Subject: RISKS DIGEST 13.84
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 19 October 1992  Volume 13 : Issue 84

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  15th National Computer Security Conference trip report (Rebecca Mercuri)
  Vote Early, Vote Often (Bear Giles)
  Toronto Teenager Charged in 911 Case (Nigel.Allen)
  Rutgers students charged with scholarship scam (PGN)
  A320 engine control problem at Gatwick (John Rushby)
  T* S* (anonymous)
  DEA mishandling of national security information (Philip R. Moyer)
  Using the DOT's computers to steal car stereos (Bill Marshall)
  Robot daydreaming (Les Earnest)
  Computing Research Association (CRA) seeks associate (Rick Weingarten via Lance Hoffman)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Mon, 19 Oct 92 12:32:04 EDT
From: mercuri@gradient.cis.upenn.edu (Rebecca Mercuri)
Subject: 15th National Computer Security Conference trip report

NCSC '92 -- Comment and Commentary

Copyright (c) 1992 by Rebecca Mercuri. All Rights Reserved. Reposting and/or reprint not granted without prior written permission from the author. Address questions, response and corrections to: mercuri@gradient.cis.upenn.edu

I attended the 15th National Computer Security Conference held October 13 - 16 in balmy Baltimore MD with the hope of coming away with some solutions for the security problems I had encountered and observed over the past few years. I left with a longer list of problems, and the vague feeling that our industry has become remiss in providing us with answers that we can use, or has answers and is either incapable or unwilling to yield them publicly.

Let me state clearly here that this comment does not in any way reflect negatively on the conference organizers -- they should be commended for performing their task well, creating a superbly orchestrated event which covered a broad spectrum of topics. Indeed, "rookies" were liberally mixed on panels with esteemed "greybeards" and many women (sans beards) were in evidence as session chairs and presenters (although I was somewhat dismayed to note that females appeared to constitute less than 10% of the attendees, lower than in the computing community in general). The breadth and extent of the conference does not allow one reporter to describe it fully, so I offer these remarks merely as comment and commentary, perhaps to stimulate discussion among other attendees.

The conference held an international flavor, with the keynote by Roland Hueber (Directorate General of the Commission of the European Communities) and the closing plenary on International Harmonization serving as bookends.
There were repeated calls for cooperation in developing global security standards, with the primary advantages of such appearing to be in commerce. In the wake of the cold war, there seems to be a spirit of openness in this regard, but I offer the speculation that it may be foolhardy to enter into conformity of thought and solutions. Diversity, particularly in commerce, inspires creativity. Monopoly, or single-mindedness, often leaves one at risk of exploitation by a strong central power, or of attack by those who are close enough or who understand the system well enough to side-track it. We may need "fault-tolerant" and "diversified" answers.

Surveying the Track Sessions:

It is useful to juxtapose thoughts about covert channels with those about encryption systems. For the uninitiated, covert channels (to a first approximation on a definition) are created when internal intermittent polling is performed in an effort to conceal illicit data collection activities. Bob Morris provided the statistic that 1/10 of a bit per second is enough to expose a key in approximately 1 month. This is at current processing rates, but one can extrapolate out the Silicon Valley curve and surmise that our current key encryption systems will be inadequate within the end of the century (if not now, perhaps).

In the quest for tools one encounters the debate on provability and formal top level specification. Virgil Gligor referred to "formal top level specification as an unmitigated waste of time," saying that data structures and source may not map to the top level, there may not be enough relevant details provided, and excessive false illegal flows may occur. Earl Boebert stated that formal proving methods have worth in analysis of specifications, but have failed utterly in spec/code, code/object, and code/behavior correspondence.
Still, formal methods have their supporters, most notably SRI, as indicated by John Rushby, one of their directors (who also publicly revealed that there had been a major successful break-in at the lab last month).

Interestingly, the panel on Intrusion Detection was chaired by SRI's Teresa Lunt, who discussed the use of expert systems to encode vulnerabilities, attack methods and known suspicious behaviors. Steve Snapp expressed the divide and conquer approach, saying that there may be no single generalizable model of intrusion, and that static, incidence/existence, and data driven methods should all be used.

