Subject: RISKS DIGEST 12.66 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Tuesday 26 November 1991 Volume 12 : Issue 66 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Pentagon computers vulnerable Risks of hardcoded hexadecimal instead of symbolic constants? (Tom Blinn) Re: Leaves cause railway signal failure (Geraint Jones) Re: Termination (David Lamb, anonymous) Proposed Antivirus Certification (Klaus Brunnstein) Call for Papers: IFIP World Congress'92/Vulnerability (Klaus Brunnstein) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. REQUESTS please to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 12, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Mon, 25 Nov 91 12:03:44 PST From: "Peter G. Neumann" Subject: pentagon computers vulnerable Pentagon Computers Vulnerable DELFT, Netherlands (AP, 21 Nov 91) A leading Dutch computer security expert Friday said any computer whiz around the world "who is a bit clever" can break into a Pentagon computer and cover his tracks. Prof. Bob Herschberg, who teaches hacking at the Delft University of Technology, said the teen-age hackers who allegedly penetrated U.S. military computers during the Gulf War most likely represent only the tip of the iceberg of such intrusions. And he questioned a U.S. congressional investigation's finding that the hackers that penetrated the Pentagon systems were Dutch. "Anyone who is a bit clever can do it using detours such that their number is untraceable," said Herschberg. "They could have been from anywhere in the world including the United States itself." Camouflaging a hacker's trail is so easy via interlinked global computer networks that an adept hacker would have to be "naive" not to escape detection, Herschberg said. U.S. congressional investigators told a Senate subcommittee this week that a group of Dutch teen-age hackers broke into U.S. military computers at 34 sites over about a one-year period ending last May. The information the hackers retrieved was described as crucial, but not secret. Herschberg acknowledged that there have been instances of Dutch computer operators breaking into American computer mainframes. But he called the allegations of Dutch break-ins in this case "fishy," suggesting it was an attempt to use the Dutch as a scapegoat since hacking has not been outlawed here. Herschberg suggested that American investigators may be trying to cover up what may be a far more serious problem. "Why else would they make all this fuss?" he said. Herschberg, a professor of computer science at this nation's top engineering school, teaches his students hacking techniques as part of a course on computer security. He regularly assigns students to break into corporate computer systems, with prior authorization, to identify security gaps. "It's a good practical exercise," he said. Initial reports surfaced last April that Dutch hackers had broken into U.S. defense systems computers via a worldwide computer research retrieval system. In the wake of those disclosures, an official at Utrecht University, who was told by students of the intrusion, defended it as a legitimate learning exercise and said it was up to the U.S. military to take precautions. ------------------------------ Date: Wed, 20 Nov 91 22:39:01 GMT Apparently-To: comp-risks@uunet.uu.net Subject: DNA Dog Tags Army May Issue "DNA Dog Tags" (Federal Computer Week, 19 Nov 91) In a world without computers this would be a nice use of biotechnology to unambiguously identify casualties in the event of disfiguring injury. In a world with databases and computers it represents a tremendous potential threat to personal privacy. Background: Although all humans share a common set of genes, if you look closely there are many small variations (polymorphisms) in our genes. As a result, we are each unique. By taking a sample of DNA and analyzying a set of sites likely to be polymorphic, it is possible to "finger print" an individual and determine with very good reliability if another sample of DNA did or did not come from the same person. These polymorphisms can also be used to infer familial relationships (you inherit half of each of your parent polymorphisms), and to map and trace genetic disease genes like cytic fibrosis, and sickle cell anemia. When you have given a sample of your DNA, you have no control over how it will be analyzed. It could be used to define a set of polymorphic markers which are other anonymous (unlinked to any genes of known function). The same sample could also be used to see if you have or carry genetic diseases. If the military builds a database of soldier's genotypes, there is nothing to prevent them from including medically important markers as well as identification information. On the contrary, there is every reason to expect that they would want to include as much medical information as possible because many medical conditions do impact your ability to function as a soldier. The risks: Genetic privacy - Would you be forced to provide your military genotype data when you applied for health insurance after discharge? Would the local police have the right to search the military genotype database every time a DNA sample (spot of blood, hair follicle etc.) was found at a crime scene. How are you going to protect innocent soldiers against computer errors in that kind of a search? It affects people other than the soldier - because your relatives share your genes, if you find out that you carry a genetic