Windows 95: a security flaw and bugs galore


September 1995

Computer Fraud & Security Bulletin

©1995 Elsevier Science Ltd

MARKETPLACE

Amber Logic has launched, in the UK, a PCMCIA card for portable computers. The CryptaLine PCMCIA Type II data and fax modem is able to encrypt data transmitted from a portable computer over insecure public access/X.25 networks. All encryption is performed in the modem using an encryption key. The product, claims the company, provides a choice of internationally recognised data encryption techniques: DES-3 and IDEA. Encrypted data is sent point-to-point from one CryptaLine modem to another. Alternatively, it is transmitted to, or from, a central computer which uses a CryptaLine modem as a gateway, encrypting or decrypting data before it enters/leaves the network. For further information contact David Owens on: +44 (0) 161 236 7879.

Response Computer Maintenance is launching a new service to help organizations recover from the theft of computer components such as easily removable processors and memory chips (SIMMs). Through their service, pcRecovery, the company provides on-site engineers to replace standard memory SIMMs and Intel processors within one working day anywhere on mainland UK. All eight of Response’s UK branches have engineers on call. For further information contact John Baker on: +44 (0) 181 965 3225.

New anti-virus software has been published in the UK by Nest Ltd. The software, AVP, was developed by a group of Kami Inc. programmers headed by the Russian mathematician, Eugene Kaspersky. The product can be used both by a conventional user for virus scanning/removing or professionally by a systems analyst using its other utilities. AVP has four main executable modules: Scanner/Disinfector, Database Editor, Resident Monitor and System Analysis Utilities. It also includes a powerful Polymorphic virus detection engine, a dynamic Heuristic detection engine and a System Integrity checking engine. The Scanner/Disinfector offers a wide range of setup options which allow the user to toggle between speed and reliability, to inspect types of file, to alter objects for inspection (memory, files etc.), to examine disk sectors etc. and to alter report layouts. The Database Editor allows a user to update the virus information databases. The Resident Monitor (or sentry) provides options to allow users to instruct AVP to test access to files, dangerous calls, writing to disk, formatting as well as checking for viruses. According to the developers, the product detects over 6000 known viruses and, by using its heuristic detection engine, will detect and remove about 80% of new and unknown viruses including self-encrypting ones. AVP detects and removes, they claim, viruses inside ZIP and ARJ archived files and also inside programs packed with utilities like PKLITE, LZEXE and DIET. For further information contact Vladimir Friedin on: +44 (0) 1223 565058.

ESaSS and Reflex Magnetics Ltd have announced the formation of a strategic alliance to strengthen their partnership to fight computer viruses. The two companies, developers of ThunderBYTE and disknet, are integrating their development teams in order to devise the next generation of utilities. An early example of this alliance will be the cross-integration of segments of code from one product line to another. Disknet from Reflex will include virus recognition technology from ESaSS’ Thunderbyte scanner, TbScan, whereas TbFence Professional from ESaSS will contain core elements of Reflex’s disknet, such as the disk authorization routines. For further information contact Rae Sutton on: +44 (0) 771372 6666 or Dick Geh.&iau on: +31 889 42 22 82.

REPORTS

WINDOWS 95: A SECURITY FLAW AND BUGS GALORE

Wayne Madsen

Microsoft’s much awaited and tremendously hyped Windows 95 comes with many new features including a possible security ‘back door’ in its Registration Wizard. The Registration Wizard allows Windows 95 users to register their programs with Microsoft online. However, the registration program apparently permits Microsoft to interrogate a user’s computer environment, yielding to the Redmond, Washington-based firm information on what PC applications are being run, other operating systems in use, and even data contained in the computer files themselves.

One programmer for a large online information service, who did not want himself or his company identified, conceded that while many online service providers do the same thing when registering their clients, the Windows 95 Registration Wizard is “significantly more sophisticated in the way it gathers file information”. He stated that while Microsoft was primarily interested in identifying pirated copies of its software on users’ systems, such a security hole could permit abusive browsing of confidential information as well. The programmer added that most people outside Microsoft would probably not even be aware of the strength of the Wizard file management capabilities since “they [Microsoft] could be using unpublished Application Program Interfaces (APIs)”, unknown to even the most seasoned Windows user.

One knowledgeable software expert confirmed that the Registration Wizard is only invoked at the discretion of the user. In case users do not wish to register online, they have the option of registering by using the traditional mail-in registration form. However, the expert claimed that Windows 95 users who want to avail themselves of Microsoft Network services would necessarily have to invoke the online Registration Wizard.

Brian Wilson, the co-anchor for Washington’s Fox Television’s Morning News, reported on 29 August that his attempt to load Windows 95 on his PC resulted in a multitude of failures and system crashes over a five-hour period. While loading the 13 diskettes comprising Windows 95, Wilson’s computer repeatedly failed to recognize the second diskette. When loading the CD version of the Windows upgrade program, Wilson reported that his computer crashed 30 minutes into the set up routine. While it was reported that many Windows 95 users claimed flawless successes at upgrading their systems, a frustrated Wilson emphasized that he “has yet to meet one”.


Repeated telephone messages left at Microsoft headquarters for their comments on the security and privacy problems with Registration Wizard all went unanswered. Many computer industry observers have commented that once again it seems that Microsoft has released yet another program that is rife with bugs and flaws. The computer giant also seems to be continuing its efforts to ensure that true and trustworthy security mechanisms are not present in their programs. The head of security development for Microsoft’s Windows NT program once conceded at a video conference, “There is no security culture here at Microsoft, Redmond.” Indeed, that may be one of the most truthful statements a representative of Microsoft has ever uttered.

STATES LOOK INTO CODIFYING STATUS OF ‘ELECTRONIC SIGNATURES’

Chris Bucholtz

Spurred by the emergence of online commerce and electronic filing of court documents, legislators in several states are proposing that electronic signatures be given the same legal status as the old-fashioned pen-and-ink variety. In July, Utah became the first state to legally recognize digital signatures. Under Utah law, any transactions involving money would first have to be validated by a transaction authority - a sort of ‘cyber-notary’ which would guarantee the transaction. The authority would run the program to issue the private and public keys to encode and decode the signature. When the signer wanted to send an electronically signed document, he would run the agreement and the private key through the security program, using the text to generate a document-specific ‘signature’. Other states, including California, New York, Florida, Oregon, Washington and Texas, are considering legislation to legally recognize these signatures. The American Bar Association is drafting model legislation similar to Utah’s law to help guide law-makers in creating laws to regulate electronic signatures.