The matter of viruses was explored throughout various sessions. The general consensus of opinion seemed to be that rigorous procedures and policies need to be implemented so that recovery is possible to some level following contamination or invasion. In the talks I attended, no clear method for handling the recovery from a "new" virus (that can not be eradicated with existing software) was offered. This was not consoling to someone who had just last week left a client's law office with the admonishment "don't use any of the text files that you've created in the last 6 months until I can find out what the new virus strain is that appears to have adhered to some unknown quantity of them." Here too, the standardization on certain operating systems and environments (such as Microsoft Windows(TM)), and uniform acceptance of specific tools (such as the legal community's reliance on Word Perfect(TM)) encourages the proliferation of attacks that could potentially disable large sectors of the user base.

Losses seem to be tied heavily to the bottom line. In banking, it may not be advantageous to implement a $10M or more security system that still does not assure total impenetrability when insurance coverage can be obtained at a cost of $1M (even if this price only remains low until there is a hit).
In health care, as described in Deborah Hamilton's award-winning paper, the bottom line may indeed be one or more people's lives. As true with drug approvals, it is easy to see that holding back an inadequately tested computer system may cost more lives than providing it while continuing to make improvements and corrections. How does one weigh security, reliability and verifiability issues when there is a crying need for access to the developing technology? We are faced with a moral dilemma without a governing body to set policies.

The area of privacy was eloquently addressed by Attorney Christine Axsmith who said that our reasonable expectations of privacy, as expressed by the 4th Amendment, protect people, not just places. But she went on to say that with regard to the computer industry, the Privacy Act and other legislation efforts still suffer from a lack of court rulings necessary to define their interpretations.

Will our efforts to improve security undermine privacy? Curt Symes (from IBM) stated that "we'll all be using smart cards in the future, for a higher level of authentication." Does this mean that I will eventually be required to be bioidentified (DNA, fingerprint, retinal scan, voiceprint) in order to obtain access to my own data and research? A chilling thought.

In conclusion, to paraphrase Peter Neumann (which seems only fitting, as he "scooped" my Nov. 92 CACM Inside Risks column on voting machines by referring to some of its salient points in his banquet address, without citation) -- perhaps the conference theme "Information Systems Security: Building Blocks to the Future" should be read not as "building-blocks" (the small bricks), but as "building BLOCKS" or obstacles to our future as security professionals. There is a sense of urgency now -- many of us need more than a foundation of toy blocks, requiring true solutions which appear to not be forthcoming.
What we don't want are systems and design structures that are so cumbersome as to impede computational progress. Discussion may be fruitful, but let us all get our noses to the grindstone and provide functional tools and answers, rather than guidelines and assertions. Some are working in this direction, others are needed.

------------------------------

Date: Thu, 8 Oct 1992 10:35:12 -0600
From: Bear Giles
Subject: Vote Early, Vote Often

A local proponent of voting-by-phone keeps pointing to the 'safety' of absentee ballots as evidence that phone-voting would be safe. So it was with more than passing interest that I read the lead article in the _Rocky Mountain News_ today....

(Main headline [1])

Vote fraud riddles Colorado County

'Vote early, vote often' was Costilla County pattern, judge rules. Non-residents used absentee ballots to help pals win office

(Article headline)

Judge finds Costilla County riddled with election fraud

Non-residents marked absentee ballots to help friends, relatives win elections, court rules

by Dick Foster
Rocky Mountain News Southern Bureau

Widespread election fraud has been uncovered in Costilla County [in south-central Colorado abutting New Mexico], where evidence shows people cast absentee ballots for friends and relatives seeking public office back to 1984.

One of those who cast an absentee ballot in the southern Colorado county was not even a U.S. citizen. Another was an imprisoned felon, evidence shows.

Another 106 people who had cast ballots in one or more of the last four elections lived nowhere near Costilla County and had no claim to an absentee vote, Chief District Judge Robert Ogburn of Monte Vista ruled.

It took the action of citizens banding together to file a civil lawsuit to halt the abuses after their complaints were rebuffed by the Colorado secretary of state's office and the local district attorney.
Office holders felt "entitled" to collect as many absentee votes as possible from children who had long ago left the county "as well as from nieces and nephews and anyone else who bore the slightest resemblance to being a relative," said Ogburn. "Over the years, the practice expanded to include friends who had left the community to live elsewhere."

One Mexican national with a green card testified that a county commissioner solicited his vote and gave him an absentee ballot.

Many of the absentee voters gave fake addresses in the county. Others simply used local post office box numbers as their claim to local residence. Ogburn called one box "famous" -- it had been claimed by several absentee voters.

