precedence: bulk Subject: Risks Digest 22.53 RISKS-LIST: Risks-Forum Digest Thursday 30 January 2003 Volume 22 : Issue 53 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: [Huge backlog remains.] Berliner S-Bahn has computer trouble again (Debora Weber-Wulff) Too much computing could give you a blood clot (NewsScan) Microsoft, heal thyself! (NewsScan) Slammer (PGN) Interaction between SQL Slammer & furnaces (Jeremy Epstein) Hacker insurance (NewsScan) Pete Lindstrom's parametric worm warning (Jeremy Epstein) 12 U.Maryland students accused of high-tech cheating (Monty Solomon) QUALCOMM Qsec-800 Secure CDMA phone (Monty Solomon) Satellite system seen as a key life saver (Monty Solomon) REVIEW: "Absolute PC Security and Privacy", Michael Miller (Rob Slade) REVIEW: "Information Security Best Practices", George L. Stefanek (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 22 Jan 2003 23:00:56 +0100 From: Debora Weber-Wulff Subject: Berliner S-Bahn has computer trouble again The worst problem since the last time.... RISKS readers will remember RISKS-18.55 and .60 in which the new Berlin light-rail switching computers had themselves a little glitch when they hit real service in 1998 -- a stack overflow. *Tagesspiegel* (http://archiv.tagesspiegel.de/archiv/12.01.2003/389362.asp) of 12 Jan 2003 reports that a little power-out at 13:35 the day before caused all three of the switching computers governing the track between Zoo and Ostbahnhof (the line with the most daily traffic, of course) to crash. It took until around 16:00 to get the systems back in service. Because this section of track is also in use by the Deutsche Bahn, many trains were terminated at stations outside of the city. Around 100 light-rail trainsets were stranded on open track. People were kept in the cars for up to 90 minutes. Luckily, the electricity came back on right away, so the heaters were on and people didn't have to freeze. Those in charge have absolutely no explanation for the problem, etc. At least the fail-safe worked, and all the signals went to red. I suppose we have to be thankful for small blessings. Further reports just noted that there is no explanation for all of the computers (which are supposed to be on separate power lines) crashing at the same time. I had hoped to be able to give more information, but the papers have dropped the topic in favor of more racy topics.... Prof. Dr. Debora Weber-Wulff, FHTW Berlin FB 4, Treskowallee 8, 10313 Berlin +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/ ------------------------------ Date: Thu, 30 Jan 2003 09:29:09 -0700 From: "NewsScan" Subject: Too much computing could give you a blood clot A research team in New Zealand has discovered a man who developed an almost-fatal blood clot after spending up to 18 hours a day at his computer workstation. The clot developed in his leg and traveled to his lungs. Researcher Richard Beasley of the Medical Research Institute of New Zealand said that the problem could be widespread, and advised people who spend long periods using computers to stretch their legs frequently. [*Globe News*/CNet New Zealand, 30 Jan 2003; NewsScan Daily, 30 January 2003] http://www.stuff.co.nz/stuff/0,2106,2226653a7144,00.html [... not to mention finger, hand, back, eye, and other problems. PGN] ------------------------------ Date: Tue, 28 Jan 2003 08:30:32 -0700 From: "NewsScan" Subject: Microsoft, heal thyself! Microsoft has been embarrassed by having to acknowledge that the SQL Slammer virus, which infected computer servers all over the world, also contaminated some of Microsoft's own servers, because system administrators had failed to heed the company's own advice to install a software patch months ago to fix a known system vulnerability. A Microsoft executive had to admit: "We, like the rest of the industry, struggle to get 100% compliance with our patch management. We recognize -- now more than ever -- that this is something we need to work on. And, like the rest of the industry, we're working to fix it." [*The New York Times*, 28 Jan 2003; NewsScan Daily, 28 January 2003] http://partners.nytimes.com/2003/01/28/technology/28SOFT.html ------------------------------ Date: Thu, 30 Jan 2003 12:27:42 PST From: "Peter G. Neumann" Subject: Slammer Of course, Microsoft's own SQL servers were victimized because they had not all been properly patched! Reports that the patches were available 6 months ago seem to be erroneous, because the patch for the Slammer exploit was apparently released only recently before the attacks. Although some folks are trying to put the blame on incompetent system administrators, I have heard that the service packs were poorly documented, and came in multiple versions depending on which SQL server software you were running, so that the SysAdmin burden was considerable. The worm affected many worldwide, including