LISTWATCH: items from security-related mailing lists (April 17, 2001)
by Mary Ellen Zurko (mzurko@iris.com)
This issue's highlights are from DCSB, CRYPTO-GRAM, ACM TechNews, and cypherpunks.
____________________________________________________________
War Driving is being called the next big thing in hacking. It's driving
around looking for unsecured 802.11 wireless networks. Even installations
using Wired Equivalent Protocol (WEP) for security may be vulnerable if,
for instance, they have the encryption key set to one of several well-known
default values. The name of the activity is derived from the movie "War
Games".
www.theregister.co.uk/content/8/17976.html
____________________
According to the March 19th Newsweek, one of the secrets Robert Hanssen told
the Russians was that the U.S. tunnel under the Soviet embassy in Washington
was used so that "laser beams could pick up vibrations from the keystrokes of
Soviet ciphering machines -- helping to decode their signals."
____________________
VBS Worm Generator, the kit used to create the Anna Kournikova worm, has a
new version, V2: www.wired.com/news/technology/0,1282,42375,00.html. The
creator says that any harm done with worms created using his kit is not his
responsibility. The documentation (which is said to be very good) says that
testing with Norton anti-viral 2001, Kaspersky Anti-Virus (AVP), McAfee and
F-Secure's "Fprot" indicates they will not detect new worms created with this
kit.
____________________
Office XP will have a new anti-piracy feature that will
require an activation key and
keep any instance from running on more than one PC. However,
someone has stolen a corporate version that doesn't require an activation
key, and posted it as warez.
www.wired.com/news/business/0,1367,42402,00.html
___________________
A report on web bugs www.securityspace.com/s_survey/data/man.200102/webbug.html
has some
____________________
Here's a great NT error message. We should have a
contest to guess what it actually means
support.microsoft.com/support/kb/articles/q155/0/12.asp
____________________
There's another object lesson on why not to release documents in Word
format. This one is about the security implications of an Alcatel DSL modem
product: morons.org/articles/1/188.
____________________
TRUSTe is seeking public comment on its privacy guidelines for companies
undergoing mergers, acquisitions and bankruptcies. See www.truste.org.
____________________
Speculation abounds about NSA's Security-Enhanced Linux (SELinux) prototype. Will
it be freely available? Will it provide actual security?
Will it be usable? www.nsa.gov/releases/selinux_01022001.html,
www.wired.com/news/business/0,1367,42972,00.html.
____________________
A patch to IE to keep MIME handlers from incorrectly launching attachments
ran into a second problem. Users who had not upgraded their IE to the
appropriate service pack level were told by the patch installation process
that they did not need to apply the patch, even though they were
vulnerable. Unfortunately, this happened around April 1 as well. www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
____________________
And also around April 1, "DOJ STEPS UP CHILD PORNOGRAPHY FIGHT; Proposal
makes digital cameras 'childsafe'" www.cluebot.com/article.pl?sid=01/04/01/2155249
____________________
IE will be supporting P3P, with a target release date of this summer. The
interface is a privacy thermostat. Some privacy advocates object to this
interface, on the grounds that it encourages trading off privacy for
convenience.
____________________
On January 29 and 30, 2001, VeriSign, Inc. issued two certificates for
Authenticode signing to an individual fraudulently claiming to be an
employee of Microsoft Corporation. Any code signed by these certificates
will appear to be legitimately signed by Microsoft.
Users who try to run code signed with these certificates will generally be
presented with a warning dialog, but of course who wouldn't trust a
certificate that was validly issued from VeriSign, and claimed to be for
Microsoft? The certificates are on a Certificate Revocation List (CRL)
now, but I gather the code that checks the signatures for ActiveX
controls, Office Macros, and so on, doesn't do any CRL processing. Microsoft adds
that since the certificates don't have a CRL Distribution Point (DP),
it's not possible to find and use the CRL.
Rumor has it that the folks got the certificates by knowing the credit card
information that Microsoft used to legitimately purchase certificates in the
past. This would make sense, because even though I actually work for Iris
Associates, VeriSign shouldn't go issuing me certificates that claim I speak
for Iris Associates on that basis alone. And Microsoft's claim that no one
could possibly check a CRL without a CRL DP seems wrong to me too. If you
hard code trusted roots you can certainly hard code where a CRL is (or
configure it somewhere).
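The point made above, that a verifier which hard codes its trusted roots can just as well take the CRL from a configured location when the certificate carries no CRL Distribution Point, as an added Go example that is not from this column or from any of the vendors it names. It builds its own toy root and CRL; the root name "Toy Root", the serial 42 and the one-hour validity are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IsRevoked checks a certificate's serial against a CRL obtained from a
// configured, out-of-band location (crlDER) instead of from a CRL DP inside
// the certificate. A CRL whose signature does not verify against the trusted
// root is rejected outright rather than consulted.
func IsRevoked(serial *big.Int, root *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return false, err // forged or tampered CRL
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// BuildFixture makes a constructed toy setup: a fresh Ed25519 root that may
// sign CRLs, and a root-signed CRL revoking serial 42, standing in for a
// signing certificate that itself carries no CRL Distribution Point.
func BuildFixture() (root *x509.Certificate, crlDER []byte, err error) {
	now := time.Now()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(der) // DER we just produced, so it parses
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}},
	}, root, priv)
	return root, crlDER, err
}
```

Exercise it from a small _test.go that calls BuildFixture and then IsRevoked with serial 42, with an unrelated serial, and with a CRL whose last byte has been altered; the last must fail with an error rather than answer "not revoked".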
____________________
A Gallery of CSS Descramblers www.cs.cmu.edu/~dst/DeCSS/Gallery/ includes
one in a new language without a compiler, one in plain English, one in haiku
form, one transformed into music, a movie version, and a greeting card.
____________________
The Aimster pig encoder that translated titles into pig latin to hide them
from Napster title monitoring has been removed www.aimster.com/pigencoder.phtml.
____________________
Claude Shannon died on February 24, at age 84.
____________________
From ACM TechNews:
"Chinese Suspected of Hacking U.S. Sites"
Since an American spy plane and a Chinese jet fighter collided on April 1,
there have been at least nine attacks by hackers on U.S. government and
business sites. Chinese portals such as Sina.com and Sohu.com give hacking
instructions and possible targets, and encourage citizens to vandalize
American sites in retaliation for the death of the Chinese pilot. Users who
tried to access a site for artists in Marin County, Calif., were greeted
yesterday by a Chinese flag and an audio recording of their national anthem.
Pa.-based Intelligent Direct's site's home page was also replaced by a flag,
as well as the message "China have bomb, too," and some "profane comments
about someone's mother." Many of the computer attacks were signed by the
Hackers Union of China, who calls itself a "network security organization."
Last year, after the president of Taiwan expressed the desire to speak with
Chinese officials on a "state-to-state" level, Chinese residents launched
more than 100,000 attacks on Taiwanese sites. Chinese hackers differ from
most others because they are generally motivated by politics, and not the
desire for monetary profit.
(washingtonpost.com/wp-dyn/articles/A13431-2001Apr12.html)
"UN Working Group Seeks Common Ground on Security"
The United Nations on Thursday will host Global InfoSec 2001, a meeting of
its 189 member countries and representatives from the U.S. tech industry to
discuss matters of Internet security. "We want to sensitize diplomats to the
importance of the implications of IT so that they are equipped to deal with
the issues," says Percy Mangoaela, the UN ambassador from Lesotho and chair
of the UN's Working Group on Informatics, which is co-sponsoring the
conference. Among the issues to be highlighted at the conference is devising
a framework for pursuing cybercrime across international borders. Tech
executive Bill Crowell says this issue is highly problematic because no
country wants to give up any of its national sovereignty. Other issues
include the privacy of individuals online, with Mangoaela pointing out that
developing countries can learn much from the struggles that the United
States and the European Union are having with this issue.
www.infoworld.com/articles/hn/xml/01/03/23/010323hnun.xml?0326mnam
____________________
Schneier's latest CRYPTO-GRAM is a particularly good one. It has an
informative paragraph on the much trumpeted OpenPGP key file vulnerability,
and a nice discussion of a security survey (as well as several other
references I used above). I include both below verbatim:
A vulnerability was found in the OpenPGP standard. If an
attacker can modify the victim's encrypted private key file, he can
intercept a signed message and then figure out the victim's signing key.
(Basically, if the attacker replaces the public key parameters with weak
ones, the next signature exposes the private key.) This is a problem
with the data format, and not with the cryptographic algorithms. I
don't think it's a major problem, since someone who can access the victim's
hard drive is more likely to simply install a keyboard sniffer. But it is a
flaw, and shows how hard it is to get everything right. Excellent
cryptanalysis work here.
Announcement:
News reports:
www.nytimes.com/2001/03/21/technology/21CODE.html
securitygeeks.shmoo.com/article.php?story=20010320130246610#comments
www.wired.com/news/politics/0,1283,42553,00.html
news.cnet.com/news/0-1003-200-5208418.html?tag=mn_hd
The research paper: www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf

** *** ***** ******* *********** *************

CSI's Computer Crime and Security Survey
For the past six years, the Computer Security Institute has conducted an
annual computer crime survey. The results are not statistically meaningful
by any stretch of the imagination -- they're based on about 500 survey
responses each year -- but it is the most interesting data on real-world
computer and network security that we have. And the numbers tell a coherent
story. (I'm just going to talk about the 2001 numbers, but the numbers for
previous years track pretty well.)

64% of respondents reported "unauthorized use of computer systems" in the
last year. 25% said that they had no such unauthorized uses, and 11% said
that they didn't know. (I believe that those who reported no intrusion
actually don't know.) The number of incidents was all over the map, and the
number of insider versus outsider incidents was roughly equal. 70% of
respondents report their Internet connection as a frequent point of attack
(this has been steadily rising over the six years), 18% report remote dial-in
as a frequent point of attack (this has been declining), and 31% report
internal systems as a frequent point of attack (also declining).

The types of attack range from telcom fraud to laptop theft to sabotage. 40%
experienced a system penetration, 36% a denial of service attack. 26%
reported theft of proprietary information, and 12% financial fraud. 18%
reported sabotage. 23% had their Web sites hacked (another 27% didn't know),
and over half of those had their Web sites hacked ten or more times. (90% of
the Web site hacks were just vandalism, but 13% included theft of transaction
information.)

What's interesting is that all of these attacks occurred despite the wide
deployment of security technologies: 95% have firewalls, 61% an IDS, 90%
access control of some sort, 42% digital IDs, etc. Clearly the technologies
are not working sufficiently well.

The financial consequences are scary. Only 196 respondents would quantify
their losses, which totaled $378M. From under 200 companies! In one year!
This is a big deal.

More people are reporting these incidents to the police: 36% this year.
Those who didn't report were concerned about negative publicity (90%) and
competitors using the incident to their advantage (70%).

This data is not statistically rigorous, and should be viewed as suspect for
several reasons. First, it's based on the database of information security
professionals that the CSI has (3900 people), self-selected by the 14% who
bothered to respond. (The people responding are probably more knowledgeable
than the average sysadmin, and the companies they work for more aware of the
threats. Certainly there are some large companies represented here.) Second,
the data is not necessarily accurate, but is only the best recollections of
the respondents. And third, most hacks still go unnoticed; the data only
represents what the respondents actually noticed.

Even so, the trends are unnerving. It's clearly a dangerous world, and has
been for years. It's not getting better, even given the widespread
deployment of computer security technologies. And it's costing American
businesses billions, easily.

The survey (you have to give them your info, and they will send you a paper
copy): www.gocsi.com/prelea_000321.htm
1381L ERROR_TOO_MANY_SECRETS
The maximum number of secrets that can be stored in a single system was
exceeded. The length and number of secrets is limited to satisfy the United
States State Department export restrictions.
Washington Post (04/13/01) P. A13; Cha, Ariana E.
InfoWorld.com (03/23/01); Verton, Dan