[iwar] From Risks


From: Fred Cohen
From: fc@all.net
To: iwar@egroups.com

Tue, 30 May 2000 19:23:10 -0700 (PDT)


fc  Tue May 30 19:35:18 2000
Received: from 207.222.214.225
	by localhost with POP3 (fetchmail-5.1.0)
	for fc@localhost (single-drop); Tue, 30 May 2000 19:35:18 -0700 (PDT)
Received: by multi33.netcomi.com for fc
 (with Netcom Interactive pop3d (v1.21.1 1998/05/07) Wed May 31 02:35:11 2000)
X-From_: sentto-279987-385-959739796-fc=all.net@returns.onelist.com  Tue May 30 21:23:14 2000
Received: from mu.egroups.com (mu.egroups.com [207.138.41.151]) by multi33.netcomi.com (8.8.5/8.7.4) with SMTP id VAA28776 for ; Tue, 30 May 2000 21:23:14 -0500
X-eGroups-Return: sentto-279987-385-959739796-fc=all.net@returns.onelist.com
Received: from [10.1.10.36] by mu.egroups.com with NNFMP; 31 May 2000 03:23:19 -0000
Received: (qmail 16770 invoked from network); 31 May 2000 02:23:14 -0000
Received: from unknown (10.1.10.142) by m2.onelist.org with QMQP; 31 May 2000 02:23:14 -0000
Received: from unknown (HELO all.net) (24.1.84.100) by mta3 with SMTP; 31 May 2000 02:23:12 -0000
Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id TAA24210 for iwar@onelist.com; Tue, 30 May 2000 19:23:10 -0700
Message-Id: <200005310223.TAA24210@all.net>
To: iwar@egroups.com
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen 
MIME-Version: 1.0
Mailing-List: list iwar@egroups.com; contact iwar-owner@egroups.com
Delivered-To: mailing list iwar@egroups.com
Precedence: bulk
List-Unsubscribe: 
Date: Tue, 30 May 2000 19:23:10 -0700 (PDT)
Reply-To: iwar@egroups.com
Subject: [iwar] From Risks
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Date: Mon, 22 May 2000 16:32:55 -0400
From: "Edelson, Doneel" 
Subject: Top-secret stolen UK laptop recovered  

A stolen laptop computer holding details of a top secret 250-billion-pound
Anglo-US super-lethal stealth Strike fighter project has been recovered by
*The Mirror*.  The laptop was stolen from a naval intelligence officer at a
London station two weeks before.  [Source: *Mirror* article 22 May 2000; PGN-ed]

--------------------------

Date: Fri, 26 May 2000 11:30:11 -0400
From: Declan McCullagh 
Subject: Venezuela cites computer glitch, postpones elections

CARACAS, VENEZUELA -- Citing technical woes, Venezuela's high court on
Thursday suspended this weekend's general elections, saying fair balloting
is impossible until the problems are resolved.  Conditions for "credibility
and transparency" in Sunday's presidential, congressional and regional
elections do not exist, said Ivan Rincon of the Supreme Tribunal of Justice.
[...]  President Hugo Chavez had earlier blamed an Omaha (Neb.)-based
company for the technical problems, saying it was part of an overall plan to
"destabilize" the country's electoral process.  [Source: Citing major
computer woes, high court delays elections *Chicago Tribune*, 26 May 2000
http://www.chicagotribune.com/news/printedition/article/0,2669,SAV-0005260364,FF.html;
PGN-ed; see also:
  http://www.washingtonpost.com/wp-dyn/articles/A7231-2000May25.html
  http://www.foxnews.com/world/0523/i_ap_0523_111.sml
  http://news.bbc.co.uk/low/english/world/americas/newsid_764000/764372.stm]
    [Contrast the controversy over the recent election in Peru.  PGN]

--------------------------

Date: Mon, 29 May 2000 09:14:13 +0100
From: Kevin Connolly 
Subject: Study shows mobile phones do interfere with avionics

See http://www.newscientist.com/nsplus/insight/phones/dangersignals.html

The study showed that mobiles caused problems for older generation
avionics during tests in a parked jet.

  "interference levels that exceed demonstrated susceptibility
   levels for aircraft equipment approved against earlier standards"

Kevin Connolly

--------------------------

Date: Mon, 15 May 2000 08:17:29 -0700
From: Chris Adams 
Subject: Widespread Web-Trojan alerts

The people at Zope found a problem with their admin interface
(http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan) that also
applied to just about any web-based admin tool. Basically, an attacker could
create a page that redirected to the site's admin interface or a form that
submitted to it (possibly using JavaScript for automatic submission); in any
case, the effect was that any user who was logged in as a site administrator
could have an attacker execute arbitrary commands in their security context
merely by following a link. If this was carefully set up using JavaScript
and frames, it's more than possible that the admin would never notice what
had happened. This attack would be particularly effective against online
news sites and anyone else for whom it is common to receive many URLs every
day as submissions.

This story was picked up by LWN (http://www.lwn.net/2000/features/Redirect.phtml)
and spread rapidly to the usual security forums.

There's a very simple fix that prevents this attack from working in any of
the cases reported. The problem is that the form parameters can all be
guessed by the attacker, allowing them to generate a URL easily. Putting in
a random parameter prevents this from being true. Given that you need to
have a random identifier that is not leaked to third parties for meaningful
session management, an obvious step is to put in a parameter in the form
that must match the user's session ID (e.g. Confirm=346593045 instead of
Confirm=true).

(This is still vulnerable if the browser has a security hole which allows an
unrelated site to capture cookies. However, such a bug is really a separate
issue as it would allow an attacker to easily hijack the session directly. A
browser that buggy should not be used.)

What I've found disturbing is that there have been several people attempting
to get the news out since the original wave of reports (~5/10) about having
such a fix that will defang this entire class of attack in a single line of
code. These efforts don't seem to have achieved anything like the visibility
given to the original reports. There's a great deal of speculation about
convoluted, partial means of stopping such attacks and even suggestions
about disabling web-based admin interfaces entirely but, thus far, very
little word about what has to be one of the easiest fixes in the history of
computer security.

The risks? Besides the obvious security concerns, there's the risk that
people will do something rash or remain vulnerable despite the fact that,
contrary to some of the reports, there is a fix and it's quite simple. A
casual observer could easily get the impression that this problem is a major
threat.
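The fix the item above describes, a form field that an attacker's page cannot guess because it is bound to the victim's session, is what is now called an anti-CSRF token. The following is an added illustration, not code from the Risks item, from Zope or from the LWN article: a constructed request model with the "Confirm=true" handler beside a hardened one. The item proposes matching the session ID directly; this example instead derives the Confirm value as an HMAC of the session ID under a server secret (an assumption of the example, not the author's method), so the page never has to echo the session cookie value itself. The request/cookie/form shape and the server secret are constructed for the demo.

```python
"""Session-bound confirm token against the "client-side Trojan" (CSRF) attack.

Constructed example: a minimal request model, not Zope code. A forged
cross-site submission carries the victim's cookie (the browser attaches it)
but can only guess form fields; the per-session Confirm value is the one
field the attacker cannot produce.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption of the example: one server-side secret used to derive tokens.
SERVER_SECRET = b"constructed-server-secret-rotate-in-production"


@dataclass
class Request:
    """Only the two inputs that matter here: cookies and POSTed form fields."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def confirm_token(session_id: str) -> str:
    """Derive the Confirm value from the session ID with an HMAC, so the
    rendered page never contains the raw session cookie value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_admin_form(session_id: str) -> str:
    """Server-rendered admin form; the hidden Confirm field is per session,
    and a third-party page cannot read it to copy it into a forged form."""
    return (
        '<form method="post" action="/admin/delete_user">'
        '<input type="hidden" name="Confirm" value="%s">'
        '<input type="text" name="user">'
        '<input type="submit" value="Delete">'
        '</form>' % confirm_token(session_id)
    )


def handle_delete_vulnerable(req: Request) -> bool:
    """'Before': any logged-in session plus the guessable Confirm=true performs
    the action. This is the flaw the report describes and is kept on purpose."""
    if "session" not in req.cookies:
        return False
    return req.form.get("Confirm") == "true"


def handle_delete_hardened(req: Request) -> bool:
    """'After': the Confirm field must match the token for this session."""
    session_id = req.cookies.get("session")
    if session_id is None:
        return False
    supplied = req.form.get("Confirm", "")
    expected = confirm_token(session_id)
    # Constant-time comparison on bytes so the token cannot be guessed
    # one character at a time through timing differences.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo() -> dict:
    """Run a legitimate and a forged submission through both handlers."""
    victim_session = secrets.token_hex(16)          # constructed session ID
    cookies = {"session": victim_session}

    # Legitimate submission: the browser sends back the form the server rendered.
    legit = Request(cookies, {"Confirm": confirm_token(victim_session), "user": "bob"})
    # Forged submission from another site: the cookie rides along automatically,
    # but the attacker can only guess the form fields.
    forged = Request(cookies, {"Confirm": "true", "user": "bob"})

    return {
        "vulnerable_accepts_forged": handle_delete_vulnerable(forged),
        "hardened_accepts_forged": handle_delete_hardened(forged),
        "hardened_accepts_legit": handle_delete_hardened(legit),
        "no_cookie_rejected": handle_delete_hardened(Request({}, dict(forged.form))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The caveat in the item still applies unchanged: this check binds the action to the session, so a browser bug that lets another site read the cookie defeats it, but such a bug already lets the attacker use the session directly.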

------------------------------

Date: Wed, 24 May 2000 01:01:12 -0600
From: "s. keeling" 
Subject: I did not say that!  wrt deja.com

I don't know if this is a problem or if I'm overreacting.  I just did
a search on my user id and chanced across a misquoted (by some usenet
newbie) news article that attributes statements I never said to me.

http://x69.deja.com/[ST_rn=fs]/getdoc.xp?AN=624428330&CONTEXT=959150860.1906835472&hitnum=6

Do people take deja/usenet with a grain of salt, or should I worry
about what anyone can say I said?

------------------------------

Date: 22 May 2000 23:25:38 -0400
From: uryse0d5@umail.furryterror.org (Zygo Blaxell)
Subject: Risky quotation

While at a bookstore the other day, my spouse was presented with a credit
card signature slip printed by an Interac point-of-sale terminal.  It was
just like any other credit signature slip, except that the usual "customer
signature" line was printed twice, one on top of the other, with ample
space for the signature in both places--a harmless glitch, probably
due to an obvious and simple programming error.

We pointed the error out to the cashier, who was probably barely old
enough to be legally employed, and her response, if she speaks for her
generation, was ominous, even terrifying:

	"It does that because ... because it's a computer."

An entire generation is growing up believing that the current sorry state
of affairs in information technology could ever be accepted as _normal_!



------------------
http://all.net/