Costilla County had 254 absentee ballots in the 1990 general election, about 14% of the county's total vote of 1,827. In neighboring counties, only 5% to 7% of the votes were absentee.

At least once, absentee ballots meant the difference between victory and defeat for incumbents. In 1988, a resident named Lillian Maestas ran against county clerk and recorder Roy D. Martinez. She led in election day returns, but lost when the absentee votes were counted, said Wilmer Pacheco, a Maestas campaign worker.

"Some of these people haven't lived here since World War II and they're voting here. When you have that many votes in a small county it's going to throw the election," said Stephanie Kimbrel, one resident who helped organize Citizens for Better Government after the August primary election. The group launched its own investigation and civil lawsuit to stop voting abuse.

Urcilia Auth joined the group after returning to San Luis to retire and serving as a poll watcher during the August primary.

"I saw people I knew from Alamosa [in a different county] come in here and cast ballots," she said. "But the county clerk hadn't given us a challenge list so we couldn't challenge them. And names appeared on the registration list of some people I know who live in Colorado Springs."
The residents said they grew angrier when their calls for an investigation of election abuse were turned aside by the secretary of state's office and Alamosa County District Attorney Douglas Primavera.

"When I took this to Donetta Davidson, the elections director at the secretary of state's office, after the August primary, she told me that we should hire a lawyer because their office has no responsibility at all in these matters," said Kimbrel.

Secretary of State Natalie Meyer told the _Rocky Mountain News_ Wednesday "the law does not give me any authority to do anything" to investigate election abuses. Such matters are for the district attorney to investigate, she said.

Primavera told the _Rocky Mountain News_ his office lacked the staff to conduct an investigation into the residents' allegations.

"They all just passed the buck," Pacheco said.

The residents hired Alamosa attorney Martin Gonzales, who filed a civil lawsuit in September challenging 108 names of absentee voters in the county. The residents themselves gathered records and witnesses to prove the voters were not county residents.

"I think the secretary of state's office could have stepped in," Gonzales said. "They didn't."

[1] The _Rocky_ is printed in tabloid format, not broadsheet. The front page is a collection of headlines and a large photo; the lead story can appear anywhere in the paper. The _Rocky_ is _not_ a tabloid paper in the style of the _Weekly World News_ -- it is one of two leading newspapers in Colorado and chose the tabloid format for marketing reasons around 50 years ago.

Bear Giles
bear@fsl.noaa.gov

------------------------------

Date: Wed, 7 Oct 1992 21:51:00 GMT
From: Nigel.Allen@lambada.oit.unc.edu (Nigel Allen)
Subject: Toronto Teenager Charged in 911 Case

Here is a press release that I received from the Metropolitan Toronto Police. The Toronto Star ran a story (based on the press release) on its front page today (October 7).
1992 October 06, 1950 hours

Teenage Computer Hacker Nabbed by Police

Detectives from the Major Crime Squad at Police Headquarters have arrested a 15-year-old North York boy and charged him with a number of computer-related crimes. Investigations have revealed that on some occasions his pranks paralyzed the Metropolitan Toronto 911 emergency telephone system.

Last July, a young man called the 911 emergency number from a location in the west end of Metropolitan Toronto and reported a number of medical emergencies which caused units from the Metropolitan Toronto Police, ambulance services and local fire departments to respond. All of these calls were determined to be false.

On one occasion, he totally monopolized the 911 system and rendered it inoperable thereby denying citizens access to the 911 lifeline throughout the Metropolitan Toronto area.

Bell Canada security officers assisted police in their search for the source of the calls. Acting on a Criminal Code search warrant, police today entered a North York home, seized a quantity of computers and arrested a teen-age boy.

He is to appear in Youth Court, 47 Sheppard Avenue East, North York, Friday, November 6, 1992, charged with theft of telecommunications, 24 counts of mischief and 10 counts of convey false message.

Investigations are continuing.

(end of press release)

Note from NDA: More information may be available from the public affairs office of the Metropolitan Toronto Police at (416) 324-2222 or from Detective W. Johnston of the Major Crime Squad at (416) 324-6245.

