precedence: bulk Subject: Risks Digest 22.91 RISKS-LIST: Risks-Forum Digest Thurs 18 September 2003 Volume 22 : Issue 91 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://www.risks.org as http://catless.ncl.ac.uk/Risks/22.91.html The current issue can be found at http://www.csl.sri.com/users/risko/risks.txt Contents: VeriSign's Site Finder profits from typos (NewsScan) VeriSign change to .com/.net behavior (Matt Larson via Monty Solomon) VeriSign DNS change broke my HP printer (John Leyden via Lindsay Marshall) London blackout caused by incorrect relay fitting (Phil Thornley) Lockheed Martin accident with satellite (Gerrit Muller, Craig S. Bell) E-Voting Audit Ready for Public (Kim Zetter via Monty Solomon) Instant message: you're under arrest (NewsScan) Yahoo requests ATM card pin nos.!! (Chris J. Brady) Utterly amazing spam/scam? (Drew Dean) How to Steal $65 Billion: Why Identity Theft is a Growth Industry (Robert X. Cringely via Dave Farber) Dave Barry column results in denials of service to telemarketers (Max) Cehck tihs out! (Jim Schindler) Call for papers: IWIA 2004 (Stephen D.B. Wolthusen) REVIEW: "Desktop Witness", Michael A. Caloyannides (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 16 Sep 2003 09:22:06 -0700 From: "NewsScan" Subject: VeriSign's Site Finder profits from typos Internet registrar VeriSign has launched a new service, Site Finder, that offers users who mistype a URL a list of alternative Web sites that they might be trying to reach. Several ISPs do the same thing -- most notably AOL and MSN -- but critics say that because VeriSign controls the directory computers for ".com" and ".net" names, they could easily reroute all queries to Site Finder. "We put so much of our research into developing this AOL search result page," says an AOL spokesman. "We are reviewing our potential options. We are strongly opposed to them interjecting themselves into our members' search experience." Site Finder's suggestions include both standard search results and pay-for-placement advertisements, which are identified as such. But while VeriSign VP Ben Turner says the new service is designed to "improve overall usability of the Internet," Danny Sullivan, editor of Search Engine Watch, warns that Site Finder's capabilities could also be abused -- by directing users only to pay-for-placement sites, for instance. Meanwhile, the new service provides a much-needed new revenue stream for the Internet registrar. "Right now, VeriSign's business is not a growing business, and anything that they do to add the slightest amount of growth is going to be positive," says an analyst with U.S. Bancorp Piper Jaffray. [AP 15 Sep 2003; NewsScan Daily, 16 September 2003] http://apnews.excite.com/article/20030915/D7TJ2U5O0.html [This move by VS has caused huge reactions within the Internet community. We include just a few items here from among what is available on the Net, as a sample. The list of reasons why this is a very foolish move by VS is enormous. Apparently, the folks who really should have known that this was going to happen did not, and were blindsided. DNS disablers are being developed to circumvent the VS strategy, but the net results are ugly. See the People For Internet Responsibility (PFIR) statement by Lauren Weinstein, PGN, and Dave Farber: http://www.pfir.org/statements/vs-domain-abuse PGN] ------------------------------ Date: Mon Sep 15 19:32:04 2003 From: Matt Larson (via Monty Solomon) Subject: VeriSign change to .com/.net behavior [http://www.merit.edu/mail.archives/nanog/msg13603.html] Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here: http://www.verisign.com/resources/gd/sitefinder/implementation.pdf By way of background, over the course of last year, VeriSign has been engaged in various aspects of Web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here: http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf Matt Larson VeriSign Naming and Directory Services ------------------------------ Date: Wed, 17 Sep 2003 12:48:37 +0100 From: "Lindsay Marshall" Subject: VeriSign DNS change broke my HP printer (John Leyden) http://www.theregister.co.uk/content/6/32872.html VeriSign DNS change broke my HP printer, By John Leyden, *The Register*, 17 Sep 2003 LettersReg readers have plenty of say about VeriSign's controversial move to direct surfers who get lost on the Web to a search site run by the company. Our coverage provoked a large number of letters, almost all hostile, about Versign's audacious typo-squatting land grab: "All your Web typos belong to us" Martin Ward is the first to fire brickbats at the company, which Reg readers have rechristened as "VeriSlime". VeriSign are essentially "squatting" on every unregistered domain name, and using them for profit. How many trademarked names does that include? What are the fines for squatting on just *one* trademark for commercial exploitation? Roger Thomas worries about the implications if other DNS providers adopt VeriSign's tactics. That's a worrying article, and just thinking about the issues raised I can see the following: 1) If it's good enough for VeriSign to mess about with the root servers I can see other DNS providers doing the same, by redirecting users to their own systems. 