Subject: RISKS DIGEST 13.64
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 14 July 1992  Volume 13 : Issue 64

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
RISKS (and CSL.SRI.COM) outage (RISKS)
Phreaking/Blue Box program (Klaus Brunnstein)
Five `Hackers' Indicted (PGN)
Huge credit card record theft uncovered (Norm deCarteret)
Risks quotation (Jonathan Bowen)
Re: Newsweek Vincennes article (Dan Sorenson)
Re: Airbus (Mark Brader and Keith Barr)
Re: When Cryptography is Outlawed... (Fran Litterio, Arthur L. Rubin)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
 "Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
 The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM:
 ADDRESS, especially .UUCP folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.
 Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).  Vol i
 summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.  The COLON
 in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 If you cannot read RISKS on-line, try FAX!  For info, phone 310-455-9300
 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of
 ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Tue, 14 Jul 92 17:19:10 PDT
From: RISKS Forum
Subject: RISKS (and CSL.SRI.COM) outage

Due to a major disk crisis early Saturday from which RISKS has just recovered,
some mail to CSL.SRI.COM may have been rejected.  Please resubmit NOW if that
was the case with anything you sent to RISKS or RISKS-REQUEST.  When I finally
was able to check my mail, a big gap on send dates is evident.  Thanks.  PGN

------------------------------

Date: Mon, 6 Jul 1992 21:42:49 +0200
From: brunnstein@rz.informatik.uni-hamburg.dbp.de
Subject: Phreaking/Blue Box program

CAPITAL, a German monthly specialized in financial aspects of economy, had a
story, in its July edition, about a phone phreak "Kimble" who offers an
AMIGA-based program with built-in frequencies to switch your telecom connection
over more than 20 countries.  In June, he demonstrated this program in CAPITAL's
office in Duesseldorf, in the presence of some experts from a criminal agency
and an IT security expert.  German Telecom was informed days ahead of the
presentation but could not trace his dialling experiments, which led him from
Duesseldorf to Canada (known as the normal entry of European Phreaks to the New
World), and so on.  Kimble said that non-traceability is a major new feature of
this blue-box program "Unlimited Access (Multi-Frequency Dialler)".

Phreaking was practiced, for some time, also in Hamburg's Chaos Club.  In last
year's Chaos Congress, they once more held a seminar on Phreaking (given by the
Dutch Hac-Tic group; the German report on this part is available, with the
Chaos Congress' documentation, either from CCC or from Virus Test Center's ftp
site).  CCC and Hac-Tic freely distributed information on blue box programs for
PCs and 68000 systems.  Due to this action, the price of a blue box program went
down significantly (from about 500 DM to about 100 DM), and one can upload blue
box programs together with games from ordinary BBS.
But German Telecom said that the holes which these programs exploit have been
patched.  When CAPITAL first contacted me (before the experiment), I was not
very impressed.  But the experiment continued, and some really shocking results
were reported: when German Telecom could also neither trace nor intercept a
second experiment, they reportedly asked some Canadian experts for assistance.
When they watched and tried to close the hole, they observed that somebody just
worked in their "system" to implant some Trojan horse (don't ask me how,
because if I believe Telecom, there is ***no connection to the outside***).
When they patched the holes by changing some frequencies, this evidently was
immediately "mediated" (path unknown) to the phreaks (organised in a group
"Dope", evidently working internationally).  Unlimited Access comes with a
1-year guarantee of free updates of frequencies: this is different from other
blue-box programs and may verify the unusual price (15,000 DM, about 10,000 $),
but remember that this program excludes being traced by Telecoms!  And the
group evidently "received" the updated frequencies immediately and distributed
them to their "clients".

