TBTF for 1997-03-21 [1], 1997-03-09 [2]

After the publication of TBTF for 1997-03-21 [1] I updated the archive three times in five days with breaking developments in the Microsoft security situation, including a quick Microsoft response to a note I sent to their security email alias <secure at microsoft dot com>. Please do catch up if you haven't visited the 1997-03-21 issue [1] recently.

The magazine EE Times reports [3] a new Windows NT vulnerability (I will call this security flaw #8 -- see table). Jeremy Allison <jra at cygnus dot com> developed PWdump [4] by reverse-engineering the hashing algorithm (Microsoft's API documentation refers to it as "obfuscation") used by the Windows NT Security Accounts Manager, the heart of the NT security system. PWdump lets a system administrator generate a Unix-style account and password file from the SAM to help administrators manage sites where NT and Unix systems coexist. But Allison called it "a double-edged sword... this is a useful utility for migrating users to Unix systems from Windows NT, but it can also enable people to see all the actual passwords, which until now wasn't possible." To get passwords in plaintext you need to run a "crack" tool on the output of PWdump. One now exists [5]. As Yobie Benjamin <ybenja at ctp dot com> said when Allison sent him the PWdump code, "If somebody wanted to crack an NT server today, the pieces of the puzzle are now all there... all that's missing is intent." Benjamin broke into an NT network in his own lab using a "Trojan Horse" application attached to an email message and sent decoded NT passwords back to the attacking machine. He claims that any computer-literate adolescent with a 386 and a modem could do the same.

Bug	Found by	Date	MSIE vers.	W-95	W-NT	Damage	Attacks via
#1	Paul Greene	2/27	3.0, 3.01	yes	4.0	Can run arbitrary program on your PC	.url or .lnk file
#2	David Ross	3/4	3.0, 3.01, 3.01a	no	4.0 w/SP 1 or 2	Can run program if you double-click, w/no firewall	CIFS
#3	Chris Rioux	3/7	3.01	yes	no	Can run arbitrary program on your PC	.isp file
#4	Aaron Spangler	3/14	any, or NN	no	yes	Obtains username, hashed password	SMB
#5	Paul Ashton	3/17	any	no	yes	Obtains username, hashed password, more	NTLM
#6	Steve Birnbaum	3/15	any	no	yes	Obtains plaintext password	SMB

Microsoft has published a response [6] to the EE Times piece in which they dismiss #8 as a serious threat. They stress that basic security practices suffice to defend against an attack based on PWdump/NTcrack, noting for instance that an attacker needs Administrator privilege to run PWdump. The company's position is bolstered by Russ Cooper <russ.cooper at rc dot on dot ca>, owner of the NTBugTraq mailing list, in two articles linked from Microsoft's security page [6a], [6b]. This New York Times piece [8] summarizes the EE Times controversy nicely. (You will need to set up a free membership account to visit this page.) The NT Security page [9] has, as usual, useful pointers to background material on this and other potential NT vulnerabilities.

Recently the Times posted an excellent summary article [10] on the Microsoft-targeted security exploits, current as of #5 (i.e., late March). The article states that

Matthew D. Healy <Matthew.Healy at yale dot edu> of the Yale Center for Medical Informatics recently posted a cogent note to the RISKS newsgroup on the "metarisks" of "the steady stream of news reports about yet another security flaw in this or that Web program." His posting [11] appears on the TBTF archive by permission.

[1] <http://www.tbtf.com/archive/1997-03-21.html>
[2] <http://www.tbtf.com/archive/1997-03-09.html>
[3] <http://techweb.cmp.com/eet/news/97/947news/hack.html>
[4] <ftp://samba.anu.edu.au/pub/samba/pwdump/>
[5] <http://www.secnet.com/ntinfo/ntcrack.html>
[6] <http://www.microsoft.com/security/eetimes.htm>
[6a] <http://ntbugtraq.rc.on.ca/response.htm>
[6b] <http://ntbugtraq.rc.on.ca/response2.htm>
[8] <http://nytsyn.com/live/Latest/091_040197_122206_16003.html>
[9] <http://www.ntsecurity.net/security/passworddll.htm>
[10] <http://www.nytimes.com/library/cyber/week/032897microsoft.html>
[11] <http://www.tbtf.com/resource/metarisks-mh.html>

