precedence: bulk
Subject: Risks Digest 21.17

RISKS-LIST: Risks-Forum Digest  Tuesday 26 December 2000  Volume 21 : Issue 17

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Martin Minow (PGN)
Australian Ansett B767 fleet grounded due to maintenance breaches (Mike Martin)
Interference forces RAF to abandon ILS (David Kennedy)
Risks of automatic firmware upgrades (Marc Roessler)
IBM and Intel push copy protection into ordinary disk drives (John Gilmore)
CERT's ActiveX security report (Richard M. Smith)
Privacy/quality risks in Quicken Online Billing (Clay Jackson)
Credit report lists ex-spouse's address (Beth Roberts)
Wanna know my salary? (John C Haselsberger)
Re: Spam as a denial of service attack? (Steve Wildstrom)
Armageddon scenario near-miss (Scott Rainey)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 26 Dec 2000 15:18:39 PST
From: "Peter G. Neumann"
Subject: Martin Minow

It is with deep sadness that we note here the sudden passing of Martin Minow last Thursday. He was a long-standing, noble, insightful contributor to RISKS, dating back to Volume 1, number 33, on 1 Jan 1986. A quick search shows that he had 172 messages in RISKS over the past 15 years, including translations of some otherwise inaccessible news items that appeared in Swedish sources. He was a delightful person, and will be sorely missed by many of us. Thanks to all of you who forwarded the e-mail message from his brother, Robtminow@aol.com.
Greg Marriott added URLs for Martin's Web pages:
  http://www.vmeng.com/minow/
  http://homepage.mac.com/k6mam/
  http://www.ag.ohio-state.edu/~natres/faculty/homepage.html

PGN

------------------------------

Date: Sun, 24 Dec 2000 08:52:40 +1100
From: "mike martin"
Subject: Australian Ansett B767 fleet grounded due to maintenance breaches

On 23 Dec 2000, Ansett Airlines, Australia's second national airline, grounded six of its fleet of seven B767-200 aircraft (its largest domestic aircraft) when "it realised that important maintenance inspections had not been carried out". (The seventh aircraft was already out of service for maintenance.) See
  http://www.abc.net.au/news/2000/12/item20001224050838_1.htm
and
  http://www.smh.com.au/news/0012/24/national/national1.html.

This, at perhaps the busiest travel weekend of the year, and when Ansett has been steadily losing market share to Qantas. Oddly enough, while this inconvenienced thousands of passengers, it was reported that only 18 flights were cancelled (what do these aircraft do all day then?).

It appears that a mandatory 25,000-cycle maintenance check was completely overlooked, but the good news (if true) is that an Ansett spokesperson was reported by the Australian ABC network as saying that "the decision to take the aircraft out of service was entirely [Ansett's] own". So, if there were risks introduced by cost cutting or other measures by management of Ansett, owners Air New Zealand, or part shareholder Singapore Airlines, the system corrected itself. Albeit, likely with huge commercial pain. One Ansett customer was quoted by the *Sun Herald* Sunday newspaper as saying, "I haven't flown Ansett for 20 years and it's only now that I remember why."
  http://www.smh.com.au/news/0012/24/national/national2.html

While there is no reason to consider that Australian airline travel is more risky than it used to be, the landing of a Qantas B747 in a Bangkok golf course last year
  http://www.theage.com.au/news/20000430/A31680-2000Apr29.html
was the first of a number of breakdowns of types we have not heard about before. Earlier this year, the new Sydney Airport control tower was blacked out by electrical supply failures twice within a few days. The result was short-term chaos. Last week the control tower was evacuated due to smoke from burning computer equipment. However, backup procedures cut in quickly and the old control tower took over.

Conclusion? Positive... I think. It seems that maybe organisations are becoming more transparent about risks, and improving measures to deal with them. While passengers inconvenienced by the Ansett grounding might have a different view, it was, from the information publicly available, a brave decision. Even so, the threads at www.pprune.org abound with contrary suspicions. Neither the regulator, Civil Aviation Safety Authority Australia, nor the Australian Transport Safety Board has yet posted any comment on the event on their web sites. We shall see.

Mike Martin, Sydney  mike_martin@altavista.net

------------------------------

Date: Tue, 26 Dec 2000 13:50:33 -0500
From: David Kennedy CISSP
Subject: Interference forces RAF to abandon ILS

RAF to abandon faulty landing system, by Mark Henderson, science correspondent
excerpted from http://www.thetimes.co.uk/article/0,,2-58265,00.html

ROYAL AIR FORCE pilots will stop using a bad-weather navigation system from January 1 because new commercial radio frequencies have made it unreliable, the Ministry of Defence said yesterday. Pilots of military planes and helicopters fitted with the Instrument Landing System (ILS) will not be allowed to use it to land in poor weather in the new year.
Instead they will have to ask air traffic controllers to talk down their flights.

  o Commercial FM growth cited as cause.
  o Commercial ILS on different frequencies has not been affected.
  o Affected aircraft are Nimrod reconnaissance and search and rescue helicopters. RAF transport a/c have already been upgraded and tactical aircraft do not use ILS.

"There is no operational impact whatsoever," a Ministry of Defence spokeswoman said. "It is a worldwide problem which affects all countries."

"New landing assistance systems use more reliable technology, such as global positioning satellites, which are not affected by radio frequencies. ILS can also be disrupted by signals from mobile telephones."

Dave Kennedy CISSP, Director of Research Services, TruSecure Corp.  http://www.trusecure.com

------------------------------

Date: Fri, 22 Dec 2000 18:11:30 +0100
From: Marc Roessler
Subject: Risks of automatic firmware upgrades

In 1992 (RISKS-14.06), David Honig reported that a "certain very-popular-workstation-tape-storage-device will reload its firmware upon finding a firmware-reconfiguration tape within its maw upon power-cycling."

Funny how history keeps repeating.. seems the same technique is now used for upgrading the firmware of Dolby Digital sound processors. Those are used in movie theaters for processing the stream of digital data which is read optically from the 35mm film. Citing http://www.dolby.com/cinema/cp500bro.html:

  [..] Moreover, updates to the audio coding used for Dolby Digital soundtracks, which are included from time to time right on Dolby Digital release prints, download automatically into the CP500 the first time such a print is played in the cinema. [..]
In a German discussion forum dedicated to the projection of cinema movies (http://www.filmvorfuehrer.de/forum/) on 9 Nov 2000, the following was posted by Stefan Mueller (translated from German):

  The trailer of "Billy Elliott" has got some nasty bug: If the trailer is being cut right behind start mark three, the CP500 will do a software reset with data upload as the trailer runs through the machine. Either Dolby Digital crashes completely or the Cat 673 is set to factory default, which means setting the digital soundhead delay to 500 perforations, i.e. the digital sound lags 5.5 seconds behind the picture. [..]

Nice, isn't it?

Concerning David Honig's report: I own a streamer which seems to have been built in 1995 (same company? maybe same streamer?), and according to the manual it has this "feature", too. Though no power-cycling is necessary, the firmware upgrade will happen right after inserting the "Firmware Upgrade Tape" into the drive. I guess this barrier (the need to power-cycle the device) was removed for better user friendliness.. (or it is some different kind of streamer and it never had this barrier, which is just as bad).

I won't go into the evil details of what to do to a streamer's firmware in order to maximize the devastating effect, as I am sure you all can make up some nice ideas yourself.

It seems this "auto-firmware-upgrade" feature is making its way in more and more products. I just can't wait for cars to be firmware upgraded by refueling them at the gas station. *irony*

------------------------------

Date: Thu, 21 Dec 2000 13:16:03 -0800
From: John Gilmore
Subject: IBM and Intel push copy protection into ordinary disk drives

[From cryptography@c2.net; Source: Stealth plan puts copy protection into every hard drive
  http://www.theregister.co.uk/content/2/15620.html]

*The Register* has broken a story of the latest tragedy of copyright mania in the computer industry.
Intel and IBM have invented and are pushing a change to the standard spec for PC hard drives that would make each one enforce "copy protection" on the data stored on the hard drive. You wouldn't be able to copy data from your own hard drive to another drive, or back it up, without permission from some third party. Every drive would have a unique ID and unique keys, and would encrypt the data it stores -- not to protect YOU, the drive's owner, but to protect unnamed third parties AGAINST you.

The same guy who leads the DVD Copy Control Association is heading the organization that licenses this new technology -- John Hoy. He's a front-man for the movie and record companies, and a leading figure in the California DVD lawsuit.

These people are lunatics, who would destroy the future of free expression and technological development, so they could sit in easy chairs at the top of the smoking ruins and light their cigars off 'em.

The folks at Intel and IBM who are letting themselves be led by the nose are even crazier. They've piled fortunes on fortunes by building machines that are better and better at copying and communicating WHATEVER collections of raw bits their customers desire to copy. Now for some completely unfathomable reason, they're actively destroying that working business model. Instead they're building in circuitry that gives third parties enforceable veto power over which bits their customers can send where. (This disk drive stuff is just the tip of the iceberg; they're doing the same thing with LCD monitors, flash memory, digital cable interfaces, BIOSes, and the OS. Next week we'll probably hear of some new industry-wide copy protection spec, perhaps for network interface cards or DRAMs.) I don't know whether the movie moguls are holding compromising photos of Intel and IBM executives over their heads, or whether they have simply lost their minds.
The only way they can succeed in imposing this on the buyers in the computer market is if those buyers have no honest vendors to turn to. Or if those buyers honestly don't know what they are being sold. So spread the word.

No copy protection should exist ANYWHERE in generic computer hardware! It's up to the BUYER to determine what to use their product for. It's not up to the vendors of generic hardware, and certainly not up to a record company that's shadily influencing those vendors in back-room meetings.

Demand a policy declaration from your vendor that they will build only open hardware, not covertly controlled hardware. Use your purchasing dollars to enforce that policy. Our business should go to the honest vendors, who'll sell you a drive and an OS and a motherboard and a CPU and a monitor that YOU, the buyer, can determine what is a valid use of. Don't send your money to Intel or IBM or Sony. Give your money to the vendors who'll sell you a product that YOU control.

John

------------------------------

Date: Fri, 22 Dec 2000 13:25:20 -0500
From: "Richard M. Smith"
Subject: CERT's ActiveX security report

This past summer, CERT sponsored a two-day workshop on security issues with ActiveX controls. The final report was just released today and is available as a PDF file at the CERT Web site:
  http://www.cert.org/reports/activeX_report.pdf

There is a lot of good information in the report about how individuals and organizations can reduce security risks in Internet Explorer when using ActiveX controls. In addition, there is a section aimed at software developers on how to create safer controls. A good bit of the technical information in the report has not been made public before.
Richard

------------------------------

Date: Fri, 22 Dec 2000 16:34:34 -0800
From: "Clay Jackson"
Subject: Privacy/quality risks in Quicken Online Billing

I'm a pretty trusting fellow, and a very early adopter of new technology, but the disclaimer in Quicken 2001's Online Billing agreement gave even me pause:

  "....USER ACKNOWLEDGES THAT HE OR SHE BEARS THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE ONLINE BILLING SERVICE"

I'm currently a 'wage slave', but have done my share of consulting - I sure wish I could get this blatant a disclaimer in MY contracts.

To add possible injury to the insult, the NEXT page (when I clicked 'Accept' on this) asked me for my SSN, birthdate, place of birth and mother's maiden name, with NO indication as to where and how this information might be used, or even if the transmission would be 'secure' or encrypted in any way. Needless to say, I cancelled out of THAT agreement.

Clay Jackson

------------------------------

Date: Sun, 24 Dec 2000 12:22:18 -0500 (EST)
From: Beth Roberts
Subject: Credit report lists ex-spouse's address

Having recently decided to clear up any erroneous black marks on my credit rating, I ordered reports from both Trans Union and Equifax. Both informed me that they could not send my credit report because they could not verify my current address (where I have resided for over a year). To my surprise, I did receive a copy of my credit report, from a company called CSC Credit Services. The report gives no clues as to whether this company is affiliated with Trans Union, Equifax, or neither.

At the top, I see why they had such trouble believing that I live where I do - all three of the addresses they have listed for me (one current, two previous) are completely unfamiliar to me. Since they also have my name listed incorrectly as my married name, I can only assume that they had surmised I was still living with my ex-husband, and that any address applying to his last name also applied to me.
We have been willfully ignoring each other since the divorce, but it could be dangerous if I were a stalking or vindictive type. This would be an easy way for me to find out where he is, regardless of any measures he might have taken to safeguard his privacy. Alternatively, if I were seeking child support from him, it might come in handy for me. We had no children, so this doesn't apply.

I am not sure whether the same type of mistake is possible in the reverse direction - that is, listing an ex-wife's post-divorce addresses in an ex-husband's credit report. This privacy problem may only occur when there is confusion as to the ex-wife's last name, so it may only potentially reveal the ex-husband.

For me, it's just yet another piece of data I have to get them to correct, in addition to the three (out of ten) incorrect credit history entries that still show a balance due, even though I paid them off.

Beth Roberts

------------------------------

Date: Fri, 22 Dec 2000 10:34:33 -0500
From: John C Haselsberger
Subject: Wanna know my salary?

I work for a large corporation that has recently outsourced "employment verification" (for use in credit applications and such) to a Web-based service, http://www.theworknumber.com . This system works as follows: You log into the system with a company code, a Social Security number, and a PIN. You then can generate single-use keys to distribute to those who need your credit or employment verification; then they log onto the same web site with that key and have access to your salary and I believe duration of employment.

To make the system easy-to-use, you can look up a company code given a company name, so that this tiny security barrier is useless. The default PIN is the last 4 digits of your Social Security number. Strike two for Security. My company has the unfortunate habit of using Social Security numbers, even though each employee has a unique employee number, for identification.
Over the years, I have been exposed to many other employees' Social Security numbers, and I can only assume the reverse is true. Strike three.

While we are given the opportunity to change our PIN, the timing of this situation while many people are off on vacation, coupled with human nature, barely lessens this RISK. I called their customer support number, and there is no way to "opt out" of their system. Whereas they DO use SSL to protect the web transactions, the real risks lie elsewhere.

John Haselsberger

------------------------------

Date: Fri, 22 Dec 2000 10:09:18 -0500
From: Steve Wildstrom
Subject: Re: Spam as a denial of service attack? (Bellovin, RISKS-21.15)

Interestingly, Verizon has failed to come up, at least in public, with any evidence that this was in fact an attack. Given the company's dubious service record, a lot of folks suspect this may be a pretty lame attempt to blame a popular bogeyman for an inability to handle traffic. Sometimes, I feel that I personally get millions of spam messages a day, but our system generally handles it. An attack would almost certainly have involved a large number of messages from a small number of sources, and at least the mail relays that the messages were sent through would have been identifiable, if not the ultimate source.

Steve Wildstrom, Technology & You Editor, *Business Week*, 1200 G St. NW #1100, Washington DC 20005  1-202-383-2203  steve_wildstrom@businessweek.com

------------------------------

Date: Sun, 24 Dec 2000 11:21:46 +0000
From: Scott Rainey
Subject: Armageddon scenario near-miss

It seems our favorite planet - Earth - barely missed yet another pyrotechnic run-in with a city-killer sized asteroid. It was early Xmas Eve 2000. Nobody saw it till it had already gone past. Range: 800,000 km. That's barely double the distance of earth to the moon. When you figure that we've got some serious gravity constantly inviting passing space rocks to pay us a visit, I'd say that it's awful dang close.
Although the collision probabilities for us and all known space rocks are officially listed as < 1e-9, I really don't trust that math. The risk is in insufficient funding for early warning systems and sub-zero funding for deploying solutions. If we are REALLY lucky a smallish rock like this one will touch down in a sparsely populated corn field, creating an instant tourist mecca and a kick in the pants for policy wonks.... not to mention a big ratings week for CNN.

news.com.au has the first story of which I am aware @
  http://news.com.au/common/story_page/0,4057,1550084%255E1702,00.html

For fresh info on what we claim to know about the sky falling, click to the JPL news page:
  http://neo.jpl.nasa.gov/news.html

  [Somewhat off your normal news beat, but I'd bet it is something with high interest for your audience. SR]

  [Certainly has risks to computers and related systems, as well as to people. TNX. PGN]

------------------------------

Date: 26 Dec 2000 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information]
   .MIL users should contact (Dennis Rears).
   .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
   http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   http://the.wiretapped.net/security/info/textfiles/risks-digest/ .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.17
************************

Date: Sun, 24 Dec 2000 13:57:53 -0500
From: Monty Solomon
Subject: Stealth plan puts copy protection into every hard drive

http://www.theregister.co.uk/content/2/15620.html

Stealth plan puts copy protection into every hard drive
By: Andrew Orlowski in San Francisco
Posted: 20/12/2000 at 18:54 GMT

Hastening a rapid demise for the free copying of digital media, the next generation of hard disks is likely to come with copyright protection countermeasures built in.

Technical committees of NCTIS, the ANSI-blessed standards body, have been discussing the incorporation of content protection currently used for removable media into industry-standard ATA drives, using proprietary technology originating from the 4C Entity. They're the people who brought you CSS2: IBM, Toshiba, Intel and Matsushita. The scheme envisaged brands each drive with a unique identifier at manufacturing time.

The proposals are already at an advanced stage: three drafts have already been discussed for incorporating CPRM (Content Protection for Recordable Media) into the ATA specification by the NCTIS T.13 committee. The committee next meets in February. If, as expected, the CPRM extensions become part of the ATA specification, copyright protection will be in every industry-standard hard disk by next summer, according to IBM.
However, what's likely to create a firestorm of industry protest is that the proposed mechanism introduces problems to moving data between compliant and non-compliant hard drives. Modifications to existing backup programs, imaging software, RAID arrays and logical volume managers will be required to cope with the new drives, The Register has discovered.

The ramifications are enormous. Although the benefit to producers is great - bringing the holy grail of secure content one step closer - the costs to consumers will be significant. For example, corporate IT departments will be unable to mix compliant and non-compliant ATA drives as they try to enforce uniform back up policies, we've discovered. Restoring personal backups to a different physical drive - a common enough occurrence when a disk has failed - will require authentication with a central server. Imaging software used by OEMs and large corporates to distribute one-to-many disk images will also need to be modified.

And the move casts a shadow over some of the hottest emerging business models: the network attached storage industry, which relies on virtualising media pools, the digital video recorder market currently led by TiVo and Replay, and the nascent peer-to-peer model all face technical disruption.

How it works

Today, CPRM is implemented on DVD and removable SD disks. But the SCSI and ATA/ATAPI proposals incorporate an extension of the scheme to allow the encryption to be used on hard drives, in addition to removable drives and ATAPI devices such as CD-ROMs and DVD drives.

The proposal makes use of around a megabyte of read-only storage on each hard drive that isn't usually accessed by the end user for a "Media Key Block". According to research scientist Jeffrey Lotspiech of IBM's Almaden Research Lab, this is a matrix of 16 columns and some 3000 rows. A static "Media Unique Key" in a separate, hidden area of the drive, identifies the individual drive.
Making use of broadcast encryption and one way key algorithms, would-be hackers face a daunting number of keys to break.

CPRM adds new commands into the ATA specification. But because the system makes use of the physical location on the device of the encrypted item, software designed for non-compliant drives will break in some circumstance when encrypted data files are moved.

"It requires both drives to be compliant when data is to move from one disk to another," says Lotspiech. "And a compliant application to get all that data to the new drive".

So a hard drive containing small individual containing non-copyable files of say, Gartner reports, will essentially be unrestorable using existing backup programs. Similar problems arise with RAID arrays using IDE disks, acknowledges IBM.

"This may help IT managers when auditing for copyright compliance," suggests IBM spokesman Mike Ross. However the decision to make an organisation CPRM compliant. Free copying is no longer an option:-

"It's not up to us to determine or guess what the content provider might permit," says Ross. "Nothing will handcuff proper backup and restoring provided the content provider permits it. Some may not permit it - but what will the customers reaction be then?"

Well, quite.

Clearly key management becomes an urgent priority when CPRM-aware drives are introduced next year, as CPRM-aware content will surely follow. The decision to go with CPRM in an organisation is also an all or nothing proposition - it can't be introduced gradually.

But for home users, the party's over. CPRM paves the way for CPRM-compliant audio CDs, and the free exchange of digital recordings will be limited to non-CPRM media.

The Register understands there is fierce opposition to the plan from Microsoft and its OEM customers. Generating hundreds of thousands of images each week, the PC industry relies on data going from one master to many reliably and smoothly.
Imaging programs face the same problem as restore software: the target disk isn't the same as the originator disk. Microsoft Redmond already has put in a counter-proposal that eschews low-level hardware calls.

Where were you when they copy-protected the hardware, Daddy?

The intellectual property is owned by the 4C Entity, and administered by License Management International, LLC - a limited liability company based in Morgan Hill, California. Company founder John Hoy told The Register that "LMI,LC holds no intellectual property. Entities are granted a master license." Per-device royalties are payable to LMI,LC. License fees of between 2c and 17c have been mooted for each device, according to documents circulated to the T.13 group. 5c is the current rate for a DVD device.

Three possible paths lie ahead. CPRM may be bounced out of the T.x committees. Or manufacturers may choose not to implement it, and opt for an incomplete ATA or SCSI specification. This is deemed unlikely. Or thirdly, manufacturers may choose to implement the new command set, but not activate it.

Although it hardly has a prominent media profile - yet - CPRM in hardware is the most comprehensive mechanism for enforcing rights protection the industry has seen, and is likely to be viewed by content producers as a magic bullet. Its progress depends on whether its proponents can overcome industry and consumer opposition. Which might be brewing right about ... now.

------------------------------

Date: Fri, 22 Dec 2000 17:02:55 -0800
From: Mike Hogsett
Subject: More Credit Card Databases compromised

http://www.msnbc.com/msn/506714.asp

------------------------------
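The "How it works" section of the Register article above describes the CPRM Media Key Block as a matrix of keys (16 columns by some 3000 rows) distributed by "broadcast encryption and one way key algorithms", with a hidden per-drive key identifying the individual drive. The sketch below is an added example written for this digest; it is not IBM, 4C or Register code and does not reproduce the actual CPRM algorithm. It models the column/row key-matrix idea at toy scale (4 columns by 8 rows, constructed values), with HMAC-SHA256 standing in for the unspecified one-way key function, to show the property such a block gives a licensor: a device holding one key per column recovers the media key, a revoked device recovers nothing, and the two can share a key in one column without the revocation spilling over, because the honest device simply succeeds on another column.

```python
"""Toy broadcast-encryption Media Key Block (MKB), illustrating the
column/row key-matrix structure described for CPRM.  Constructed example:
the real scheme's dimensions, ciphers and key-derivation steps differ."""
import hashlib
import hmac
import secrets

COLUMNS = 4   # the article quotes 16 columns for the real MKB
ROWS = 8      # and some 3000 rows; scaled down here


def _mask(cell_key: bytes, label: bytes) -> bytes:
    """One-way key function (stand-in): derive a 16-byte mask from a cell key."""
    return hmac.new(cell_key, label, hashlib.sha256).digest()[:16]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_key_matrix():
    """Licensor-side secret: one random 16-byte key per (column, row) cell."""
    return [[secrets.token_bytes(16) for _ in range(ROWS)] for _ in range(COLUMNS)]


def issue_device_keys(matrix, rows):
    """A device receives exactly one key per column; `rows` picks the row in each.
    Returns [(column, row, key), ...] -- the device's secret key set."""
    return [(c, r, matrix[c][r]) for c, r in enumerate(rows)]


def build_mkb(matrix, media_key: bytes, revoked_cells):
    """Encrypt the media key under every cell key.  Cells belonging to a revoked
    device's key set get random filler instead, so that device can never decrypt.
    A verification tag lets an honest device recognise the correct media key."""
    cells = []
    for c in range(COLUMNS):
        column = []
        for r in range(ROWS):
            payload = secrets.token_bytes(16) if (c, r) in revoked_cells else media_key
            column.append(_xor(payload, _mask(matrix[c][r], b"mkb-cell")))
        cells.append(column)
    verify = hmac.new(media_key, b"mkb-verify", hashlib.sha256).digest()
    return {"cells": cells, "verify": verify}


def recover_media_key(mkb, device_keys):
    """Device side: try each column key in turn; accept the first candidate whose
    verification tag matches.  Returns the media key or None if revoked."""
    for c, r, key in device_keys:
        candidate = _xor(mkb["cells"][c][r], _mask(key, b"mkb-cell"))
        tag = hmac.new(candidate, b"mkb-verify", hashlib.sha256).digest()
        if hmac.compare_digest(tag, mkb["verify"]):
            return candidate
    return None


def demo():
    """Two devices that share their column-0 key; only the second is revoked.
    Returns (honest_device_recovers_key, revoked_device_gets_nothing)."""
    matrix = make_key_matrix()
    media_key = secrets.token_bytes(16)
    honest = issue_device_keys(matrix, [0, 1, 2, 3])
    revoked = issue_device_keys(matrix, [0, 5, 6, 7])   # same cell (0,0) as honest
    revoked_cells = {(c, r) for c, r, _ in revoked}
    mkb = build_mkb(matrix, media_key, revoked_cells)
    return (recover_media_key(mkb, honest) == media_key,
            recover_media_key(mkb, revoked) is None)


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The example also makes the article's economic point concrete: revocation is a property of the block written to the media, not of the drive, so the licensor can switch any key set off after the fact, and the "daunting number of keys" an attacker faces is the size of the matrix, not the strength of any one cell.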