disease, everyone in your family faces the questions of whether they also carry the gene, should they be tested, should they screen their children etc. Infered paternity - for about 5% of births the father of record is not the biological father. As a database of genotypes grew, cases would inevitably arise where the genotype data demonstrated that the bibliographic information being provided was wrong. How would the military handle this? We all carry genetic diseases - there is a concept called "genetic load" which is the number of heterozygous genes (differences in the copies of a gene inherited from your mother and father) where one of the copies would be lethal if you got it from both your mother and father. An average human carries about 6 such genes. This is why incest is such a universal taboo; if close relatives father a child there is greatly increased risk of getting two copies of such a lethal or nearly lethal gene. As medical science progresses and we enumerate more and more such genes, the insurance companies will have the "justification" to demand anyones genotype as a precondition for health insurance. Would insurance companies or the military have the right to screen and veto prospective marriage partners? The ethical implications of genotype databases are complex and potentially threatening. It would be a terrible mistake to proceed blindly into this area without considering the numerous implications. David States National Center for Biotechnology Information / National Library of Medicine ------------------------------ Date: Wed, 27 Nov 91 11:52:26 PST From: "Dr. Tom @MKO, CMG S/W Mktg, DTN 264-4865" Subject: Risks of hardcoded hexadecimal instead of symbolic constants? Re: "Phone outages expected to be tied to typing mistake" (from The Wall Street Journal, 25Nov91, p.B4) in RISKS-12.65 (Tuesday 26 November 1991): When you put together 'DSC officials admitted that three bits of information in a huge computer program were incorrect' with 'a "6" in a line of computer code should actually have been a "D"', you reach the inevitable conclusion that someone was coding in hexadecimal, unless the difference between a "6" and "D" in some symbolic names just happened, coincidentally, to result in a binary difference of three bits. It seems highly likely that the use of suitably named symbolic constants in place of cryptic hexadecimal constants would reduce the likelihood of such errors. Of course, many modern languages still make it easy to encode data using hexadecimal constants, not that using decimal or binary or octal would likely have avoided this error. Dr. Thomas P. Blinn, Digital Equipment Corp. Digital Drive -- MKO2-2/F10, Merrimack, New Hampshire 03054 (603) 884-4865 ------------------------------ Date: Wed, 13 Nov 91 14:58:59 GMT From: Geraint Jones Subject: Re: Leaves cause railway signal failure (RISKS-12.62) British Rail's problem with wet fallen leaves and electronic train detection is not caused by the lightness of the new Networker trains (and so is not fixed by the /weight/ of older heavier trains). The problem with the newer units is that they use disc brakes. That means that the running surfaces of the wheels only ever touch the rails and the insulating paste of crushed leaf builds up on the /wheels/. The problem is therefore not cured by running track-clearing vehicles. The (clever) fix employed is to attach a single clutch-braked vehicle to each of the new trains (in many cases, this would be a heavier clutch-braked multiple unit, but just a carriage will do). That car has clean wheels, makes good electrical contact with the rails and so makes the train visible. Modifications to clean the running surfaces of the wheels will probably be the longer-term fix. It is a classic systems problem: who would have thought that changing from external clutch brakes to better-protected disc brakes would undermine the signalling system? ------------------------------ Date: 27 Nov 91 23:27:07 GMT From: dalamb@umiacs.umd.edu (David Lamb) Subject: Re: Termination (Bartelt, RISKS-12.65) I don't see that the "computer system" makes things significantly different. I've known of companies whose method of laying someone off was essentially a Friday pink slip saying "Hand in your badge now, here's the contents of your desk in this box, don't come back Monday, and here's K (>=2) weeks' pay in lieu of notice" - which in some jurisdictions at least is considered to satisfy statutory requirements about due notice. Computer security concerns might make such practices more widespread - but if you're going to get paid anyway, why is it important to be allowed to continue to have access to the company's property? I suppose you might have personal files on the company computers, which complicates things a bit. [The COMPUTER-RELATED RISK from the company's viewpoint is that ANY access whatever could lead to retributional acts. On one hand, assuming an employee is reliable and responsible, there might be a lot of benefits to allowing computer accounts to be cleaned up by the individual in question. On the other hand, ``friendly termination'' may be oxymoronic in many situations... PGN] ------------------------------ Date: Wed, 27 Nov 91 12:22:53 XST From: [anonymous] Subject: Re: Termination (Bartelt, RISKS-12.65) A certain medium-sized software vendor recently went through the second set of layoffs in six months. How did people find out that they were laid off? They came into