The suicide of 39 Heaven's Gate cult members last week generated a worldwide media feeding frenzy. In the U.S. at least much of the early coverage cast a baleful and unwarrented light on the Net's role in the affair -- see this early story from CNN [12] for example. In recent days there has been a palpable backlash from Netizens who are stone tired of the media villainizing. The Red Rock Eater News Service on 3/28 carried a historical analysis by William Sims Bainbridge of the cult's pre-Net roots. (It's not available on the Web.) RRE's proprietor, Phil Agre <pagre at weber dot ucsd dot edu>, introduced Bainbridge's note thus: This note from Edupage (1997-03-30) conveys some of the flavor of the backlash: That last quote was from Mike Emke <varak at highersource dot org>, one of a group of webmasters who put up a spoof site [13] and rated the media coverage for its degree of cluefulness using a scale of one to four toe-tags. While this graphic choice is in breathtakingly poor taste (as is their Nike-like comet logo labelled "Just did it!"), the site is credited by c|net's Margie Wylie [14] with hastening a turnaround in media emphasis. See for example this writeup [15] from the Irish Times, which was awarded four toe-tags [16] (maximally sensitive to Net issues) by highersource.org. Those not yet maxed out on the Heaven's Gate story can study the cult's original "suicide note" site as mirrored by the spoofers [17].

I sincerely hope the wider media obtain a clue about what the Net is and is not before Main Street gets terminally rattled and backs away from the whole phenomenon. This month's Internet Surveys [18] show no sign of such a trend, but chew on this straw in the wind: at a party recently I mentioned to a computer-naive acquaintence that I had started a consulting busines focusing on the Internet. The next words out of his mouth were "Oh, I had no idea you were into pornography!"

[12] <http://www.cnn.com/US/9703/27/suicide/index.html>
[13] <http://www2.highersource.org/>
[14] <http://www.news.com/Perspectives/perspectives.html>
[15] <http://www.irish-times.com/irish-times/paper/1997/0331/cmp1.html>
[16] <http://www2.highersource.org/scrapbook/>
[17] <http://www2.highersource.org/mirror-1/index.htm>
[18] <http://www.nua.ie/surveys/WhatsNew.html>

A week after the Clinton administration floated draft legislation [19] to make government access to keys a requirement for participating in domestic electronic commerce, the 29-nation Organization for Economic Cooperation and Development pointedly refused to endorse the key-escrow approach [20]. There is no consensus among nations as to whether governments should have the right to eavesdrop on their citizens, so the OECD is giving its member nations latitude to adopt any encryption strategy they wish. The Clinton plan [21], which was shown to several members of Congress last week, would provide for

• Warrentless law-enforcement access to private communications
• New domestic controls on encryption technology
• Compelled use of key recovery domestically

There seems to be little sentiment in favor of this approach save in the U.S. law enforcement community (and in the British and French governments). Three other crypto-related bills now in Congress would take the country in another direction entirely.

[19] <http://www.crypto.com/clinton/>
[20] <http://www.oecd.org/dsti/iccp/crypto_e.html>
[21] <http://www.crypto.com/clinton/970312_admin.html>

On 1997-03-20 the offices of ViP, an ISP in Vienna, Austria were raided by police. All computer equipment, including customers' computers hosted with the provider, was unplugged and confiscated for evidence. The search warrant did not accuse ViP; based on a 1996-03-10 request for assistance from the public prosecutor's office in Munich, Germany, it alleged that a former customer of ViP had illegally transmitted child pornography on the Internet. Why the police acted against ViP and not against the alleged perpetrator -- whose identity and whereabouts had been known to authorities for a year -- was not explained.

In protest a group of 95 Austrian ISPs [22] shut down their systems for two hours on 1997-03-25 [23]. From 4:00 to 6:00 pm last Thursday Austria became a black hole in the Net. The page Ein Land geht offline [24] lists 3,613 people who have signed on as supporters of the boycott.

[22] <http://www.internet.at/>
[23] <http://www.via.at/a-offline/provider.htm>
[24] <http://www.ostry.com/a-offline/entry.html>

Net filtering programs such as CyberSitter and SurfWatch are under scrutiny because, while blocking various offensive or pornographic Web sites, they may also indiscriminately block innocent and valuable material: gay and lesbian resources, AIDS web sites, women's resources such as the soc.feminism newsgroup. Controversy swirled around Solid Oak Software's CyberSitter in particular last fall when various sites [25], [26] reported that Solid Oak had blocked them -- and even their ISPs -- for criticizing the company or its policies. (See [27] for links to press coverage of the controversy.) It has been difficult to know what is and isn't blocked; the software companies hold their banned lists closely and change them frequently. Anti-censorship activist Declan McCullagh <declan at pathfinder dot com> has obtained snapshots of the banned lists for five Net-filtering programs -- CyberSitter, NetNanny, SurfWatch, The Internet Filter, and CyberPatrol -- and last month put up a Web page [28] where you can search them.

