Paper goes on to identify proposed changes in European Union policy derived from these principles. "We simply cannot go on as we are," said European Commission President Romano Prodi. "The White Paper is not an instant cure for everything, but it is a serious attempt to address the concerns that many people have." To a American reader, the White Paper's diagnosis of public disenchantment with politics is familiar. Its prescription, however, may seem a little naive in its faith that political life can be reinvigorated through procedural changes. Even so, it is a refreshing reminder that political institutions are not simply inherited, but are also maintained and can be recreated by regular people. "European Governance -- A White Paper" was adopted by the European Commission on July 25 and published for public comment here: http://europa.eu.int/comm/governance/white_paper/index_en.htm First, the source: This commentary was copied and pasted directly from *Secrecy News*, a digest (but not a forum) written by Steve Aftergood, an employee of the Federation of American Scientists (http://www.fas.org). Second, the irony: It is ironic that, on one hand, the EU ministers would issue statements like this, while on the other hand, they are pursuing the ECHELON continental-wide wireless surveillance and monitoring network. I guess "openness", the ministers contend, must go both ways, regardless of any privacy issues the EU's constituency may have. Third, the RISK: I believe this veil of purported openness is a valid RISK, since it seems the EU chiefs are making a push for pulling the wool over their constituents eyes. The issue Mr. Aftergood astutely mentions of "public disenchantment" is not only reinforced, it seems, but gives Americans no more confidence in our own government with respect to privacy and auto-accountability issues, since the same game is being played here. I'm all for good government and a solid nation, but only when the members of those governments are accountable to their bosses (i.e., the People). Stephen ------------------------------ Date: Thu, 2 Aug 2001 16:33:13 -0400 (EDT) From: "B. Elijah Griffin" Subject: WinXP blocks some versions of some programs *The Register* reports that WinXP 'Release Candidate 2' has a driver block that will prevent a number of programs from running. Some people are apparently worried that MS might become too bossy about what software their OS can run. The full story: http://www.theregister.co.uk/content/4/20805.html Elijah ------------------------------ Date: Mon, 6 Aug 2001 10:55:07 +0800 From: "Jeremy" Subject: Cyanide for Code Red Code Red may or may not be the major disaster that CERT predicted. It is certainly present and apparently mutating already. What does not seem to have happened is the production of an effective stopper for the Code Red. Present prophylactic activities involve getting as many systems as possible updated with 'the fix'. This of course will not work as a large number of systems are run out of the box by people with little to no technical training. They won't even know how to recognise they have the worm, let alone fix it. One simple fix is a passive worm that sits on a target machine and when a Code Red attack arrives, infects the attacker using the same technique that Code-Red uses (by definition, an attacking machine must be vulnerable to the attack). The passive worm could disinfect the attacker, and then sit waiting for further attacks on the original machine plus on the newly disinfected attacker. The rate of spread of the passive worm would be directly proportional to the spread of Code-Red. The passive worm cannot spread at all unless Code-Red is operating. The passive worm would almost certainly disable the IIS service, in fact it might be a good idea to have it produce a default web page stating so, together with instructions on how to download the security fix. An improved version may even apply the fix itself. The question arises as to whether a passive worm is illegal in any way. The arguments for a passive worm are that the system it is defending is under attack and it is taking steps to stop that attack. As a by-product, the attacker is unable to attack any other systems. The attacker does not suffer any damage as a result of the disinfection. The argument against it is that the defender places and executes code on the hostile machine. This may well breach any number of anti-virus laws. The real test of the argument will be when a very dangerous worm, say like Code-Red but 100 times as potent, is unleashed. The various Governments will be left in the serious dilemma as to whether to allow a vital national resource be destroyed, or to unleash a probably illegal antidote. The time scale to make such a decision could be a matter of