Subject: Risks Digest 22.88

RISKS-LIST: Risks-Forum Digest  Wednesday 27 August 2003  Volume 22 : Issue 88

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/22.88.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents:
California accepts completely unverified updates (Geoff Kuenning)
BlackBerry reveals sensitive Morgan Stanley data (Mark Feit)
Cingular wants me to pay negative balance (Ulf Lindqvist)
'Entrepreneur' a trademarked word, court rules (Christine Van Dusen via Monty Solomon)
Slammer worm hits system within Davis-Besse nuclear power plant (Fuzzy Gorilla)
Sobig affects Amtrak trains, Air Canada (Marty Leisner)
Some observations on e-mail phenomenology (Peter B. Ladkin)
Update on Sobig stage 2 (Rob Slade)
Thank you for [...] (Rob Slade)
Organized crime behind Sobig mess? (NewsScan)
Re: Send PIF files in ZIP attachment to avoid virus detectors? (Robert de Bath)
Re: Pilot fixes faulty jet (Peter B. Ladkin)
Satellite photo of Eastern North America during blackout (John Oram)
2004 IEEE Symposium on Security and Privacy, Call for Papers (David Wagner)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 25 Aug 2003 16:52:57 -0700 (PDT)
From:
Subject: California accepts completely unverified updates

I own a tiny California corporation for consulting purposes. Each year, I am required to file a "statement by domestic stock corporation" with information such as my address and the names of corporate officers. This year, it is possible to file electronically (a necessity for me because the state reverted to a 5-year-old address, which is another story of incompetence).

The Web form tends to crash browsers, but I eventually succeeded with Mozilla. You type in the name of the corporation, fill out the forms, and pay your $25 via credit card. All of this is done with NO VERIFICATION WHATSOEVER. If I had a stolen credit card, I could change the addresses and officers of Microsoft, Bank of America, and a zillion other corporations. Straightening out the mess would probably cost the state far more than the $25 per instance that they wouldn't be able to collect from the credit card company anyway.

Geoff Kuenning  geoff@cs.hmc.edu  http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Tue, 26 Aug 2003 09:23:37 -0400
From: Mark Feit
Subject: BlackBerry reveals sensitive Morgan Stanley data

We've seen this before with hard disks. The article goes on to point out that this has started to happen more frequently as people are synchronizing their mobile devices with their desktops.

  The eBay ad read "BlackBerry RIM sold AS IS!" So Eugene Sacks (not his real name), a Seattle computer consultant who always wanted one of the pager-size devices to check his e-mail, sent in a bid. For just $15.50, he bought the wireless device with 4 MB of memory. The BlackBerry didn't come with a cable, synching station, software or a manual. But it did come with something even more valuable: a trove of corporate data.

http://www.wired.com/news/print/0,1294,60052,00.html

------------------------------

Date: Fri, 22 Aug 2003 21:24:07 -0700 (PDT)
From: Ulf Lindqvist
Subject: Cingular wants me to pay negative balance

This item seems tragically funny. I canceled my service from Cingular Wireless some months ago, and in the final bill it turned out that I had paid $3.36 too much. After some time they sent me a check, which I cashed. After another couple of weeks, I received the e-mail below. I hope they keep charging late fees for a negative balance, and I hope the fees will be negative too!
> Dear ULF LINDQVIST,
>
> Your current Cingular Wireless statement for account number [...] is
> now available for viewing on the Cingular Web Site at
> https://myaccount.cingular.com. The statement amount of $-3.36 is due and
> payable immediately. A late fee will be assessed after 07/28/2003.

Also note that the message was sent on 08/22/2003...

------------------------------

Date: Mon, 25 Aug 2003 09:48:11 -0400
From: Monty Solomon
Subject: 'Entrepreneur' a trademarked word, court rules

Be careful if you use the word "entrepreneur." You might get sued.

Christine Van Dusen, *The Atlanta Journal-Constitution*, 25 Aug 2003

A federal judge recently ruled that the owner of Entrepreneur Magazine, a small-business publication with about 2 million readers nationwide, has dibs on the term. Entrepreneur Media, based in California, trademarked the word after starting its magazine in 1978. And that, according to the court's decision, means the firm has "exclusive right to use the mark in commerce."

http://www.ajc.com/business/content/business/0803/20entrepreneur.html

------------------------------

Date: Fri, 22 Aug 2003 17:53:25 -0400
From: "Fuzzy Gorilla"
Subject: Slammer worm hits system within Davis-Besse nuclear power plant

*The Register* (and other sites) are reporting that a PC associated with the safety monitoring system at the Davis-Besse nuclear power plant in Ohio was infected by the Slammer worm. This happened in January 2003, and there was no safety hazard because the plant was offline and "the monitoring system, called a Safety Parameter Display System, had a redundant analog backup that was unaffected by the worm", but it helps to illustrate the risks of having "a crunchy shell around a soft, chewy center." The plant had a firewall but...

  "The Slammer worm entered the Davis-Besse plant through a circuitous route. It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread."

http://www.theregister.co.uk/content/56/32425.html

  [H. Ludwig Hausen noted this as well: http://www.securityfocus.com/news/6767]

------------------------------

Date: Sat, 23 Aug 2003 13:36:34 -0400
From: Marty Leisner
Subject: Sobig affects Amtrak trains, Air Canada

Read about the impacts of Sobig on Amtrak and Air Canada!!

In the *Wall Street Journal*, 21 Aug 2003, there was an article "Computer Viruses Disrupt Railroad and Air Traffic". It said:

  "A variant of the Blaster virus on Tuesday affected about half of Air Canada's phone-reservation capacity and some of its airport check-in operations, said spokesman John Rebel. In general, the virus simply slowed the process of taking reservations, but in a small number of cases, the problems caused flights to be delayed or canceled altogether, he said. Service was returned to normal by Wednesday."

It also said:

  "Dan Murphy, a spokesman for CSX, said the company noticed Wednesday at about 1:15 a.m. that a variant of the Blaster virus was interfering with its train operations and dispatching system. The company curtailed rail service throughout the CSX network while its technicians tried to fix the problem. CSX operates about 1,600 freight, Amtrak and commuter trains a day on its 23,000-mile route network east of the Mississippi River."

The first case I just consider business stupidity -- the second case I consider much more serious -- it affected the signaling on rails. I find it hard to understand why general purpose computers are used in such specialized applications -- and ones that are easily compromised. I have to wonder what the requirements for these systems are (assuming they have requirements!!)

  [Air Canada case also noted by Amos Shapir and Fuzzy Gorilla.
  PGN]

------------------------------

Date: Wed, 27 Aug 2003 11:48:22 +0200
From: "Peter B. Ladkin"
Subject: Some observations on e-mail phenomenology

I have seen many technical proposals arising from the changing phenomenology of e-mail (e.g., Garfinkel, Anti-spam technology, RISKS-19.24, Tripoli in RISKS-22.83), and increasingly many political proposals (e.g., Lincoln, RISKS-22.86). In order to evaluate the social worth of any of these, it is necessary to understand the changing phenomenology of e-mail, just as political scientists must base their analyses and projections on concrete data.

In contrast to technical and political proposals, I have seen relatively few public comments on the phenomenology (qualitative assessment) and phenomenography (quantitative assessment) of e-mail traffic. A look at the RISKS archives may serve as a sample. Peter Neumann was already talking about the situation being "out of hand" six years ago (a June 1997 example of phenomenology in his editorial comment on Garfinkel, RISKS-19.24). Mike Hogsett's recent server data (RISKS-22.87) contributes to the phenomenography.

As others have remarked, e-mail traffic has markedly increased in recent weeks, due apparently to proliferation of the Sobig virus and the e-mail it generates. It seems certain that significant changes will be made at many organisations because of it. Some phenomenological comments are in order.

Like many contributors to RISKS, I have been using e-mail as a major professional tool for twenty years, and have been running my own server for the last nine. In this time, we have made three substantial technical changes. Two of those were to accommodate client facilities, namely a change to POP to accommodate portables, and a change to IMAP to accommodate PDAs + mobile phones. Until recently, I accommodated the changing phenomenology of e-mail by changing my working practices. However, our third major change, just over a year ago, was the introduction of heavy filtering, because the level of spam and resulting cost in time and connect charges precluded continued use of my Nokia Communicator to read e-mail on the road.

Sobig is something else. We are a Unix/Linux shop, so we don't contribute ourselves to the proliferation. The phenomenon will cause us to make changes, but because of the observations that follow, it is not clear yet what they will be.

My personal e-mail traffic has increased by up to an order of magnitude in the last weeks. My wanted e-mail has been 2-5% of the total, contrasted with the previous (estimated) 20%. All of the increase is unwanted mail generated by Sobig. The surprise is how it has been generated. The extra traffic is of five kinds:

1. Instances of Sobig-generated e-mail;
2. Bounce messages from e-mail servers unable to deliver an instance of a Sobig-generated mail and which reply to the address on the From header line;
3. Bounce messages from e-mail servers which have detected instances of Sobig with my e-mail address on the From header line;
4. Sobig-generated messages whose contents have been modified by our university computer center filter;
5. Personal inquiries by genuine correspondents who have received a message of type 3 with my e-mail address on the From header line.

We don't filter for Sobig. We haven't needed to - I can accommodate messages of type 1 under my normal working practice (a guarded thank you to everybody else!). Servers generating messages of type 2 don't filter, either. Messages of types 3 and 4 are causing the most traffic, and the greatest difficulty.

The general phenomenology of Sobig-generated e-mails has been known for a while. Relevant are

i. The e-mails, header and content, are entirely automatically generated; there is no piggy-backing on genuine e-mail;
ii. The sender address is falsified, and ultimately derived from address-book entries on some infected machine;
iii. There are technically easily-recognisable distinguishing syntactic features of these virally-generated e-mails.

Effective counters (programs which recognise the features in iii) have been known for a while, and details have been published in sources of record for at least a week, e.g., in German, http://www.heise.de/security/news/meldung/39589

Because of feature i, there is no disadvantage to anyone if a server deletes Sobig-generated e-mails. Because of feature ii, there is neither advantage nor necessity in informing either falsified "sender" or receiver. I would have thought that these observations would have been obvious to any system administrator. But if they were uniformly (rationally) acted on, I would be receiving no mails of types 3 and 4, whereas mails of these types are causing me by far the biggest problem.

If this observation generalises, then the major problem would appear to be generated not by the virus itself, but by the reactions of e-mail-server administrators. I would have thought that e-mail service providers would be motivated to minimise the traffic generated by malware. This is apparently not so. Major ISPs such as AOL have been responsible for many messages of type 3.

I conclude that some work needs to be done to attempt to understand the organisational motivations and behavior of system administration, and to devise ways of preventing the collective behavior of professional administrators from making problems a lot worse than they otherwise would be.

Peter B. Ladkin, University of Bielefeld, Germany  http://www.rvs.uni-bielefeld.de

------------------------------

Date: Fri, 22 Aug 2003 13:08:18 -0800
From: Rob Slade
Subject: Update on Sobig stage 2

About 4 hours before it was due to trigger, F-Secure found an encrypted section of code in the Sobig virus that indicated an unsuspected payload. At 1900H UTC (noon, PDT) on Friday, infected computers would try to connect to a number of servers, download a program, and run it.
Within that four hour period, F-Secure, possibly with the assistance of other institutions, was able to contact the ISPs for these machines, and have them all shut down. (One remains up. Presumably it has been turned into a honeypot, a form of trap for the people who intended to use it for the attack.)

At this time, we do not know what the intention of the so-called "Stage 2" payload was, but the plan shows evidence of very careful planning, and, given the extreme number of Sobig infections, it could have been very serious.

http://www.f-secure.com/news/items/news_2003082200.shtml
http://www.f-secure.com/v-descs/sobig_f.shtml

rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Mon, 25 Aug 2003 13:01:06 -0800
From: Rob Slade
Subject: Thank you for [...]

Thank you for the details about that movie regarding my application for the approved wicked screensaver!

Given that Sobig.F seems to have subsided from its weekend peak (from my numbers, it was doubling every day last week up until Sunday and then suddenly dropped off -- to a rate that is still roughly as high as Klez at its worst) and that "Stage 2" seems to have been averted, a few thoughts.

Blaster, a worm, infected relatively few machines but inconvenienced (and in some cases worse) companies, so it gets its name in the paper. Sobig surpasses all records in terms of number of e-mail messages generated, and almost nobody (outside of our little security circle) is paying attention.

Spoofing of e-mail headers in virus messages goes back to Hybris or before. Most of the successful e-mail viruses have used some form of spoofing. Yet antivirus companies, in their mail server based products, are continuing to generate bounce messages to the nominal sender, probably in an attempt to market their products. I got a lot of bounced Sobig over the past week. None, of course, had been sent from me. What these bounces are actually doing is aiding the virus: the bounce messages send the virus (a full copy of the original message is often included) to yet another machine.

Spammers have also been using spoofed e-mail addresses for some time. Bounced spam is therefore also helping spammers to spread their messages. Two spam for the price of one, thanks to bounces. (Occasionally I hear of a server being inundated by a faked sender address on spam, but this seems to be rare. Which would seem to indicate that spammers are deliberately using random addresses, possibly for reasons of multiplication through bounces.)

One of the interesting points to come out of the height of the Sobig numbers on Saturday was that I saw relatively *few* bounces, in proportion to what one might have thought was the case. My address is obviously on enough infected machines for me to get huge numbers of infected messages: due to the way the virus spoofs addresses, a large number of the Sobig messages would have been sent "from" me. Given that the majority of server based antiviral packages do bounce messages, the penetration of server based virus scanning would therefore seem to be quite low. (Interesting, the indirect things you can learn in the aftermath of an attack. Consider the subject line of this message a test of content scanners still doing simplistic subject line rejections.)

I have been warning about the type of convergence of malware technologies involved in the "stage 2" situation for a few years now. Will it be taken seriously after Sobig? (Listen to the sound of me *not* holding my breath.)

Sobig seems to have been planned and designed with much greater care than is usually the case with viruses and malware. Up until now, we have been spared what viruses *could* do primarily by the fact that we have been facing a bunch of disorganized amateurs. A number of comments about Sobig have raised the possibility of an involvement with spammers and/or organized crime. (We already know that "red guest" groups in China are much more organized and disciplined than traditional blackhats.) Sobig may simply be the result of an isolated creative mind, but relying on that supposition as fact is dangerous security planning.

Buried in the investigations into Sobig.F, you will find reference to the fact that it stops reproducing after September 10th. I'm afraid it took my wife pointing it out to make me realize that this is one day before September 11th. Sobig.G, anyone?

rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Tue, 26 Aug 2003 08:28:20 -0700
From: "NewsScan"
Subject: Organized crime behind Sobig mess?

Antivirus specialist Peter Simpson warns that the Sobig.F virus is the latest in a series of attempts on the part of organized crime to shift some of their illicit activities online. "Sobig smashed all the records in terms of pure numbers, but that's not nearly the whole story. This is the sixth in a series of controlled experiments. This isn't about some kiddy writing viruses in his bedroom -- this is really a very sophisticated example of organized crime," says Simpson, a manager at Clearswift's ThreatLab. Simpson explained that the purpose of a virus such as Sobig isn't to cause damage, but to gain control of the machine in order to access information such as financial details for the purpose of fraud. It also comes in handy for disguising the source of spam by hijacking the victim's machine and identity. "The real question here has to be about the motives of the virus writer. This isn't just about writing a virus that will spread rapidly and break records; the motives here are very different and are clearly criminal. It's all about the hidden agenda."
[ZDNet/Silicon.com 25 Aug 2003; NewsScan Daily, 26 August 2003]
http://zdnet.com.com/2100-1105_2-5067494.html

------------------------------

Date: Sat, 23 Aug 2003 08:00:26 +0100 (BST)
From: Robert de Bath
Subject: Re: Send PIF files in ZIP attachment to avoid virus detectors?

> How long until a virus sends itself in a ZIP file attachment [...]

Already done. I recently had a copy of 'W32/Mimail.A@mm' on the 15th in my Linux mailbox (viruses are normally filtered like other junk) and it's even worse than you think. The outer message was from the sysadmin of _my_ domain; there was a zip that contained an html file. The html file was a mis-labeled file containing a MIME content type at the start and a PE executable at the end, so IE would (presumably) run the executable ... Hmm, I need to check that my "html cleaner" will (at least!) break one of those files.

PIFs are some weird Windows hack, yes. As for file extensions, personally I _always_ do a websearch if I intend to use an unusual extension in a program on any OS. Just suppose you choose an extension that's also used by the "super dooper porn hunter" for your "work control system" :)

Robert de Bath

  [Also commented on by Steve VanDevender. PGN]

------------------------------

Date: Mon, 25 Aug 2003 09:48:32 +0200
From: "Peter B. Ladkin"
Subject: Re: Pilot fixes faulty jet (Wienstock, Risks 22.85)

This incident was reported on-line also by the BBC, citing The Times, at
http://news.bbc.co.uk/1/low/world/europe/3143237.stm
Thanks to Harold Thimbleby for pointing it out to me.

It is important to get things right, and these news reports, from what are supposedly the best of British journalism, fail to do so.

The Times apparently suggested a bug in the computer providing a false indication:

  The incident occurred on 8 Aug 2003 after a Boeing 757 run by British tour operator MyTravel was found to have a faulty onboard computer that insisted the aircraft was airborne when it was in fact parked on the tarmac. Covered in oil after resetting a sensor in the aircraft's nosewheel, the pilot [asked passengers......] [RISKS 22.85, PGN-ing The Times].

The BBC suggests a "faulty warning light":

  The tourists had waited ... while the pilot fixed a faulty warning light ... The light had indicated the plane was airborne when it was still on the ground. After repairing it, the plane's captain [asked the passengers] [A company spokesperson said] "He (the pilot) was confident that it was simply an indication error ......

In these brief reports there are three mutually incompatible hypotheses concerning the origin of the problem: a "faulty warning light", an ill-adjusted nosewheel sensor, and a "faulty onboard computer". The Times contradicts itself concerning the origin of the fault (citing two of the three above) and the BBC, supposedly reporting on The Times, contradicts both of The Times's hypotheses.

The BBC includes reader opinions on its news page. One may notice how ready people are to express opinions on the appropriateness of the captain's action, without having enough information to judge it. For the appropriateness of his/her gesture depends crucially on what was said, cf. the following two examples (for speech 2, I choose one of the three hypothesised causes and make some assumptions. This should not be taken to mean that I judge that this was the most likely interpretation of events. For I do not know).

1. "The airplane thinks it's in the air when it's on the ground. We think we've fixed what we guess the problem might be. We're going to risk it. Who wants to come with us?";

2. "We are getting a false air/ground indication. The consequences of that are that two of our three braking systems might not operate as intended on landing. The aircraft will stop safely on the runway with just wheel brakes; indeed the manufacturer had to prove that it would do so, and provide us with the performance figures, before we could fly anyone in the airplane. So the worst case outcome would be that we take a little longer to stop when we arrive at the destination. I have tried to find the source of the problem. I checked the nosewheel sensor, which determines whether the nosewheel is in full contact with the ground. It was clearly out of adjustment, and that alone would have caused the problem we have been seeing. I have adjusted the sensor so that it now operates correctly. After checking everything else that we can, I assume that that is the only problem. Theoretically there could be a second problem, but I think that is unlikely enough that I shall ignore it, while remaining alert to potential signs of it when we fly. I am content to fly this airplane. Remember that my health and safety is on the line every bit as much as yours and I have family too. I recommend you be content to fly in this airplane also. But I wish to give those of you who think differently from us a choice."

Peter B. Ladkin, University of Bielefeld, Germany  http://www.rvs.uni-bielefeld.de

------------------------------

Date: Thu, 21 Aug 2003 17:37:37 -0700 (PDT)
From: "John Oram"
Subject: Satellite photo of Eastern North America during blackout

The NOAA posted a few satellite photos of Northeastern North America before and after last week's blackout.

http://www.noaanews.noaa.gov/stories/s2015.htm
http://www.noaanews.noaa.gov/nightlights/blackout081403-20hrsbefore-text.jpg
http://www.noaanews.noaa.gov/nightlights/blackout081503-7hrsafter-text.jpg

The first photo seems a little supersaturated to me (and a little misaligned, making for a poor flip-back-and-forth...) but they clearly show great swaths of New York, Ontario, Ohio and Michigan in the dark. However, there is a surprising amount of light still on, especially in New York and Long Island, in line with the NYT article quoted by Andrew Greene in 22.87. Other major urban areas (Toronto, Detroit, Cleveland) seem much darker in comparison.
Maybe more cars and generators in NYC and thus more ambient light?

  [Clearly, some places were either better prepared or lucky (or both) than others. PGN]

------------------------------

Date: Sun, 24 Aug 2003 17:26:28 -0700 (PDT)
From: David Wagner
Subject: 2004 IEEE Symposium on Security and Privacy, Call for Papers

2004 IEEE Symposium on Security and Privacy
9-12 May 2004, The Claremont Resort, Oakland, California, USA

sponsored by IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with The International Association for Cryptologic Research (IACR)

Paper submissions due: 5 Nov 2003

For submission guidelines see http://www.cs.berkeley.edu/~daw/oakland04-cfp.html
For questions, please contact the program chairs: oakland-pcchairs04@zurich.ibm.com

Symposium Committee:
  General Chair: Lee Badger (DARPA)
  Vice Chair: Steve Tate (University of North Texas)
  Program Co-Chairs: David A. Wagner (University of California, Berkeley, USA)
                     Michael Waidner (IBM Zurich Research Lab, Switzerland)

------------------------------

Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
     subscribe [OR unsubscribe]
   which requires your ANSWERing confirmation to majordomo@CSL.sri.com. If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address "; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
     INFO     [for unabridged version of RISKS information]
   There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact .

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html
     ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES: http://www.sri.com/risks
   http://www.risks.org redirects you to Lindsay Marshall's Newcastle archive
     http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   http://the.wiretapped.net/security/info/textfiles/risks-digest/
   http://www.planetmirror.com/pub/risks/
   ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
     http://www.csl.sri.com/illustrative.html for browsing,
     http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.88
************************
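Appended editorial example, not part of the digest and not code from RISKS or any contributor. It puts into working form the policy Ladkin and Slade argue for above (worm mail is wholly synthetic and its From: is forged, so a gateway should discard it silently rather than bounce it to the forged sender) together with de Bath's observation that a ZIP member named .html can carry a PE executable. The detection heuristics (executable extension; "MZ" at offset 0 or a "PE\0\0" header anywhere in an attachment, recursing into ZIPs) and the three sample messages are assumptions constructed for the demo; they are not the signatures of Sobig, Mimail or any real worm.

```python
"""Gateway disposition for sender-spoofing mail worms: discard, never bounce.

Added example; not code from RISKS or any contributor.  The heuristics and
the sample messages below are constructed assumptions, not real signatures.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = (".pif", ".scr", ".exe", ".bat", ".com")
MAX_MEMBER_BYTES = 1_000_000  # do not inflate huge ZIP members (zip-bomb guard)


def looks_like_pe(data: bytes) -> bool:
    """Heuristic (assumption): a DOS 'MZ' stub at offset 0, or a 'PE\\0\\0'
    header anywhere, which also catches a file that is HTML at the start
    and an executable at the end."""
    return data[:2] == b"MZ" or b"PE\x00\x00" in data


def scan_blob(name: str, data: bytes) -> list[str]:
    """Reasons why attachment `name` looks executable; recurses into ZIPs."""
    reasons = []
    if name.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append(f"executable extension: {name}")
    if looks_like_pe(data):
        reasons.append(f"PE signature in: {name}")
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        reasons.append(f"oversized ZIP member: {inner}")
                    else:
                        reasons.extend(scan_blob(inner, zf.read(info)))
        except zipfile.BadZipFile:
            reasons.append(f"corrupt ZIP: {name}")
    return reasons


def scan_message(raw: bytes) -> list[str]:
    """Walk every MIME leaf that carries a filename and scan its decoded bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart" or not part.get_filename():
            continue
        reasons.extend(scan_blob(part.get_filename(), part.get_payload(decode=True) or b""))
    return reasons


def disposition(raw: bytes) -> tuple[str, list[str]]:
    """DELIVER clean mail; DISCARD worm mail with no delivery-status
    notification.  A BOUNCE to the From: address would only reach an
    innocent third party (the address is forged) and would hand them a
    fresh copy of the payload, so that option does not exist here."""
    reasons = scan_message(raw)
    return ("DISCARD" if reasons else "DELIVER", reasons)


def build_sample(attachment_name: str, payload: bytes,
                 from_addr: str = "sysadmin@example.org") -> bytes:
    """Construct a test message (constructed data, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = from_addr  # forged to look like the recipient's own domain
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Thank you!"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def make_zip(member_name: str, member_bytes: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


# A ".html" member that is really an executable: HTML-looking header first,
# PE header near the end.  Constructed stand-in bytes, not a real binary.
FAKE_HTML_PE = (b"Content-Type: text/html\r\n\r\n<html></html>"
                + b"\x00" * 16 + b"PE\x00\x00" + b"\x00" * 32)

if __name__ == "__main__":
    for label, raw in [
        ("zip-with-fake-html", build_sample("photos.zip", make_zip("readme.html", FAKE_HTML_PE))),
        ("pif-attachment", build_sample("details.pif", b"MZ" + b"\x90" * 64)),
        ("clean-text", build_sample("notes.txt", b"meeting at 10")),
    ]:
        print(label, disposition(raw))
```

The decision is deliberately binary: either the message is accepted for delivery or it is dropped. Refusing the message during the SMTP session (a 5xx reply) is the other acceptable choice, because then no notification is ever constructed by the receiving side; what the code refuses to offer is the accept-then-bounce path that the contributors above identify as the source of most of their traffic.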