LISTWATCH: items from security-related mailing lists (April 17, 2001)

by Mary Ellen Zurko (

This issue's highlights are from DCSB, CRYPTO-GRAM, ACM TechNews, and cypherpunks.


War Driving is being called the next big thing in hacking.  It's driving around looking for unsecured 802.11 wireless networks.  Even installations using Wired Equivalent Protocol (WEP) for security may be vulnerable if, for instance, they have the encryption key set to one of several well-known default values. The name of the activity is derived from the movie "War Games".


According to the March 19th Newsweek, one of the secrets Robert Hanssen told the Russians was that the U.S. tunnel under the Soviet embassy in Washington was used so that "laser beams could pick up vibrations from the keystrokes of Soviet ciphering machines -- helping to decode their signals."


VBS Worm Generator, the kit used to create the Anna Kournikova worm, has a new V2,1282,42375,00.html. The creator says that any harm done with worms created using his kit is not his responsibility. The documentation (which is said to be very good) says that testing with Norton anti-viral 2001, Kaspersky Anti-Virus (AVP), McAfee and F-Secure's "Fprot" indicates they will not detect new worms created with this kit.


Office XP will have a new anti-piracy feature that will require an activation key and keep any instance from running on more than one PC. However, someone has stolen a corporate version that doesn't require an activation key, and posted it as warez.,1367,42402,00.html


A report on web bugs  has some data on who has the most web pages bugged, and who generates the most bugged traffic.


Here's a great NT error message. We should have a contest to guess what it actually means
The maximum number of secrets that can be stored in a single system was exceeded. The length and number of secrets is limited to satisfy the United States State Department export restrictions.


There's another object lesson on why not to release documents in Word format. This one is about the security implications of an Alcatel DSL modem product


TRUSTe is seeking public comment on its privacy guidelines for companies undergoing mergers, acquisitions and bankruptcies. See


Speculation abounds about NSA's Security-Enhanced Linux (SELinux) prototype. Will it be freely available? Will it provide actual security? Will it be usable?,,1367,42972,00.html.


A patch to IE to keep MIME handlers from incorrectly launching attachments ran into a second problem. Users who had not upgraded their IE to the appropriate service pack level were told by the patch installation process that they did not need to apply the patch, even though they were vulnerable. Unfortunately, this happened around April 1 as well.


And also around April 1, "DOJ STEPS UP CHILD PORNOGRAPHY FIGHT; Proposal makes digital cameras 'childsafe'"


IE will be supporting P3P, with a target release date of this summer. The interface is a privacy thermostat. Some privacy advocates object to this interface, on the grounds that it encourages trading off privacy for convenience.


On January 29 and 30, 2001, VeriSign, Inc. issued two certificates for Authenticode signing to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft. Users who try to run code signed with these certificates will generally be presented with a warning dialog, but of course who wouldn't trust a certificate that was validly issued from VeriSign, and claimed to be for Microsoft? The certificates are on a Certificate Revocation List (CRL) now, but I gather the code that checks the signatures for ActiveX controls, Office Macros, and so on, doesn't do any CRL processing. Microsoft adds that since the certificates don't have a CRL Distribution Point (DP), it's not possible to find and use the CRL. 

Rumor has it that the folks got the certificates by knowing the credit card information that Microsoft used to legitimately purchase certificates in the past. This would make sense, because even though I actually work for Iris Associates, Verisign shouldn't go issuing me certificates that claim I speak for Iris Associates on that basis alone. And Microsoft's claim that no one could possible check a CRL without a CRL DP seems wrong to me too. If you hard code trusted roots you can certainly hard code where a CRL is (or configure it somewhere).


A Gallery of CSS Descramblers includes one in a new language without a compiler, one in plain English, one in haiku form, one transformed into music, a movie version, and a greeting card.


The Aimster pig encoder that translated titles into pig latin to hide them from Napster title monitoring has been removed


Claude Shannon died on February 24, at age 84.


From ACM TechNews: 

"Chinese Suspected of Hacking U.S. Sites" 
Washington Post (04/13/01) P. A13; Cha, Ariana E. 