hours from first discovery to Internet meltdown. Governments (and Microsoft) must have a contingency plan in place. I wonder what it is? Jeremy ------------------------------ Date: Fri, 3 Aug 2001 14:50:28 -0400 From: "Bob Frankston" Subject: I am virus generator? Norton Anti-Virus 2001 has decided that the script I use to backup my files is a virus. It says "Unable to repair this file OK" (no option for "Not OK")! In trying NAV2002 (beta) I found that it seems to label all scripts as viruses but, at least, it gives me an option of enabling them one by one by one. The trend to treat programming as a criminal act and put the onus on me to prove each action is not a crime is very worrisome. Outlook has the same attitude towards attachments, even URLs. It doesn't even deign to let me decide -- it just hides them. I guess it goes along with viewing PEDs as terrorist devices. (For those who haven't been following the issue in RISKS -- Personal Electronic Devices seem to be viewed as too dangerous to allow on airplanes, at least during safety-critical portions of a flight such as taxiing to the terminal.) Bob Frankston http://www.Frankston.com ------------------------------ Date: Fri, 3 Aug 2001 17:27:59 -0600 From: Una Smith Subject: AT&T Worldnet exposes all user passwords I called AT&T Worldnet customer support to ask a question about my bill. My question was entirely impersonal but nonetheless I was required to identify myself. I gave my name and current telephone number. The service rep then asked me for the number I had when I signed up; when I hesitated, she volunteered it. Then she asked for my e-mail password. When I refused she informed me my password is not a secret, and that *all passwords* connected to my Worldnet account (a Worldnet account can have up to 6 e-mail accounts) are *visible* on her screen. Una Smith, Los Alamos National Laboratory MS K-710, Los Alamos, NM 87545 ------------------------------ Date: Fri, 3 Aug 2001 12:12:52 -0700 From: Jim Horning Subject: Password changes -- SIGH! > From:
> Sent: Friday, August 03, 2001 10:12 AM > To: > Subject: IMPORTANT
INFORMATION - PLEASE READ > > We want to make you aware that
will be unavailable from 6pm > (PT) on Friday, August 3 to 11:59pm (PT) on Sunday, August 5 due to server > upgrades. During this time, you will not be able to access the website. > In 's ongoing effort to improve site performance, > these upgrades are occurring to load balance and increase site stability. > Part of this site upgrade includes a password change. ALL USERS WILL HAVE > A PASSWORD OF "change123" as of 12:01am PT Monday, August 6th, 2001. Once > you enter the system for the first time on or after August 6th, you will > be required to change your password and answer a secret question. In the > future, you will be able to use the answer to the question to reset your > own password. > If you experience problems, please contact the whereiwork help desk at > support@. ------------------------------ Date: Mon, 30 Jul 2001 17:51:49 +1000 From: "Darryl Smith" Subject: The risks of online order tracking I have just purchased a computer from Dell Computer. My experiences are interesting. 1. When I entered the 'E Code' to select the right configuration and price, the price given did not include the $500 discount that I should have received. I ordered by phone and got the substantial discount. RISK: Paying $500 more on line. 2. Knowing that I might have problems with my credit (debit card) I specifically asked the credit union what my limit was per day. They told me that it was whatever my balance was. When I went to purchase this computer the purchase was declined. When I contacted the credit union by phone they informed me about a $1000 per day limit unless it is up-ed but ONLY for the period that it was needed. I was to ring back as soon as the transaction was completed. RISK: Not having access to my money. 3. When I contacted DELL to let them know that the transaction could go ahead I was told that it would be a while for the transaction to occour - in other words they could not immediately process the transaction but it would be hours. RISK: There was increased potential for fraud because my account limit was upped for longer than I would have liked. 