LISTWATCH: items from security-related mailing lists (February 16, 2001)

by Mary Ellen Zurko (mzurko@iris.com)


This issue's highlights are from Risks, Politech, Privacy Forum Digest, Crypto-Gram, DCSB, ACM technews, and cypherpunks.

____________________________________________________________

The 20-year-old Dutch student arrested for creating the "Anna Kournikova" virus claimed that he intended only to warn the affected sites to tighten their Internet security, and "after all it's their own fault they got infected."
<partners.nytimes.com/aponline/technology/AP-Tennis-Virus.html>
____________________

The Children's Advertising Review Unit (CARU) of the Council of Better Business Bureaus, Inc. (CBBB) has found AltaVista in violation of CARU's Self-Regulatory Guidelines for Children's Advertising (the Guidelines) and the federal Children's Online Privacy Protection Act (COPPA).  AltaVista "has closed down all of its community services, which includes all interactive services, such as chat rooms, bulletin boards and free email.  AltaVista is committed to screening children under the age of 13 from accessing adult content on the AltaVista Web site."  The violations are 1. use of registration language that encourages children under age 13 to misstate their ages and 2. failure to adequately prevent children from accessing altavista.com clubs (chat rooms) with "adult only" content.  In the former case, the site did nothing to keep the adult testing the system from figuring out that they needed to change their date of birth, and did not reject or question the change.  In the latter case, the matchmaking chat rooms did not require the collection of personal information to verify age.
____________________

Network Solutions, Inc. is promoting the availability of their domain registration database and related activity tracking services for direct marketing uses <www.dotcom.com/services/index.html>.  Someone wishing to opt out of NSI's use of their data should send email with "remove bulk access" and/or "remove domain" in the subject line to privacy@networksolutions.com, with a list in the body of the message detailing the domains (for which they are the registrant) that they wish to opt out.
____________________

CPRM (Content Protection for Recordable Media) is a system for enforcing copy protection on personal computers, using digital rights management.  It requires specially designed copying software that communicates directly with the disk drive.  Schneier has a good overview of how it works in Crypto-Gram 2/15/2001 (in fact, that issue of Crypto-Gram was particularly good in terms of interesting content).  Although CPRM is only supposed to be for flash memory, Schneier claims that it is planned for IBM's tiny hard drive.
____________________

The Information Technology Information Sharing and Analysis Center (IT-ISAC) was formed, from nineteen technology companies, to share data on system vulnerabilities and Internet threats and work with the government to head off future cyber attacks on the group's members. <www.msnbc.com/local/rtar/m8943.asp>
____________________

Princeton University's Ed Felten is not going to publish details about how he broke the Secure Digital Music Initiative (SDMI) watermark challenge, because of the prosecution provisions of the 1998 Digital Millennium Copyright Act (DMCA). <www.theregister.co.uk/content/6/16107.html>
____________________

A Linux worm called Ramen is working its way through the Internet.  Default installations of Red Hat Linux are insecure, just like default installations of Windows (when you're dealing with consumers, you tend to make the same tradeoffs). Humorously, someone asked on cypherpunks how to get rid of the 'W32/Hybris-B' virus, and was told to install Linux. <news.cnet.com/news/0-1003-200-4508359.html>
____________________

Over the course of a few months, DirecTV surreptitiously broadcast, byte by byte, a program that allowed it to permanently disable pirate DirecTV access cards.  On January 21st, they triggered the program, which wrote "GAME OVER" into an affected area of memory.  It was supposed to knock out 98% of cracked cards.  The attack was directed at the "H"-type smartcards, which were discontinued in 1999.  The currently shipped cards, "HU"-type, are somewhat more difficult to hack, but hacked versions are
available, and were not affected by the attack.   Neither were emulation-based systems, where a PC with the appropriate hardware connector impersonates a hacked smart card. <www.theregister.co.uk/content/6/16377.html>, <www.securityfocus.com/news/143>
____________________

The Java 1.1 security database exposes the private keys used to sign applets, since it is generally left around unencrypted. <www.amug.org/~glguerin/security/jdk-1.1/exposure.html>
____________________

A crypto break of the IEEE 802.11 wireless LAN encryption protocol (WEP) shows that real-time decryption of traffic is possible. <www.isaac.cs.berkeley.edu/isaac/wep-faq.html>  A response from the IEEE 802.11 Chair on WEP Security does not dispute the main facts. He says that WEP is designed to provide an equivalent level of privacy to that ordinarily present with a wired LAN, that the WEP attack would likely be more expensive than alternative attacks on the physical security of a facility, and that the choice of encryption algorithms by IEEE 802.11 is not a purely technical decision but is limited by government export law restrictions as well.
____________________

The CIA wants to use Triangle Boy, a program by SafeWeb, to mask its movements on the Internet, so it can gather information incognito.  The system can turn a personal computer into a surrogate Web server.  It also allows users to navigate to any number of those PC addresses, and then go to the Web site they are seeking.  The CIA wants a custom version so it can handle the CIA's encryption. It also wants to ensure that only its own employees and contacts can communicate via its version of Triangle Boy.  Some observers suggest that the CIA's real interest is figuring out how to crack Triangle Boy and to thwart its use among the public. Seems like they could do that without a custom version.
____________________

University of California at Davis tech economist Frank Bernhard studied 3,000 U.S. firms and found that they lose 6 cents of each $1 of revenue because of hackers, which adds up to billions of dollars each year <www.ecommercetimes.com/perl/story/7349.html>.
____________________

USA Today reported that terrorist Osama bin Laden is using the Internet to scramble messages for his network of operatives.  Sixty Minutes II did a report featuring Phil Zimmermann, indicating that allowing people to encrypt their credit cards meant that this sort of use by terrorists also happened.  I have no idea why Phil didn't start talking about PGP's use by freedom fighters and whistleblowers.
____________________

Daniel Bleichenbacher at Bell Labs determined that the DSA's random number generator is two times more likely to select a group of numbers from one range over the other. Attacking the flaw would take an immense amount of computing power. Bleichenbacher has developed a remedy for the DSA algorithm that would correct the bias. <www.infoworld.com/articles/hn/xml/01/02/05/010205hndsa.xml>
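The bias described above is a modulo bias: when a fixed-width pseudorandom value is reduced mod q, the residues below 2^w mod q have two preimages and all others have one, so they come out twice as often. The following is an added illustration, not from the column or from Bleichenbacher; it uses toy 16-bit parameters (standing in for 160-bit DSA values) and shows a standard remedy, reducing a value 64 bits longer than q, which the page does not describe and which is assumed here rather than taken from his proposal.

```python
import random
from typing import Callable

# Toy parameters (constructed for the demo): a 16-bit generator output reduced
# mod a 16-bit q, standing in for the 160-bit generator and 160-bit q of DSA.
W = 16
Q = 40009
rng = random.Random(2001)   # seeded so the empirical numbers are reproducible

def nonce_plain_mod(q: int = Q, w: int = W) -> int:
    """Biased construction: a w-bit pseudorandom value reduced mod q."""
    return rng.getrandbits(w) % q

def nonce_extra_bits(q: int = Q, w: int = W, extra: int = 64) -> int:
    """Assumed remedy: reduce a (w+extra)-bit value; the bias shrinks by 2^-extra."""
    return rng.getrandbits(w + extra) % q

def residue_weight(r: int, q: int = Q, w: int = W, extra: int = 0) -> int:
    """How many (w+extra)-bit inputs reduce to residue r (0 <= r < q)."""
    full_cycles, rem = divmod(1 << (w + extra), q)
    return full_cycles + (1 if r < rem else 0)

def expected_low_fraction(q: int = Q, w: int = W, extra: int = 0) -> float:
    """Exact probability that the nonce lands below 2^w mod q, the doubly-covered range."""
    n = 1 << (w + extra)
    threshold = (1 << w) % q
    full_cycles, rem = divmod(n, q)
    return (full_cycles * threshold + min(rem, threshold)) / n

def measured_low_fraction(sample: Callable[[], int], trials: int = 20000,
                          q: int = Q, w: int = W) -> float:
    """Empirical counterpart of expected_low_fraction for a given nonce generator."""
    threshold = (1 << w) % q
    return sum(1 for _ in range(trials) if sample() < threshold) / trials

if __name__ == "__main__":
    t = (1 << W) % Q
    print("preimages of a residue below", t, ":", residue_weight(0),
          "; at or above:", residue_weight(t))
    print("a uniform nonce would land below the threshold with probability", t / Q)
    print("plain mod q  :", expected_low_fraction(), measured_low_fraction(nonce_plain_mod))
    print("64 extra bits:", expected_low_fraction(extra=64), measured_low_fraction(nonce_extra_bits))
```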
____________________

mast.mcafee.com/mast/mass_map.asp?track=1&period=3 is an entertaining map of density of virus infections. Unfortunately, it's not in percentages (just overall numbers of files or computers), and the USA is treated differently than all other countries (broken down by state).
____________________

Authorities used hidden cameras and face-recognition software as a security measure in Tampa during the week of the Superbowl.  A police spokesman said 19 matches were made, of people who had not committed "significant" crimes.  No arrests were made. <www.washingtonpost.com/ac2/wp-dyn/A9757-2001Jan31?language=printer>
____________________

The Privacy Foundation is publicizing the possibility of using Javascript to "bug" a mail message that you send. There are at least two techniques to get a message to send its current contents back to the originator. <www.nytimes.com/2001/02/05/technology/05JAVA.html>
____________________

David Farber (dave@farber.net) has completed his one-year term as Chief Technologist at the FCC and is looking for his successor.  It would be a person with a strong technical background in modern communications including the Internet who would like to spend a year (or so) in Washington. Academics are particularly welcome since there is an IPA path which can be used. A strong interest in interacting with economists, lawyers and policy people is really needed.  The exposure is considerable since they would often be called upon to give speeches at key places.
____________________

SearchSpace claims that cell phone usage (the phone number, length of time, and time of day of a call) can be used to spot unusual usage and prevent cell phone fraud.  Their system has pattern-recognition software built into intelligent agents.  It reminds me a bit of the expert systems work American Express did for fraud detection. <www.newscientist.com/news/newsletter.jsp?id=ns9999370>
____________________

Simo-Pekka Parviainen of the University of Helsinki has written a master of law thesis entitled "Cryptographic Software Export Controls in the EU" (it is a 144-page PDF, in English) <ethesis.helsinki.fi/julkaisut/oik/julki/pg/parviainen/>.
____________________

Hide your messages using spam steganography <www.spammimic.com/decode.shtml>. I wonder if spam can beat traffic analysis as well?
____________________

HotMail has been blocking their users from sending e-mail to peacefire.org addresses.  If a user tried to send mail to a peacefire.org address from HotMail, they got a fake error message a day later saying that there was a problem on the recipient's end, when it was really HotMail blocking the message from being delivered.  I had problems following the reasons for this in the Risks post; something about being in the same IP block as some other sites involved in a boycott.
____________________

A Cleveland company plans on opening the International Spy Museum in Washington in February 2002. <ap.tbo.com/ap/breaking/MGAK4J6H0IC.html>
____________________