precedence: bulk Subject: Risks Digest 20.78 RISKS-LIST: Risks-Forum Digest Sunday 6 February 2000 Volume 20 : Issue 78 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: CIA Director Deutch and MLS (Jeremy Epstein) CERT Advisory CA-2000-02 (CERT Advisory) NSA system inoperative for four days (PGN) Leak lets 64 get rich quick (David Shaw) EFIS failure main suspect in Crossair crash (Peter B. Ladkin) Terra spacecraft problems (Peter B. Ladkin) Patients will be able to wear their hearts on the Internet (NewsScan) Yahoo suit compares cookies to stalking (NewsScan) China to require encryption information (NewsScan) Study criticizes health sites for privacy intrusions (NewsScan) AT&T Business Internet Service DNS major outage 28 Jan 2000 (Randy Holcomb) More risks with MS Outlook (Jason Axley) Who is at risk with this virus advertisement? (Bob Heuman) Organisms do not adapt to their environment! (Bob Frankston) *Fatal Words* (Bob Frankston) abcnews.com manually updates copyright year (David Glicksberg) People For Internet Responsibility issues and status report (Lauren Weinstein) New Security Paradigms Workshop 2000: Call For Papers (Crispin Cowan) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 1 Feb 2000 09:40:14 -0500 (EST) From: Jeremy Epstein Subject: CIA Director Deutch and MLS An article in *The New York Times* 1 Feb 2000 details former CIA Director Deutch's use of unclassified Macintosh computers in his homes to store thousands of highly classified documents on the same computer he used to access AOL, Citibank's personal banking service, and other services. The investigation seems to have been delayed and perhaps limited as a result of Deutch's position. It's old hat that personal computers (be they Windows, Macintosh, or UNIX-based) are inherently unsuitable for Multi-Level Security (MLS). What we see here is that even though all the proper procedures were in place, the human element is sufficient to undermine all of the technical controls. As long as we have people, we'll have RISKS! Full article at http://www.nytimes.com/yr/mo/day/news/washpol/cia-impeach-deutch.html [Multilevel security may not seem to be an issue here *internally* because John Deutch had access to all of the information on his systems, considered as SYSTEM HIGH -- that is all logically at the highest level. However, surfing the (unclassified) Web is clearly a NO-NO from such a machine. RISKS readers are of course familiar with the risks of Web browsing. However, an added note in this case was the report that the visited sites included a porn site. Deutch apparently denied having accessed porn any sites, suggesting that it might have been done by one of his offspring? If that is indeed true, it would make the presence of highly classified information on a multiuser workstation even more untenable. (On one hand, even if such a PC claimed to be multilevel secure, that would be a VERY BAD misuse. On the other hand, RISKS readers know how one can be duped into visiting sites other than what was expected, as in clicking on whitehouse.com instead of whitehouse.gov, or in clicking on a Trojan-horsed URL.) PGN] ------------------------------ Date: Wed, 2 Feb 2000 12:23:25 -0500 (EST) From: CERT Advisory Subject: CERT Advisory CA-2000-02 CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests This advisory is being published jointly by the CERT Coordination Center, DoD-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND), the Federal Computer Incident Response Capability (FedCIRC), and the National Infrastructure Protection Center (NIPC). Original release date: February 2, 2000 [Subsequently revised. Please pick up the latest version at http://www.cert.org/advisories/CA-2000-02.html and see http://www.cert.org/tech_tips/malicious_code_FAQ.html as well as a later note on disabling Java http://www.cert.org/tech_tips/malicious_code_FAQ.html#java . PGN] Systems Affected * Web browsers * Web servers that dynamically generate pages based on unvalidated input Overview A web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user. [This is referred to as "cross-site scripting". Note that executables in the URL itself can have nasty effects. PGN] ------------------------------ Date: Sun, 30 Jan 2000 04:31:15 -0500 From: "Peter G. Neumann" Subject: NSA system inoperative for four days For almost the entire work week of 24 Jan 2000, failures of NSA computers caused an information blackout for intercepted messages. The