4. Sydney is 10 hours ahead of GMT at the moment, meaning that most parts of the world are behind us. When I logged onto the tracking WWW site at 7AM I was told that what the status was at 8PM that day, or 13 hours ahead. But that night I checked it at 5PM and was told that the status was at 4AM that day, or 11 hours behind. This does not make sense, unless the time is 11 hours behind at all times, and that the WWW site is reporting the clients day and the server time. RISK: Times and Dates should be based on either the clients date and time, or the servers, but not a combination of the two. 5. The tracking WWW site notes that computer is in 'Delivery Prep' and has been for about 5 days and about to be shipped. When I checked up with DELL the computer had been shipped to Australia, and was at the Sydney warehouse for final delivery. RISK: When relying on online order status systems, work out what the results mean before relying on them Darryl Smith, VK2TDS POBox 169 Ingleburn NSW 2565 Australia Mobile Number 0412 929 634 [+61 4 12 929 634 International] ------------------------------ Date: Mon, 30 Jul 2001 21:39:07 -0400 From: Bob Green Subject: Mixing advertising and credit-card activation I recently received a new AT&T Universal Card Visa Card. The card came with a security callback activation feature where you call an 800 number and enter your card number. If you are calling from home (and presumably have not blocked the caller ID feature), this call activates the card. The part of the procedure that surprised me was that after typing in my card number, the voice response system: - cautioned me to stay on the line until I heard a confirmation that my card was activated - launched in to 30 second advertisement for a form of disability insurance. The insurance is sold with a 3 month trial period after which the insurance is automatically charged to your card. - asked me to type "1" to purchase the insurance or "2" to not purchase the insurance - asked me a second time to to type "1" to purchase the insurance! - finally, after two "2" responses, the voice confirmed activating my card Besides being quite annoyed at being solicited in this manner, I had a moment of panic at the first question. Voice response systems that ask you to enter "1" to confirm a request are very common. Was this confirmation request to activate the card or to purchase the insurance? It took a moment of reflection to assure myself that I was saying no to the insurance. The risks are that one might - accidentally purchase insurance they don't want - feel forced to buy insurance in order to activate the card - hang up too soon and not activate the card Given the confusion that is often intentionally introduced by creative marketing, mixing advertising and a security procedure seems a very poor practice. -Bob Green ------------------------------ Date: Mon, 30 Jul 2001 20:00:02 -0700 From: "Brien Webb" Subject: Techs must report child pornography Source: Associated Press http://www.washingtonpost.com/wp-srv/aponline/20010727/aponline203146_000.htm In South Carolina, a new law on education standards for day-care workers has a requirement that private technicians tell police if they find child pornography when servicing computers. Think of the possibilities. You're servicing computers, and you get the idea to have some fun. You take a client's computer, roll the date back, access some child pornography web site(s), reset the date, and call the cops. Carrying it one step further, imagine that this as a political "dirty trick". It might just be the mayor or some legislative representative who gets victimized. Who would believe any protestations of innocence? --Brien Webb ------------------------------ Date: Mon, 30 Jul 2001 11:53:16 +0200 From: Christian Reiser Subject: Re: Dutch government and virtual child pornography (Dinwiddie, R-21.47) A comment to a quite old posting, but it might still be interesting: George Dinwiddie brought up the issue, how difficult it is, to guess a person's age. This is a problem, when the definition of child pornography depends on the age of the person on the picture. In Austrian legislation the definition of child pornography does not depend on the age of the person, but something is child pornography, when one or more persons involved in pornography look as if they were under 14. This solves the problem of finding out the age, but obviously raises some others. Christian Reiser, ASSIST, 1190 Wien, Nussdorfer Laende 29-33 C.Reiser@internet-security.at, priv: Christian@Reiser.at +43 1 370 94 40 ------------------------------ Date: Tue, 31 Jul 2001 17:28:53 -0700 From: Phil Kos Subject: Re: Super-accurate atomic clock hates Sundays (Knowlton, RISKS-21.55) Ironically enough, when I went to *The NYTimes* online to check out the article on AT&T's new speech synthesis software (also mentioned in RISKS-21.55), I noticed an article on a new type of atomic clock currently under development at NIST. The article quotes Dr. Alan Madej of the National Research Council, Ottawa, as saying "It certainly is a very big advance for atomic clocks." Presumably the display problems can be fixed now that MS has (finally, after at least three years) fixed the 4/1 DST bug. Or do you suppose the NRC's display software had their very own equivalent to MS's mis-implementation