Just for *caution and clarification*: due to the stress of end-of-semester, I
could not personally observe the experiment.  My report is based on some
telephone discussions (not bluebox-dialled) with the journalist, on the
assessment of a participating colleague whom I trust, as well as on some
discussions which I had with Telecom on related matters, and with some phreaks
in my neighbourhood *:)

Klaus Brunnstein

------------------------------

Date: Thu, 9 Jul 92 11:36:11 PDT
From: "Peter G. Neumann"
Subject: Five `Hackers' Indicted

Articles in the NY Times, Washington Post, and elsewhere on 9 July 1992 gave
details of federal grand jury indictments on 8 July of five New York City area
computer ``hackers''.
The five, who call themselves ``Masters of Disaster'' and ``Masters of
Deception'' (MOD), are Julio Fernandez, 18 (``Outlaw'' -- Bronx), John Lee, 21
(``Corrupt'' -- Brooklyn), Mark Abene, 20 (``Phiber Optik'' -- Queens), Elias
Ladopoulos, 22 (``Acid Phreak'' -- Queens), and Paul Stira, 22 (``Scorpion'' --
Queens).

The 11-count indictment accuses the defendants of computer tampering, computer
fraud, wire fraud, illegal wiretapping and conspiracy -- including system
disruptions and stealing data, including 176 confidential reports on consumers'
credit ratings (which they sold), and breaking into computer-communication
systems (e.g., a Southwestern Bell 5ESS switch in El Paso, ITT, and TYMNET,
Bank of America, Martin-Marietta), credit reporting services (TRW), databases
(Trans Union Corp, Information America), and universities (NYU, U.Washington).
On Nov. 28, 1989, they allegedly wiped out nearly all of the information in a
computer used by the Educational Broadcasting Corp., public television station
WNET, Channel 13 in New York.  They face up to 5 years in prison for each
count, or 55 years in total, plus a maximum fine of $250,000 for each count.
Court-ordered wire-taps were used (apparently the first time for data
transfers).

The Times article included this:

  In the 11-count indictment, the men were accused of holding a conversation on
  Nov. 6, 1991, in which they discussed obtaining information on how to alter
  TRW credit reports -- adding or removing credit delinquency statements, for
  example -- to ``destroy people's lives or make them look like saints.''  They
  are also accused of a conversation on Nov. 14, 1991, of discussing a lengthy
  list of institutions with computers that one of them said, ``We've just got
  to start hitting these left and right.''  These institutions included
  government offices, private companies and an Air Force base.

The federal indictment was handed down in Manhattan and was the result of a
joint investigation by the U.S.
attorney's office, the Secret Service and the FBI.

------------------------------

Date: Sun, 12 Jul 92 19:45:05 EDT
From: Norm deCarteret 813-878-3994 (TL 438)
Subject: "Huge credit card record theft uncovered"

Source: St Petersburg Times, 7/11/92, pg B1, Jane Meinhardt

A Time Inc. employee offered detectives computer records on thousands of credit
cards - for a price...on the street for $1 each

Pinellas County sheriff's detectives on Thursday arrested a Time employee who
they said had information on more than 3,000 credit cards, including account
numbers, expiration dates...A tipster reported the fraud scheme mid-June to
detectives who met the man 4 times...to buy computer discs and lists of credit
card numbers...Detectives found additional computer discs and other credit card
information in Ferguson's apartment...the data in his apartment would yield
information on 80,000 more credit cardholders, Ferguson told Pinellas County's
Lt. Rick Wilfong.

"There were credit card numbers from people all over the country.  The
detectives made certain requests for credit card numbers from certain regions.
He told us he had to manipulate the Time system to get them, and he was able to
produce them.  He's not a polished criminal in this type of activity.  But from
what he sold us, he had unusual access to a lot of information he used
fraudulently", Marianne Pasha, sheriff's office [...?].

Thomas Ferguson was charged with 4 counts of trafficking in credit cards.
"We're reasonably sure he didn't sell to anyone else.  He was making attempts
to sell to others but we believe we were the first to buy."  - Wilfong

Ferguson had no record of credit card [fraud].  He had been convicted of
aggravated assault in 1988...and sentenced to 3 years in prison and one year
probation.