failure was blamed by one report on a ``system overload'', by another report on a software problem. [Sources: NSA System Inoperative for Four Days, by Walter Pincus, *The Washington Post*, 30 Jan 2000, Page A2, http://www.washingtonpost.com/wp-dyn/articles/A49286-2000Jan29.html; Kinder, gentler NSA admits human frailties, Thomas C. Greene, http://www.theregister.co.uk/000131-000001.html] ------------------------------ Date: Fri, 4 Feb 2000 11:54:27 +1100 From: David Shaw Subject: Leak lets 64 get rich quick On Wednesday, February 2, 2000, the Reserve Bank of Australia (RBA) formally announced an increase in the official interest rates of 0.5%. The formal announcement was made at 09:30. However, in what turned out to be an embarrassing mistake for the RBA, 64 people were sent an e-mail at 09:24 (i.e., 6 minutes early) advising them of the rate increase. This was quite remarkable in itself, as the RBA has a near-legendary record of security. The information proved to be very valuable for two reasons. Not only was the information available early to a very small segment of the market, the size of the rate increase was unexpected. Virtually the entire market had been expecting/predicting an increase of just 0.25%. In the 6 minutes prior to 09:30, approximately AUD$3 billion worth of bill and bond futures were dumped on the market. The record of trades at the Sydney Futures Exchange demonstrates the selling frenzy. When interest rates last rose, on November 3, 1999, 336 three-year bond futures contracts and 324 90-day bank bill futures were traded between 09:25 and 09:30. The corresponding trades preceding yesterday's announcement were 2,739 and 2,811. To quote an unnamed trader: "Some people made a lot of money in those few minutes." Source: *Sydney Morning Herald* (www.smh.com.au). Thursday Feb 3, 2000. David Shaw, Alcatel Australia Limited david.shaw@alcatel.com.au ------------------------------ Date: Wed, 02 Feb 2000 11:07:21 +0100 From: "Peter B. Ladkin" Subject: EFIS failure main suspect in Crossair crash Flight data displays such as airspeed and attitude indicators as well as navigation displays on modern commercial aircraft are nowadays electronic, replacing mechanical displays that were common until 10-15 years ago. Mechanical displays are often used as backup, although there are electronic backup displays available on the market. Mechanical displays were/are not susceptible to total outage. Airspeed indicators are basically differential barometers, and mechanical attitude indicators are gyroscopes. According to Flight International's David Learmount (01-07.02.2000, p12), Electronic Flight Instrument System (EFIS) failure is the "main possibility" being looked at by the Swiss accident investigation people (BEAA) in the crash of the Crossair Saab 340B just after takeoff from Zuerich on 10 January. This was Crossair's first accident. I emphasise that the causes of the accident have not been established. It is hoped that the non-volatile memory on the EFIS displays can be recovered and read, to determine how what the pilots were seeing corresponds (or not!) with the flight profile recorded by the flight data recorder. (This is a benefit not provided by mechanical displays, although it would hardly make up for the susceptibility of EFIS to outages!) EFIS failures have been noted in particular in incidents involving a Virgin A340 and a Martinair B767 (see the compendium Computer-Related Incidents With Commercial Aircraft on my WWW site). A Formosa Airlines Saab 340B descended into the ocean on 18 March 1998, and it has been rumored that one EFIS display was known before the flight not to be functioning. Peter Ladkin, University of Bielefeld http://www.rvs.uni-bielefeld.de ------------------------------ Date: Wed, 12 Jan 2000 11:06:42 +0100 From: "Peter B. Ladkin" Subject: Terra spacecraft problems *Flight International*, 11-17 Jan 2000, p29, reports that NASA has fixed "computer and antenna faults" on the Terra spacecraft, launched 18 Dec 1999. Terra is part of the Earth Observing System. "The main computer shut down shortly after launch because of a bug in the navigation software, according to NASA." The failure occurred a minute before the winter solstice, while the sun's position in the nav software was being updated. On the other side of things, the antenna "was repaired by alterations to the software", at which one can only marvel. Maybe Uri Geller is now programming for a living. Or maybe