LISTWATCH: items from security-related mailing lists (February 16, 2001)
by Mary Ellen Zurko (mzurko@iris.com)
This issue's highlights are from Risks, Politech, Privacy Forum Digest, Crypto-Gram,
DCSB, ACM technews, and cypherpunks.
____________________________________________________________
____________________
The 20-year-old Dutch student arrested for creating the "Anna Kournikova" virus claimed that he intended only to issue the sites effected a warning
to tighten their Internet security, and "after all it's their own fault they got infected."
<partners.nytimes.com/aponline/technology/AP-Tennis-Virus.html>
____________________
The Children's Advertising Review Unit (CARU) of the Council of Better Business Bureaus, Inc. (CBBB) has found Altavista in
violation of CARU's Self-Regulaory Guidelines for Children's Advertising (the Guidelines) and
the federal Children's Online Privacy Protection Act (COPPA). AltaVista"has closed down all of its community services, which includes all
interactive services, such as chat rooms, bulletin boards and free email. AltaVista is committed to screening children under the age of 13 from
accessing adult content on the AltaVista Web site." The violations are 1.
Use of registration language that encourages children under age 13 to misstate their ages and 2. Failure to adequately prevent children from
accessing altavista.com clubs (chat rooms) with "adult only" content. In the former case, the site didn't do anything to either keep the adult
testing the system from figuring out that they needed to change their date
of birth, or to reject or question the change. In the latter case, matchmaking chat rooms were not requiring the collection of personal
information verify age.
____________________
Network Solutions, Inc. is promoting the availability of their domain registration database and related activity tracking services for direct
marketing uses <www.dotcom.com/services/index.html>.
Someone wishing to opt-out of NSI's use of their data should send email with "remove bulk
access" and/or "remove domain" in the subject lines to privacy@networksolutions.com, with a list in the body of the message
detailing the domains (for which they are the registrant) that they wish to opt-out.
____________________
CPRM (Content Protection for Recordable Media) is a system for enforcing copy protection on personal computers, using digital rights management.
It requires specially designed copying software that communicates directly with the disk drive. Schneier has a good overview on how it works in
Crypto-Gram 2/15/2001 (in fact, that issue of Crypto-Gram was particularly good in terms of interesting content).
Although CPRM is only supposed to be for flash memory, Scheneier claims that it is planned for IBM's tiny hard
drive.
____________________
The Information Technology Information Sharing and Analysis Center (IT-ISAC) was formed, from nineteen technology companies, to share data
on system vulnerabilities and Internet threats and work with the government
to head off future cyber attacks on the group's members. <www.msnbc.com/local/rtar/m8943.asp>
____________________
Princeton University's Ed Felten is not going to publish details about how
he broke the Secure Digital Music Initiative (SDMI) watermark challenge, because of the prosecution provisions of 1998 Digital Millennium
Copyright Act (DMCA). <www.theregister.co.uk/content/6/16107.html>
____________________
A Linux worm called Ramen is working its way through the Internet. Default
installations of Red Hat Linux are insecure, just like default installations of Windows (when you're dealing with consumers, you tend to
make the same tradeoffs). Humorously, someone asked on cypherpunks how to get rid of the
'W32/Hybris-B' virus, and was told to install Linux. <news.cnet.com/news/0-1003-200-4508359.html>
____________________
Over the course of a few months, DirecTV surreptitiously broadcast, byte by
byte, a program that allowed it to permanently disable pirate DirecTV access cards.
On January 21st, they triggered the program, which wrote "GAME OVER" into an affected area of memory.
It was supposed to knock out 98% of cracked cards. The attack was directed at the "H"-type
smartcards, which were discontinued in 1999. The currently shipped cards,
"HU"-type, are somewhat more difficult to hack, but hacked versions are
available, and were not affected by the attack. Neither were emulation-based systems, where a PC with the appropriate hardware
connector impersonates a hacked smart card. <www.theregister.co.uk/content/6/16377.html>, <www.securityfocus.com/news/143>
The Java 1.1 security database exposes the private keys used to sign applets, since it is
generally left around unencrypted. <www.amug.org/~glguerin/security/jdk-1.1/exposure.html>
____________________
A crypto break of the IEEE 802.11 wireless LAN encryption protocol (WEP) shows that real-time decryption of traffic is possible.