Since an American spy plane and a Chinese jet fighter collided on April 1, there have been at least nine attacks by hackers on U.S. government and business sites. Chinese portals such as and give hacking instructions and possible targets, and encourage citizens to vandalize American sites in retaliation for the death of the Chinese pilot. Users who tried to access a site for artists in Marin County, Calif., were greeted yesterday by a Chinese flag and an audio recording of their national anthem. Pa.-based Intelligent Direct's site's home page was also replaced by a flag, as well as the message "China have bomb, too," and some "profane comments about someone's mother." Many of the computer attacks were signed by the Hackers Union of China, who calls itself a "network security organization." Last year, after the president of Taiwan expressed the desire to speak with Chinese officials on a "state-to-state" level, Chinese residents launched more than 100,000 attacks on Taiwanese sites. Chinese hackers differ from most others because they are generally motivated by politics, and not the desire for monetary profit.  (

"UN Working Group Seeks Common Ground on Security" (03/23/01); Verton, Dan 

The United Nations on Thursday will host Global InfoSec 2001, a meeting of its 189 member countries and representatives from the U.S. tech industry to discuss matters of Internet security. "We want to sensitize diplomats to the importance of the implications of IT so that they are equipped to deal with the issues," says Percy Mangoaela, the UN ambassador from Lesotho and chair of the UN's Working Group on Informatics, which is co-sponsoring the conference. Among the issues to be highlighted at the conference is devising a framework for pursuing cybercrime across international borders. Tech executive Bill Crowell says this issue is highly problematic because no country wants to give up any of its national sovereignty. Other issues include the privacy of individuals online, with Mangoaela pointing out that developing countries can learn much from the struggles that the United States and the European Union are having with this issue.


Schneier's latest CRYPTO-GRAM is a particularly good one. It has an informative paragraph on the much trumpeted OpenPGP key file vulnerability, and a nice discussion of a security survey (as well as several other references I used above). I include both below verbatim: 

A vulnerability was found in the OpenPGP standard. If an attacker can modify the victim's encrypted private key file, he can intercept a signed message and then figure out the victim's signing key. (Basically, if the attacker replaces the public key parameters with weak ones, the next signature exposes the private key.) This is a problem with the data format, and not with the cryptographic algorithms. I don't think it's a major problem, since someone who can access the victim's hard drive is more likely to simply install a keyboard sniffer. But it is a flaw, and shows how hard it is to get everything right. Excellent cryptanalysis work here.


News reports:,1283,42553,00.html

The research paper:

** *** ***** ******* *********** *************

CSI's Computer Crime and Security Survey

For the past six years, the Computer Security Institute has conducted an annual computer crime survey. The results are not statistically meaningful by any stretch of the imagination -- they're based on about 500 survey responses each year -- but it is the most interesting data on real-world computer and network security that we have. And the numbers tell a coherent story. (I'm just going to talk about the 2001 numbers, but the numbers for previous years track pretty well.) 

64% of respondents reported "unauthorized use of computer systems" in the last year. 25% said that they had no such unauthorized uses, and 11% said that they didn't know. (I believe that those who reported no intrusion actually don't know.) The number of incidents was all over the map, and the number of insider versus outsider incidents was roughly equal. 70% of respondents report their Internet connection as a frequent point of attack (this has been steadily rising over the six years), 18% report remote dial-in as a frequent point of attack (this has been declining), and 31% report internal systems as a frequent point of attack (also declining). 

The types of attack range from telcom fraud to laptop theft to sabotage. 40% experienced a system penetration, 36% a denial of service attack. 26% reported theft of proprietary information, and 12% financial fraud. 18% reported sabotage. 23% had their Web sites hacked (another 27% didn't know), and over half of those had their Web sites hacked ten or more times. (90% of the Web site hacks were just vandalism, but 13% included theft of transaction information.) 

What's interesting is that all of these attacks occurred despite the wide deployment of security technologies: 95% have firewalls, 61% an IDS, 90% access control of some sort, 42% digital IDs, etc. Clearly the technologies are not working sufficiently well. 

The financial consequences are scary. Only 196 respondents would quantify their losses, which totaled $378M. From under 200 companies! In one year! This is a big deal. 

More people are reporting these incidents to the police: 36% this year. Those who didn't report were concerned about negative publicity (90%) and competitors using the incident to their advantage (70%).

This data is not statistically rigorous, and should be viewed as suspect for several reasons. First, it's based on the database of information security professionals that the CSI has (3900 people), self-selected by the 14% who bothered to respond. (The people responding are probably more knowledgeable than the average sysadmin, and the companies they work for more aware of the threats. Certainly there are some large companies represented here.) Second, the data is not necessarily accurate, but is only the best recollections of the respondents. And third, most hacks still go unnoticed; the data only represents what the respondents actually noticed. 

Even so, the trends are unnerving. It's clearly a dangerous world, and has been for years. It's not getting better, even given the widespread deployment of computer security technologies. And it's costing American businesses billions, easily. The survey (you have to give them your info, and they will send you a paper copy):