Thu, 27 Jul 2000 15:45:22 -0400
According to an article at space.com, the cause of the failure in March was
"a single line of code" which allowed the rocket to be launched with a valve
open in the second stage, setting the stage (sorry) for a helium leak.
SeaLaunch is preparing for another launch tomorrow (July 28th).
(http://www.space.com/missionlaunches/sea_launch_000714.html)
Ken Basye
Outlook bug allows self-executing Trojan horses
Kevin Poulsen
Wed, 19 Jul 2000 21:09:06 -0700 (PDT)
http://www.securityfocus.com/news/62
A newly discovered vulnerability in Microsoft's Outlook and Outlook Express
programs leave thousands of computers open to attack from malicious e-mail,
and puts the lie to the conventional wisdom that you can't get a computer
virus if you don't open attachments.
Microsoft issued an advisory on the bug Wednesday morning, after a
programmer announced it to the world over the Bugtraq mailing list Tuesday.
In the advisory, Microsoft says Outlook users can eliminate the
vulnerability by upgrading to Internet Explorer 5.01 Service Pack 1, or,
Explorer 5.5. Either upgrade will patch the hole on Windows 95, 98 or NT.
Windows 2000 users must install the Service Pack to close the hole.
The bug is a classic "buffer overflow" error in the section of Outlook that
parses the Date field of each incoming e-mail. By padding the date with a
long string of characters, an attacker can escape from the area of memory
reserved for storing it, and into a section that executes instructions.
From there, the attacker's e-mail could secretly infect a victim computer
with a "back door" program like Back Orifice, or instruct it to send the
offending e-mail back out to the net like the LoveLetter virus.
The vulnerability doesn't require any attachment to the e-mail; Outlook users
need only read a message to be hit. Outlook Express users are even more
vulnerable, and can fall prey to malicious code without reading the message,
or even being at their computer when it comes in.
"This has the potential to be the worst one we've seen yet," said Brian
Martin, a senior security engineer at Maryland-based Digital Systems
International Corporation. "If this can execute as soon as the mail is
received, oh man, that's just perfect."
Based on a hurried analysis Tuesday night, Martin said that the bug could
likely be used to take control of vast numbers of machines at a time. "What
if you had a mail list with thousands of people and you posted to that?,"
said Martin. "One well-placed e-mail and you can probably infect thousands
of people with a Back Orifice or a NetBus."
Aaron Drew announced the bug to the Bugtraq mailing list on Tuesday, along
with code that ostensibly demonstrates the hole. MSNBC reported that the
hole was also discovered over a month ago by researchers at USSR Labs, which
also boasts working exploit code. Both the news service and the security
group kept it a secret while awaiting a Microsoft fix. The Microsoft
advisory credits USSR Labs for reporting the bug to them, "and working with
us to protect customers."
Outlook's vulnerability to running malicious code without any user
interaction raises the ominous threat that a virus writer might create a
fast spreading worm that would spread in the style of Melissa or last May's
"ILoveYou" virus, but without the need to trick people into running hostile
attachments. Experts fear that many users -- perhaps most -- will invariably
fail to close the hole and will thus remain open to attack. "Nobody
downloads their security patches," said Dan Schrader, an anti-virus expert
at Trend Micro Tuesday. "Which is unfortunate, because it's relatively
simple to do."
Martin warned that attackers won't be losing interest. "Between [USSR
Labs] already having the code, and someone else posting follow up code to
a public source, there are probably a dozen people working on their own
version. And they're probably each figuring out the best ways to exploit
this."
Powergen: More credit-card info exposed
Ursula Martin
Thu, 20 Jul 2000 21:03:48 -0700
The UK electricity utility Powergen advised all its online customers
to change credit-card numbers after details of 7000 customers were
mistakenly made available on the web in early July 2000.
[Source: http://www.guardianunlimited.co.uk/netprivacy/]
Civilian payroll problem
"Stan Niles"
Mon, 24 Jul 2000 13:40:04 -0400
``Civilian Payroll Problem: A major systems problem with the Automated
Time and Attendance Production System (ATAAPS) has resulted in a significant
loss of Time and Attendance (T&A) Report data. All transactions that were
entered into ATAAPS between Saturday, 8 July 2000 and Tuesday, 18 July 2000
have been lost and are not recoverable. The lost transactions include
leave, premium pay, tour of duty changes, default job order changes, and
corrections that were made between those dates.''