2) This will poison DNS servers across the world as they will end up caching the SOA records created by VeriSign for these 'dynamic' DNS entries. While the time to live on these records is short, real entries will be dropped as the junk entries are added to the database. There is now a new DNS attack were nodes on the Internet create vast numbers of random DNS look up requests so clearing the DNS caches of all the DNS servers they access. [...] ------------------------------ Date: Thu, 11 Sep 2003 11:00:28 +0000 From: Phil Thornley Subject: London blackout caused by incorrect relay fitting Britain's biggest blackout for 25 years, which plunged large parts of London into darkness, was the result of a one-amp fuse being fitted in place of a five-amp fuse at a substation. *The Guardian*, 11 Sep 2003: http://www.guardian.co.uk/transport/Story/0,2763,1039722,00.html The full report is available at: http://image.guardian.co.uk/sys-files/Guardian/documents/2003/09/10/ London28082003.pdf [An off-er they could not re-fuse! PGN] ------------------------------ Date: Thu, 11 Sep 2003 08:35:56 +0200 From: Gerrit Muller Subject: Lockheed Martin accident with satellite Goddard Space Flight Center: Earth Science Missions Anomaly Report: GOES/POES Program/POES Project: 6 Sep 2003 http://www.spaceref.com/news/viewsr.html?pid=10299 As the NOAA-N Prime spacecraft was being repositioned from vertical to horizontal on the "turn over cart" at approximately 7:15 PDT on 6 Sep 2003, it slipped off the fixture, causing severe damage. The 18' long spacecraft was about 3' off the ground when it fell. The mishap was caused because 24 bolts were missing from a fixture in the "turn over cart". Two errors occurred. First, technicians from another satellite program that uses the same type of "turn over cart" removed the 24 bolts from the NOAA cart on September 4 without proper documentation. Second, the NOAA team working today failed to follow the procedure to verify the configuration of the NOAA "turn over cart" since they had used it a few days earlier. IMPACT ON PROGRAM/PROJECT AND SCHEDULE: The shock and vibration of the fall undoubtedly caused tremendous damage. Significant rework and retest will be required. NOAA-N Prime is planned for launch in 2008. CORRECTIVE ACTION: Lockheed Martin formed an Accident Review Team in which GSFC is participating. The immediate actions concern safety (preventing the spacecraft from rolling, discharging the batteries, and depressurizing the propulsion system). NOAA-N Prime is under guard, all records have been impounded, and the personnel interviewed. After the safety issues are addressed, attention will focus on assessing the damage to NOAA-N Prime. ------------------------------ Date: Wed, 17 Sep 2003 02:40:22 GMT From: "Craig S. Bell" Subject: Lockheed Martin accident with satellite So, Lockheed Martin dropped my satellite! [I say "my" because I reckon that my U.S. tax dollars are paying for NOAA equipment.] Under-construction satellite drops to floor in mishap: http://www.sfgate.com/cgi-bin/article.cgi ?file=/news/archive/2003/09/09/state1637EDT0153.DTL Risks: Never move anything worth $239M (regardless of it's technological complexity, or overall robustness) without first making sure that you can do so without utterly dropping it! I imagine that it would be relatively easy to check for the presence or absence of a few load-bearing bolts beforehand. Also, because the poor thing was energized, they can't even go examine it to see how bad the damage is. It may be a number of days before we truly know the effects of dribbling satellites. Somebody is going to get a bad performance review this year. There is a purportedly exclusive photograph on Effed Company (most of you know the site I mean). I would include the link; but, I know that this would merely be filter-bait. =-) The photo can be easily found on the front page. Just how many companies are there building satellites these days? Could a relative lack of competition have anything to do with it; or, is the market healthy? This can't be good for business (even if the customer just awarded you some extra rocket launches that were surrendered by your misbehaving competitor). ------------------------------ Date: Thu, 18 Sep 2003 11:54:08 -0400 From: "monty solomon" Subject: E-Voting Audit Ready for Public By Kim Zetter, Wired.com, 18 Sep 2003 A security audit ordered by Maryland Gov. Robert Ehrlich on Diebold Election Systems' touch-screen voting machines is complete, and a version of it is ready for