[The usual disclaimers: No connection with any police agency, telephone company or obnoxious teenagers who think false alarms are amusing. The opinions expressed are not necessarily those of the University of North Carolina at Chapel Hill, the Campus Office for Information Technology, or the Experimental Bulletin Board Service.
internet: bbs.oit.unc.edu or 152.2.22.80]

------------------------------

Date: Sun, 11 Oct 92 15:45:15 PDT
From: "Peter G. Neumann"
Subject: Rutgers students charged with scholarship scam

NEW BRUNSWICK, N.J. (UPI) -- Three Rutgers University students have been charged with trying to bilk their fellow students with a fake scholarship scam. The trio allegedly placed fliers around campus advertising ``New Jersey Scholarship and Grant Search Services,'' directing applicants to send Social Security and bank account numbers and credit card data to a mailing address. Police say they used the information to apply for duplicate birth certificates.

Police say they have located only one victim who actually lost money, a Livingston College student who had $1,000 withdrawn from her bank account. But another woman allegedly reported that she had received notices from credit card companies that someone was trying to obtain cards using her name.

Police have charged Justin Okieze, 18, of North Brunswick; Robert Harrell, 21, of New Brunswick; and Lisa Young, 20, of Edison, with theft by deception.

------------------------------

Date: Sat 10 Oct 92 10:41:43-PDT
From: John Rushby
Subject: A320 engine control problem at Gatwick

Source: dp:DPA:Deutsche Press-Agentur

LONDON (OCT. 8) DPA - A fully-laden Airbus A 320 lost power in one engine for no accountable reason while approaching London's Gatwick airport, necessitating emergency procedures, it was reported Thursday.

This suggested that computers controlling the engine 'could be capable of developing a mind of their own and countermanding decisions made by the crew', The Times newspaper said.

The aircraft of the Air 2000 charter company was on its way from Venice to Gatwick with 135 Passengers and seven crew September 26 when the starboard engine continued to 'wind down' until well below the required flight idle speed, the newspaper said.
The captain had to shut the engine down completely - a routine operation that did not affect safety - and then restarted the engine at 14,000 feet to make a normal two-engined landing.

'Despite a detailed check of all the systems, the fault has not been traced, but it is believed to involve the engine overspeed valve which restricts the flow of fuel to the engine as power is cut,' the newspaper said.

------------------------------

Date: Mon, 12 Oct 92 6:33:26 PDT
From: Anonymous Bosh
Subject: T* S*

Today in a meeting, it was brought up that someone had emailed a message and most likely added the words T** Sec**t in jest or fun. The message body was apparently one of those systems which can include the bitmap for a military service which will remain nameless. Somehow or other the DoD got this message and started an investigation. Needless to say, the DoD was not amused, this despite system wide disclaimers that said systems are not to be used for classified work.

Ah! The electronic future is going to be an interesting one.

------------------------------

Date: Mon, 12 Oct 92 14:23:47 -0500
From: "Philip R. Moyer"
Subject: DEA mishandling of national security information

This is a brief overview of a General Accounting Office (GAO) review of computer security procedures at the Drug Enforcement Administration (DEA). The results of the GAO investigation showed that DEA is not adequately protecting national security information in its computer systems, and that though the DEA knows of no unauthorized disclosures, revelations of this national security information would endanger lives and hinder US drug enforcement and interdiction programs.

The Department of Justice requires that all of its component agencies identify all computers used to process national security information. DEA, however, has failed to do so. DEA's report was produced by the Office of Security Programs based on a survey.
Omissions in DEA's report were caused because the headquarters was not surveyed, and because one field division did not respond to the request for information. Another field division reported that they did not have any computers processing national security information when in fact, the GAO found that they do.

DEA was in violation of National Security Guidelines by

- using the office automation system to process classified data. This system has not been approved or safeguarded for processing classified data.
- not conducting a risk analysis of the system.
- operating said office automation workstations in open, unshielded work areas.
- using non-TEMPEST rated workstations to process national security information.
- using unencrypted data communications lines.

Additional problems occur because DEA uses the Office Automation system to process national security information. For example, any DEA employee, regardless of clearance, has access to any information stored in any of the office automation workstations. Also, vendor-issued system passwords have not been changed, so the vendor and other knowledgeable individuals would have complete access to the system (which was installed in 1987).

Some DEA personnel were processing classified information on microcomputers that had fixed hard disks, which, in some cases, results in the inadvertent storage of classified information on that disk, where it can later be revealed to individuals without clearance (see GAO/T-IMTEC-91-6 for examples).
In addition to the information security problems outlined above, DEA has the following physical security problems, which increase the risk from the above problems:

- inadequately controlled access to sensitive areas
- individuals without national security clearances working unescorted in sensitive areas
- unattended computers left logged on
- computer-generated printouts and disks being left unattended and unsecured
- documents left unattended and unsecured
- safes left open and unattended

A specific example mentioned was that janitors are left unattended in areas where computers were used to process national security information, and that those computers were left logged on at the time. These janitors had neither a clearance nor a need to know.