I just got back from being away from work without checking in on my e-mail
for a whole week (yippee!). This is what greeted me. I don't really know
their process and I too busy digging out from the accumulated pile of mail
etc. to find out. But ten days of lost payroll data? Haven't they ever
heard of "backups"?
Stan Niles Army Research Lab
The Least Mail Online
Rob Slade
Fri, 21 Jul 2000 09:07:26 -0800
E-mail generally works so well that we have started to take its successful
operation for granted, forgetting that delivery is still not guaranteed. As
a case in point, Sprint Canada's The Most Online service had one of its
regularly unscheduled outages last week, this time affecting incoming e-mail.
The timing was particularly unsettling to me, as a group of us were in the
final stages of negotiation with a publisher, and the discussions were being
conducted via e-mail.
From the date stamps on some late e-mail that is starting to dribble in, the
outage probably started late Wednesday night. I didn't notice anything
until late Thursday, when I expected to download the usual 150 messages that
would have built up in the time I had been away from Net access. Instead I
couldn't get anything. Calling the Sprint support line got a recorded
announcement that "some subscribers may experience some problems in
obtaining incoming e-mail." Friday a dribble of e-mail started to come
through, but the announcement persisted over the weekend. Wednesday a fair
number of old messages started to come through, so it seems that some of the
backlog is starting to clear.
However, there is no indication that I am going to get all my e-mail. In
addition, during this whole outage I was sending mail from others of my
accounts to the Sprint account. Of all the messages sent, some of the
delayed at least six days before delivery, only one generated any kind of a
bounce message or notification. (That bounce, generated at least five days
after the original message was sent, stated that delivery had been
impossible for at least 4 hours.) Therefore, it's quite possible that a
number of people are mad at me for not responding to mail I've never seen.
Once again, the risk is that we are seeing the Internet system, dependable
though it may be, as completely reliable.
(As usual, I submitted this to Sprint for their reaction before sending it
out. They replied within about eight hours--confirming that the outage had
occurred, and pointing out that their terms don't guarantee any minimum
level of service at all :-)
In the meantime, you know where to reach me. But maybe you'd better copy more
than one address, just to be sure :-)
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
AT&T exposes account info
John Chapin
Mon, 24 Jul 2000 20:00:37 -0400
I recently had occasion to call the AT&T Credit Management Center,
1-800-532-7486.
You can type a home phone number into their voice menu system and it will
answer back with the account standing, recent payment amounts and dates,
without any password or other authentication. Perhaps this only applies to
delinquent accounts (mine was, temporarily).
AT&T only recently began billing residential long distance customers
directly here in the Boston area, rather than through Bell Atlantic. They
appear to be new to the privacy management side of customer accounts too.
John Chapin, Assistant Professor, MIT Laboratory for Computer Science
545 Technology Square, Cambridge, MA, 02139, 617/253-3538, fax 617/258-8607
jchapin@lcs.mit.edu http://sdg.lcs.mit.edu/~jchapin
Re: Sliced fiber-optic cable ... (RISKS-20.93)
"Mark Richards"
Thu, 6 Jul 2000 09:57:16 -0400
The same thing happened in our town - a much smaller scale - but the poor
response of our phone service semi-monopoly Bell Atlantic is worth noting:
Here in Massachusetts, and perhaps in other states in the US, we have
something called "Dig Safe". It's both an admonition for the brain dead and
an actual service for identifying buried utilities. With a simple phone
call, Dig Safe coordinates the identification and marking of buried
utilities so that excavators are not electrocuted or blown up.
In our small community someone either forgot to call them or the marking was
incorrect. They plunged a backhoe through a Bell Atlantic buried phone
cable and "disrupted" service to a few thousand customers for several days.
It was an "old" cable - the wires weren't colour-coded - making the
wire-matching task extremely impossible.
The really ugly part of the story is that no one, particularly Bell
Atlantic, bothered to notify the local public-safety agencies. Their lame
excuse, following this debacle, was that "the police should have known,
considering we requested an officer at the scene for traffic control". The
"accident" left thousands without access to emergency services and the
emergency services were not given proper notification to employ a backup
plan.