public consumption. Shareese DeLeaver of the governor's office said the 200-page report has been shown to Diebold officials and is now being reviewed by the state's Department of Budget and Management and the State Board of Elections. The report was commissioned by the governor after researchers at Johns Hopkins University and Rice University discovered serious security flaws (PDF) in code for the AccuVote-TS voting terminals. A redacted version of the report, with information useful to malicious crackers taken out, will be available on the state's Web site Friday or early next week. The severity of Hurricane Isabel and the amount of energy the governor's office must devote to recovery from the storm will determine the timing of the report's posting. Last month Gov. Ehrlich charged Science Applications International, or SAIC, in San Diego with conducting the audit before the state would proceed with a $55.6 million purchase and servicing contract for Diebold's electronic voting machines. Ehrlich said it was imperative the government ensure the integrity of the election process by conducting "a thorough, fully independent review of the Diebold system." Diebold has maintained that its system has no security vulnerabilities. ... http://www.wired.com/news/technology/0,1282,60486,00.html ------------------------------ Date: Thu, 18 Sep 2003 09:00:30 -0700 From: "NewsScan" Subject: Instant message: you're under arrest The investigation of a Wall Street trading scandal (in which a former Bank of America broker has been charged with grand larceny and securities fraud) is the first case that has used a chain of evidence derived from the instant messaging records of licensed brokers and dealers. Instant messaging (IM) systems are now widely used on Wall Street and to a large extent have replaced traditional e-mail. One attorney who consults on electronic communications said a New York Stock Exchange executive's question about instant messaging was: "Wait a minute, is that what my 13-year-old daughter uses at home?" The answer: "I said yes -- and your traders." [*USA Today*, 18 Sep 2003; NewsScan Daily, 18 Sep 2003] http://www.usatoday.com/tech/techinvestor/techcorporatenews/ 2003-09-18-ims_x.htm ------------------------------ Date: Wed, 17 Sep 2003 13:06:41 +0100 From: chris.j.brady@britishairways.com Subject: Yahoo requests ATM card pin nos.!! There's a scam e-mail going round purporting to come from Yahoo. It is a bulk e-mail stating that anyone with a Premium Account (that is one where you pay by credit card for extra e-mail storage) needs to update their account details or else the account will be closed. The e-mail links to the following page: http://yahoo-wallet.com/ When you click on the link you get a form requesting your: Yahoo E-mail address, Password, First Name, Last Name, ZIP code, Debit or Credit Card no,. Expiration Date AND - Debit / ATM Pin. no. <==== NOTE THIS !! The form has the Yahoo logo and appears innocuous, but .... why do they want passwords and pin nos.? The risks are obvious - but this e-mail is either the most stupidest yet and if it comes from Yahoo then they have learned nothing about such scams in the years that they have they been in the Internet business. And if it is a scam then it is the most blatant fraud on the Internet yet. Of course e-mail to abuse@yahoo.com remain ignored. ------------------------------ Date: Thu, 11 Sep 2003 17:03:37 -0700 (PDT) From: Drew Dean Subject: Utterly amazing spam/scam? I've recently received 2 spams from the same people. In one message, they offer: (1) heroin, (2) "Tomohawk" [sic] rockets, (3) cocaine, (4) (sex) slaves, (5) counterfeit currency, and (6) child pornography, among other commodities. Their "special offers" are rather beyond belief, too. The mail itself appears to have been sent from Japan, based on Received: headers added by SRI's mailservers. (Or they're perfect forgeries, which is extremely unlikely for reasons I won't go into here.) The URL in the message goes to a Web site for which the whois database gives contact info in Thailand, but the server itself physically appears to be in Florida (at least according to traceroute). (Why I am not surprised that these people are downstream from Global Crossing?) Tracking down contact e-mail info takes a detour via Latin America, but would seem to eventually end up in Missouri, although with Arizona contact information. There's a US toll-free number to call the spam-list manager, and a mailing address in Florida. Now, I can't imagine anyone actually responding to this: (1) it could be a sting operation, although that's kind of hard to imagine. "Your Honor, I didn't really expect a missile, but I wanted to see what they'd send me instead...." (2) As you'd be committing a felony, you can't go to law enforcement if the deal goes wrong, hence the prevalence of violent crime among criminals. However, this