Peter Costiglio, Time VP and spokesman:
- Ferguson was a computer analyst for Time for 1.5 years.
- He's been suspended pending the outcome of the criminal investigation.
- Costiglio refused to discuss Ferguson's job or Time's security system.  "Any
  company property has been recovered.  There's been no breach of the security
  system."

That's a reassuring statement?  Sigh.

Norm deCarteret

------------------------------

Date: Thu, 9 Jul 92 10:19:58 BST
From: Jonathan.Bowen@prg.ox.ac.uk
Subject: Risks quotation

Recently I found the following quotation that may be of interest to RISKS
readers:

  "To err is human but to really foul things up requires a computer."
    -- Farmers' Almanac for 1978 (1977) `Capsules of Wisdom'

This is the only quotation on computers to have made it to `The Oxford
Dictionary of Modern Quotations', Oxford University Press, 1991.

Jonathan Bowen, Oxford University

------------------------------

Date: Thu, 9 Jul 1992 05:49:41 GMT
From: viking@iastate.edu (Dan Sorenson)
Subject: Re: Newsweek Vincennes article (Frankston, RISKS-13.63)

In the modern battlefield, be it on land or at sea, there is little to no time
for a positive visual ID of the incoming.  A likely RISK is matching a flight
profile or radar pattern to a known threat and firing before being fired upon.
In this case, few real details have emerged for armchair analysis.  I seem to
remember the attacking Japanese flight at Pearl Harbor being dismissed as a
flight of friendly, and unarmed, B-17's when spotted on radar.  One wonders if
the system designer remembered this incident when he wrote the software for the
AEGIS system.  When there are billions of warship to protect, and civilian
lives in the area, which do you choose to protect at all costs?

>One is the image of a technician madly scanning through a dog-eared issue of
>the OAG (the article didn't mention a brand name) to find the Iranian flight.
>It's hard enough to not miss an entry when in a quiet airport in a single time
>zone.
>I realize that tracking civilian flights was not part of the normal
>battle plan, but I presume that the system has still not been updated to link
>to the civilian airline reservation systems or other such sources of
>information.  One change in warfare, which I think the Gulf War illustrated,
>is how the commercial technology has, in many ways, surpassed the military.
>Of course, the online airline info might not be accurate which means a delayed
>flight could still have been missed.

Do not forget that an F-14 or even a B-2 can be listed as a civilian 727 in
normal civilian reservation logs.  If it was my ship, I wouldn't trust that
logbook farther than I could throw it.  If it was on an attack profile, I'd
open fire.  Note that this profile was under investigation for quite a few
days, but I don't remember any conclusive findings being published.

>The other is that the tagging of the plane as an F-14 provided for no level
>of ambiguity.  Even in the heat of battle, can the system cope with multiple
>interpretations of data or does it mindlessly lock in on a worst case and then
>present it to the befuddled user as fact?

In a military environment, I would hope so, given the caveat that the user
knows it's a worst-case scenario.  I always assume a worst-case scenario in my
daily network maintenance; would you do less when a warship is at stake?

NOTE: my experience in the Navy has not given me any knowledge of the AEGIS
system beyond the general that may be found in Janes.  Do not interpret my
comments as being those of a technical expert in the AEGIS system.

Dan Sorenson, DoD #1066   z1dan@exnet.iastate.edu   viking@iastate.edu

------------------------------

Date: Thu, 9 Jul 92 16:50:00 MDT
From: barr@hickory.mmm.ucar.EDU (Keith Barr)
Subject: Re: Airbus

Below is an excerpt from an article that I posted to rec.aviation, with a
cross posting to rec.travel.air, which I didn't notice.  The text explains why
I am forwarding it to you.  Thanks.
BTW the single > are me, and the doubles are [Mark Brader].