By the way, the backup plan has already been thoroughly tested. Thanks to
the incompetence of Bell Atlantic, our 911 emergency service has been
knocked out twice in the past several months. Each time it's blamed on
"defective equipment".
These problems continue, while our Public Utilities Commission sleeps at the
switch. The only time they wake up is when Bell wants a raise.
Mark Richards
Re: London Underground magnetic ticket bug (Boyd Roberts, RISKS-20.95)
"Clive D.W. Feather"
Thu, 27 Jul 2000 10:27:24 +0100
Actually, the risk here is in misunderstanding the system. The system as
a whole (not just the automated gate) worked exactly as designed.
The ticketing gates have 40 or 50 heuristics for detecting problems and
fraud. If the gate is unhappy with the ticket presented, it displays the
message "Seek Assistance" and a code number that the staff can use to
determine what the problem is.
The staff member at the barrier line can apply much more intelligence to the
situation than a machine can. In particular, if you talk to railway staff
you'll discover that they soon acquire a "sixth sense" of when people are
trying to fiddle and when they are being honest. There are also various
"trick" questions they can ask.
Mr Roberts was caught by the "in-out-in" detector. This applies *at a
station*. It is quite possible to exit at a *different* station before
the timer (15 minutes, I think) expires, because this detector will not
then apply.
>It could be even worse; say there's a fire and you need to get out and the
>station is not staffed.
The barrier line *MUST* be staffed at all times. If the member of staff
has to leave for some reason, he or she *MUST* deactivate the system,
which opens all the gates. This is a Health and Safety issue, and LU
would be fined heavily if caught breaking it.
>The Paris Metro, RER and SNCF does this right. There's an entry timer, but
>it's not used to control exiting.
The Paris Metro is a flat fare system, so there's no need for ticket checks
on exit. The situation isn't exactly comparable.
Clive D.W. Feather <http://www.davros.org>
Trust and Risk in Internet Commerce, Jean Camp
<"Peter G. Neumann">
Mon, 24 Jul 2000 16:59:48 -0400
Trust and Risk in Internet Commerce
L. Jean Camp
MIT Press, 2000
292 pp., ISBN 0-262-03271-6
http://mitpress.mit.edu/promotions/books/CAMTHF99
As Internet-based commerce becomes commonplace, it is important that we
examine the systems used for these financial transactions. Underlying each
system is a set of assumptions, particularly about trust and risk. To
evaluate systems, and thus to determine one's own risks, requires an
understanding of the dimensions of trust: security, privacy, and
reliability.
In this book Jean Camp focuses on two major yet frequently overlooked issues
in the design of Internet commerce systems--trust and risk. Trust and risk
are closely linked. The level of risk can be determined by looking at who
trusts whom in Internet commerce transactions. Who will pay, in terms of
money and data, if trust is misplaced? When the inevitable early failures
occur, who will be at risk? Who is "liable" when there is a trusted third
party? Why is it necessary to trust this party? What exactly is this party
trusted to do? To answer such questions requires an understanding of
security, record-keeping, privacy, and reliability.
The author's goal is twofold: first, to provide information on trust
and risk to businesses that are developing electronic commerce systems;
and second, to help consumers understand the risks in using the
Internet for purchases and show them how to protect themselves. Rather
than propose a single model of an Internet commerce system, the author
provides the information and insights needed by merchants and consumers
as they develop the Internet for commerce.
L. Jean Camp is Assistant Professor at Harvard University's Kennedy
School of Government.
9th USENIX Security Conference 2000
Hali McGrath
Wed, 26 Jul 2000 18:57:04 GMT
9th USENIX Security Symposium 2000 Conference August 14 - 17, 2000 Denver,
Colorado, USA Conference URL: http://www.usenix.org/events/sec2000
Presentations by top notch instructors and industry experts such as: Avi
Rubin, Daniel Geer, Tina Bird, Brad Cox, Char Sample, Jim Duncan, Rik
Farrow, and Marcus Ranum, Ian Goldberg, Suelette Dreyfus, Mudge, and
Mark Chen. Keynote Speaker Dr. Blaine Burnham, Director of the Georgia
Tech Information Security Center and former NSA program manager.
Full program details and registration are available online at
http://www.usenix.org/events/sec2000.
Report problems with the web pages to the maintainer
House hearing on FBI's "Carnivore"