
TBTF for 1997-04-04: Shocked, shocked

Keith Dawson (dawson dot tbtf at gmail dot com)
Fri, 4 Apr 1997 08:02:03 -0500


Microsoft security problems pile up: exploit #8

TBTF for 1997-03-21 [1], 1997-03-09 [2]

After the publication of TBTF for 1997-03-21 [1] I updated the archive three times in five days with breaking developments in the Microsoft security situation, including a quick Microsoft response to a note I sent to their security email alias <secure at microsoft dot com>. Please do catch up if you haven't visited the 1997-03-21 issue [1] recently.

The magazine EE Times reports [3] a new Windows NT vulnerability (I will call this security flaw #8 -- see table). Jeremy Allison <jra at cygnus dot com> developed PWdump [4] by reverse-engineering the hashing algorithm (Microsoft's API documentation refers to it as "obfuscation") used by the Windows NT Security Accounts Manager, the heart of the NT security system. PWdump lets a system administrator generate a Unix-style account and password file from the SAM to help administrators manage sites where NT and Unix systems coexist. But Allison called it "a double-edged sword... this is a useful utility for migrating users to Unix systems from Windows NT, but it can also enable people to see all the actual passwords, which until now wasn't possible." To get passwords in plaintext you need to run a "crack" tool on the output of PWdump. One now exists [5]. As Yobie Benjamin <ybenja at ctp dot com> said when Allison sent him the PWdump code, "If somebody wanted to crack an NT server today, the pieces of the puzzle are now all there... all that's missing is intent." Benjamin broke into an NT network in his own lab using a "Trojan Horse" application attached to an email message and sent decoded NT passwords back to the attacking machine. He claims that any computer-literate adolescent with a 386 and a modem could do the same.

Bug | Found by | Date | MSIE vers. | W-95 | W-NT | Damage | Attacks via
--- | --- | --- | --- | --- | --- | --- | ---
#1 | Paul Greene | 2/27 | 3.0, 3.01 | yes | 4.0 | Can run arbitrary program on your PC | .url or .lnk file
#2 | David Ross | 3/4 | 3.0, 3.01, 3.01a | no | 4.0 w/SP 1 or 2 | Can run program if you double-click, w/no firewall | CIFS
#3 | Chris Rioux | 3/7 | 3.01 | yes | no | Can run arbitrary program on your PC | .isp file
#4 | Aaron Spangler | 3/14 | any, or NN | no | yes | Obtains username, hashed password | SMB
#5 | Paul Ashton | 3/17 | any | no | yes | Obtains username, hashed password, more | NTLM
#6 | Steve Birnbaum | 3/15 | any | no | yes | Obtains plaintext password | SMB
#7 (not a bug) | Tea Vui Huang | 3/14 | any | no | yes | Can disable IE security if you agree | .reg file
#8 (not a bug) | Jeremy Allison, Jonathan Wilkins | 3/31 | -- | no | yes | Can be used to obtain plaintext passwords if security policy is lax | SAM (PWdump, NTcrack)

(W-95 / W-NT: whether Windows 95 / Windows NT is affected; the NT version is given where it is specific.)

Note added 1997-06-06: See this table for a summary of all Microsoft security exploits covered by TBTF in 1997.

Microsoft has published a response [6] to the EE Times piece in which they dismiss #8 as a serious threat. They stress that basic security practices suffice to defend against an attack based on PWdump/NTcrack, noting for instance that an attacker needs Administrator privilege to run PWdump. The company's position is bolstered by Russ Cooper <russ.cooper at rc dot on dot ca>, owner of the NTBugTraq mailing list, in two articles linked from Microsoft's security page [6a], [6b]. This New York Times piece [8] summarizes the EE Times controversy nicely. (You will need to set up a free membership account to visit this page.) The NT Security page [9] has, as usual, useful pointers to background material on this and other potential NT vulnerabilities.

Recently the Times posted an excellent summary article [10] on the Microsoft-targeted security exploits, current as of #5 (i.e., late March). The article states that

...security experts familiar with newly found holes in both
Microsoft's Internet Explorer Web browsing software and its
Windows operating systems suggest that Microsoft bungled its
attempt to integrate the Internet with the desktop... the
market is striving to provide exactly the kind of seamless
access to the data that this attack exploits.