Bank of America's automatic teller machines, air-traffic control at Houston's Bush Intercontinental Airport, Cleveland, and New Jersey, American Express operations, and a Canadian Internet election.com vote in progress (which RISKS readers already know is not a great idea with respect to security). I had one out-of-band report that a major corporate research intranet was hosed because port 1434 accepted random UDP packets through the firewall. And once again, the payload on this worm was relatively benign compared with the damage it could have done. The fact that so many different exploits keep recurring suggests that something is fundamentally wrong with the software development and operational processes. As I said at the Homeland Security Town Meeting panel in San Diego on 28 Jan 2003, the chickens of neglect are coming home to roost. The folks who should be developing sound systems seem to have chickened out. Especially the non-bantam roost-ers who crow about their perfect security. ------------------------------ Date: Wed, 29 Jan 2003 11:55:42 -0800 From: Jeremy Epstein Subject: Interaction between SQL Slammer & furnaces With all the noise about SQL Slammer, I gave instructions on Monday to my staff to verify that all systems in our lab that run SQL Server were at the latest patch level. Not surprisingly, a few weren't, and so upgrades began. Several of the systems ended up dead, and we naturally blamed the patch install process, which is notoriously error prone. In this case, though, there was another explanation. Midway through the install process, the fuses on one of the furnaces in the building blew (the outside temperature has been much below usual in Virginia for the past few weeks). This apparently sent enough of an electrical spike into the computers that we ended up with file system corruption in a way that wasn't resolved by an ordinary reboot, despite our UPSs & surge protectors. It also caused the temperature in the building to drop to a point where we were uncomfortable and having difficulty thinking carefully, especially given the obvious explanation of a failed patch. We don't quite know how it happened, but the file system corruption was both on Windows & Solaris boxes, so we're sure it had nothing to do with the patch installation, and the electrical malfunction seems the most likely explanation. The RISK is assuming that a system failure which occurs in temporal proximity to a security patch is in fact caused by the security patch! ------------------------------ Date: Wed, 29 Jan 2003 10:25:22 -0700 From: "NewsScan" Subject: Hacker insurance The latest cyber attack (last weekend's SQL Slammer virus, which infected thousands of computer servers throughout the world) has given a new boost to "network risk insurance" (AKA "hacker insurance"), which is expected to grow from the $100 million industry it is now to a $2.5 billion industry by 2005. Bruce Schneier, the chief technology officer for Internet security at Counterpane, thinks that insurance is every bit as important as prevention: "I believe that within a few years hacking insurance will be ubiquitous. The notion that you must rely on prevention is just as stupid as building a brick wall around your house. That notion is just wrong." But getting "hacker insurance" is not as easy as one might think, because insurers typically require a third-party assessment of the insurance applicant's security system, which might cost as much as $50,000. [Reuters/*USA Today*, 28 Jan 2003; NewsScan Daily, 29 Jan 2003] http://shorl.com/bupimybristumu ------------------------------ Date: Thu, 30 Jan 2003 10:07:53 -0800 From: Jeremy Epstein Subject: Pete Lindstrom's parametric worm warning [From Pete Lindstrom, Spire Security, petelind@spiresecurity.com] * Computer Worm Internet* In the wee hours of , a computer worm spread throughout the Internet. Dubbed because , and also known as and , the worm has infected an estimated systems within . Experts are calling this worm the most since . The worm exploits a hole in that was first identified months ago by . In an attempt to secure the planet, released detailed information about the vulnerability and how to exploit it. They also mentioned how to fix it, but apparently listened. Coincidentally, the worm that exploited this hole was also first identified by . Even more coincidentally, they make a product to protect against . "Actually, it's not really a , it's a ," said . " A true works by ." The worm's payload every system by the . Comparatively speaking, this is much worse than but not as bad as . The computers of were hit the hardest. Current damage is estimated at . " This worm has the potential to ," said . " It just goes to show you that ." Though there is no way to protect against this particular bug, experts recommend trying or , neither of which matter, since nobody will do it