they meant the problem was worked around. Peter Ladkin ladkin@rvs.uni-bielefeld.de www.rvs.uni-bielefeld.de ------------------------------ Date: Mon, 24 Jan 2000 09:25:03 -0700 From: "NewsScan" Subject: Patients will be able to wear their hearts on the Internet In a venture with Microsoft and IBM, Minneapolis-based medical device company Medtronic will invest more than $230 million to develop a system that will allow heart patients to send cardiac data to cardiologists via the Internet, from their homes or remote locations worldwide. The company's medtronic.com division will be the focal point of a new Patient Management Business. [http://www.sjmercury.com/svtech/news/breaking/merc/docs/082323.htm, Reuters in *San Jose Mercury News*, 24 Jan 2000, via NewsScan Daily, 24 Jan 2000] [And what about the reverse direction? Would you like to have YOUR heart interactively controllable by doctors and insurance companies and everyone else on the Internet? PGN] ------------------------------ Date: Mon, 31 Jan 2000 08:09:56 -0700 From: "NewsScan" Subject: Yahoo suit compares cookies to stalking A lawsuit filed by Dallas-based Universal Image Inc. accuses Yahoo! of violating Texas law when it collects "cookies" from Web site visitors. "We think the court will declare the use of cookies illegal in Texas," says Universal attorney Lawrence Friedman. "It is electronic stalking. It violates the eavesdropping statutes, and from a civil aspect it's an invasion of privacy." Friedman says he plans to file a class-action lawsuit against the company. Meanwhile, DoubleClick was sued last week by a California woman who claims the online ad company illegally collected and sold her personal and demographic data. [ZDNet/MSNBC 28 Jan 2000) http://www.msnbc.com/news/363455.asp; NewsScan Daily, 31 Jan 2000] ------------------------------ Date: Tue, 25 Jan 2000 08:18:19 -0700 From: "NewsScan" Subject: China to require encryption information [On 31 Jan 2000] China's government plans to institute a rule requiring foreign firms in China to disclose what type of software they use for encrypting their electronic messages. Eventually, the companies must divulge details about employees using the software, making it easier for authorities to monitor personal and commercial Internet use. The new rules also bar Chinese companies from buying products containing foreign-designed encryption software, a move that could stymie the growth of Internet use in that country. Diplomatic missions are exempted, but the regulations cover the routers and servers that make up the backbone of China's networks, most of which came from foreign companies. "If IBM or Hewlett-Packard wants to sell an e-commerce Web server to China, it might have to isolate which parts relate to security" and find a Chinese company to write the software, says the director of the U.S. Information Technology Office's Beijing branch. "I don't think Chinese companies have that ability." [*Wall Street Journal*, 25 Jan 2000 http://interactive.wsj.com/articles/SB948739893578536271.htm via NewsScan Daily, 25 Jan 2000] [According to later reports, very few are signing up. PGN] ------------------------------ Date: Wed, 02 Feb 2000 09:39:09 -0700 From: "NewsScan" Subject: Study criticizes health sites for privacy intrusions In a study conducted for the California HealthCare Foundation, the Georgetown University's Health Privacy Project has found that drkoop.com, webmd.com, ivillage.com, yahoo.com, onhealth.com, and other Web sites that provide information on health matters are cavalier about privacy practices: "The privacy policies of health Web sites do not match up with their own practices." Example: some companies share e-mail addresses and other visitor data even though their Web sites promised they would do no such thing. The companies are disputing the study findings. [Reuters/*San Jose Mercury News* 1 Feb 2000, http://www.sjmercury.com/svtech/news/breaking/internet/docs/160309l.htm; NewsScan Daily, 2 Feb 2000] ------------------------------ Date: Fri, 28 Jan 2000 23:24:58 -0600 From: "Randy Holcomb" Subject: AT&T Business Internet Service DNS major outage 28 Jan 2000 At 1400 EDT AT&T Business Internet Services (formerly IBM Global Network Internet Services) lost both primary and backup Domain Name Servers; resulting in the inability of AT&T Business Internet Customers to use the service. The DNS's were back online a few minutes short of 2300 EDT. ------------------------------ Date: Tue, 1 Feb 2000 10:05:34 -0800 (PST) From: Jason Axley Subject: More risks with MS Outlook The recent threads about information hiding in MS Outlook are quite timely as I've just recently discovered an interesting information hiding "feature" of MS Outlook. I received an e-mail from an MS Outlook user that was transmitted to me via SMTP. The e-mail was in MIME multipart/alternative format and, as such, had two attachments: a plain text version of the e-mail content and another attachment with the exact same message in HTML format. Outlook has settings that let users control which format they sent Internet users e-mail in and this user has Outlook configured to send both versions (I believe that this is the default setting when sending to non-Exchange addresses). I replied to this individual using Pine but then this individual responded saying that my message was received, but that there wasn't any additional text in it. I thought this strange as I can see in my sent-mail that I did reply with additional text. So, I sent the message again and again was told that there wasn't any text in the message. It turns out that what was happening was that I had modified the plain text version of the multipart/alternative MIME message (which is the one that Pine opens as the actual message), but that when Pine sent the reply, it included the HTML "alternative" version as an attachment as well (although this was an alternative for the *original* message) Outlook then ignores the modified plain text version because it thinks that the attached HTML version is the same message, just in HTML. So, the recipient was seeing the original HTML message that I hadn't modified and was not able to see the plan text version. Outlook doesn't even list the plaintext version as an attachment so Outlook users cannot access the information there even if they wanted to! Ironically, the text that Exchange or Outlook puts in the message header for non-MIME-compliant MUAs says "This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible." Jason AT&T Wireless Services, IT Security UNIX Security Operations Specialist ------------------------------ Date: Sat, 29 Jan 2000 21:03:52 -0500 From: "R.S. \(Bob\) Heuman" Subject: Who is at risk with this virus advertisement? The following is a message I received via my subscription to this security jobs list. I have to wonder - if anyone answers it, what will happen... Will they get the job, or will they be investigated by the FBI, NSA, etc. I know that I would NOT answer it. Of course, I also have to wonder who the US Military will be targetting should they hire someone with the attributes desired. [Assuming they even can trust that individual...] What next? What is the risk to the rest of us? Does anyone really think a security jobs listserve has only US subscribers? R.S. (Bob) Heuman, Toronto, ON, Canada > FROM: Drissel, James W. > DATE: January 27, 2000 16:18 > TO: SECURITYJOBS@SECURITYFOCUS.COM > Subject: Virus coder wanted > Computer Sciences Corporation in San Antonio, TX is looking for a good > virus coder. Applicants must be willing to work at Kelly AFB in San > Antonio. Other exploit experience is helpful. > Send Resumes/questions to james.drissel@cmet.af.mil [Although RISKS generally avoids running job ads, and especially Advirusements, this one has some interesting RISKS-Related Ramifications. R-R&R? PGN] ------------------------------ Date: Mon, 31 Jan 2000 12:41:37 -0500 From: "Bob Frankston" Subject: Organisms do not adapt to their environment! (Was: Lessons of Y2K, Toby Gottfried, RISKS-20.77) This is backwards? ORGANISMS DO NOT ADAPT TO THEIR ENVIRONMENT. That is a fallacy called adaptionism!!! Evolution works by not anticipating the need for solutions but having enough disparate solutions so that, given a problem, it's likely that there will be a solution that works. This resiliency is the real reason that Y2K was a nonissue. Systems as brittle as the ones posited by the Y2K theorists don't work in practice and have largely been eliminated from the ecosystem. New brittleness will be discovered and some will be replaced by small scale alternatives and other failures may be larger scale. The big danger is the hubris associated with the notion that we must have a vision to avoid pitfalls. Of course we shouldn't be stupid and should anticipate obvious problems. But it is far more important to assume that we will continue to surprised and need to have enough "fat" available to survive problems. It's also foolish to posit that we must model safety on static systems and limit our possibilities to what we can do unaided and unenhanced. If we eschew mechanical aids, why should we be more tolerant of cognitive aids such as logic, reason and testing which often confound common sense and faith. In nature (to personify emergent behavior) systems only function in riskful dynamic states. The static state for an organism or other ecosystem is called death. The conversion of necessities into luxuries is most natural. Skin, for example, is no longer an option. Nature can't be fooled but we can do a fine job in deluding ourselves. ------------------------------ Date: Sun, 6 Feb 2000 01:54:47 -0500 From: "Bob Frankston" Subject: *Fatal Words* In an essay I'm writing, I was reminded of the book *Fatal Words* by Steven Cushing [ISBN 0-226-13201-3]. It's about misunderstandings between pilots and instructions from the ground and other consequences of the World War II communications and avionics still in use. A great example of what happens when certification and irrational fear of risk prevent improvements in technology and safety. Bob Frankston http://www.Frankston.com ------------------------------ Date: Wed, 2 Feb 2000 21:01:17 -0800 (PST) From: David Glicksberg Subject: abcnews.com manually updates copyright year Articles written during the first week or so of 2000 on abcnews.com have a misdated notice at the bottom of the page: "Copyright (C)1999 ABC News Internet Ventures." However, the dateline (which shows the place, month, and day, but usually omits the year) and the URL (which has an embedded date of the form YYMMDD) together clearly mark the article's date. One can still view articles exhibiting this glitch, for example: http://www.abcnews.go.com/sections/science/DailyNews/clone_cells000105.html I notified abcnews.com Tech Support on January 6, and within several days, all new articles had the correct copyright year. This leads me to believe that abcnews.com may use a hardcoded copyright year, which someone forgot to update in a timely fashion. I wonder how many programs and systems out there require manual year rollover ... in this case, the slipup was of little consequence. Dave Glicksberg -- glicksbergd@acm.org ------------------------------ Date: Sat, 5 Feb 2000 21:15 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: People For Internet Responsibility issues and status report Greetings. The current version of the PFIR (People For Internet Responsibility) "Issues" document, and a status report regarding PFIR activities, are now available via the PFIR Web site at: http://www.pfir.org The issues document covers a wide range of important Internet and Web topics. It is (and will continue to be) a work in progress, and while quite comprehensive is undergoing rapid expansion. Many of the topics relate to privacy issues, technology risks, and other matters that should be of interest to current and potential Internet users. Your input and comments regarding both of these documents would be very much appreciated via the e-mail addresses indicated within the docs themselves. Thanks very much. --Lauren-- lauren@vortex.com Lauren Weinstein Moderator, PRIVACY Forum - http://www.vortex.com Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org Member, ACM Committee on Computers and Public Policy ------------------------------ Date: Sat, 29 Jan 2000 03:34:42 +0000 From: Crispin Cowan Subject: New Security Paradigms Workshop 2000: Call For Papers Call For Papers New Security Paradigms Workshop 2000 An ACM/SIGSAC sponsored workshop 19 - 21 September 2000 Ballycotton, County Cork, Ireland http://www.nspw.org/ [This is a very small but remarkably insightful workshop, in its 8th year. Registration is limited by acceptance of submitted papers and justifications for why you should attend. If you wish to participate, FIRST contact both Program Chairs -- Cristina Serban (cserban@att.com) and Brenda Timmerman (btimmer@ecs.csun.edu) soon. Final submissions are due toward the end of March. Some further information will be emerging at http://www.nspw.org/ . PGN] ------------------------------ Date: 13 Dec 1999 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Also, new AUSTRALIAN archives at http://mirror.aarnet.edu.au/risks/ and http://the.wiretapped.net/security/textfiles/risks-digest/ . PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.78 ************************