Matthew D. Healy <Matthew.Healy at yale dot edu> of the Yale Center for Medical Informatics recently posted a cogent note to the RISKS newsgroup on the "metarisks" of "the steady stream of news reports about yet another security flaw in this or that Web program." His posting [11] appears on the TBTF archive by permission.

[1] <http://www.tbtf.com/archive/1997-03-21.html>
[2] <http://www.tbtf.com/archive/1997-03-09.html>
[3] <http://techweb.cmp.com/eet/news/97/947news/hack.html>
[4] <ftp://samba.anu.edu.au/pub/samba/pwdump/>
[5] <http://www.secnet.com/ntinfo/ntcrack.html>
[6] <http://www.microsoft.com/security/eetimes.htm>
[6a] <http://ntbugtraq.rc.on.ca/response.htm>
[6b] <http://ntbugtraq.rc.on.ca/response2.htm>
[8] <http://nytsyn.com/live/Latest/091_040197_122206_16003.html>
[9] <http://www.ntsecurity.net/security/passworddll.htm>
[10] <http://www.nytimes.com/library/cyber/week/032897microsoft.html>
[11] <http://www.tbtf.com/resource/metarisks-mh.html>


This is not an Internet story

The suicide of 39 Heaven's Gate cult members last week generated a worldwide media feeding frenzy. In the U.S. at least much of the early coverage cast a baleful and unwarranted light on the Net's role in the affair -- see this early story from CNN [12] for example. In recent days there has been a palpable backlash from Netizens who are stone tired of the media villainizing.

Note added 1997-04-08: Reader G. J. Poronsky <gporonsk at ford dot com> commented:

Those fools. Anyone in their right mind can see that triangular-shaped fabric placed over the face and partial torso combined with Nike(TM) sneakers while laying on your back in a western state is the real cause and not the Internet.

The Red Rock Eater News Service on 3/28 carried a historical analysis by William Sims Bainbridge of the cult's pre-Net roots. (It's not available on the Web.) RRE's proprietor, Phil Agre <pagre at weber dot ucsd dot edu>, introduced Bainbridge's note thus:

Remember: Everything that happens in society happens on the
Internet too. This is not an Internet story.

This note from Edupage (1997-03-30) conveys some of the flavor of the backlash:

Does Net play role in cult activities? Although many Internet
enthusiasts argue that the Internet isn't creating cults like
Heaven's Gate... others see a dark side to the Net... Paul
Saffo of the Institute for the Future says: "The Web is a
compelling new medium being put to all kinds of uses, by
everyone from banks to Cub Scouts to flying saucer cults... it
can also be a powerful amplifier."... But the Internet has
large numbers of defenders, one of whom says: "I hate to
watch news people talk about the Net... One 'expert' on CNN
mentioned that cults often recruit on the Net because
'technical people are often more gullible and more trusting.'...
This time it's a cult. Usually, it's that we're all child

That last quote was from Mike Emke <varak at highersource dot org>, one of a group of webmasters who put up a spoof site [13] and rated the media coverage for its degree of cluefulness using a scale of one to four toe-tags. While this graphic choice is in breathtakingly poor taste (as is their Nike-like comet logo labelled "Just did it!"), the site is credited by c|net's Margie Wylie [14] with hastening a turnaround in media emphasis. See for example this writeup [15] from the Irish Times, which was awarded four toe-tags [16] (maximally sensitive to Net issues) by highersource.org. Those not yet maxed out on the Heaven's Gate story can study the cult's original "suicide note" site as mirrored by the spoofers [17].

I sincerely hope the wider media obtain a clue about what the Net is and is not before Main Street gets terminally rattled and backs away from the whole phenomenon. This month's Internet Surveys [18] show no sign of such a trend, but chew on this straw in the wind: at a party recently I mentioned to a computer-naive acquaintance that I had started a consulting business focusing on the Internet. The next words out of his mouth were "Oh, I had no idea you were into pornography!"