of DST? After all, any error that can be made once can be made again and again (buffer overruns are a good example). ------------------------------ Date: Sun, 29 Jul 2001 20:00:15 -0400 (EDT) From: Andrew Koenig Subject: What is your area code, really? This evening, I wanted to connect a laptop to the Internet to download updated virus definition files. I tried placing a call, then realized that didn't know whether the machine was set up correctly for my present location, so I cancelled the call. After checking the machine, I thought it looked reasonable, so I tried again. Five minutes later, two police officers showed up at my door, saying that they had received a 911 (emergency) call from my home. It took me a while to piece together what had happened: 1. Because I wanted to update the virus definition files, I called from "Administrator" rather than from my own account. 2. The last time I dialed out on that machine as "Administrator" was from a hotel room in San Antonio. 3. On the other hand, the phone number to dial for the ISP had since been changed to back home in New Jersey. 4. The default area code for a dial-up connection is 1, which happens to be the same as the country code for USA. Therefore, when setting the ISP's phone number, I had mistakenly assumed that the area code would go along with the phone number and specified an area code of 1 (which I thought was the (correct) country code of 1) and a phone number if 908 yyy yyyy (instead of yyy yyyy as it should have been). 5. The network dialer, which still thought I was in a hotel room, dialed 9 (for an outside line), 1 (for a toll call), 1 again (for what it thought was the area code), and then 908 yyy yyyy (which was ignored). I suppose the risks are obvious... Andrew Koenig ------------------------------ Date: Fri, 27 Jul 2001 11:49:15 From: "John O'Connor" Subject: Online advertising: Fraud, false positives and a novel DOS attack There has been some comment, in recent editions of risks, on the subject of online advertising as seen from the perspective of a Web surfer. From the viewpoint of a Webmaster seeking ad income, there are some interesting aspects including what seems to be a novel form of DOS attack. I'll focus on one particular advertising model known as Cost Per Click or CPC. In this mechanism, a Web site will display a banner for an advertiser and, when a surfer clicks on the banner, the advertiser will pay a small sum to the publisher of the Web site. Thus the publisher will receive an income dependent on the CPC multiplied by the Click Through Ratio or CTR. A simple click may cost an advertiser somewhere between two and fifty US cents and there is normally an agency of some sort between the two parties to see fair play, count the clicks, handle payments etc. One fairly obvious risk is that an advertiser who wants brand awareness and not clicks can get free advertising by running ads that will not get clicked but which will enhance brand recognition. From the advertisers viewpoint, fraud is the main risk. A Web site owner may use an automated system to generate bogus clicks to claim money that was not properly earned. There are thousands of http proxy servers that suffer from the same weakness that allows spam e-mail to exploit open smtp relays. Using these, a Web site owner bent on fraud can generate thousands of bogus mouse clicks. Of course, advertisers or, more commonly, the agencies with whom they deal take whatever steps they can to combat such fraud. One route used by many is just to have a cut off point for the CTR and say that a Web site with a high CTR will be automatically barred for fraud. Clearly this leads to the normal risk of false positives where a legitimate site with a high CTR is excluded. Interestingly, the false positives will here work to exclude the sites which are the best ones for the advertiser to use. For example, suppose that a dating agency, specialising in women from Russia seeking men from the West, uses an agency to run its banner ads on the Web sites represented by the agency. Most of the time, such ads will attract a CTR of about 0.2%. But what if one of the sites in the ad agency network happens to specialise in advice on exactly this topic? (Fiancee visas, how to address a letter to a country the uses the Cyrillic alphabet etc.) That site may see a CTR of over 5% which will rapidly earn it exclusion for fraud. Of couse, that is exactly the site on which the advertiser would like to run its ads. And the novel DOS attack? Recent reports on the Web publisher forums at geekvillage.com have focussed on another problem. Suppose that two sites are in competition as they cover the same subject area and target the same pool of surfers and advertisers. Site A runs banner ads and site B would like to get those