work Wednesday morning, and found all of the machines shut off. So, they waited, and talked to each other, and talked in the halls, until managers came by and picked people off one by one. Their accounts had been disabled the night before, you see, and management didn't want people finding out by not being able to log in. (I never said this company was intelligent.) For the previous set of layoffs, the dial-in modems were shut down for a day or so, because some of the system administrators were fired. Is there a RISK in all of this? I'm not sure. The firings (excuse me, ``layoffs'') were not done in a friendly manner, as near as I can find out. Since there were indications a couple of weeks in advance (some of the people I knew were positive they would be going before they were told to leave), the precautions were pretty useless in my opinion -- and the treatment of the employees in question did not seemed designed to incur goodwill. ------------------------------ Date: 22 Nov 91 14:49 +0100 From: Klaus Brunnstein Subject: Proposed Antivirus Certification Computer-Anti-MalWare Certification. A Proposal Vesselin Bontchev Dr. Klaus Brunnstein Morton Swimmer Faculty for Informatics, Virus Test Center, University of Hamburg Submitted to: NCSA Antivirus Conference Washington D.C, November 25-26, 1991 Abstract: To assure and enhance the quality of antiviral products, academic, user and industry organisations (e.g., EICAR, NCSA) should initiate a process of cooperation and standardization to lead to a process in which a "certification" service is offered by a volunteer cooperative of interested parties and organisations (here described as Anti-MalWare Certification Institutions, AMCI). It is hoped that this certificate may become an accepted, respected and expected indicator of quality and function for software and hardware. Evaluation shall be based on published methodology and a collection of malware (short for: malicious software) both known to exist or to be feasible. The tasks of AMCIs are described. Virus Test Center at the University of Hamburg is undertaking a pilot project to evaluate and describe the capabilities of existing antiviral products. Future research will try to advance the development and understanding of the methodology of antiviral products, including detection, prevention, repair of damages as well as side-effects. 1) Foreword: As problems of malicious software (malware) continue and spread worldwide and at fast pace (presently more than 10 per week in IBM-compatible PCs), enterprises, institutions and organisations find themselves more and more in danger to become a victim of a "computer accidents". Users must ever more rely on the quality of anti-malware measures whose producers depend on actual knowledge of new threats. With growing numbers and new virus methods, the "anti/viral gap" (understood as the time gap between detection of a new virus and the availability of an antiviral product recognising it) inevitably will also grow (as long, as inherently secure and safe architectures are not available). To improve the likelihood of success and reduce the potential for damage, we identify two possible efforts that deserve our increased attention: * secured and fast distribution of new malware knowledge to all parties with interest in anti-virus production, * evaluation and description of the capabilities of available anti-malware products by "credible" (and possibly "authoritative") individuals or organisations. Concerns have been raised, which we intend to give due considerations: (1) making (dangerous) knowledge about viral methods available only to trusted parties (both in regard to secure communications as in judging the intentions and likely actions of the intended recipient); (2) ensuring that decisions restricting the flow of knowledge of details of malware do not result in undesirable side-effects. Speedy and effective improvement of anti-malware products and the benefit of free-market competition is recognized as directly influenced by decisions as to what information is made available. 2) Mission of "Anti-Malware Certification": - To develop a process of "Anti-Malware Certification", several independent institutions or individuals shall be asked (and suitably funded) to perform regular tests and evaluations of anti-malware products or updates. - To inaugurate and assist in such a development, user or industry organisations with knowledge on malware problems and anti-malware software (e.g., NCSA/USA or EICAR/Europe) may charge institutions or individuals with assessed knowledge to perform specific assessments to assure the quality of anti-malware products. - Institutions charged with "Anti-Malware Certification" should not have commercial interests in production or distribution of anti-malware measures. - The test basis shall be a collection of known malware based upon precise knowledge about any essential detail, the contents of which must be suitably published. To minimize the dangers of such a collection, state-of-the-art security and safety measures shall be applied. - Each submitted anti-virus is tested for its detection, elimination or prevention capacity against the malware databank under a published methodology. The test for detection shall indicate, in a form understandable to users, correct, false and missing diagnosis. - To guarantee the quality of the test methods applied and of the secure malware collection, "Anti-Malware Certification