LISTWATCH: items from security-related mailing lists (September 7, 2001)
by Mary Ellen Zurko (mzurko@iris.com)
This issue's highlights are from Privacy Forum Digest, ACM TechNews, dcsb, and Risks.
____________________________________________________________
Fact Squad (www.factsquad.org), set up by People for Internet
Responsibility (PFIR), provides jargon-free information about
technology and its effects on society. Topics currently listed include
Privacy and Digital Copyright and other Rights Issues.
____________________
The title of the article ("In a Dangerous World, Internet Security Cannot
Be Left to Technologists Alone", specials.ft.com/ftit/FT34WRFC6RC.html) is dopey and self-serving
(consultants say that they should be called in more). But the first part is
an interesting read for those of us interested in the continuing debate of
PKI's place in the universe. Are current problems from the economic
slowdown, an architecture over-hyped as a solution, over-centralization,
lack of consultants, lack of applications integration, or lack of web
services standards? I've been hearing all these and more lately.
____________________
DMCA tidbits:
The DMCA can be used to shut down any web site for at least 10 days
(www.salon.com/tech/log/2001/08/31/dmca_animals/index.html). A
British medical research firm shut down an animal-rights group that had
been protesting the firm's treatment of animals by sending the group's ISP
a letter claiming that the protest site violates the DMCA. The ISP is
cleared of any legal responsibility if it takes the site down and does not
bring it back up until it has received a counter-notification, sworn
under penalty of perjury, that the person accused of violating the DMCA
believes the site is not a copyright violation, and has then waited 10 days.
A US cryptography expert has broken Microsoft's e-book encryption to get
around its 2-persona limit, but is staying anonymous and not publishing
how to do it (www.techreview.com/web/roush/roush083001.asp).
Russia warned its computer experts of the dangers of visiting the US, since
Sklyarov was arrested while visiting a hackers' convention in the United
States. dailynews.yahoo.com/htx/nm/20010831/tc/tech_russia_usa_dc_1.html
The US Copyright Office says the DMCA is just fine (in part because it's
early days), though the law should be amended to allow backups and
archiving (www.washingtonpost.com/wp-dyn/articles/A16744-2001Aug29.html).
Dimitri Sklyarov and his employer, ElcomSoft of Moscow, pleaded not guilty to
charges of conspiracy and trafficking in technology for use in
copyright circumvention (www.nytimes.com/2001/08/31/technology/31HACK.html?todaysheadlines=&pagewanted=print).
The EFF has been gathering stories about lawful uses of the program.
At the USENIX security symposium, one student asked the SDMI panel, "Can I
get in trouble with the DMCA for summarizing this session for my thesis
advisor?" The panel unanimously agreed, "Yes", because the SDMI group only
authorized presentation of Felten's paper at USENIX. Nowhere else.
Fred Cohen is canceling the aspects of his research covered by the DMCA and
has withdrawn his forensic products from the market. His products were
previously sold to law enforcement. He is discussing whether he needs to
cancel classes that teach forensics and cryptanalysis.
A Risks reader posited that a blind person could sue the publisher under
the Americans with Disabilities Act.
Matt Blaze's declaration regarding the Felten DMCA case is a good,
straightforward read that makes a compelling case (www.crypto.com/papers/mab-feltendecl.txt).
____________________
From pgp-users: "A vulnerability in PGP's display of key validity has been
discovered that could allow an attacker to fool users into thinking that a
valid signature was created by what is actually an invalid user ID. If the
attacker can obtain a signature on their key from a trusted third party,
they can then add a second user ID to their key which is unsigned. The
attacker must then switch the unsigned false user ID to primary and
convince the victim to place the key on their key ring. In such a case, some
of the displays in PGP do not properly identify the false user ID as
invalid [unsigned? Mez] because the second user ID is fully valid. Whenever
PGP displays validity information on a per-user ID basis [a different
display mode? Mez], the display is correct. Thus, attentive users who
examine the user IDs of all public keys which they import to their key rings
will immediately notice this problem before it could have any impact [and
how easy/likely is that to happen? Mez]."
www.bluering.nl/pgp/ has the thesis and a picture of the exploit,
though I can't quite match the picture to the description. Am I supposed to
be looking at the "Unsigned" toggle as opposed to the nice green ball under
"Validity" or the nice date under "Signed"?
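As an added illustration of the distinction the pgp-users note draws (this is a constructed model written for this column, not PGP's code or anything from www.bluering.nl/pgp/), the following models a key with a certified user ID and an uncertified one that has been made primary. A key-level validity summary reports the key as valid because one user ID is certified; a per-user-ID view shows the primary ID as invalid, and an import check that looks at the primary user ID and at every user ID individually surfaces the problem. The key IDs, names, and "trusted signer" set are all made up for the example.

```python
"""Key-level vs. per-user-ID validity (constructed model, not PGP's code).

A key carries several user IDs, each with its own set of certifying
signatures. Validity is a property of a user ID, not of the key. The
problem described on pgp-users is that some displays summarise validity
at the key level, so one certified user ID makes the whole key look valid
even when the primary (displayed) user ID has no certification at all.
"""
from dataclasses import dataclass, field


@dataclass
class UserID:
    name: str
    # key IDs of the parties that certified (signed) this user ID
    certified_by: set = field(default_factory=set)


@dataclass
class PublicKey:
    key_id: str
    user_ids: list
    primary: int = 0  # index into user_ids of the user ID shown by default


def uid_is_valid(uid: UserID, trusted_signers: set) -> bool:
    """A user ID is valid only if a trusted introducer certified that name."""
    return bool(uid.certified_by & trusted_signers)


def key_level_validity(key: PublicKey, trusted_signers: set) -> bool:
    """The misleading aggregate: the key shows as valid if ANY user ID is certified."""
    return any(uid_is_valid(u, trusted_signers) for u in key.user_ids)


def per_uid_validity(key: PublicKey, trusted_signers: set) -> dict:
    """The correct per-user-ID view, which the pgp-users note says PGP gets right."""
    return {u.name: uid_is_valid(u, trusted_signers) for u in key.user_ids}


def import_warnings(key: PublicKey, trusted_signers: set) -> list:
    """Checks an attentive user (or a hardened import path) should apply."""
    warnings = []
    validity = per_uid_validity(key, trusted_signers)
    primary = key.user_ids[key.primary]
    if not validity[primary.name]:
        warnings.append(
            f"primary user ID '{primary.name}' on key {key.key_id} "
            "is not certified by any trusted signer"
        )
    if key_level_validity(key, trusted_signers) and not all(validity.values()):
        uncertified = [n for n, ok in validity.items() if not ok]
        warnings.append(
            f"key {key.key_id} displays as valid but has uncertified user IDs: {uncertified}"
        )
    return warnings


# Constructed sample: the attacker's key as described in the pgp-users note.
TRUSTED_SIGNERS = {"ttp-key"}  # hypothetical trusted third party's key ID
ATTACKER_KEY = PublicKey(
    key_id="attacker-key",
    user_ids=[
        UserID("Mallory <mallory@example.net>", {"ttp-key"}),  # genuinely certified
        UserID("Alice <alice@example.org>"),  # added later, unsigned, made primary
    ],
    primary=1,
)

if __name__ == "__main__":
    print("key-level validity:", key_level_validity(ATTACKER_KEY, TRUSTED_SIGNERS))
    print("per-user-ID validity:", per_uid_validity(ATTACKER_KEY, TRUSTED_SIGNERS))
    for w in import_warnings(ATTACKER_KEY, TRUSTED_SIGNERS):
        print("WARNING:", w)
```

The point of `import_warnings` is that it never consults the aggregate: it reports the primary user ID's own certification status, and separately flags any key whose summary would read "valid" while some of its user IDs carry no trusted certification at all.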
___________________
Legal scholars say that lawsuits suing the companies and network providers
of vandalized web sites for damages may be coming partners.nytimes.com/2001/08/24/technology/24CYBERLAW.html.
____________________
Cross-site scripting techniques were used to demonstrate breaking into Hotmail and
stealing Passport IDs and credit card data (www.usatoday.com/life/cyber/tech/2001-08-31-hotmail-security.htm).
____________________
Surveys sez:
A Computer Security Institute study reports a large increase in cybercrime
reports. The increase is attributed to the tightening economy and the lack
of resources to pursue these break-ins. There is also a claim of greater
cooperation between private companies and law enforcement agencies (www.usatoday.com/usatonline/20010831/3594670s.htm).
The Confederation of British Industry (CBI) survey said that two-thirds of the
companies responding had fallen victim to cybercrime in the past year. 69
percent said the financial loss was negligible. The companies still fear
their reputations could be tarnished. 53 percent of businesses felt safe
trading online with other businesses, but confidence dropped to 32 percent
when it came to dealing with consumers via the web (www.siliconvalley.com/docs/news/reuters_wire/1444131l.htm).
____________________
Sitting in the Morristown (N.J.) Memorial Hospital, AT&T Labs' Avi Rubin
noticed that his laptop wireless connection card was blinking, and then
discovered that the hospital's wireless network was open to his laptop,
using 802.11b (Wi-Fi) and automatically granting him access. My favorite
quote from Avi: "Fortunately, I'm married to a lawyer, who advised me
against looking [at the hospital traffic]." When he alerted the hospital,
they said that it was a "temporary situation" during an overhaul.
www.nytimes.com/2001/08/19/technology/19WIRE.html
____________________
Almost a month after the SirCam virus was first spotted, the virus is still
pouring into e-mail inboxes. According to Sophos, an antiviral software
company, SirCam accounted for a whopping 65 percent of all reported virus
infections in July, a record unmatched by any other virus since Sophos
started tracking them in 1998. I got more copies of this virus than any other,
and most viruses I never even saw a copy of. Others were caught at
our routers, and support notified me that I had been the target recipient of one
(usually through the cypherpunks mailing list :-). www.wired.com/news/technology/0,1282,46087,00.html
I also felt the effects of the variants of Code Red for several days while
I and others had various web based services disabled. I was shocked to see
claims of over-hype targeted at the virus, since it had been many virus
iterations since one disrupted my work life. Maybe it struck enterprises
the hardest.
____________________
Pompiliu Donescu, Virgil D. Gligor, and David Wagner, in "A Note on NSA's
Dual Counter Mode of Encryption" (www.cs.berkeley.edu/~daw/papers/dcm-prelim.ps),
show that both variants of the Dual Counter Mode of encryption (DCM)
submitted to NIST by NSA staffers for consideration as an AES mode of
operation are insecure with respect to both secrecy and integrity in the
face of chosen-plaintext attacks.