anyway. ------------------------------ Date: Sun, 26 Jan 2003 21:24:58 -0500 From: Monty Solomon Subject: 12 U.Maryland students accused of high-tech cheating By Stephanie Hanes, Sun Staff, 26 Jan 2003 Twelve University of Maryland undergraduates have been accused of using Web-equipped cell phones or handheld organizers to cheat on a business school final exam last month, according to the school's student-run Honor Council. Six of them have admitted to misconduct during that same test, the council said. The allegations prompted Provost William W. Destler to issue a warning to faculty members about the potential misuse of cell phones and other common handheld electronics, said J. Andrew Cantor, a 20-year-old senior and chairman of the Honor Council. ... http://www.sunspot.net/news/education/bal-md.cheating26jan26,0,3792093.story ------------------------------ Date: Wed, 29 Jan 2003 17:57:00 -0500 From: Monty Solomon Subject: QUALCOMM Qsec-800 Secure CDMA phone QUALCOMM's CDMA Technology Enhances Security Measures at Super Bowl XXXVII Regional Homeland Security Agencies and Technology Partners Teamed Up To Provide Security Assistance for the Super Bowl - SAN DIEGO, Jan. 29 /PRNewswire-FirstCall/ -- QUALCOMM Incorporated (NASDAQ:QCOM), pioneer and world leader of Code Division Multiple Access (CDMA) digital wireless technology, joined forces with regional homeland security agencies and technology partners to augment existing security measures for Super Bowl XXXVII. QUALCOMM, in partnership with the San Diego Regional Network on Homeland Security (RNHS) and other technology companies, assisted the San Diego Police Department (SDPD) with security preparations for Super Bowl XXXVII by providing technology and products based on CDMA technology. QUALCOMM provided wireless phones capable of carrying government- classified information over commercial cellular networks to federal law enforcement agencies and federal task force entities. These phones, referred to as the Qsec-800(R), are National Security Agency certified cellular phones developed through a U.S. Government contract with QUALCOMM. The phones represent a first step in securing the nation's cellular communications using the extensive CDMA network that is commercially available. In addition to the secure wireless handsets, QUALCOMM had worked out an architecture that allowed the SDPD to access data, such as real time video as supplied by cameras, using digital technology from cVideo, at QUALCOMM Stadium, over commercial CDMA2000 1X networks. QUALCOMM's expertise in security ensured these data capabilities met the high standards set by the United States Department of Justice and local law enforcement. ... http://finance.lycos.com/home/news/story.asp?story=31220472 ------------------------------ Date: Mon, 27 Jan 2003 08:30:51 -0500 From: Monty Solomon Subject: Satellite system seen as a key life saver Tracking device crucial in rescues: Environmental satellites with search-and-rescue tracking capability helped save 171 sailors, hikers, downed pilots, and others across the country last year, including 15 people in five incidents off the New England coast. The Coast Guard requires all commercial fishing vessels and merchant ships to carry an Emergency Position Indicating Radio Beacon, which sends out a distress signal that NOAA satellites pick up and relay to the appropriate emergency response agency. Since it was launched in 1982, the satellite system is estimated to have saved 4,500 lives in the United States, said NOAA administrator Conrad C. Lautenbacher. ... [Source: Jim Geraghty, States News Service, 26 Jan 2003; PGN-ed] http://www.boston.com/dailyglobe2/026/nation/Satellite_system_seen_as_a_key_life_saver+.shtml ------------------------------ Date: Thu, 30 Jan 2003 08:05:48 -0800 From: Rob Slade Subject: REVIEW: "Absolute PC Security and Privacy", Michael Miller BKAPCSPR.RVW 20021216 "Absolute PC Security and Privacy", Michael Miller, 2002, 0-7821-4127-7, U$34.99/C$55.95/UK#25.99 %A Michael Miller %C 1151 Marina Village Parkway, Alameda, CA 94501 %D 2002 %G 0-7821-4127-7 %I Sybex Computer Books %O U$34.99/C$55.95/UK#25.99 800-227-2346 info@sybex.com %O http://www.amazon.com/exec/obidos/ASIN/0782141277/robsladesinterne %P 530 p. %T "Absolute PC Security and Privacy: Defend Your Computer Against Outside Intruders" Miller never knew much about viruses, or took them seriously, until a friend got infected and it turned out to be more of a nuisance than he thought. So he decided to write a book about them. And also about spam, since he was annoyed by that, too. Part one is about viruses, and other stuff. There are so many errors in the introduction, chapter one, that I don't know where to start. Since this book is obviously not written for professionals, is it important that it was Fred Cohen, and not Len Adleman, who did the first academic