Institutions" will discuss their methods in critical scientific discourse. Where feasible and possible without undue bureaucratization, they may also seek some form of certification by legally established institutions (e.g., NIST/USA, German Information Security Agency). - Generally, test results (protocol, remarks) shall be published as some sort of "Anti-Malware User Report"; the organisations supporting the certification institutions may publish statistical surveys. Only in cases of individual tests asked for by an anti-malware producer, results are confidential unless published by the submitter. - As independent individuals and academic institutions cannot develop and maintain such quality assurance mechanisms (including hardware, software, personnel and management), some adequate method of funding must be established. One suggestion is that "Anti-Malware Certification Institutions" may charge a fee to cover personal, managerial and machine costs; other suggestions may adapt established consumer report and product test procedures. The adequacy of the financial arrangements shall be controlled by public discussion with users, academia and industry (possibly via related organisations). 3) Initialisation of the Anti-Malware Certification Process: Based on the current work of Computer Anti-Virus Research Organisation (CARO), a collection of annotated trojans and viruses in IBM- and compatible PCs has been established at the Virus Test Center, University of Hamburg. A test methodology is being developed and currently tested, to run antiviral products against the databank and to diagnose which malware (virus, trojan) is correctly or incorrectly recognized. The collection's content will be published periodically (Index of Established Malware (IBM-PCs); next edition: December 1991). The test methodology (in the first phase, with a multiplicity of files infected with known file viruses) will be published when validated with some experience. A first draft of this document has been initially discussed with the European Institute for Computer Antivirus Research (EICAR) at its meeting of chairpersons, on November 18, 1991 in Hamburg. Following suggestions from this meeting, Virus Test Center will perform experimental tests and evaluations of available anti-malware software and report on the results in spring 1992. After the EICAR meeting, the document had been refined; the authors wish especially to thank Werner Uhrig (Austin/Texas, major contributor to Macintosh antiviral activities) for his highly constructive contributions which helped to refine this paper. The authors submit this document to the user and academic public, and to interested organisations. Especially, this paper is submitted to National Computer Security Association (NCSA/USA) at it's first Antivirus Developers Conference, November 25-26, 1991 in Washington D.C. for discussion. Moreover, legal aspects of the proposed quality assurance procedure shall also be discussed with adequate institutions (e.g., NIST/USA, German Information Security Agency). 4) Future developments: Next scientific steps will undertake to assess also the reliability of eradication (esp. in multiple attacks) as well as preventive methods such as checksumming and integrity tools. Present experiences with shortcomings of antiviral software prove that there is a lack of knowledge in basic methods to assess such eradication or prevention of anti-viral methods. To certify also deletion and prevention methods, basic research will be needed. ------------------------------ Date: 22 Nov 91 17:11 +0100 From: Klaus Brunnstein Subject: Call for Papers: IFIP World Congress'92/Vulnerability Call for Papers 12th World Computer Congress IFIP Congress 92: From Research to Practice Madrid/Spain: September 7-11, 1992 especially for the Congress Stream: Diminishing the Vulnerability of Information Society Overview of the Congress: This IFIP Congress is composed of topical and interrelated conferences each organized by a separate subcommittee of the International Program Committee. Five parallel streams Stream Committee chairman ------------------------------------ ------------------------- Software Development and Maintenance A.N.Habermann,Pittsburgh Algorithms and Efficient Computation Jan van Leeuwen,Utrecht From Architectures to Chips Gerald L.Reijns,Delft Informatics and Education Peter Bollerslev, Copenhagen Diminishing the Vulnerability of the Information Society Klaus Brunnstein,Hamburg Two subconferences: Subconference Committee chairman ------------------------------- -------------------------------- Expanding the Power of the Personal Computer Friedrich Vogt,Hamburg Enhancing the Intelligence in Information Systems Gordon Davis,Minneapolis The Congress will also include one day workshops, tutorials and an exhibition. IFIP Congress 92 papers will be published in the conference proceedings (Elsevier's "Transactions in Informatics" series). International Program Committee: Chair: Wilfried Brauer, Technical University, Munich, Germany ViceChair:Carlos Delgado Kloos Universidad Politecnica de Madrid,Spain PastChair: Herve Gallaire gsi, Paris, France Organizing Committee: Chair: Rosa Alonso Alcatel Standard Electrica, Madrid, Spain ViceChair: Jaume Argila Spain ViceChair: Jose Ignacio Boixo Spain ViceChair:Fernando Saez Vacas Universidad Politecnica de Madrid,Spain Special Call for Papers Stream: Diminishing the Vulnerability of Information Society With worldwise