precedence: bulk
Subject: Risks Digest 22.06

RISKS-LIST: Risks-Forum Digest  Wednesday 8 May 2002  Volume 22 : Issue 06

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents: [a few typos fixed]
Unprepared for cyberattacks? (NewsScan)
Ashcroft wants stiffer penalties for identity theft (NewsScan)
The Console Buffer Knows... (Mark Bergman)
Salespionage (Rob Slade)
GNU is Not Unix (Dimitri Maziuk)
More on Clez (Rob Slade)
Moderated mailing lists and virus scanners (Matthew Byng-Maddick)
CLUTS: Composable Low-assurance UnTrusted Systems (Ben Laurie)
NRC report on porn (Herb Lin)
ACM invitation (Lillian Israel)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 07 May 2002 09:01:12 -0700
From: "NewsScan"
Subject: Unprepared for cyberattacks?

People with knowledge of national intelligence briefings say that little has been done to protect the country against a cyberattack. Senator Jon Kyl (R-Ariz.) says: "It's a big threat, because it is easy to do and can cause great harm," and vulnerable U.S. targets are said to include the Centers for Disease Control and Prevention; FedWire, the money-movement clearing system maintained by the Federal Reserve Board; computer systems that operate water-treatment plants or that run electrical grids and dams; facilities that control the flow of information over the Internet; the nation's communications network, including telephone and 911 call centers; and air traffic control, rail and public transportation systems. Rep. Jane Harman (D-Calif.) says: "What I fear is the combination of a cyberattack coordinated with more traditional terrorism, undermining our ability to respond to an attack when lives are in danger."
(USA Today 6 May 2002; NewsScan Daily, 7 May 2002)
http://www.usatoday.com/life/cyber/tech/2002/05/06/cyber-terror.htm

------------------------------

Date: Fri, 03 May 2002 08:20:55 -0700
From: "NewsScan"
Subject: Ashcroft wants stiffer penalties for identity theft

U.S. Attorney General John D. Ashcroft is proposing legislation increasing by 2 to 5 years the jail time for persons convicted of aggravated identity theft a crime. "The Department of Justice is committed to seeing to it that criminals and terrorists cannot find refuge in the identities of law-abiding citizens of this country." Since October 1998, 2,223 criminal cases have been filed against 2,899 defendants. The call for tougher penalties won immediate support from Democrat Sen. Dianne Feinstein of California, who chairs the Senate Judiciary subcommittee on technology, terrorism and government.
(*The Washington Post*, 3 May 2002; NewsScan Daily, 3 May 2002)
http://www.washingtonpost.com/wp-dyn/articles/A24368-2002May2.html

------------------------------

Date: Mon, 06 May 2002 13:13:32 +0200
From: Mark Bergman
Subject: The Console Buffer Knows...

The advantage (and risk) of being able to use screen buffers and scroll bars to go "back in time" and see what happened in a terminal session is fairly well known, but I associate that kind of thing with fairly "intelligent" GUI terminal emulators such as xterm.

I happened to be using the "GSP" (Guardian Service Processor--a set of low level hardware and diagnostic routines) to check the cause of the blinking error LED on an HP "L" class server recently. I was using a very "dumb" console--just an 80x24 monitor and a keyboard with a serial connection to the server to access the GSP.

Among the dozens of commands within the GSP is a selection to show the console log. I was pleased to see that the console log contained the many diagnostic messages that are displayed when the server boots up, before logins are available.
I was also very surprised to find that the log also held the screen shots of the last console login session, including a telnet session into a network switch and the complete log (not just the commands, but all output as well) of the switch reconfiguration!

No passwords were visible this time, and this discovery isn't a particularly earth-shattering revelation. However, I think that there's a RISK when someone uses an apparently "dumb" device with no intrinsic "history" to connect to another device (the switch) with no command history, and yet there's a record of every screen preserved weeks later.

Mark Bergman

------------------------------

Date: Mon, 22 Apr 2002 19:50:21 -0800
From: Rob Slade
Subject: Salespionage

Recently a RISKS reader has been regaling me with stories about life in the marketing trenches at--well, shall we just say A Very Large Technology Company. AVLTC (TC to its very close friends), like most other technology companies, has a marketing arm. The marketing people have managed to include directives to be issued to all incoming staff. Prime among these is indoctrination about the importance of Contacts. Contacts are, of course, the life blood of Sales and Marketing. Every Contact is to be forwarded to Marketing for inclusion in the database. And, in order for the Contact to be useful, it must include as much information about the Contact as possible.

(Remember the old joke price list for Answers, Correct Answers, and so forth? Well, in the TC world, an Answer costs you a name, address, and phone number, while a Correct Answer costs you a life history. Even a Dumb Look costs you a name and phone number, at the very least.)

Since TC deals in Solutions (and don't we all?), many people approach TC speakers at conferences and seminars with Problems. In order to get a TC person to even listen to your Problem (hopefully thinking that they might get back to you with a Solution) you have to give them your Contact info.
And that info goes into the database. And, of course, many of the people with the most interesting Problems might work for important agencies. Like, say, the military. So TC has a Very Extensive List of names and phone numbers of people in the military, as well as other agencies.

Now, given the least benefit of the doubt, we can assume that TC is not interested in espionage. What TC *is* interested in is Aggressive Marketing. So they regularly have people call the numbers in the List. And, of course, if they have no other information, and if they are worthy of their Marketing headsets, they start asking questions. In security realms this would be known as social engineering, and it is a really neat way to get people to tell you things that they ordinarily wouldn't. If you have the right number, and the right name, there tends to be a presumption that you also have the right to ask questions. Particularly if you also know the right Problem. But remember, this is not espionage, just Aggressive Marketing.

Now comes an interesting twist. Assume that TC has no interest in espionage. Assume that their Marketing and Sales people are all of the highest ethical calibre. (No, Peter, this is not a military pun.) Even granted all of this, TC does not use its own sales staff to gather this information. TC sales staff are highly trained and skilled workers, and are also paid more than three dollars per hour. So TC contracts out this information gathering work to outside companies.

At this point, unfortunately, the tale gets a bit fuzzy, since we don't know an awful lot about these companies, except that they are likely also the people who phone you at dinner time to sell excess credit cards and unwanted magazines.

Well, we do know slightly more about these companies. Said companies provide a valuable employment opportunity to any number of rather low paid workers who are very likely industrious and entrepreneurial.
And, if the lack of command of the English language is any indication, also recent immigrants to these shores.

rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Mon, 6 May 2002 14:52:30 -0500
From: dmaziuk@yola.bmrb.wisc.edu (Dimitri Maziuk)
Subject: GNU is Not Unix (Re: Markettos, RISKS-22.05)

Well, that particular risk is well known to professional Unix systems administrators -- in fact, I was rather surprised to see that Linux "killall" made the RISKS now: it's been [in]famous among Unix sysadmins for quite a while now.

I see two issues here: one is that of false advertising, and another one -- of professionalism (not that they are entirely unrelated).

Stallman's rants about "LiGNUx" have a perfectly good technical reason behind them: "Linux" (as in "OS based on Linux kernel and free software") has lots of GNU software in it, and "GNU is Not Unix". Hence, Linux is *Not* Unix, regardless of what Linux advocates may be telling us, it is "GNU". (And, BTW, Unix is Not GNU.)

That was about false advertising, now let's look at professionalism. Linux killall is a perfect illustration of what happens when a product is designed by a dilettante. Back in 1975 professionals designed an OS called Unix. Being professionals, they realised the need for certain design principles. Such as splitting a task into a number of smaller subtasks and designing a separate tool to handle each subtask (that does one thing, and does it well)[0]. For example, shutting down a computer involves flushing (synchronizing) file buffers to disk ("sync"), killing all running processes ("killall"), and powering off the machine ("poweroff", at least on Solaris). All perfectly neat and logical. Along comes a layman who is unaware of the above principle, and of the significant "prior art"[1]. Result? -- read Theo's message.
(Various observations to show that this isn't such a big problem (in no particular order):
* professionals already know that similarly-named utilities often behave differently on different operating systems,
* GNU folks never intended to uphold the aforementioned design principle in the first place (see EMACS), so no surprises there, after all, you'll only run "killall" on a Unix once.)

We have a bigger problem with another Unix principle: source code portability. As software becomes more complex, it requires more sophisticated build tools. More and more open source software is being developed using GNU compilers and build tools, and it is becoming dependent on them. The result? -- While portability at the level of each compilation unit is still maintained, the whole thing is not portable anymore. It fails to build on non-GNU systems[2].

The GNU project in particular did a great service to the software community by promoting and popularizing free software. It also did a great disservice by turning the whole thing into a political issue, and pretty much ignoring the need for competence and expertise on the part of software developers. Instead of sound software engineering, we now have "Free Speech" flag-waving[3].

With more companies (individuals, governments) jumping on the Linux bandwagon, the situation becomes eerily reminiscent of the recent dot-com boom; back then we had The Internet and e-words, now we have Open Source and Linux. Back then a few cautionary voices drowned in marketing hype, now they're likely to be branded Paid Advocates of Evil Entertainment Industry and Oppressors of Free Speech[tm] -- so they shut up and go learn Plan9, or something.

(BTW, if it sounds like I'm singling GNU out, I'm not. Microsoft et al. did at least as much as GNU to get us where we are now. The whole thing would be very different if there was e.g. a liability clause in every software license.)
But the $15 question remains: would you board an airplane designed by, say, a 2nd-year biology student as a night-time hobby? So what makes you think their software design skills are any better?

Hmm. This came out sounding like a rant. Well, it probably is.

Dima

[0] Various aspects of the problems related to complex software systems are very familiar to RISKS readers. They come up in, what? -- every other RISKS issue? 25+ years ago Unix authors were well aware of them, too.
[1] Irix and Solaris "killall", for example, behave like the HP-UX one -- not surprising, considering the "grand scheme of things" outlined above.
[2] Anyone who ever tried building open source software on Solaris using native build tools knows that 9 times out of 10 GNU "libtool" fails to link shared libraries. The remaining 1 time GNU ./configure script fails to determine compiler flags to make position-independent code (needed for said libraries). And since GNU compiler and build tools are unable to produce 64-bit code on Solaris, the libraries, and all software that uses them, must be built as 32-bit binaries. Now, why did I pay for that 64-bit hardware, again?
[3] And instead of one Shakespeare, we have a zillion monkeys with C compilers. As the history of Usenet shows, we shouldn't expect them to come up with even "Hello World" anytime soon, not to mention "Hamlet".

------------------------------

Date: Tue, 7 May 2002 16:17:48 -0800
From: Rob Slade
Subject: More on Clez (Re: Slade, RISKS-22.05)

Crying Klez: Maybe the sky *is* falling
by Robert M. Slade

Maybe it's because the name is unassuming, without the flash of a "Melissa" or "Loveletter" or "Chernobyl." Maybe it's because various reports have called it Klaz, Kletz, W32/Klez.[a-k]@mm, or I-Worm.Klez. Maybe it's because the public's attention has been exhausted by media viruses like Code Red. Maybe it's because there have been a number of versions, and only the latest one has made an impact. Maybe it's because the beast is bewilderingly complicated.
Whatever the reason, a virus called Klez (or, more specifically, Klez.H) seems to be happily spreading far and wide, without much attention from anyone except antiviral vendors. Warnings have been issued about it, but these are often limited and unhelpful. The general media does not appear to have paid any attention to the problem at all.

One of the most widespread and dangerous viruses of recent times, Klez is hard to identify, is difficult to track, is generating serious numbers, and carries a number of payloads. Also, it probably isn't the last of its kind.

Klez is actually a family of viruses. The limited information available seems to indicate that the same author or a small group, probably resident in China, is likely responsible for all of the Klez variants. Eight have been identified so far, seemingly released between the fall of 2001 and spring of 2002. Each variant has added new features and payloads. In little over half a year the Klez family has gone from being a minor nuisance to a major threat.

The first version was so buggy that flaws in programming seemed to be the major concern. However, even then the virus was notable for its ambition and complexity. In addition to spreading itself, Klez dropped a virus called ElKern. (There have been reports of a new version of the CIH virus traveling with Klez, but this may be due to infection of the Klez program file itself.)

The subject line, sender address, and filename attachment were all variable, avoiding the major means of e-mail virus detection. (Various Klez variant subject lines have promised games, humour, pornography, vague but important messages, and, interestingly, antiviral protection.)

Klez also used a vulnerability in Microsoft's Outlook mailer (actually resident in Internet Explorer programming) that would automatically unpack and invoke the message attachment, in some cases before the message was even read by the user.
(This mailer loophole, sometimes known as the IFRAME vulnerability, had actually been addressed and patched by Microsoft in March of 2001. Users who had regularly upgraded installed patches would not have been at risk of this specific function. The bug is addressed in www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp and http://www.microsoft.com/technet/security/bulletin/MS01-020.asp. However, the more widely known Microsoft security bulletin, http://www.microsoft.com/technet/security/bulletin/MS01-027.asp, deals with a composite patch, and talks about browser certificates, rather than the mail problem. It is also interesting to note that, in order to use this function, Klez forms messages with a non-standard MIME [Multimedia Internet Mail Extensions] format. Non-Microsoft mailers, such as Pegasus and Netscape Communicator, may not even allow users to see the attachment, and thus, inadvertently, offer users additional protection.)

The file attachment, as of version H, will have an extension of .EXE, .BAT, .PIF, or .SCR. The MIME file type will not match the extension (although that is not a reliable indicator of a virus infection).

E-mail addresses used to create new infected messages are harvested from the infected machine. Recent versions of the virus also have code to use ICQ as a source of e-mail addresses.

Klez.E (version 2.0, according to internal text), released in January of 2002, added file infection capabilities, so that the virus could spread using e-mail, direct copying to network shares, and infection of program files. (Windows system files were often corrupted by the infection attempts. Other files might be infected by a companion type method: the original file was renamed and hidden and a copy of Klez written with the original filename.) The virus carried its own SMTP (Simple Mail Transfer Protocol) program so that it did not need to use local mail clients.
The "From" line was also faked such that if Alice received an infected message from Bob, it might not come from Bob but from Charles, who had addresses for both Alice and Bob on his infected machine. This function not only prevented tracking of the infected machine, but caused many people to try and track infections in the wrong place.

In addition, the virus had a payload to overwrite text, Microsoft Word, MP3, HTML and other files with random data, thus destroying the contents.

Early versions of the virus had a hidden message (in the body of the infected message) seemingly indicating that the author was trying to gain a reputation in order to get a better job. Later versions tried to kill processes of the Code Red family of worms, including Nimda, and included hidden messages suggesting that Klez was an antivirus virus.

Klez.E, in addition to adding to the list of virus processes that would be stopped, also killed processes for a number of the most popular and effective antiviral programs. It would remove Windows Registry keys for antiviral software, and also corrupted checksums or deleted files for antiviral systems. (Text strings seemed to indicate that this was because the world had not offered the author a well-paying computer job.)

The latest version (as of this writing), Klez.H, often sends itself in a message offering a tool to remove and immunize against Klez.E. (It purports to come from one of a number of well-known antiviral companies.) Klez.H also added a new function: it would frequently pick up a file from the infected computer and add it as an attachment to the infected message sent out. There is already one known case where a confidential negotiating document was transmitted to a mailing list of several thousand people in this manner. Fortunately, the file overwriting payload seems to have been removed.

Any available virus tends to spawn variants.
It is also not unusual for a virus author to improve on his (or her) own work, and release new versions. However, variants seldom involve additions of functions and features to the extent seen in Klez.

The original version alone demonstrated effective social engineering and polymorphic techniques, as well as complex features that would be dangerous in conjunction with other forms of malware. In less than six months, the author (and the greatest probability is that there is a single author) has added features manipulating processes in memory, attacking antiviral and security software, increasing the means of reproduction and spread, and attacking data availability and confidentiality. It is unlikely that this is the last version of Klez that will be seen, and a number of common viruses could give the author new ideas for new payloads to add and new technologies to employ.

In a sense, though, there is absolutely nothing new about Klez. Microsoft software is well-known to be full of bugs and security loopholes: Internet Explorer is much more dangerous to use as a browser than is Netscape Navigator. There are dangerous technologies in common programs that should be disabled or patched. There is a definite trend towards convergence in malware, with different types of programs supporting and distributing each other. Polymorphism has long been known in file infecting viruses: the use of variant subject lines in Klez is tame compared to the (literally) myriad forms of files generated by Tremor.

Most importantly, however, your mother's old adage still holds true. "DON'T RUN THAT PROGRAM ON YOUR COMPUTER! YOU DON'T KNOW WHERE IT'S BEEN!"
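[As an added example, not part of Slade's article: the following Python script turns the message traits described above (an .EXE/.BAT/.PIF/.SCR attachment, a declared MIME type that does not match that extension, and an HTML body that auto-references the attachment through an IFRAME) into gateway-side checks, run over two constructed sample messages. The "expected" executable MIME types and the quarantine rule are this example's own assumptions.]

```python
"""Gateway-side heuristics for the Klez traits described above (added example).

Uses only the standard library. The messages below are constructed samples,
not captured Klez traffic; the header values and names are invented.
"""
import email
import os
from email import policy

# Attachment extensions the article lists for Klez.H.
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".pif", ".scr"}

# MIME types under which a Windows executable would normally be declared.
# An executable labelled as audio/* or image/* is the mismatch the article
# notes (assumption: these three types are treated as "expected").
EXPECTED_EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}


def inspect_message(raw: bytes) -> list[str]:
    """Parse one raw message and return a list of findings (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ctype == "text/html" and not name:
            # An HTML body that pulls an attachment in through an <iframe>
            # is the auto-open path the article associates with MS01-020.
            html = part.get_content().lower()
            if "<iframe" in html and "cid:" in html:
                findings.append("html body references an attachment via <iframe src=cid:...>")
            continue
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name}")
            if ctype not in EXPECTED_EXECUTABLE_TYPES:
                findings.append(
                    f"attachment {name} declared as {ctype}, which does not match its extension"
                )
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Hold the message when an executable attachment is paired with another trait."""
    findings = inspect_message(raw)
    has_executable = any(f.startswith("executable attachment") for f in findings)
    return has_executable and len(findings) >= 2


# Constructed sample shaped like the messages the article describes: a
# vendor-looking sender, a "removal tool" subject, an HTML body with a hidden
# iframe, and an .exe attachment declared as audio/x-wav. The base64 payload
# is a short placeholder string, not executable content.
INFECTED_SAMPLE = b"""From: "Support" <support@av-vendor.invalid>
To: alice@example.invalid
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="AAA"

--AAA
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:tool.exe" height=0 width=0></iframe>Run the attached tool.</body></html>
--AAA
Content-Type: audio/x-wav; name="tool.exe"
Content-Transfer-Encoding: base64
Content-ID: <tool.exe>

UExBQ0VIT0xERVI=
--AAA--
"""

# Constructed clean message: plain text plus a PDF attachment.
BENIGN_SAMPLE = b"""From: bob@example.invalid
To: alice@example.invalid
Subject: Agenda for Thursday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BBB"

--BBB
Content-Type: text/plain; charset="us-ascii"

Agenda attached.
--BBB
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--BBB--
"""

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, should_quarantine(sample), inspect_message(sample))
```

As the article cautions, a type/extension mismatch alone is not proof of infection, which is why the quarantine rule requires it to coincide with an executable attachment.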
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Tue, 7 May 2002 14:12:46 +0100
From: Matthew Byng-Maddick
Subject: Moderated mailing lists and virus scanners

Some readers of RISKS may be familiar with Dan Bernstein's ezmlm mailing list manager, and some more may have used the slightly more full-featured ezmlm-idx. In both of these, extensive use is made of a cryptographically hashed input address, to confirm particular actions. In particular, it almost always sets these addresses as the e-mail "Reply-To:" header, so that when you just hit your "Reply" button in your user-agent, things work sanely.

The case of a moderated announce list managed by ezmlm-idx is no different. The moderation includes the full request (as with the rest of ezmlm), and a bit of text telling you how to moderate the message, and the "Reply-To:" header set. This would seem fine.

Now let us consider the case where the moderator has some kind of virus scanning, a not entirely uncommon case in this modern world, and that we have a virus which picks senders and recipients out of addresses in your address book. The virus decides that it's going to send itself to the announce list.

This should not be a problem, as the list is moderated, except, in this case, the message is included in its entirety at the bottom of the request for moderation. An online virus scanner, looking for signatures, will decide (correctly) that there is a virus. It therefore replies to the sender of the message to tell them that there is a virus, but in this case, the virus software in question is slightly broken, and uses the From: and Reply-To: headers to work out where it should send the warning. But, any mail to the Reply-To: address will cause the held message to be sent out to the announcees.

So the only time the protection doesn't work is when there are viruses, arguably when it most needs it.
Of course, this doesn't just apply to viruses, but what happens with moderator "Out of office" autoreplies?

The RISKS: Well, I can see several here

* In the quest to make such things as moderation of a list easier, the MLM is using the Reply-To header so that all you need to do is reply to that virtual mailbox. There is no checking of, say, a subject line, or something that necessitates human input.
* The virus scanner is non-compliant with the standards, and is delivering an effective Delivery Status Notification message (``We couldn't deliver your message because we believe it to be virus-infected.'') to an address designated for user-agent rather than transport-agent use.
* This case only occurs where the system sees a virus infected file, which is not a case that will be tested for when building the system.
* Sending out a virus to your customers via your announce list is probably unlikely to make you popular.

Matthew Byng-Maddick  http://colondot.net/

------------------------------

Date: Tue, 07 May 2002 14:10:47 +0100
From: Ben Laurie
Subject: CLUTS: Composable Low-assurance UnTrusted Systems

ezmlm, when running a moderated mailing list, sends messages to the moderators with the From and Reply-To addresses set to cause rejection and acceptance of the moderated message, respectively. If the moderators use certain virus scanning services that shall remain nameless, and a virus (such as the currently rampant Klez, which also forges the sender address, so is more likely to be accepted for moderation) is sent to the moderated list, those services report the virus to the Reply-To address (erroneously, IMO - these should be seen as delivery errors and reported to the Return-Path, see RFC 2821), causing the virus to be accepted and distributed to the list.

One RISK is obvious. The other, IMO, is poorly defined standards for e-mail that make it incredibly difficult to work out what the right thing to do is in these cases.
Incidentally, vacation(1) sends to the From address, which will cause rejection - not such a bad outcome, but also wrong.

But whose fault is the error?

http://www.apache-ssl.org/ben.html  http://www.thebunker.net/

------------------------------

Date: Mon, 6 May 2002 01:34:43 -0400
From: "Herb Lin"
Subject: NRC report on porn

Given RISKS readers' interest in these matters, the National Academies' report entitled "Youth, Pornography and the Internet" was released on May 2. The report examines approaches to protecting children and teens from Internet pornography, threats from sexual predators operating on-line, and other inappropriate material on the Internet. It discusses social and educational strategies, technological tools, and policy options for how to teach children to make safe and appropriate decisions about what they see and experience on the Internet. Chaired by former Attorney General Dick Thornburgh, it's the most comprehensive study yet on the topic.

More information on the report is available at:
http://www4.nationalacademies.org/onpi/webextra.nsf/web/porn?OpenDocument

The report itself is available online at:
http://bob.nap.edu/html/youth_internet/

If you are interested in a briefing on or discussions about the report, please contact the study director, Herb Lin, at 202-334-3191.

------------------------------

Date: Tue, 7 May 2002 14:26:40 -0400
From: Lillian Israel
Subject: ACM invitation

[The Risks Forum is an official ACM activity. Although we normally never run advertising in RISKS, perhaps we owe the ACM this one. PGN]

IT and computing professionals are invited to join ACM and receive a special 15% discount on their first-year membership, PLUS receive a FREE Limited-Edition IT book! A second free book is also available if you add a subscription to the optional ACM Portal (available at a 15% savings as well). ACM even has a special offer designed just for students!
To learn more, and to Join ACM now, go to: http://www.acm.org/joinacm1

Some of the valuable benefits of an ACM membership include:
* Full access to the Online Guide to Computing Literature (July 2002)
* Free access to ACM's new Distance Learning Portal (July 2002) - 150+ online courses
* A one-year subscription to "Communications of the ACM"
* The option to subscribe to the enormous online ACM Portal - one of the world's largest databases of IT information and the ultimate resource for IT professionals!

Find out more about the many benefits of an ACM membership, and read about the FREE Limited Edition books at: http://www.acm.org/joinacm1

ACM, the Association for Computing Machinery, is the world's leading scientific and educational society serving the IT and Computing communities. Founded in 1947, ACM has members in more than 100 countries.

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address " ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .MIL users should contact (Dennis Rears).
   .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a
   palmtop version of the most recent RISKS issue and a WAP version that
   works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/  ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.06
************************