[12] <http://www.cnn.com/US/9703/27/suicide/index.html>
[13] <http://www2.highersource.org/>
[14] <http://www.news.com/Perspectives/perspectives.html>
[15] <http://www.irish-times.com/irish-times/paper/1997/0331/cmp1.html>
[16] <http://www2.highersource.org/scrapbook/>
[17] <http://www2.highersource.org/mirror-1/index.htm>
[18] <http://www.nua.ie/surveys/WhatsNew.html>


White House floats mandated key escrow as the OECD disses it

A week after the Clinton administration floated draft legislation [19] to make government access to keys a requirement for participating in domestic electronic commerce, the 29-nation Organization for Economic Cooperation and Development pointedly refused to endorse the key-escrow approach [20]. There is no consensus among nations as to whether governments should have the right to eavesdrop on their citizens, so the OECD is giving its member nations latitude to adopt any encryption strategy they wish. The Clinton plan [21], which was shown to several members of Congress last week, would provide for

There seems to be little sentiment in favor of this approach save in the U.S. law enforcement community (and in the British and French governments). Three other crypto-related bills now in Congress would take the country in another direction entirely.

[19] <http://www.crypto.com/clinton/>
[20] <http://www.oecd.org/dsti/iccp/crypto_e.html>
[21] <http://www.crypto.com/clinton/970312_admin.html>


Austria unplugs in protest

On 1997-03-20 the offices of ViP, an ISP in Vienna, Austria were raided by police. All computer equipment, including customers' computers hosted with the provider, was unplugged and confiscated for evidence. The search warrant did not accuse ViP; based on a 1996-03-10 request for assistance from the public prosecutor's office in Munich, Germany, it alleged that a former customer of ViP had illegally transmitted child pornography on the Internet. Why the police acted against ViP and not against the alleged perpetrator -- whose identity and whereabouts had been known to authorities for a year -- was not explained.

In protest a group of 95 Austrian ISPs [22] shut down their systems for two hours on 1997-03-25 [23]. From 4:00 to 6:00 pm last Thursday Austria became a black hole in the Net. The page Ein Land geht offline [24] lists 3,613 people who have signed on as supporters of the boycott.

[22] <http://www.internet.at/>
[23] <http://www.via.at/a-offline/provider.htm>
[24] <http://www.ostry.com/a-offline/entry.html>



Net filtering programs such as CyberSitter and SurfWatch are under scrutiny because, while blocking various offensive or pornographic Web sites, they may also indiscriminately block innocent and valuable material: gay and lesbian resources, AIDS web sites, women's resources such as the soc.feminism newsgroup. Controversy swirled around Solid Oak Software's CyberSitter in particular last fall when various sites [25], [26] reported that Solid Oak had blocked them -- and even their ISPs -- for criticizing the company or its policies. (See [27] for links to press coverage of the controversy.) It has been difficult to know what is and isn't blocked; the software companies hold their banned lists closely and change them frequently. Anti-censorship activist Declan McCullagh <declan at pathfinder dot com> has obtained snapshots of the banned lists for five Net-filtering programs -- CyberSitter, NetNanny, SurfWatch, The Internet Filter, and CyberPatrol -- and last month put up a Web page [28] where you can search them.

[25] <http://www.peacefire.org/censorware/CYBERsitter.html>
[26] <http://www.spectacle.org/cs>
[27] <http://www.peacefire.org/censorware/CYBERsitter/articles.shtml>
[28] <http://cgi.pathfinder.com/netly/spoofcentral/censored/>


Online gambling goes live as a law is filed to ban it

The Global Casino [29] opened its virtual doors on 2/15 and has been rolling out its services since that time [30]; at present you can wager on international sports events or participate in a slots contest for real money. Interactive Gaming & Communications, the Global Casino's parent company, has spent $1.8M developing its site and hopes to reap some of the profits from a hoped-for $10B in online gambling by the turn of the century. (Estimates of annual U.S. outlay on all forms of gambling today range around $500B.) Current U.S. law prohibits gambling by wire, but its application to the Internet has been in doubt; and in any event most would-be Internet gambling sites operate from outside the U.S. On 3/19 Senator Jon Kyl and five co-sponsors introduced the Internet Gambling Prohibition Act of 1997 [31], which would make it illegal to send any gambling information over the Internet. Enforcement would center on ISPs, who would be required to block access to gaming sites on receiving written notice from a law-enforcement agency. ISPs would not be liable for any damages or penalties resulting from a gambling operation (unless of course they were running it).