use of Information Technology (IT), new opportunities arise but, likewise, new risks emerge through growing dependence on that same technology. This means all users become more vulnerable to attacks on and misuse of IT. New types of computer based crime have been reported while the efficient operation of both public and private enterprises has become susceptible to malfunction, deliberate or accidental, in the information technology itself. New concerns have arisen and older ones have been enhanced. Such concerns include both human and civil rights, privacy and freedom of the individual, leisure and education, the roles and design of work, quality and reliability of the technology, etc. The very existence and competitivity of enterprises has become, in many cases, totally dependent upon the efficiency and reliability of IT. Moreover, the problem of complexity in contemporary system design may mean that some systems are uncontrollable by their users and even unfamiliar to systems experts. At the same time, the overall quality and reliability of the technology plays an important role in system selection and design. The Stream "Diminishing the Vulnerability of Information Society" will attempt to assess the degree of vulnerability to IT that has developed since the first discussions in the early 1980s. Moreover, this stream aims at identifying the ways and means by which this vulnerability may be reduced and how emerging problems may be solved in advance by anticipatory action. Specific areas of interest which may be addresses in submitted papers include: - Opportunities and risks in the adoption of Information Technology, particular at International levels, with special emphasis on developments in Latin America - Social Vulnerability and major Risks - Legal Aspects: Reducing Vulnerability through the Law - Enhancing IT to meet demands for Reliability and Security, with particular emphasis on Personal Computers and Local Area Networks - Hardware and software systems for identification and authentication of users and attached systems - Reliability and security in Personal Computers and Local Area Networks (LANs) - Computer Supported Work: Impact of Vulnerability of IT on groups and organisation in an enterprise - Human centered strategies to cope with Vulnerability: the role of participation, education, and task design - The Electronic Cottage: Delivering Information and Communic- ation Technologies at Home: For Better or Worse? - Women, Computers and Work - Computer Ethics and Professional Responsibility. Moreover, short presentations (posters) describing ongoing research projects are suggested esp. for the following topics (or others related to the topic): - The Electronic Cottage - Vulnerability of and through AI Systems - Enhancing the Security and Safety of IT, with special focus on Electronic Data Interchange (EDI) and Electronic Funds Transfer Systems (EFTS) Invited speakers in the stream: Professor Harold Highland New York/USA Professor Lance Hoffman Washington/USA Professor Herbert Kubicek Bremen/Germany Professor Bryan Niblett Abington/England Panel sessions on: Informatics and development Identification and authentification of users and systems The Electronic Cottage: How will daily life be affected Human, Man, Woman Ethics of Computing: Information Technology and professional responsibility Stream Program Committee: Klaus Brunnstein (chair) University of Hamburg William Caelli Queensland University of Technology, Brisbane Robert R.Moeller Sears & Roebock, Chicago Jose Pino University of Chile, Santiago de Chile Fernando Saez-Vacas Polytechnic University, Madrid Information for Authors: Six (6) copies of a full paper in English (no longer than 4500 words or 12 double-spaced pages, including figures, with 150 word abstract, full title, name and affiliation of author(s) as well as postal and electronic mail addresses, and telephone and fax numbers) should be submitted not later than 10 January 1992 to the Stream's chairman: Professor Klaus Brunnstein Faculty for Informatics University of Hamburg Vogt-Koelln-Str.30 2000 Hamburg 54 Germany email: Brunnstein@rz.informatik.uni-hamburg.dbp.de All papers will be reviewed by at least three, and relevance, originality and clarity will be considered. Accepted papers will be published in full in the Conference Proceedings. How to Submit a Poster: Three (3) copies of a one page abstract for a 10 minute presentation should be sent to the appropriate subcommittee chairman so as to arrive by April 15, 1992. The poster proposal will be judged for relevance and clarity. Acceptance/rejection will be notified by May 15, 1992. The final version of the abstract has to be sent to the organizing committee for inclusion into the poster brochure so as to arrive by June 20, 1992. Key Dates: January 10,1992: Deadline for submission of papers March 9,1992: Notification of acceptance/rejection of papers April 15,1992: Deadline for submission of posters April 24,1992: Camera ready paper at Program Committee May 15,1992: Notification of acceptance/rejection of posters June 20,1992: Camera ready poster at Organizing Committee September 7-11,1992: World Computer Congress, Madrid For more details, please contact: FESI (Federacion Espanola de Sociedades de Informatica) IFIP Congress '92 Hortaleza 104 E-28004 Madrid, Spain Fax: (+34-1) 2431003 E-mail: fesi@dit.upm.es ------------------------------ End of RISKS-FORUM Digest 12.66 ************************