[risks] Risks Digest 22.88
From: RISKS List Owner (risko@csl.sri.com)
Date: Wed Aug 27 2003 - 13:51:59 CDT
RISKS-LIST: Risks-Forum Digest Wednesday 27 August 2003 Volume 22 : Issue 88
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
The current issue can be found at
California accepts completely unverified updates (Geoff Kuenning)
BlackBerry reveals sensitive Morgan Stanley data (Mark Feit)
Cingular wants me to pay negative balance (Ulf Lindqvist)
'Entrepreneur' a trademarked word, court rules (Christine Van Dusen via
Slammer worm hits system within Davis-Besse nuclear power plant (Fuzzy Gorilla)
Sobig affects Amtrak trains, Air Canada (Marty Leisner)
Some observations on e-mail phenomenology (Peter B. Ladkin)
Update on Sobig stage 2 (Rob Slade)
Thank you for [...] (Rob Slade)
Organized crime behind Sobig mess? (NewsScan)
Re: Send PIF files in ZIP attachment to avoid virus detectors? (Robert de Bath)
Re: Pilot fixes faulty jet (Peter B. Ladkin)
Satellite photo of Eastern North America during blackout (John Oram)
2004 IEEE Symposium on Security and Privacy, Call for Papers (David Wagner)
Abridged info on RISKS (comp.risks)
Date: Mon, 25 Aug 2003 16:52:57 -0700 (PDT)
Subject: California accepts completely unverified updates
I own a tiny California corporation for consulting purposes. Each year, I
am required to file a "statement by domestic stock corporation" with
information such as my address and the names of corporate officers.
This year, it is possible to file electronically (a necessity for me because
the state reverted to a 5-year-old address, which is another story of
incompetence). The Web form tends to crash browsers, but I eventually
succeeded with Mozilla. You type in the name of the corporation, fill out
the forms, and pay your $25 via credit card.
All of this is done with NO VERIFICATION WHATSOEVER. If I had a stolen
credit card, I could change the addresses and officers of Microsoft, Bank of
America, and a zillion other corporations. Straightening out the mess would
probably cost the state far more than the $25 per instance that they
wouldn't be able to collect from the credit card company anyway.
Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
Date: Tue, 26 Aug 2003 09:23:37 -0400
From: Mark Feit <mfeit@notonthe.net>
Subject: BlackBerry reveals sensitive Morgan Stanley data
We've seen this before with hard disks. The article goes on to point out
that this has started to happen more frequently as people are synchronizing
their mobile devices with their desktops.
The eBay ad read "BlackBerry RIM sold AS IS!" So Eugene Sacks (not his
real name), a Seattle computer consultant who always wanted one of the
pager-size devices to check his e-mail, sent in a bid. For just $15.50, he
bought the wireless device with 4 MB of memory. The BlackBerry didn't
come with a cable, synching station, software or a manual. But it did come
with something even more valuable: a trove of corporate data.
Date: Fri, 22 Aug 2003 21:24:07 -0700 (PDT)
From: Ulf Lindqvist <ulf@sdl.sri.com>
Subject: Cingular wants me to pay negative balance
This item seems tragically funny. I canceled my service from Cingular
Wireless some months ago, and in the final bill it turned out that I had
paid $3.36 too much. After some time they sent me a check, which I cashed.
After another couple of weeks, I received the e-mail below. I hope they
keep charging late fees for a negative balance, and I hope the fees will be
> Dear ULF LINDQVIST,
> Your current Cingular Wireless statement for account number [...] is
> now available for viewing on the Cingular Web Site at
> https://myaccount.cingular.com. The statement amount of $-3.36 is due and
> payable immediately. A late fee will be assessed after 07/28/2003.
Also note that the message was sent on 08/22/2003...
Date: Mon, 25 Aug 2003 09:48:11 -0400
From: Monty Solomon <monty@roscom.com>
Subject: 'Entrepreneur' a trademarked word, court rules
Be careful if you use the word "entrepreneur." You might get sued.
Christine Van Dusen, *The Atlanta Journal-Constitution*, 25 Aug 2003
A federal judge recently ruled that the owner of Entrepreneur Magazine, a
small-business publication with about 2 million readers nationwide, has dibs
on the term. Entrepreneur Media, based in California, trademarked the word
after starting its magazine in 1978. And that, according to the court's
decision, means the firm has "exclusive right to use the mark in commerce."
Date: Fri, 22 Aug 2003 17:53:25 -0400
From: "Fuzzy Gorilla" <fuzzygorilla@euroseek.com>
Subject: Slammer worm hits system within Davis-Besse nuclear power plant
*The Register* (and other sites) are reporting that a PC associated with the
safety monitoring system at Davis-Besse nuclear power plant in Ohio.
This happened in January 2003, and there was no safety hazard because the
plant was offline and "the monitoring system, called a Safety Parameter
Display System, had a redundant analog backup that was unaffected by the
worm" but helps to illustrate the risks of having "a crunchy shell around a
soft, chewy center."
The plant had a firewall but...
"The Slammer worm entered the Davis-Besse plant through a circuitous route.
It began by penetrating the unsecured network of an unnamed Davis-Besse
contractor, then squirmed through a T1 line bridging that network and
Davis-Besse's corporate network. The T1 line, investigators later found,
was one of multiple ingresses into Davis-Besse's business network that
completely bypassed the plant's firewall, which was programmed to block the
port Slammer used to spread."
[H. Ludwig Hausen noted this as well:
Date: Sat, 23 Aug 2003 13:36:34 -0400
From: Marty Leisner <leisner@rochester.rr.com>
Subject: Sobig affects Amtrak trains, Air Canada
Read about the impacts of Sobig on Amtrak and Air Canada!!
In the *Wall Street Journal*, 21 Aug 2003, there was an article
"Computer Viruses Disrupt Railroad and Air Traffic"
It said: "A variant of the Blaster virus on Tuesday affected about half of
Air Canada's phone-reservation capacity and some of its airport check-in
operations, said spokesman John Rebel. In general, the virus simply slowed
the process of taking reservations, but in a small number of cases, the
problems caused flights to be delayed or canceled altogether, he said.
Service was returned to normal by Wednesday."
It also said: "Dan Murphy, a spokesman for CSX, said the company noticed
Wednesday at about 1:15 a.m. that a variant of the Blaster virus was
interfering with its train operations and dispatching system. The company
curtailed rail service throughout the CSX network while its technicians
tried to fix the problem. CSX operates about 1,600 freight, Amtrak and
commuter trains a day on its 23,000-mile route network east of the
The first case I just consider business stupidity -- the second case I
consider much more serious -- it affected the signaling on rails. I find it
hard to understand why general purpose computers are used in such
specialized applications -- and ones that are easily compromised. I have to
wonder what the requirements for these systems are (assuming they have
[Air Canada case also noted by Amos Shapir and Fuzzy Gorilla. PGN]
Date: Wed, 27 Aug 2003 11:48:22 +0200
From: "Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>
Subject: Some observations on e-mail phenomenology
I have seen many technical proposals arising from the changing phenomenology
of e-mail (e.g., Garfinkel, Anti-spam technology, RISKS-19.24, Tripoli in
RISKS-22.83), and increasingly many political proposals (e.g., Lincoln,
RISKS-22.86). In order to evaluate the social worth of any of these, it is
necessary to understand the changing phenomenology of e-mail, just as
political scientists must base their analyses and projections on concrete
data. In contrast to technical and political proposals, I have seen
relatively few public comments on the phenomenology (qualitative assessment)
and phenomenography (quantitative assessment) of e-mail traffic.
A look at the RISKS archives may serve as a sample. Peter Neumann was
already talking about the situation being "out of hand" six years ago (a
June 1997 example of phenomenology in his editorial comment on Garfinkel,
RISKS-19.24). Mike Hogsett's recent server data (RISKS-22.87) contributes to
As others have remarked, e-mail traffic has markedly increased in recent
weeks, due apparently to proliferation of the Sobig virus and the e-mail it
generates. It seems certain that significant changes will be made at many
organisations because of it. Some phenomenological comments are in order.
Like many contributors to RISKS, I have been using e-mail as a major
professional tool for twenty years, and have been running my own server for
the last nine. In this time, we have made three substantial technical
changes. Two of those were to accommodate client facilities, namely a change
to POP to accommodate portables, and a change to IMAP to accommodate PDAs +
Until recently, I accommodated the changing phenomenology of e-mail by
changing my working practices. However, our third major change, just over a
year ago, was the introduction of heavy filtering, because the level of spam
and resulting cost in time and connect charges precluded continued use of my
Nokia Communicator to read e-mail on the road.
Sobig is something else. We are a Unix/Linux shop, so we don't contribute
ourselves to the proliferation. The phenomenon will cause us to make
changes, but because of the observations that follow, it is not clear yet
what they will be.
My personal e-mail traffic has increased by up to an order of magnitude in
the last weeks. My wanted e-mail has been 2-5% of the total, contrasted with
the previous (estimated) 20%. All of the increase is unwanted mail
generated by Sobig. The surprise is how it has been generated. The extra
traffic is of five kinds:
1. Instances of Sobig-generated e-mail;
2. Bounce messages from e-mail servers unable to deliver an
instance of a Sobig-generated mail and which reply to the
address on the From header line;
3. Bounce messages from e-mail servers which have detected
instances of Sobig with my e-mail address on the From header line;
4. Sobig-generated messages whose contents have been modified
by our university computer center filter;
5. Personal inquiries by genuine correspondents who have
received a message of type 3 with my e-mail address on
the From header line.
We don't filter for Sobig. We haven't needed to - I can accommodate
messages of type 1 under my normal working practice (a guarded thank you
to everybody else!). Servers generating messages of type 2 don't filter,
either. Messages of types 3 and 4 are causing the most traffic, and the
The general phenomenology of Sobig-generated e-mails has been
known for a while. Relevant are
i. The e-mails, header and content, are entirely automatically
generated; there is no piggy-backing on genuine e-mail;
ii. The sender address is falsified, and ultimately derived
from address-book entries on some infected machine;
iii. There are technically easily-recognisable distinguishing
syntactic features of these virally-generated e-mails.
Effective counters (programs which recognise the features in
iii) have been known for a while, and details have been published
in sources of record for at least a week, e.g., in German,
Because of feature i, there is no disadvantage to anyone if a
server deletes Sobig-generated e-mails. Because of feature ii,
there is neither advantage nor necessity in informing either
falsified "sender" or receiver. I would have thought that
these observations would have been obvious to any system
But if they were uniformly (rationally) acted on, I would be receiving
no mails of types 3 and 4, whereas mails of these types are causing
me by far the biggest problem. If this observation generalises,
then the major problem would appear to be generated not by the
virus itself, but by the reactions of e-mail-server administrators.
I would have thought that e-mail service providers would be motivated to
minimise the traffic generated by malware. This is apparently not so. Major
ISPs such as AOL have been responsible for many messages of type 3.
I conclude that some work needs to be done to attempt to understand the
organisational motivations and behavior of system administration, and to
devise ways of preventing the collective behavior of professional
administrators from making problems a lot worse than they otherwise would
Peter B. Ladkin, University of Bielefeld, Germany
Date: Fri, 22 Aug 2003 13:08:18 -0800
From: Rob Slade <rslade@sprint.ca>
Subject: Update on Sobig stage 2
About 4 hours before it was due to trigger, F-Secure found an encrypted
section of code in the Sobig virus that indicated an unsuspected payload.
At 1900H UTC (noon, PDT) on Friday, infected computers would try to connect
to a number of servers, download a program, and run it.
Within that four hour period, F-Secure, possibly with the assistance of
other institutions, was able to contact the ISPs for these machines, and
have them all shut down. (One remains up. Presumably it has been turned
into a honeypot, a form of trap for the people who intended to use it for
At this time, we do not know what the intention of the so-called "Stage 2"
payload was, but the plan shows evidence of very careful planning, and,
given the extreme number of Sobig infections, it could have been very
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Date: Mon, 25 Aug 2003 13:01:06 -0800
From: Rob Slade <rslade@sprint.ca>
Subject: Thank you for [...]
Thank you for the details about that movie regarding my application for
the approved wicked screensaver!
Given that Sobig.F seems to have subsided from its weekend peak (from my
numbers, it was doubling every day last week up until Sunday and then
suddenly dropped off--to a rate that is still roughly as high as Klez at its
worst) and that "Stage 2" seems to have been averted, a few thoughts.
Blaster, a worm, infected relatively few machines but inconvenienced (and in
some cases worse) companies, so it gets its name in the paper. Sobig
surpasses all records in terms of number of e-mail messages generated, and
almost nobody (outside of our little security circle) is paying attention.
Spoofing of e-mail headers in virus messages goes back to Hybris or before.
Most of the successful e-mail viruses have used some form of spoofing. Yet
antivirus companies, in their mail server based products, are continuing to
generate bounce messages to the nominal sender, probably in an attempt to
market their products.
I got a lot of bounced Sobig over the past week. None, of course, had been
sent from me. What these bounces are actually doing is aiding the virus:
the bounce messages send the virus (a full copy of the original message is
often included) to yet another machine. Spammers have also been using
spoofed e-mail addresses for some time. Bounced spam is therefore also
helping spammers to spread their messages. Two spam for the price of one,
thanks to bounces. (Occasionally I hear of a server being inundated by a
faked sender address on spam, but this seems to be rare. Which would seem
to indicate that spammers are deliberately using random addresses, possibly
for reasons of multiplication through bounces.)
One of the interesting points to come out of the height of the Sobig numbers on
Saturday was that I saw relatively *few* bounces, in proportion to what one
might have thought was the case. My address is obviously on enough infected
machines for me to get huge numbers of infected messages: due to the way the
virus spoofs addresses, a large number of the Sobig messages would have been
sent "from" me. Given that the majority of server based antiviral packages
do bounce messages, the penetration of server based virus scanning would
therefore seem to be quite low. (Interesting, the indirect things you can
learn in the aftermath of an attack. Consider the subject line of this
message a test of content scanners still doing simplistic subject line
I have been warning about the type of convergence of malware technologies
involved in the "stage 2" situation for a few years now. Will it be taken
seriously after Sobig? (Listen to the sound of me *not* holding my breath.)
Sobig seems to have been planned and designed with much greater care than is
usually the case with viruses and malware. Up until now, we have been
spared what viruses *could* do primarily by the fact that we have been
facing a bunch of disorganized amateurs. A number of comments about Sobig
have raised the possibility of an involvement with spammers and/or organized
crime. (We already know that "red guest" groups in China are much more
organized and disciplined than traditional blackhats.) Sobig may simply be
the result of an isolated creative mind, but relying on that supposition as
fact is dangerous security planning.
Buried in the investigations into Sobig.F, you will find reference to the
fact that it stops reproducing after September 10th. I'm afraid it took my
wife pointing it out to make me realize that this is one day before
September 11th. Sobig.G, anyone?
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
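Ladkin's observation that nothing is gained by notifying the forged "sender", and Slade's that such notices carry the virus one hop further, can be made concrete with a small simulation. This is an added illustration, not code from RISKS or from any contributor; the addresses, subject line, and the extension-based detection rule are constructed assumptions standing in for a real scanner.

```python
"""Discard, don't bounce: gateway handling of forged-sender virus mail.

Added example, not code from RISKS or any contributor. Addresses, subject
lines and the extension-based detection rule are constructed assumptions.
"""
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Callable, Dict, List, Tuple

# Attachment extensions this toy detector treats as executable. ".pif" is
# the one discussed in the digest; the other two are assumed additions.
EXECUTABLE_EXTS = (".pif", ".scr", ".exe")


def make_infected_message(forged_from: str, rcpt: str) -> EmailMessage:
    """Construct a Sobig-style message: wholly machine-generated, with the
    From header forged from an address found on some infected machine."""
    msg = EmailMessage()
    msg["From"] = forged_from
    msg["To"] = rcpt
    msg["Subject"] = "Re: Approved"
    msg.set_content("Please see the attached file for details.")
    msg.add_attachment(b"\x00constructed, not a real executable",
                       maintype="application", subtype="octet-stream",
                       filename="wicked_screensaver.pif")
    return msg


def looks_viral(msg: EmailMessage) -> bool:
    """Detection stand-in: any attachment whose name ends in an executable
    extension. A real gateway would use a signature or heuristic scanner."""
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXTS):
            return True
    return False


def bounce_policy(msg: EmailMessage) -> Tuple[str, List[EmailMessage]]:
    """What many 2003 server products did: accept, scan, then 'warn the
    sender'. The From header is forged, so the warning, with a full copy of
    the infected original attached, lands on an uninvolved third party.
    That is Ladkin's type-3 traffic and Slade's 'two spam for the price
    of one'; the attached copy also gives the virus one more hop."""
    if not looks_viral(msg):
        return ("delivered", [])
    notice = EmailMessage()
    notice["From"] = "postmaster@gateway.example"
    notice["To"] = parseaddr(msg["From"])[1]   # the forged address
    notice["Subject"] = "Virus found in your message"
    notice.set_content("Your message contained a virus. Original attached.")
    notice.add_attachment(msg.as_bytes(), maintype="application",
                          subtype="octet-stream", filename="original.eml")
    return ("notice sent to forged sender", [notice])


def discard_policy(msg: EmailMessage) -> Tuple[str, List[EmailMessage]]:
    """The behaviour Ladkin argues for: the mail is wholly machine-generated
    (his point i), so nothing is lost by dropping it, and the sender is
    forged (point ii), so nobody is worth notifying. Reject with a 5xx
    while the SMTP transaction is still open; if the message was already
    accepted, discard it. Either way this gateway emits nothing."""
    if looks_viral(msg):
        return ("550 rejected during SMTP, no notice generated", [])
    return ("delivered", [])


def backscatter(policy: Callable, infected: List[EmailMessage]) -> Dict[str, int]:
    """Count the extra messages a policy generates, keyed by recipient."""
    counts: Dict[str, int] = {}
    for msg in infected:
        for out in policy(msg)[1]:
            rcpt = str(out["To"])
            counts[rcpt] = counts.get(rcpt, 0) + 1
    return counts


# Constructed batch: ten Sobig copies, all forging the same harvested address.
SAMPLE = [make_infected_message("victim@example.org", f"user{i}@corp.example")
          for i in range(10)]

if __name__ == "__main__":
    print("bounce :", backscatter(bounce_policy, SAMPLE))   # 10 to the victim
    print("discard:", backscatter(discard_policy, SAMPLE))  # nothing at all
```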
Date: Tue, 26 Aug 2003 08:28:20 -0700
From: "NewsScan" <newsscan@newsscan.com>
Subject: Organized crime behind Sobig mess?
Antivirus specialist Peter Simpson warns that the Sobig.F virus is the
latest in a series of attempts on the part of organized crime to shift some
of their illicit activities online. "Sobig smashed all the records in terms
of pure numbers, but that's not nearly the whole story. This is the sixth in
a series of controlled experiments. This isn't about some kiddy writing
viruses in his bedroom -- this is really a very sophisticated example of
organized crime," says Simpson, a manager at Clearswift's ThreatLab.
Simpson explained that the purpose of a virus such as Sobig isn't to cause
damage, but to gain control of the machine in order to access information
such as financial details for the purpose of fraud. It also comes in handy
for disguising the source of spam by hijacking the victim's machine and
identity. "The real question here has to be about the motives of the virus
writer. This isn't just about writing a virus that will spread rapidly and
break records; the motives here are very different and are clearly
criminal. It's all about the hidden agenda." [ZDNet/Silicon.com 25 Aug
2003; NewsScan Daily, 26 August 2003]
Date: Sat, 23 Aug 2003 08:00:26 +0100 (BST)
From: Robert de Bath <robert$mayday.cix.co.uk>
Subject: Re: Send PIF files in ZIP attachment to avoid virus detectors?
> How long until a virus sends itself in a ZIP file attachment [...]
Already done, I recently had a copy of 'W32/Mimail.Amm' on the 15th in my
linux mailbox (viruses are normally filtered like other junk) and it's even
worse than you think.
The outer message was from the sysadmin of _my_ domain; there was a zip that
contained an html file. The html file was a mis-labeled file containing a
MIME content type at the start and a PE executable at the end so IE would
(presumably) run the executable ...
Hmm, I need to check that my "html cleaner" will (at least!) break one
of those files.
PIFs are some weird windows hack yes, as for file extensions, personally
I _always_ do a websearch if I intend to use an unusual extension in
a program on any OS. Just suppose you choose an extension that's also
used by the "super dooper porn hunter" for your "work control system" :)
Robert de Bath <robert$ debath.co.uk> <http://www.cix.co.uk/~mayday>
[Also commented on by Steve VanDevender. PGN]
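The two tricks in this post, an executable carried inside a ZIP and an "HTML" file that is really a PE executable, are both caught by inspecting attachment content rather than trusting names and declared types. What follows is an added example, not code from the post or from any mail filter; the sample message, the ZIP contents, the extension list and the 64-byte PE stub are all constructed.

```python
"""Look inside attachments: executables in ZIPs and 'HTML' that is really PE.

Added example, not code from the post or from any mail filter. The sample
message, ZIP contents, extension list and PE stub are constructed.
"""
import io
import zipfile
from email.message import EmailMessage
from typing import List, Optional

# ".pif" is the extension discussed above; the others are assumed additions.
EXECUTABLE_EXTS = (".pif", ".scr", ".exe", ".com", ".bat")
MAX_ENTRY_BYTES = 5_000_000   # refuse to expand huge ZIP entries (zip bombs)


def find_embedded_pe(data: bytes) -> Optional[int]:
    """Offset of a PE image inside data, or None. A PE image starts with a
    DOS header 'MZ'; the little-endian dword at +0x3c (e_lfanew) points from
    'MZ' to the 'PE\\0\\0' signature, which rules out bare 'MZ' in text."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3c:pos + 0x40], "little")
            sig = pos + e_lfanew
            # 0x1000 is a heuristic upper bound on the DOS stub size
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def inspect_bytes(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Report findings for one attachment, descending into ZIP archives."""
    findings: List[str] = []
    lname = name.lower()
    if lname.endswith(EXECUTABLE_EXTS):
        findings.append(f"{name}: executable extension")
    if data[:2] == b"PK" and depth < 3:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = f"{name}/{info.filename}"
                    if info.file_size > MAX_ENTRY_BYTES:
                        findings.append(f"{inner}: entry too large, not expanded")
                        continue
                    findings += inspect_bytes(inner, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            findings.append(f"{name}: corrupt ZIP")
    elif lname.endswith((".htm", ".html", ".txt")):
        off = find_embedded_pe(data)
        if off is not None:
            findings.append(f"{name}: named as text but carries a PE image at offset {off}")
    return findings


def inspect_message(msg: EmailMessage) -> List[str]:
    """Run inspect_bytes over every attachment of a parsed message."""
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings += inspect_bytes(name, part.get_payload(decode=True))
    return findings


def fake_pe() -> bytes:
    """Constructed 64-byte DOS header whose e_lfanew points at 'PE\\0\\0'.
    Enough for the detector to fire; it is not an executable."""
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"


def build_sample() -> EmailMessage:
    """A message shaped like the one in the post: ZIP -> 'html' -> PE."""
    html_pe = b"Content-Type: text/html\r\n\r\n<html><body>hi</body></html>\r\n" + fake_pe()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("page.html", html_pe)
        zf.writestr("setup.pif", b"constructed, not an executable")
    msg = EmailMessage()
    msg["From"] = "sysadmin@my-domain.example"   # forged, as in the post
    msg["To"] = "user@my-domain.example"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="info.zip")
    return msg
```

Running `inspect_message(build_sample())` reports both the `.pif` entry and the HTML file carrying a PE image, neither of which a filename or declared-type check alone would flag.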
Date: Mon, 25 Aug 2003 09:48:32 +0200
From: "Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>
Subject: Re: Pilot fixes faulty jet (Wienstock, Risks 22.85)
This incident was reported on-line also by the BBC, citing
The Times, at http://news.bbc.co.uk/1/low/world/europe/3143237.stm
Thanks to Harold Thimbleby for pointing it out to me.
It is important to get things right, and these news reports, from
what are supposedly the best of British journalism, fail to do so.
The Times apparently suggested a bug in the computer providing a false
The incident occurred on 8 Aug 2003 after a Boeing 757 run by British tour
operator MyTravel was found to have a faulty onboard computer that
insisted the aircraft was airborne when it was in fact parked on the
tarmac. Covered in oil after resetting a sensor in the aircraft's
nosewheel, the pilot [asked passengers......] [RISKS 22.85, PGN-ing The
The BBC suggests a "faulty warning light":
The tourists had waited ... while the pilot fixed a faulty warning light
... The light had indicated the plane was airborne when it was still on
the ground. After repairing it, the plane's captain [asked the
[A company spokesperson said] " He (the pilot) was confident that it was
simply an indication error ......
In these brief reports there are three mutually incompatible hypotheses
concerning the origin of the problem: a "faulty warning light", an
ill-adjusted nosewheel sensor, and a "faulty onboard computer". The Times
contradicts itself concerning the origin of the fault (citing two of the
three above) and the BBC, supposedly reporting on The Times, contradicts
both of The Times's hypotheses.
The BBC includes reader opinions on its news page. One may notice how ready
people are to express opinions on the appropriateness of the captain's
action, without having enough information to judge it. For the
appropriateness of his/her gesture depends crucially on what was said,
cf. the following two examples (for speech 2, I choose one of the three
hypothesised causes and make some assumptions. This should not be
taken to mean that I judge that this was the most likely interpretation of
events. For I do not know).
1. "The airplane thinks it's in the air when it's on the ground. We think
we've fixed what we guess the problem might be. We're going to risk it.
Who wants to come with us?";
2. "We are getting a false air/ground indication. The consequences of that
are that two of our three braking systems might not operate as intended
on landing. The aircraft will stop safely on the runway with just wheel
brakes; indeed the manufacturer had to prove that it would do so, and
provide us with the performance figures, before we could fly anyone in
the airplane. So the worst case outcome would be that we take a little
longer to stop when we arrive at the destination.
I have tried to find the source of the problem. I checked the nosewheel
sensor, which determines whether the nosewheel is in full contact with
the ground. It was clearly out of adjustment, and that alone would have
caused the problem we have been seeing. I have adjusted the sensor so
that it now operates correctly. After checking everything else that we
can, I assume that that is the only problem. Theoretically there could be
a second problem, but I think that is unlikely enough that I shall ignore
it, while remaining alert to potential signs of it when we fly. I am
content to fly this airplane. Remember that my health and safety is
on the line every bit as much as yours and I have family too. I recommend
you be content to fly in this airplane also. But I wish to give those of
you who think differently from us a choice."
Peter B. Ladkin, University of Bielefeld, Germany
Date: Thu, 21 Aug 2003 17:37:37 -0700 (PDT)
From: "John Oram" <risks@oram.com>
Subject: Satellite photo of Eastern North America during blackout
The NOAA posted a few satellite photos of Northeastern North America
before and after last week's blackout.
The first photo seems a little supersaturated to me (and a little
misaligned, making for a poor flip-back-and-forth...) but clearly shows
great swaths of New York, Ontario, Ohio and Michigan in the dark.
However, there is a surprising amount of light still on, especially in New
York and Long Island, in line with the NYT article quoted by Andrew Greene
in 22.87. Other major urban areas (Toronto, Detroit, Cleveland) seem much
darker in comparison. Maybe more cars and generators in NYC and thus more
[Clearly, some places were either better prepared or lucky (or both)
than others. PGN]
Date: Sun, 24 Aug 2003 17:26:28 -0700 (PDT)
From: David Wagner <daw@cs.berkeley.edu>
Subject: 2004 IEEE Symposium on Security and Privacy, Call for Papers
2004 IEEE Symposium on Security and Privacy
9-12 May 2004, The Claremont Resort, Oakland, California, USA
IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with
The International Association for Cryptologic Research (IACR)
Paper submissions due: 5 Nov 2003
For submission guidelines see
For questions, please contact the program chairs:
General Chair: Lee Badger (DARPA)
Vice Chair: Steve Tate (University of North Texas)
David A. Wagner (University of California, Berkeley, USA)
Michael Waidner (IBM Zurich Research Lab, Switzerland)
Date: 30 May 2003 (LAST-MODIFIED)
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Alternatively, via majordomo,
send e-mail requests to <risks-request@csl.sri.com> with one-line body
subscribe [OR unsubscribe]
which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
If Majordomo balks when you send your accept, please forward to risks.
[If E-mail address differs from FROM: subscribe "other-address <xy>" ;
this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
Lower-case only in address may get around a confirmation match glitch.
INFO [for unabridged version of RISKS information]
There seems to be an occasional glitch in the confirmation process, in which
case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
.UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES: http://www.sri.com/risks
http://www.risks.org redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
http://www.csl.sri.com/illustrative.html for browsing,
http://www.csl.sri.com/illustrative.pdf or .ps for printing
End of RISKS-FORUM Digest 22.88