ads for itself and perhaps even close down site A and get the surfers too. The operator of site B could set up a click-bot to cause open proxy servers to send thousands of clearly false clicks to the advertiser: seemingly on behalf of site A. Site A will soon be flagged for fraud and will lose its advertising income and may well close. John O'Connor http://www.jpoc.net ------------------------------ Date: Sun, 22 Jul 2001 10:45:38 -0700 From: Terry Brugger Subject: Re: Even a fatal error can't kill it (Haynes, RISKS-21.53) I recently had a similar experience with Ticketmaster's on-line ordering system. I was buying a ticket to a show by my favourite artist as soon as the tickets went on sale (I wanted a good seat). Unfortunately, the group has MANY other fans in the Bay Area, so the system was quite sluggish and timed out frequently. I selected the seat I wanted, entered in all my info and submitted it. After waiting a minute or two it came back with an error message to the effect of, "Unable to confirm your order - hit the back button and resubmit it." When I did so I was informed that my session timed out and that I should try again from the beginning. So I did, five times before the order went through and was confirmed. Everyone knows what happened next: I ended up with five tickets. Ticketmaster was nice enough about it, but I was still left with the task of mailing them the unwanted tickets in order to receive my refund. The risk: If you're going to build a system with the primary task of selling tickets to popular events: 1. Make sure it can handle the load when those events go on sale and 2. Make sure it correctly reports on the completion of transactions. "Zow" Terry Brugger http://bruggerink.com/~zow ------------------------------ Date: Thu, 19 Jul 2001 23:45:44 -0400 From: Joe Thompson Subject: Re: Even a fatal error can't kill it (RISKS 21.53) jhaynes@alumni.uark.edu noted in RISKS 21.53: > No doubt there are other systems out there which have the possibility of > completing a transaction and then telling the user that there has been a > fatal error. Maybe a whole lot of them. I recently had just such an incident with my bank (Chevy Chase Bank, based in Maryland). I used the online banking tools to transfer some funds from one account into another. Later that day I had a need to stop payment on a check, so again I logged on and transferred enough money back into the first account to cover the stop-payment fee. Later that night I withdrew some funds from the second account at an ATM, and my receipt showed the correct balance. The next night I did the same (total withdrawals $60.00 for the 2 transactions). The following day at lunch I tried to make a withdrawal at an ATM and was denied -- with the receipt showing a balance of approximately -$60.00 in the second account! You guessed it -- the online transfers I made had disappeared from the system, and my balances had "snapped back" to what they would have been had they never happened. Chevy Chase customer support, fortunately, believed me (in part because it's impossible to have a negative balance in a savings account without some really odd goings-on), and later that week it turned out to be a good thing because the chaos of those few days resulted in two checks that were currently going through the system "bouncing". CC refunded my insufficient- funds fees -- and the payees never knew because the two payments were made via Chevy Chase online payment, which sends the equivalent of a cashier's check (it can't bounce). The RISK, of course, is the old story: adding new systems adds complexity and can have entirely unexpected results. -- Joe ------------------------------ Date: Fri, 20 Jul 2001 10:59:35 -0400 From: "John M. Hayes" Subject: Re: Even a fatal error can't kill it The software that prevents duplicate transactions can be a problem in and of itself. I recently attempted to make hotel reservations through an online travel agency. On this particular site, there was no provision for reserving multiple rooms. So after making the first reservation, I went back and attempted to reserve a second room. The watchdog software would not allow me to reserve a second room in my name. I ended up having to use a different name in order to make a reservation for the second room. Eventually, this website does allow you to consolidate multiple reservations, but that was not at all clear as I struggled with their system. Note: For the trip home, I decided to just phone the hotel directly and talk to an operator in order to make similar reservations. It was MUCH easier. John Hayes (john.hayes@marconi.com) ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body SUBSCRIBE [or UNSUBSCRIBE] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.57 ************************