<www.isaac.cs.berkeley.edu/isaac/wep-faq.html>
A response from the IEEE 802.11 Chair on WEP Security does not dispute the main facts. He
says that WEP is designed to provide an equivalent level of privacy as is ordinarily present with a wired LAN, that the
WEP attack would likely be more expensive than alternative attacks on the physical
security of a facility, and that the choice of encryption algorithms by IEEE 802.11 are
not purely technical decisions but they are limited by government export law restrictions as well.
____________________
The CIA wants to use Triangle Boy, a program by SafeWeb, to mask its movements on the Internet, so it can gather information incognito.
The system can turn a personal computer into a surrogate Web server. It also
allows users to navigate to any number of those PC addresses, and then go to the Web site they are seeking.
The CIA wants a custom version so it can handle the CIA's encryption. It also wants to ensure that only its
own employees and contacts can communicate via its version of Triangle Boy.
Some observers suggest that the CIA's real interest is figuring out how to crack Triangle Boy and to thwart its use among the public. Seems like
they could do that without a custom version.
____________________
University of California at Davis tech economist Frank Bernhard studied 3,000 U.S. firms and found that they lose 6 cents of each $1 of revenue
because of hackers, which adds up to billions of dollars each year <www.ecommercetimes.com/perl/story/7349.html>.
____________________
USA Today reported that terrorist Osama bin Laden is using the Internet to scramble messages for his network of operatives.
Sixty Minutes II did a report featuring Phil Zimmerman, indicating that allowing people to
encrypt their credit cards meant that this sort of use by terrorists also happened.
I have no idea why Phil didn't start talking about PGP's use by freedom fighters and whistle blowers.
____________________
Daniel Bleichenbacher at Bell Labs determined that the DSA's random number generator is two times more likely to select a group of numbers from one
range over the other. Attacking the flaw would take an immense amount of computing power.
Bleichenbacher has developed a remedy for the DSA algorithm that would correct the bias.
<www.infoworld.com/articles/hn/xml/01/02/05/010205hndsa.xml>
____________________
mast.mcafee.com/mast/mass_map.asp?track=1&period=3 is an
entertaining map of density of virus infections. Unfortunately, it's not in percentages (just overall numbers of files or computers), and the USA is
treated differently than all other countries (broken down by state).
____________________
Authorities used hidden cameras and face-recognition software as a security measure in Tampa during the week of the Superbowl.
A police spokesman said 19 matches were made, of people who had not committed "significant"
crimes. No arrests were made. <www.washingtonpost.com/ac2/wp-dyn/A9757-2001Jan31?language=printer>
____________________
The Privacy Foundation is publicizing the possibility of using Javascript to "bug" a mail message that you send. There are at least two techniques
to get a message to send it's current contents back to the originator. <www.nytimes.com/2001/02/05/technology/05JAVA.html>
____________________
David Farber (dave@farber.net) has completed his one year term as Chief Technologist at the FCC and is looking for his successor.
It would be a person with a strong technical background in modern communications
including the Internet who would like to spend a year (or so) in Washington. Academics are particularly welcome since there is a IPA path
which can be used. A strong interest in interacting with economist, lawyers and policy people is really needed.
The exposure is considerable since they would often be called upon to give speeches at key places.
____________________
SearchSpace claims that cell phone usage (the phone number, length of time, and time of day of a call) can be used to spot unusual usage and prevent
cell phone fraud. Their system has pattern-recognition software built into
intelligent agents. It reminds me a bit of the expert systems work American
Express did for fraud detection <www.newscientist.com/news/newsletter.jsp?id=ns9999370>
____________________
Simo-Pekka Parviainen of the University of Helsinki has written a master of law thesis entitled
"Cryptographic Software Export Controls in the EU" (it is 144 pages PDF, in
English) <ethesis.helsinki.fi/julkaisut/oik/julki/pg/parviainen/>.
____________________
Hide your messages using spam steganography <www.spammimic.com/decode.shtml>. I wonder if spam can beat traffic
analysis as well?
____________________
HotMail has been blocking their users from sending e-mail to peacefire.org addresses.
If a user tried to send mail to a peacefire.org address from HotMail, they got a fake error message a day later saying that there was
a problem on the recipient's end, when it was really HotMail blocking the message from being delivered.
I had problems following the reasons for this in the Risks post; something about being in the same IP block as some
other sites involved in a boycott.
____________________
A Cleveland company plans on opening the International Spy Museum in Washington in February 2002. <ap.tbo.com/ap/breaking/MGAK4J6H0IC.html>
____________________