research on viruses? No. Is it important that the book constantly contradicts itself (for example, promoting the idea that virus writers are technically competent, and then pointing out that virus creation kits require no expertise at all)? Possibly not, but it doesn't inspire any confidence. Is it important that policies to prevent 95% of current viruses are dismissed in a single paragraph, buried in 150 pages of procedures (like the old "use only commercial software" myth--and the book also notes that commercial software has been distributed in an infected state) that might help protect you from some of the remaining 5%? Yeah, that could turn out to be significant. Chapter two talks about some high risk activities, but the relevant points are hidden in a mass of relatively low peril particulars. Boot sector and file infectors are discussed in chapter three, but aren't important to users any more. Chapter four talks about macro viruses, but the suggested actions, such as manually deleting macros, are mostly ineffective. The material on script viruses, in chapter five, is quite confused: ActiveX is *not* a scripting system, and it is pushing the facts to say that Internet Explorer is a safe browser. (The procedures for disabling Windows Script Host could be useful.) The definitions, and particularly examples, of trojans, viruses, and worms are very confused in chapter six. Chapter seven examines e-mail and IRC (Internet Relay Chat) viruses, but concentrate on minor dangers and issues. Chapter eight warns against virus hoaxes, but does not tell how to identify them. The discussion of antiviral software in chapter nine deals *only* with scanning, and does not properly advise on limitations and weaknesses (such as the fact that real time, on-access, or firewall-based scanning may be 20% less effective than manual scanning). The other forms of antiviral software are mentioned in chapter ten, but so briefly as to be useless. "Preventing Virus Attacks," in chapter eleven, repeats earlier content. The suggested responses to a virus infestation, in chapter twelve, are seriously overblown. Part two is concerned with Internet attacks. Given the preceding material, it is surprising that chapter thirteen provides reasonably good background on intrusion. But, given the tone and audience of the book, the attacks described are not relevant to the readership: most home users would not be able to do anything about the offensives described. The assaults listed in chapter fourteen are different, but the mentions are too terse to provide any means of defence. Chapter fifteen suggests some good precautions, but does not explain the implications of following them. Chapter sixteen says that peer-to- peer systems are dangerous, but is quite reserved given the level of the threat and the scare tactics used elsewhere. Network protection systems are briefly listed in chapter seventeen. "Choosing a Firewall," in chapter eighteen, describes the various types too poorly for the user to make an informed choice. Chapter nineteen's advice on dealing with an attack is too short to provide identification of a real incident, and the response advice is unhelpful. Part three supposedly deals with theft of privacy. Chapter twenty's overview of threats against privacy is not bad, although it does confuse cookies, packet sniffing, and keystroke logging in the course of a single paragraph. A discussion of online fraud, in chapter twenty one, is mostly about eBay, and mostly generic advice. A reasonable, if not extensive, set of explanations of harassment, spyware, and cookies are given in chapters twenty two, twenty three, and twenty four, respectively. However, the background and suggestions in regard to passwords and encryption, in chapter twenty five, are weak. The section finishes with anonymous surfing, in chapter twenty six. Part four covers spam. Chapter twenty seven presents a good overview of the basic concepts, but betrays a very weak technical understanding of the subject. The recommended actions for protection and prevention are not very effective. A more serious look at anti-spam activities is in chapter twenty eight, but it boils down to a recommendation not to tell anyone your e-mail address: a suggestion that the book itself admits is not completely effective since spammers regularly generate random addresses to try. In addition, the information about tracking down and fighting against spammers is too brief to be of any use. Chapter twenty nine recommends against forwarding chain letters, but probably should have more information about items such as the technical impossibility of the messages that supposedly reward you for the number of missives you forward, and the variations on "advance fee" (aka "419" or "Nigerian scam") frauds. It is unclear why "Web-Based Intrusions" could not have been covered elsewhere