[29] <http://www.gamblenet.com/>
[30] <http://www.news.com/News/Item/0%2C4%2C7930%2C00.html>
[31] <http://thomas.loc.gov/cgi-bin/bdquery/D?d105:1:./temp/~bdzlWt::|/bss/d105query.html|>


Online commerce in a large, grey box

From Edupage (1997-03-27):

Major expansion of Internet shopping: Wal-Mart, the nation's
largest retail company, will more than double the number of
items (to about 80,000) that will be available to persons who
shop on the Internet, making it possible for online shoppers
to find as many items as they would find in any of Wal-Mart's
2,000 out-of-town discount stores. (Financial Times 27 Mar 97)

A nice, speedy, efficient commerce site [32] (though it offers too many cookies for my taste). Full disclosure: I was one of the folks who, in 1995, resisted the coming of a physical Wal-Mart to the town where I live. When the tussle reached page 1 of the Wall Street Journal Wal-Mart withdrew its proposal to build; we were only the second town ever successfully to resist the company's expansive intentions. I'm all for their expansion in cyberspace though.

[32] <http://www.wal-mart.com/>


Alta Vista's tradeoffs

John Pike <johnpike at fas dot org> is webmaster for the Federation of American Scientists site [33], which has about 6,000 pages. Pike noticed that Alta Vista, the premier search engine, seemed to have knowledge of only about 10% of them. He wrote to Alta Vista support and got this reply.

That is probably a good estimate...We have 600 pages from you
indexed in the system. You will probably not see much more than
that for any one domain. Geocities has 300... and they have
300,000 members.

Pike was shocked, shocked to learn that Alta Vista does not index the entire Web, or anything like it. He wrote a plaint [34] that was picked up by ZDnet's AnchorDesk. The flap led a Java-development firm, Melee, to post a page [35] that tracks various search engines for completeness and currency -- HotBot trumps Alta Vista on both counts. The architect of Alta Vista, Louis Monier <monier at pa dot dec dot com>, responded [36] to AnchorDesk describing the tradeoffs that Alta Vista has chosen. He first corrected the mistake made by the support person: Alta Vista's database contains more than 50,000 pages from Geocities, not 300. As to the search engine's incomplete coverage, the reality is that Alta Vista favors realtime response to tens of millions of queries per day over either completeness or currency. As Monier puts it:

Nobody can afford enough hardware to index the entire Web and
serve it back to the entire planet. In contrast, ... our
search products running on a workstation [can] index the
largest [intranet] to the last page and serve the results to
the entire employee population without even breathing hard.

[33] <http://www.fas.org/>
[34] <http://www5.zdnet.com/anchordesk/talkback/talkback_11638.html>
[35] <http://www.melee.com/mica/index.html>
[36] <http://www5.zdnet.com/anchordesk/talkback/talkback_13066.html>


Note 1: Captain Louis Renault muttered this week's TBTF title to Rick Blaine in the 1942 movie "Casablanca."

Note 2: The verb "to dis" (from "disrespect") is American urban slang meaning "to heap scorn upon."


* For a complete list of TBTF's (mostly email) sources, see <http://www.tbtf.com/sources.html>.

* E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For complete subscription details see <../resource/E.CT.txt>.

* RISKS -- read the newsgroup comp.risks or mail risks-request@csl.sri.com without subject and with message: subscribe . Archive at <http://catless.ncl.ac.uk/Risks/>.

* Red Rock Eater News Service -- mail rre-request@weber.ucsd.edu without subject and with message: subscribe Your Name . Archive at <http://communication.ucsd.edu/pagre/archive_help.html> (email-based). Web home at <http://communication.ucsd.edu/pagre/rre.html>.

* Edupage -- mail listproc@educom.unc.edu without subject and with message: subscribe edupage Your Name . Web home at <http://www.educom.edu/>.

TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>.
Commercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.