Security-Related News Items from Various Mailing Lists

by Mary Ellen Zurko

Here are this month's highlights from www-security, libernet, tbtf, risks, sig-security and e$pam.

There are guidelines around on how to write CGI programs so that they don't allow a client to invoke arbitrary OS calls on the server side. Adam Shostack has pointed out several times on www-security that programs should check that only legal characters are used in user input. However, another example of a CGI script that instead checks that no _illegal_ characters were input has caused a CERT advisory. It's a CGI example found in recent versions of the NCSA and Apache httpd servers.
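To make the distinction concrete, here is an added illustration (not code from the advisory or from either server) that puts a denylist check of the kind described above beside the allowlist check Shostack recommends, using constructed sample inputs for one CGI form field:

```python
import re

# Denylist in the style the page says caused the advisory: it enumerates
# characters believed dangerous, and anything not on the list is waved
# through. The set below is constructed for illustration.
SHELL_METACHARS = frozenset("&;`'\"|*?~<>^()[]{}$\\")

def denylist_ok(value: str) -> bool:
    """Reject only if a character from the denylist is present."""
    return not any(ch in SHELL_METACHARS for ch in value)

# Allowlist as Shostack urges: name the legal characters explicitly.
# Anything not named is rejected, including characters nobody thought of.
ALLOWED = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

def allowlist_ok(value: str) -> bool:
    """Accept only if the whole string matches the allowlist pattern."""
    return ALLOWED.fullmatch(value) is not None

# Pitfall: in Python (as in Perl) '$' also matches just before a trailing
# newline, so an allowlist anchored with ^...$ still lets "alice\n" through.
NAIVE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")

def naive_allowlist_ok(value: str) -> bool:
    """Allowlist with the common ^...$ anchoring mistake."""
    return NAIVE.match(value) is not None

def check(value: str) -> dict:
    """Run all three validators on one input so they can be compared."""
    return {
        "denylist": denylist_ok(value),
        "naive_allowlist": naive_allowlist_ok(value),
        "allowlist": allowlist_ok(value),
    }

# Constructed inputs: a plain login name, one with a listed metacharacter,
# one with a character the denylist author forgot, and one non-ASCII name.
SAMPLES = ["alice", "alice;extra", "alice\n", "al\u00edce"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), check(s))
```

The third sample is the point: the denylist (and the badly anchored allowlist) accept a character that was simply never listed, while the fullmatch allowlist rejects it without anyone having anticipated it.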

The Communications Decency Act is already having a chilling effect on even the medium of print. Jim Warren, a journalist for BoardWatch (a print and online magazine) has resigned over it. His editor excised an intentionally crude reference from his column in both media. The editor sent e-mail to Warren saying the change was made because it could "deliberately implicate" the publisher in a felony.

It's been a big month for bugs in Java and Javascript. Javascript is only related to Java by some syntactical overlap. It's not an open, scrutinized standard, and it can be placed directly in an HTML page. A Java bug that caused a lot of discussion this month involved using DNS to subvert the restriction that an applet can only connect to its originating host. The browser verifies this by doing a DNS lookup on the name of the originating host to get the TCP address, and comparing that address to a requested connection. However, a DNS name can refer to more than one TCP address. There is no strong security on DNS to make sure that a name only points to the "right" TCP address.

Javascript bugs were reported that allow a script to monitor and transmit the URLs that a browser visits, and to transmit directory listings of the local host's file system. A Javascript feature that has raised some eyebrows is the ability to send mail under a user's name when a form is submitted. The user may have no knowledge of the content of the mail, or even that it was sent.

On 3/5/96 Senator Patrick Leahy (D-VT) introduced the Encrypted Communications Privacy Act of 1996 in the Senate. The bills would waive export restrictions on "generally available" encrypting software. They would impose criminal penalties for the use of encryption in the commission of a crime or to hide evidence of a crime.

An article in the Denver Post claims that CellPort Labs, Inc., has come up with a device called MobileWeb that would allow users to browse the web from their cars. From the article:

Basically, MobileWeb links your vehicle's electronic devices via a wireless cellular or personal communications service network to the Web, [...] "In essence, we're marrying the wireless service to the automotive electronic system," Kennedy said.

I find the idea of hooking my car up to the Internet pretty darn scary.

A report on a location-based authentication method by Dorothy E. Denning and Peter F. MacDoran outlines an authentication mechanism that "utilizes space geodetic methods to form a time-dependent location signature that is virtually impossible to forge."

Another public-key infrastructure working group has started in the IETF (SPKI). This group has formed to explore public-key certificates that are attribute-based instead of name-based, for use in a variety of Internet applications.

The COAST Laboratory at Purdue discovered a vulnerability in the pseudo-random number generating code of Kerberos V4 that allowed an unprivileged user to impersonate another user.

The Department of State now allows encryption software to be temporarily exported for certain personal uses.

China ordered all users of international computer networks to register with the police.