Subject: Risks Digest 22.01

RISKS-LIST: Risks-Forum Digest  Monday 1 April 2002  Volume 22 : Issue 01

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents: [This issue includes two old items, primarily for the archives.]
ATF Takes Responsibility for Federal Software Policy Enforcement (ATFS Director)
REVIEW: "Hacking for Dummies", Bill Murray III/Gene Spafford (Rob Slade)
Computers to Cars (unknown source via PGN)
Surprise Settlement Evenly Splits Microsoft (unknown source via Gene Spafford)
Big security leak in Internet s*xshop (Paul van Keep)
Web site leaks customers' addresses, offers extra discounts (Ron Gut)
Hackers find new way to bilk eBay users (Monty Solomon)
BT is publishing confidential ex-directory telephone numbers (Clive Jones)
Risks of using anti-spam blacklists (Eric Murray)
The smart highway (Raphael Lewis via Monty Solomon)
E-mail subscriptions, Windows 2000 patches and photocopiers (Alistair McDonald)
Re: Out with pilots, in with pibots (Robert Woodhead)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 1 Apr 2002 00:30:00 ET
From: Director@ATFS.gov
Subject: ATF Takes Responsibility for Federal Software Policy Enforcement

WASHINGTON (Reuters) - The Department of the Treasury announced today that responsibility for enforcement of new federal regulations of the software industry will fall under the jurisdiction of the Bureau of Alcohol, Tobacco and Firearms (ATF). As the regulations come into effect, the bureau will be renamed to be the Bureau of Alcohol, Tobacco, Firearms, and Software (ATFS).
The new regulations have been taken by most observers as a key indication of the Federal Government's serious concern over the software production scandal gripping the nation. The final verdict of the grand jury investigation into the dangers of unregulated software production was praised as a major victory by software leaders in Redmond last month. The grand jury investigation centered on the disturbing trend that key portions of the nation's critical infrastructure are being entrusted to a software product for which the secret inner workings (known as `source code') are becoming as prevalent as pornography on the Internet.

The Director of the ATF's 5,000-strong team of agents has pledged his full support to enforce the new regulations, under which all software development must take place only in licensed facilities by trained induhviduals. He was joined at a press conference this morning by the Director of the National Infrastructure Protection Center, who said, "It's about time the ATF took the entire software industry into its jurisdiction." He continued, "We would never consider laying the blueprints for our critical assets out for all to see. I applaud the new regulations for bringing sanity to a long unchecked industry."

The public will have until 1 Jun 2002 to dispose of all unregulated software products they may own. Possession of unlicensed software products can result in penalties up to 20 years in jail and multi-million dollar fines. Currently, only Smallsoft of Redmond, Washington, has achieved the necessary regulatory status to produce software in compliance with the new regulations.

An underground group of activists using the moniker ``the Electronic Frontier Foundation'' (EFF) has been strongly critical of the Federal Government's position throughout.
Police have indicated that violent clashes are expected between supporters of the EFF and US Presidential nominee Billy Doors, the major proponent of the regulations, as he addresses business leaders in Winnemucca, Nevada, this afternoon.

  [I suppose we can understand why they chose the acronym ATFS, given alternatives such as FATS, AFTS, FAST, etc.  PGN]

------------------------------

Date: Mon, 1 Apr 2002 07:19:57 -0800
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"
Subject: REVIEW: "Hacking for Dummies", Bill Murray III/Gene Spafford

BKHAKDUM.RVW   20020401

"Hacking for Dummies", William Hugh Murray III/Eugene Spafford, 1802, 076455302X, U$21.99/C$437.84
%A   William Hugh Murray III whmurray3@spryguy.com
%A   Eugene Spafford spif@serious.purdue.edu
%C   155 Divet Road, Suite 310, San Mateo, CA   94402
%D   1902
%G   076455302X
%I   International Data Group (IDG Books)
%O   U$21.99/C$411.95 415-312-0650 fax: 415-286-2740
%P   166 p.
%S   for Dummies
%T   "Hacking for Dummies"

As regular RISKS readers will note, I always enjoy a new addition to the "for Dummies" series. This time the imprint has outdone itself with a lighthearted romp through network naughtiness, by two of the least known, but most accomplished, practitioners of the field.

Some may question the need for such a work, but the authors maintain that they are performing a valuable service to corporations and society at large. "A vital system security penetration community is important," they state in the introduction. "It thins the herd of security practitioners. We have a moral responsibility to ensure that those who, not having the authority to fire people who insist on using Outlook, get blamed when major events happen and are forced to look for work in other fields."

In a switch from the standard format, the "Part of Tens" comes first, pointing out how to knock holes in each of the ten domains of the security common body of knowledge.
This sets up a series of helpful icons used to point out specific attacks that can be mounted against each domain. (Security management attacks tend to get a bit repetitive after a while: there are only so many ways of rewording the advice to pretend to be the CEO's secretary.) Some common and handy attacks (such as the ubiquitous brute force denial-of-service attack, featuring a sledgehammer) are listed, but there are a number of little-known tricks, like the means of attacking a computer that has been sealed in a lead-lined vault, surrounded by armed guards, and cast in concrete. Dorothy Denning's sidebar on starting wars by manipulating e-mail systems is particularly interesting.

Security professionals are not ignored: in an interesting display of fair-mindedness, the authors suggest that incident-response team members prepare by ensuring they always have plenty of sugar in their gas tanks for extra energy on late-night calls.

Critical reaction to the tome has been spirited but mixed. Winn Schwartau, in the foreword, asks "is it moral, is it ethical" to provide such information to the general public, before concluding, "Who cares? Nobody has time for this." Phil Zimmermann has roundly condemned the section on anonymous communications, stating that the government has a legitimate need for access to private communications, while Fred Cohen is upset that the authors suggest viruses could be used for beneficial purposes. Richard Stallman is reported to be disturbed by the position that software development can take place in the kind of anarchic environment promoted by the book, and has launched a campaign to ensure that everyone has valid licenses for Microsoft products. Bruce Schneier, on the other hand, points out that the information in the book presents no danger to the public. "As long as you've got a strong crypto algorithm and good technical solutions, it doesn't matter about implementation and people."

copyright Robert M. Slade, 2002   BKHAKDUM.RVW   17020401
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Mon, 1 Apr 2002
From: Peter Neumann
Subject: Computers to Cars (unknown source)

  [I have had several requests for including this item in RISKS from those who have not yet seen it, even though it has been circulating for a while. I have no idea who originally created it, but I am grateful to the author for his or her incisive observations.  PGN]

For all of us who feel only the deepest love and affection for the way computers have enhanced our lives:

At a recent computer exposition (COMDEX), Bill Gates reportedly compared the computer industry with the auto industry and stated: "If General Motors had kept up with the technology like the computer industry has, we would all be driving $25.00 cars that got 1,000 miles to the gallon."

In response to Bill's comments, GM issued a press release stating: "If General Motors had developed technology like Microsoft, we would all be driving cars with the following characteristics:

 1. For no reason whatsoever, your car would crash twice a day.
 2. Every time they repainted the lines in the road, you would have to buy a new car.
 3. Occasionally your car would die on the freeway for no reason. You would have to pull over to the side of the road, close all of the windows, shut off the car, restart it, and reopen the windows before you could continue. For some reason, you would simply accept this.
 4. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.
 5. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive -- but would run on only five percent of the roads.
 6. The oil, water temperature, and alternator warning lights would all be replaced by a single "General Protection Fault" warning light.
 7. The airbag system would ask "Are you sure?" before deploying.
 8. Occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.
 9. Every time GM introduced a new car, car buyers would have to learn to drive all over again because none of the controls would operate in the same manner as the old car.
10. You'd have to press the "Start" button to turn the engine off.

------------------------------

Date: Mon, 21 Jan 2002 23:07:30 -0500
From: Gene Spafford
Subject: Surprise Settlement Evenly Splits Microsoft (unknown source)

  [From SatireWire, via various intermediaries.  Reprised for the occasion.  PGN]

Decision Keeps Redmond from Monopolizing Massive Microsoft Patch Industry

Surprise Settlement Evenly Splits Microsoft; One Firm To Make Software, Other To Make Patches

Redmond, Wash.  In a surprise settlement today with nine U.S. states, Microsoft agreed to be split into two independent companies -- one that will continue to make Microsoft operating systems, browsers, and server software, and another, potentially larger company that will make patches for Microsoft operating systems, browsers, and server software.

Critics immediately charged that the settlement -- which overrides a previous agreement with the U.S. Department of Justice -- does nothing to diminish Microsoft's standing as the world's most powerful software company. But industry analysts argued that providing patches for security holes in Microsoft programs is a major, untapped growth industry, and applauded the states for not allowing Redmond to control it.
"Just consider, Microsoft can make an operating system, such as Windows XP, and sell 200 million copies, but each one of those copies is going to need at least five patches to fix security holes, so that's 1 billion patches," said Gartner Group analyst Mitch Fershing. "That is an enormous, undeveloped market."

Microsoft employees seem to agree, as sources in Redmond described a "mad scramble" among staffers to position themselves for spots at the new company, called Patchsoft. Asked why people would want to leave Microsoft for a startup, the source said the answer was "really quite simple."

"Everyone here is asking themselves, 'Do I want to be part of the problem, or part of the solution?'" he said.

But J.P. Morgan analyst Sherill Walk suspects another motive. "Considering the sheer number of patches we're talking about, I think the new company will become another monopoly, and I believe the people who've jumped ship very well know that."

"Nonsense. It's really all about consumer choice," responded Patchsoft's new co-CEOs, Bill Gates and Steve Ballmer.

But how will Patchsoft make money? Currently, Microsoft issues free patches for problems in Windows XP, SQL Server, Internet Explorer, Outlook, Windows 2000, Flight Simulator, Front Page, Windows Me, Media Player, Passport, NT Server, Windows 98, LAN Manager (for a complete list of MS software needing patches, see www.support.microsoft.com). Under the agreement, Microsoft will no longer issue patches, which Gates said explains the recent five-day outage at Microsoft's upgrade site. "That was planned," he said. "It was a test of the Microsoft No Patch Access system. Went perfectly. No one was able to download anything."

At a press conference to outline the settlement, Connecticut Attorney General Richard Blumenthal pledged to keep a close eye on Patchsoft to ensure it would not overcharge for its services.
He also expressed hope that other firms would soon become Certified Microsoft Patch Developers (CMPDs) and challenge the spin-off.

Asked if Patchsoft, with so many former Microsoft employees, will have an advantage over potential competitors in the Microsoft patch market, Blumenthal said the settlement prohibits collaboration. "Patchsoft developers will not have any foreknowledge of bugs or security holes before software is released. They'll just have to be surprised," he said. "So it will be just like it was when they were at Microsoft," he added.

One Reuters reporter, meanwhile, questioned the long-term viability of Patchsoft. "This seems like a logical split right now, but what if Microsoft's products improve to the extent that patches are needed less frequently, or perhaps not at all?" she asked.

"I'm sorry, I can only respond to serious questions," Blumenthal answered.

------------------------------

Date: Fri, 22 Mar 2002 21:56:08 +0100
From: Paul van Keep
Subject: Big security leak in Internet s*xshop

Christine Le Duc, a Dutch chain of s*xshops, and also a mail & Internet order company, suffered a major embarrassment last weekend. A journalist who was searching for information on the company found a link on Google that took him to a page on the Web site with a past order for a CLD customer. He used the link in a story for online newspaper nu.nl. The full order information including name and shipping address was available for public viewing. To make things even worse it turned out that the classic URL twiddling trick, a risk we've seen over and over again, allowed access to ALL orders for all customers from 2001 and 2002. The company did the only decent thing as soon as they were informed of the problem and took down the whole site.
http://nu.nl/document?n=53855

------------------------------

Date: Thu, 14 Mar 2002 18:43:34 -0500
From: Ron Gut
Subject: Web site leaks customers' addresses, offers extra discounts

Saab USA embarked on a direct-mail marketing campaign to sell its cars. To past and potential customers it sent postcards with a web site address and an ID number, promising a $50 savings bond for test driving a new car or a $500 discount on the purchase of one. The ID numbers run consecutively, starting at 1 (though Saab's personnel took care to pad the numbers out with leading zeros to a certain length, which does not present a difficulty if one already has an ID number in hand). The web site asks for the ID and presents the surfer with the ID holder's address and the choice of the two incentives. Once the surfer chooses which incentive to receive, the web site presents a JPEG image which needs to be printed, brought to a dealer and stamped by a sales person for Saab to honor it.

Problem number one: it is very easy to print out both types of coupons, and receive more discounts on a new car than Saab likely intended (a financial RISK here).

Problem number two: as was already hinted at above, it is very easy to enter other valid IDs at the web site, and therefore collect the addresses of people Saab thinks are likely to want a new car (both a privacy RISK to the unwitting customers and financial and PR RISKs to Saab).

Problem number three: since those IDs have already been sent out, Saab cannot change them! The web site can be changed to request the customer's name, as printed on the post card, in addition to the ID. The state or municipality should not be relied upon, as it appears Saab assigned IDs to customers sequentially after sorting the list geographically, making that field easier to guess. RISK here -- fixing this problem in the design stage would have been simpler, cheaper and less embarrassing than after release.
Problem number four: I decided to be a good netizen and report this to the Saab webmasters. Alas, I was foiled by their very fancy web site. The "Contact Saab" web page presents a form, but in Netscape 4.7 on X Windows the only field that I can actually edit is the "Subject" field -- I can't actually report this problem (thus compounding all of the above RISKS). The same version of Netscape on Windows displays the form just fine, as does IE. What is the source of the RISK here? Non-conformance to standards? I doubt conformance to web standards will solve every instance of such a problem since most of the popular browsers do not fully comply with those standards (Netscape 4.7 certainly does not).

------------------------------

Date: Mon, 25 Mar 2002 22:26:02 -0500
From: Monty Solomon
Subject: Hackers find new way to bilk eBay users

Source: Troy Wolverton, CNET News.com, 25 Mar 2002

Someone other than Gloria Geary had access to the Washington artist's eBay account last week. Using Geary's user ID, the person set up an auction for an Intel Pentium computer chip. Not only that, but the person changed Geary's password so she could no longer access her own account--or cancel the bogus auction. Geary, who discovered the auction Friday, was able to convince eBay to pull down the auction over the weekend, but not before suffering through a stressful day of worrying about how the auction would affect her legitimate listings.

http://news.com.com/2100-1017-868278.html

------------------------------

Date: Thu, 21 Mar 2002 14:56:40 GMT
From: clive-nospam-risks@nsict.org (Clive Jones)
Subject: BT is publishing confidential ex-directory telephone numbers

British Telecom offers, in the UK, a range of discounted telephone services to domestic subscribers under the name "BT Together". One of their exclusions under some such schemes is calls to ISPs.
Go to the following part of their Web site:

  http://www.bt.com/together/isp_exclusion.jsp

...and follow the "click here to view the full list" link. This purports to be a list of telephone numbers for ISPs. However, it has been very crudely assembled, and includes several (possibly many) telephone numbers that are actually confidential ex-directory dial-in numbers for various organisations. When I looked, the list contained 4960 numbers in total.

The potential for abuse (especially denial of service) is obvious. I.T. managers in the UK should check whether their dial-in numbers appear on the list. If they do, they should urgently consider having the telephone number changed.

------------------------------

Date: Fri, 22 Mar 2002 11:43:17 -0800
From: Eric Murray
Subject: Risks of using anti-spam blacklists

In the last week I have run up against two different RISKS related to anti-spam blacklists. These lists have grown from the old MAPS RBL system and are now run by a number of people. ORDB lists 15 different blacklists run by 12 different people or organizations.

Background: I run a small network that supports my consulting business and a few mailing lists. I've been a Unix geek since 1985, I've run some very large networks, and I've been active in network security since 1991. I've used RBL and I distribute my own anti-spam freeware. I hate spam.

Last week I got some bounced mail from one of my lists -- the recipient system was rejecting it as "spam" and the error message pointed me to ORDB.org. I was surprised to see this since I'm not running an open relay and there's never been spam sent from my network. At ORDB.org I discovered that while my network was not actually listed by ORDB itself, it was listed by blackholes.five-ten-sg.com which is somehow linked to ORDB. I followed their web site's process for getting off the list, which is to send e-mail to the maintainer.
He reported that my network range is within a block "owned" by Verio, and he was blocking all of Verio because of a particular spammer that Verio hasn't gotten rid of. I replied "all of Verio for one spammer? What about everyone else who's not a spammer? Couldn't you be more accurate with your list and not list the netblock I'm in (in reality owned by Meer, not Verio)?" His answer: "Too bad for you, you should move".

The RISK here is that in using a blacklist or a service that checks many blacklists, one might be blocking a lot more than spammers. Blacklists might not be following the policy that you think they are following, and may be blocking address ranges out of spite or laziness, not because of actual spam.

Yesterday I started getting bounces from another list subscriber; the error messages said that I was an "insecure site" according to ORBZ, another blacklist service. ORBZ was taken off the net yesterday due to legal threats. Evidently the software that makes the check treats ORBZ as a whitelist, and since it's not answering, is rejecting mail that it shouldn't reject. (The site in question doesn't have aliases for postmaster, admin or root, so I can't even notify them of their problem.)

The RISK? Poorly written checks of blacklists can produce unintended results when the list fails.

The temptation to go all out to kill spam needs to be tempered with the realization that communication is what makes the Internet work. If you don't care how much real mail you reject in your drive to block spam, then simply turn off your mailer and you won't get any spam at all.

------------------------------

Date: Sun, 24 Mar 2002 18:28:57 -0500
From: Monty Solomon
Subject: The smart highway

Over budget, behind schedule, the big brain would allow instant communication between controllers and drivers - if and when it works [...]
Called the Integrated Project Control System, or IPCS, the Central Artery's electronic monitoring mechanism will constitute the nation's largest, most sophisticated, and most expensive system, allowing highway operators and engineers to respond in real-time to collisions, car fires, and traffic jams, with plenty of help from computers that will do much of the thinking for them. [...]

Beneath the pavement, 1,500 magnetic ''loop detectors'' will monitor the progress of each vehicle passing above to gauge traffic flow, determine if a car has suddenly stopped or dramatically slowed - which could mean there has been an accident - and provide traffic counts to aid in planning. While the loop detectors could easily detect a speeder, project officials insist that state troopers will not have access to the data. [...]

Source: Raphael Lewis, *The Boston Globe*, 24 Mar 2002
http://www.boston.com/dailyglobe2/083/metro/The_smart_highway+.shtml

------------------------------

Date: Mon, 18 Mar 2002 21:54:55 +0000
From: Alistair McDonald
Subject: E-mail subscriptions, Windows 2000 patches and photocopiers

E-mail subscriptions

I was working on-site for a client and a manager forwarded an e-mail newsletter, pointing a virus warning out to us. At the bottom of the message was a link to a web page to manage his subscription. I accidentally clicked the link, and was surprised that I had full control, without password, of his personal details and newsletter preferences (English, French, German, plain text or HTML). Maybe a confirmation e-mail would be sent to him about changes, I didn't try, but even being able to view the information should be forbidden without authentication.

Windows 2000 bugs

One of the items in a newsletter I received recently was this Microsoft knowledgebase article listing all the knowledgebase articles (bug reports, clarifications, and similar) about Windows 2000 since the release of service pack 2 (released late 2001). There are currently 663 articles.
No, make that 714; more have been added in the last 6 hours. Not all are bugs, but some are, and some are pretty serious too, for example Q265296: "Toshiba PC Card Controller May Power 3.3-Volt R2 PC Card at 5 Volts."

http://support.microsoft.com/default.aspx?scid=%2Fsupport%2Fservicepacks%2Fwindows%2F2000%2Fwin2000%5Fpost%2Dsp2%5Fhotfixes%2Easp

  [Apparently requires IE.  PGN]

Photocopier stores document for later printing

While on-site at a client, I needed to copy a confidential document. I placed the document in the copier, and it complained about not having enough paper. I saw that another tray was full, so rotated my document (a lot of copiers auto-detect size and orientation) and tried again -- no joy. I filched some paper from a nearby laser printer, but instead of getting the two copies I ordered, I got six -- two from my first attempt, two from the second with the wrong orientation, and the last two once I'd rotated my document and tried again. On investigation, the machine scans in a job even though there is no paper to fulfill it, and holds the documents in memory until there is. If I'd walked away to another photocopier, my confidential document would have been output whenever some kind-hearted soul replenished the paper, and when I was nowhere around.

1: Learn how to use all the tools you use, properly.
2: Assumptions don't carry from one device to the next, no matter how similar they seem.

Alistair McDonald, Inrevo Ltd  http://www.inrevo.com/

------------------------------

Date: Fri, 15 Mar 2002 09:18:47 -0500
From: Robert Woodhead
Subject: Re: Out with pilots, in with pibots (Kristiansen, RISKS-21.96)

> [Gives me a nightmarish vision of a cloud of little unmanned aircraft all
> heading for the same place, trying to avoid each other, ...

You see this happening every day. It is called a flock of birds, and the flocking algorithm is both very simple and works exceptionally well. They flow around obstructions like water.
In a proper flocking algorithm (which IIRC is basically "try to stay close to the center of the flock, but not too close to nearby birds") a foreign object passing through the flock would generate evasive maneuvers by nearby planes but the effects on more distant planes would be more and more diluted. The reason a flock scatters is that the foreign object is often trying to eat a bird, at which point algorithm #2 ("It's every bird for himself") is activated.

Nevertheless, such innovations must be carefully scrutinized, as the possibility of a serious flockup is always present.

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTION: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
     subscribe [OR unsubscribe]
   which requires your ANSWERing confirmation to majordomo@CSL.sri.com . [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
     INFO [for unabridged version of RISKS information]
   There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html
     ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com, login anonymous, [YourNetAddress], cd risks
     [volume-summary issues are in risks-*.00]
     [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
   http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
   http://www.planetmirror.com/pub/risks/
   ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.01
************************
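Editor's added example for the Saab coupon item (Ron Gut, above). This is not code from the digest or from Saab; it illustrates problems one and two of that item. The sample mailing list, the ID format and the campaign key are constructed for the example. Where the poster proposes asking for the customer's name alongside the ID, this example instead shows the design-stage fix he alludes to: the postcard code carries a keyed tag (HMAC) that cannot be guessed from a neighbouring ID, and the server records which single incentive each recipient took.

```python
import hashlib
import hmac

# Constructed sample mailing list (not Saab's data): sequential IDs padded
# with leading zeros, the scheme the RISKS item describes.
MAILING = {
    "000001": {"name": "A. Example", "address": "1 Example Street, Springfield"},
    "000002": {"name": "B. Example", "address": "2 Example Street, Springfield"},
}
INCENTIVES = {"bond", "discount"}

# Assumed per-campaign server secret; in a real deployment this lives in a
# secret store, never in source.
CAMPAIGN_KEY = b"example-campaign-secret"


def lookup_as_deployed(id_number):
    """The flaw in the item: the sequential ID is the only credential, so one
    postcard lets its holder enumerate every other recipient's address."""
    return MAILING.get(id_number)


def _tag(id_number):
    """16 hex chars of HMAC-SHA256 over the ID; not computable without the key."""
    return hmac.new(CAMPAIGN_KEY, id_number.encode(), hashlib.sha256).hexdigest()[:16]


def mint_code(id_number):
    """What should have been printed on the postcard: ID plus keyed tag."""
    return f"{id_number}-{_tag(id_number)}"


def redeem(code, incentive, redeemed):
    """Hardened handler.  Verifies the tag before revealing anything and
    allows exactly one incentive per recipient.  `redeemed` (ID -> incentive)
    stands in for the campaign database."""
    if incentive not in INCENTIVES:
        return None
    id_number, sep, tag = code.partition("-")
    if not sep or not hmac.compare_digest(tag, _tag(id_number)):
        return None  # guessed or tampered code: nothing disclosed
    if id_number in redeemed:
        return None  # second coupon refused (problem number one)
    record = MAILING.get(id_number)
    if record is None:
        return None
    redeemed[id_number] = incentive
    return {"name": record["name"], "address": record["address"], "incentive": incentive}


if __name__ == "__main__":
    ledger = {}
    card = mint_code("000001")
    print(card, redeem(card, "bond", ledger))
    print("second coupon:", redeem(card, "discount", ledger))
    print("guessed neighbour:", redeem("000002-" + "0" * 16, "bond", ledger))
```

The tag does nothing for postcards already in the mail, which is problem number three; it is the check that should have been designed in before the IDs were printed.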
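Editor's added example for the anti-spam blacklist item (Eric Murray, above), specifically the second RISK: a DNSBL that stops answering and a checker that then rejects everything. The code is not from the digest and does not claim to be what the rejecting site ran; the "buggy" function is one plausible shape of that mistake. DNS is replaced by an in-memory stand-in so the example runs offline; the zone names are invented.

```python
# Constructed stand-in for DNS.  A DNSBL is queried by reversing the client's
# IPv4 octets and appending the zone; any A record means "listed".
# Zone names are assumptions for the example, not real blacklists.
LISTED = {"1.0.0.127.bl-a.example": "127.0.0.2"}   # 127.0.0.1 is listed in bl-a
DEAD_ZONES = {"bl-dead.example"}                    # a list that has gone offline


class LookupFailed(Exception):
    """Timeout / SERVFAIL: the zone could not be consulted at all."""


class NotListed(Exception):
    """NXDOMAIN: the zone answered and the address is not on it."""


def fake_resolve(name):
    """Constructed resolver: returns an A record, or raises like a real one."""
    zone = name.split(".", 4)[4]
    if zone in DEAD_ZONES:
        raise LookupFailed(name)
    if name in LISTED:
        return LISTED[name]
    raise NotListed(name)


def dnsbl_name(ip, zone):
    return ".".join(reversed(ip.split("."))) + "." + zone


def check(ip, zone, resolve=fake_resolve):
    """Three-valued result.  Collapsing 'unknown' into either side is the bug."""
    try:
        resolve(dnsbl_name(ip, zone))
        return "listed"
    except NotListed:
        return "clean"
    except LookupFailed:
        return "unknown"


def reject_buggy(ip, zones, resolve=fake_resolve):
    """Anything short of a clean answer counts as a listing, so the day a
    zone goes dark every sender is rejected (the symptom in the item)."""
    return any(check(ip, z, resolve) != "clean" for z in zones)


def reject(ip, zones, resolve=fake_resolve):
    """Reject only on an affirmative listing.  An unreachable zone is
    ignored here; in production it should also be logged and alerted on so
    the dead list gets removed from the configuration."""
    return any(check(ip, z, resolve) == "listed" for z in zones)


if __name__ == "__main__":
    zones = ["bl-a.example", "bl-dead.example"]
    for ip in ("127.0.0.1", "192.0.2.10"):
        print(ip, "buggy:", reject_buggy(ip, zones), "correct:", reject(ip, zones))
```

With a real resolver the same three-way split has to be preserved: NXDOMAIN (not listed) and a timeout or SERVFAIL (unknown) must be told apart, which means inspecting the resolver's error rather than treating every exception alike.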