requires that you be able to find the other party.... It's also worth noting that the price of illegal narcotics depends greatly on where you are in the world: smugglers demand risk pay. It's not at all clear where these people are offering delivery. Meta-RISK: How many e-mail filters will this message trip? Drew Dean, Computer Science Laboratory, SRI International ------------------------------ Date: Sat, 13 Sep 2003 08:51:35 -0400 From: Dave Farber Subject: How to Steal $65 Billion: Why Identity Theft is a Growth Industry [excerpt from an article by Robert X. Cringely, PGN] Recently my mail was stolen. It wasn't supposed to be stolen, which is a given, but it also wasn't supposed to be able to be stolen because I was out of town for two weeks and had the Post Office hold my mail. Only it turns out that in Santa Rosa, California at least, holding mail means different things to different mail carriers. Someone -- a substitute carrier I'm told -- saw that big old pile of mail down at the post office (the pile with the big "vacation hold" sign above it) and thought what the heck I'll just deliver that mail anyway. And so they did. That big old pile of mail sat in my big old mail box on my little old country road under a walnut tree and across from a pond and sometime in the next few days it was stolen. The only reason I know any of this is because a neighbor eventually found some of my mail and some of a lot of other people's mail strewn along the road like errant unmarked bills after a bank heist. Here is something you probably didn't know. If you have the Post Office hold your mail and they do something stupid like NOT hold it for some reason, as happened to me, you have no recourse. [...] ------------------------------ Date: Thu, 11 Sep 2003 12:51:03 -0700 From: Max Subject: Dave Barry column results in denials of service to telemarketers Dave Barry column gives telemarketers headaches, 11 Sep 2003 http://www.thekcrachannel.com/news/2474750/detail.html Now it's the telemarketers who are refusing to answer their phones, thanks to a weekend column by *Miami Herald* columnist Dave Barry. The American Teleservices Association was targeted by Barry in his 31 Aug 2003 column. Barry urged readers to call the ATA and "tell them what you think" about telemarketers. Thousands have done so, forcing the association to stop answering its phones. Callers now hear a recording, which says that because of "overwhelming positive response to recent media events, we are unable to take your call at this time." ATA director Tim Searcy said the added calls will be costly to his group because of toll charges and staffing issues. Barry's only response is to sarcastically say he feels "just terrible, especially if they were eating or anything." [American Teleservices Association: (877) 779-3974] ------------------------------ Date: Wed, 17 Sep 2003 10:44:28 -0700 From: Jim Schindler Subject: Cehck tihs out! Cehck tihs out. Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a total mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Amzanig huh? [This has been circulating around the Net. I'm not sure wehre it orginitaed. Apogolies to nonEgnilsh sepakres. PGN] ------------------------------ Date: Tue, 16 Sep 2003 19:57:03 +0200 From: wolt@igd.fhg.de (Stephen D.B. Wolthusen) Subject: Call for papers: IWIA 2004 Call for Papers, Second IEEE International Information Assurance Workshop 8-9 April 2004 -- University of North Carolina at Charlotte, NC, USA Sponsored by the IEEE Computer Society Task Force on Information Assurance in cooperation with the ACM Special Interest Group on Security, Audit, and Control Full paper submissions due: October 10th, 2003 Full CfP as well as PostScript and PDF versions of the call: http://www.iwia.org/2004/ Accepted papers will be published by IEEE Press in a proceedings volume. Program Chair, Stephen D. Wolthusen, Fraunhofer-IGD, Fraunhoferstr. 5, 64283 Darmstadt GERMANY Tel +49 (0) 6151 155 539 | Fax: +49 (0) 6151 155 499 ------------------------------ Date: Tue, 9 Sep 2003 12:27:44 -0800 From: Rob Slade Subject: REVIEW: "Desktop Witness", Michael A. Caloyannides BKDSKWTN.RVW 20030819 "Desktop Witness", Michael A. Caloyannides, 2002, 0-471-48657-4 %A Michael A. Caloyannides %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2002 %G 0-471-48657-4 %I John Wiley & Sons, Inc. %O 416-236-4433 fax: 416-236-4448 %P 366 p. %T "Desktop Witness: The Do's and Don'ts of Personal Computer Security" The title and the subtitle of this book are somewhat at odds. Is this text about the evidence that can be extracted from desktop machines? Or is it about protecting yourself and your personal computer or information? Caloyannides would seem to be making the point that the answer is both: that there is an overwhelming need to ensure that your computer isn't finking on you, and that you must make every effort to