[25] <http://www.peacefire.org/censorware/CYBERsitter.html>
[26] <http://www.spectacle.org/cs>
[27] <http://www.peacefire.org/censorware/CYBERsitter/articles.shtml>
[28] <http://cgi.pathfinder.com/netly/spoofcentral/censored/>

The Global Casino [29] opened its virtual doors on 2/15 and has been rolling out its services since that time [30]; at present you can wager on international sports events or participate in a slots contest for real money. Interactive Gaming & Communications, the Global Casino's parent company, has spent $1.8M developing its site and hopes to reap some of the profits from a hoped-for $10B in online gambling by the turn of the century. (Estimates of annual U.S. outlay on all forms of gambling today range around $500B.) Current U.S. law prohibits gambling by wire, but its application to the Internet has been in doubt; and in any event most would-be Internet gambling sites operate from outside the U.S. On 3/19 Senator Jon Kyl and five co-sponsors introduced the Internet Gambling Prohibition Act of 1997 [31], which would make it illegal to send any gambling information over the Internet. Enforcement would center on ISPs, who would be required to block access to gaming sites on receiving written notice from a law-enforcement agency. ISPs would not be liable for any damages or penalties resulting from a gambling operation (unless of course they were running it).

[29] <http://www.gamblenet.com/>
[30] <http://www.news.com/News/Item/0%2C4%2C7930%2C00.html>
[31] <http://thomas.loc.gov/cgi-bin/bdquery/D?d105:1:./temp/~bdzlWt::|/bss/d105query.html|>

A nice, speedy, efficient commerce site [32] (though it offers too many cookies for my taste). Full disclosure: I was one of the folks who, in 1995, resisted the coming of a physical Wal-Mart to the town where I live. When the tussle reached page 1 of the Wall Street Journal Wal-Mart withdrew its proposal to build; we were only the second town ever successfully to resist the company's expansive intentions. I'm all for their expansion in cyberspace though.

[32] <http://www.wal-mart.com/>

John Pike <johnpike at fas dot org> is webmaster for the Federation of American Scientists site [33], which has about 6,000 pages. Pike noticed that Alta Vista, the premiere search engine, seemed to have knowledge of only about 10% of them. He wrote to Alta Vista support and got this reply.

Pike was shocked, shocked to learn that Alta Vista does not index the entire Web, or anything like it. He wrote a plaint [34] that was picked up by ZDnet's AnchorDesk. The flap led a Java-development firm, Melee, to post a page [35] that tracks various search engines for completeness and currency -- HotBot trumps Alta Vista on both counts. The architect of Alta Vista, Louis Monier <monier at pa dot dec dot com>, responded [36] to AnchorDesk describing the tradeoffs that Alta Vista has chosen. He first corrected the mistake made by the support person: Alta Vista's database contains more than 50,000 pages from Geocities, not 300. As to the search engine's incomplete coverage, the reality is that Alta Vista favors realtime response to tens of millions of queries per day over either completeness or currency. As Monier puts it:

[33] <http://www.fas.org/>
[34] <http://www5.zdnet.com/anchordesk/talkback/talkback_11638.html>
[35] <http://www.melee.com/mica/index.html>
[36] <http://www5.zdnet.com/anchordesk/talkback/talkback_13066.html>

Captain Louis Renault muttered this week's TBTF title to Rick Blaine in the 1942 movie "Casablanca."

The verb "to dis" (from "disrespect") is American urban slang meaning "to heap scorn upon."

For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html>.

E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For complete subscription details see <../resource/E.CT.txt>.

RISKS -- read the newsgroup comp.risks or mail risks-request@csl.sri.com without subject and with message: subscribe . Archive at <http://catless.ncl.ac.uk/Risks/>.

Red Rock Eater News Service -- mail rre-request@weber.ucsd.edu without subject and with message: subscribe Your Name . Archive at <http://communication.ucsd.edu/pagre/archive_help.html> (email-based). Web home at <http://communication.ucsd.edu/pagre/rre.html>.

Edupage -- mail listproc@educom.unc.edu without subject and with message: subscribe edupage Your Name . Web home at <http://www.educom.edu/>.

TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.