>From msb@sq.com Thu Jul 9 16:33:37 1992
To: barrk@tramp.Colorado.EDU
Subject: A-320

> > I find it rather disappointing -- one has only to read comp.risks for
> > a while to gain a distrust of the A-320, or at least its overdose of
> > computerization.  Starting in November of 1993, when UA's first A-320
> > will be delivered, I'll be watching more closely over just what they
> > want to put me in.

I think comp.risks readers would be interested in the message you posted
in response to the above.  I enclose a copy below in case you didn't keep
one.  You can post to comp.risks by mailing to risks@csl.sri.com.

> As someone who is hoping and praying for a job with UAL someday, I too
> am rather disappointed that United will soon be flying these computerized
> aircraft.  I much prefer the Boeing concept of let the computer fly, but
> give the pilot the override capability.  I was speaking with a UAL pilot
> Tuesday night about the acquisition, and we chatted about the problems
> of putting all of your eggs in one basket.  He told me about two
> Airbus occurrences that were interesting, and since I haven't seen them
> mentioned here before, I will post them.  I apologize if they are repeats.
>
> #1  A Pan Am Airbus A300 or A310 (I don't remember which) was on final
> approach in VMC conditions.  All was looking well until the airplane
> reached minimums.  At that point the aircraft executed a go-around, and
> flew the entire missed approach procedure.  The pilots were not able
> to disengage the autopilot until they were well established in the
> hold.
>
> #2  Apparently as a safety feature derived from the crash of the
> Air Florida flight into the Potomac, a feature was installed on Airbuses
> to minimize/eliminate (hah!) the possibility of taking off without full
> takeoff thrust.
> The system automatically pushes the throttles the
> rest of the way forward if they are not already there when the nose-wheel
> strut decompresses.  One time (type and whereabouts unknown to me) an
> Airbus was being pushed back from the gate after the pilots had started
> both engines.  As luck would have it the tow-bar snapped, and the airplane
> coasted backwards.  When the pilots realized they were just rolling backwards
> they stomped on the brakes.  The airplane, of course, with its aft center of
> gravity, tipped back onto its tail, thus decompressing the nose gear.  The
> computer took over, and jammed the throttles forward, sending the airplane
> racing towards the concourse.  The pilots realized what was happening just
> in time to avoid a nasty collision with the tug, and terminal building.
>
> Keith Barr, COMM-AS&MEL/INST/IGI, University of Colorado, Aerospace Engineering
> barrk@tramp.colorado.edu, barr_k@silver.colorado.edu, barr@mmm.ucar.edu

------------------------------

Date: Fri, 10 Jul 92 11:02:16 -0400
From: franl@centerline.com
Subject: Re: When Cryptography is Outlawed... (Guntheroth, RISKS-13.63)

Suppose the Federal Government doesn't have trouble decoding encrypted
messages, but wants people to think it does.  If so, what's to stop the U.S.
from _loosening_ restrictions on cryptography?  Imagine the risk to privacy in
a world where encryption was legal, unrestricted, and widely used in the belief
that not even the U.S. government could decipher encrypted messages.  In the
land of the blind, the one-eyed man is king.

Fran Litterio, CenterLine Software R&D, 10 Fawcett St, Cambridge, MA, USA
02138-1110  franl@centerline.com  uunet!centerline!franl  617-498-3255

------------------------------

Date: Thu, 9 Jul 92 13:16:58 PDT
From: a_rubin@dsg4.dse.beckman.com
Subject: Re: When Cryptography is Outlawed... (Guntheroth, RISKS-13.63)

>Perhaps what the Feds are looking for is a new weapon of prosecution; use of
                                                          ^^^^^^^^^^^
                                                          persecution?
>cryptography is by definition a felony, and widespread use of cryptography
>is then by definition racketeering as defined by RICO.  It's like bagging
>Capone for tax evasion, when he was too slippery to be caught breaking the
>law.

I find this sloppiness unacceptable as a taxpayer.

Arthur L. Rubin:  a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com  70707.453@compuserve.com  arthur@pnet01.cts.com (personal)

------------------------------

End of RISKS-FORUM Digest 13.64
************************