ensure that the government cannot obtain the information on your desktop. While he is clearly on the personal side of the privacy versus national security debate, even those who agree with him may find the arguments shrill and extreme. The subtitle of chapter one; indicating that the material is the author's opinion; should warn the reader that the discussion is editorial rather than closely reasoned. Caloyannides may, however, have hurt his own case by taking an anarchistic and almost paranoid position in stating the need for privacy against government encroachment. He does make a number of valid points, but misses other grounds that might have been convincing to a much wider audience, such as the point that the responsibility of protecting your own information is recognized in such legal areas as the difference between patent and trade secret. (A patent offers control over a device for a limited time as long as the technology is disclosed, whereas a trade secret offers protection for unlimited time as long as reasonable efforts are made to protect the information from disclosure.) The major point of chapter two appears to be that the use of encryption could, in and of itself, land you in trouble, and you should prepare to either hide the fact that encryption is taking place, or have a diversionary explanation ready for the authorities. (The recommended use of one-time-pad technology and variant keys is technically interesting, but is unlikely to survive beyond a first use. Ironically, it seems to support a point that the author made earlier: "clever" tricks that rely on obscurity provide very poor protection.) The types of information that might be available from your computer, or Internet connection, are discussed in chapter three. The material ranges over a number of topics and has a difficult structure: some points are raised more than once and there are a number of related issues that are not mentioned at all. Means of recovering some of the data, and of getting rid of it, are reported, but not consistently. Chapter four lists a vast array of protective measures. Most are very useful. Depending upon your situation, many will be considered overkill. Some are questionable: Caloyannides makes a blanket recommendation to install all operating system patches, but notes that doing so for some versions of Windows requires you to give away a lot of information. He does not, though, detail the times that official patches have made the situation worse rather than better, nor the complexity of some patches: by mid-2002 one expert noted that an effective installation of the Windows NT operating system required twenty nine steps, including no less then three separate installations of the latest service pack at different points. Oddly, while this section is supposed to review measures for computers not connected to networks, some of the points relate to activities on the Internet. Protection for connected machines is discussed in chapter five, with a heavy emphasis on the usage of the PGP encryption system. There is also an interesting insistence that steganography *is* an effective means of hiding communications: while Caloyannides points out a number of pitfalls in the use of the technology he does not mention detection measures, such as the ease of determining excessive entropy in the low-order bits of graphic images used to hide files. Secure telephony is discussed in chapter six. The legal issues reviewed in chapter seven are mostly related to recent legislation providing for additional search authority. The author does include material and actions from outside the United States. The editorial finish in chapter eight warns against a society where everything must be homogenized in order to be safe. In many places the book suffers from very poor copy editing. There are a great many instances of improper punctuation, sentence fragments, and words or phrases dropped into apparently unrelated text. Generally speaking one can discern the meaning, but deciphering the organization and intention of a section can be difficult. (Given the thrust of the book, is the author embedding hidden messages?) While there are issues of general security in the book, it is, first and last, about privacy, and primarily personal privacy. The material could have been structured more usefully, and written less stridently, but a great deal of helpful content is included. Those interested in privacy will find it interesting, and computer forensic specialists may also find it to be a handy reference. copyright Robert M. Slade, 2002 BKDSKWTN.RVW 20030819 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: 30 May 2003 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact . => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES: http://www.sri.com/risks http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.91 ************************