without creating a part five. Chapter thirty deals sensibly with pop-up ads, although I am not sure why disabling JavaScript is considered an extreme action, particularly in view of some of the other recommendations in the book. The advice about the use of the hosts file, though, could be very helpful. Inappropriate content and filtering, in chapter thirty one, is handled rationally (if curtly), but does not mention the hidden agendae that filtering software or organizations may have. Although some of the points in the book can be good, a great deal of the material is either too short to be really useful, or questionable, or wrong. In terms of security guides for the average user, Crume's "Inside Internet Security" (cf. BKININSC.RVW) is much better, and so is "Access Denied" (cf. BKACCDEN.RVW) by Cronkhite and McCullough, even though the latter is directed at managers. copyright Robert M. Slade, 2002 BKAPCSPR.RVW 20021216 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Wed, 29 Jan 2003 08:24:09 -0800 From: Rob Slade Subject: REVIEW: "Information Security Best Practices", George L. Stefanek BKISBPBR.RVW 20021215 "Information Security Best Practices", George L. Stefanek, 2002, 1-878707-96-5 %A George L. Stefanek %C 225 Wildwood Street, Woburn, MA 01801 %D 2002 %G 1-878707-96-5 %I Butterworth-Heinemann/CRC Press/Digital Press %O 800-366-BOOK fax: 1-617-933-6333 dp-catalog@bh.com www.bh.com/bh/ %O http://www.amazon.com/exec/obidos/ASIN/1878707965/robsladesinterne %P 194 p. + CD-ROM %T "Information Security Best Practices: 205 Basic Rules" The preface states that this book contains rules for a, possibly novice, system administrator and manager to provide a basic level of security for an organization. Chapter one lists a few (well, eleven) attacks on information systems. These are rather simple; the virus definition is quite old (there is no mention of macro or e-mail viruses) and worms are depicted in terms of memory exhaustion; and it is difficult to see what purpose they serve. The generic structure of an attack or intrusion is described in chapter two. The initial discussion of policy, in chapter three, is limited to the advice that you have one. This recommendation is expanded in chapter four, which does provide some reasonable points on creating a policy. A few of the "rules" have been given in the earlier chapters, but chapter five, on network architecture and design, begins what is obviously the body of the book. Some of the advice is questionable, such as the commandment to limit firewall selection to those products that carry the NCSA stamp of approval. (The NCSA approval has some value, but is far from definitive, and, in any case, the group morphed into the ICSA many years ago, and is now TruSecure.) By and large the material, and that which follows, is reasonable and would help to improve the security of any enterprise, although it is quite limited. The remaining chapters cover physical security, PCs (tersely), Internet security, application development, software validation, configuration management, network monitoring, maintenance and troubleshooting, and training. The advice about hardware selection (in chapter six), is restricted to "motherhood" type rules which are vague and would be hard to follow. The chapters on network hardware (eight) and operating systems (nine) both recommend that there be a C2 level rating for routers and servers, although the "orange book" specifications are no longer considered standards (and in spite of the fact that Windows NT 3.51 got a C2 rating--on condition that it was not connected to a network). Encryption, in chapter fourteen, is supposed to be "strong," although there is little information on how to measure strength. (In fact, a key length of 128 bits is mandated, despite the fact that this is far too short for asymmetric systems, and longer than triple DES [Data Encryption Standard].) The suggested actions in case of attack, in chapter nineteen, are rather drastic: spam should be addressed by killing e-mail service, and a denial of service attack should be responded to by disconnecting from the net. Overall, this does have value as a "quick and dirty" set of guidelines for administrators who do not have formal security training and experience. The book is short, and thus easily readable for busy people. While security professionals may cringe at the simplistic nature of some recommendations, the rules can help improve the security of a system that would otherwise have none ... as long as the reader does not gain a false sense that he has implemented proper security. copyright Robert M. Slade, 2002 BKISBPBR.RVW 20021215 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: 29 Mar 2002 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 21" for volume 21] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.53 ************************