Non-computer related physical security problems include

- electronic card key devices are disabled during working hours and doors are propped open
- security staff fail to review card-key logs
- stolen or lost keycards are not deactivated
- non-DEA employees have key cards that open sensitive areas within DEA
- locks on division offices have not been changed since 1985, even though 17 keys have been lost or stolen, including masters to computer areas
- DEA employees are not required to wear identification badges

The report concludes that these security weaknesses endanger the lives of federal agents and need to be corrected immediately.

The document summarized in this article is GAO/IMTEC-92-31. The GAO makes one copy of each report available for free; additional copies are $2.00. Orders can be sent to

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20877

or phone them in at 202-275-6241.
Phil

------------------------------

Date: Wed, 14 Oct 1992 00:25:13 GMT
From: marshall@cs.iastate.edu (Bill Marshall)
Subject: Using the DOT's computers to steal car stereos

From the Des Moines (Iowa) Register, Friday, October 9, 1992, page 1M

Car break-in ring cracked; youth shows the way
By Tom Alex - Register Staff Writer

[I have only entered the paragraphs that contained computer information]

Des Moines police this week broke a sophisticated youth theft ring that was using license plate numbers and state records to locate cars for late-night break-ins.

The youths would spot cars with expensive stereo gear in parking lots during the day and then use Iowa Department of Transportation computer records to determine where cars would be parked at night.

With the license plate numbers, the teen-ager went to an Iowa Department of Transportation office at Park Fair Mall and used public access computers to learn the home addresses of the owners of the vehicles.

He and his cohorts didn't want to break into the vehicles when there were a lot of potential witnesses around, police said, so they found addresses from registration information and visited the victims at their leisure.

Security problems with public access computers cropped up last year shortly after the computer terminals were installed, said Jan Hardy, assistant office director with vehicle registration. A case worker in the juvenile system reported having a client who had been using the terminals for illegal activities. Shortly afterward, officials developed a security system to help curtail illegal acts. People wishing to look up license plate numbers must identify themselves to the computer.

"If they use the front counter terminal and sign on themselves, that does provide at least some tracking of inquiries," said Hardy.
marshall@cs.iastate.edu
Bill Marshall, Computer Science Department, Iowa State University

------------------------------

Date: Sat, 10 Oct 92 11:39:50 -0700
From: Les Earnest
Subject: Robot daydreaming

Copyright 1992 by UPI. Reposted with permission from the ClariNet Electronic Newspaper newsgroup clari.news.interest.quirks. For more info on ClariNet, write to info@clarinet.com or phone 1-800-USE-NETS.

STANFORD, Calif. (UPI) -- Stanford University Hospital removed its new robotic transportation devices from service Thursday after one of the units went awry and fell down a set of stairs.

Associate hospital director Louis Saksen said no one was injured when the robot veered off course and tumbled down the steps.

Stanford purchased three of the units to perform simple tasks, such as delivering food trays to patients and transporting X-rays and supplies around the hospital.

The facility has been phasing in the units for use this fall and has had no problems with the robots during their first weeks of the trial period.

Officials said they had no idea what caused the robot to malfunction when it returned from delivering a food tray to a patient.

Saksen said the robots are designed to free hospital workers from routine duties to do other, more vital work. The battery-operated devices have been used for similar duties in several hospitals across the United States.

[David Cheriton remarks that it was probably garbage collecting at the time. That's the logical thing to do after delivering food. -Les Earnest (les@cs.stanford.edu)]

------------------------------

Date: Wed, 14 Oct 92 11:38:51 EDT
From: "Lance J. Hoffman"
Subject: Announcement (fwd)

[From Professor Lance J. Hoffman, Department of Electrical Engineering and Computer Science The George Washington University Washington, D. C.
20052 (202) 994-4955 fax: (202) 994-0227 hoffman@seas.gwu.edu]

Forwarded message:

Date: Wed, 14 Oct 92 09:10:37 -0400
From: rweingar@cs.UMD.EDU (Rick Weingarten)
Subject: Announcement

The Computing Research Association (CRA), a nonprofit association in Washington, DC, seeks a motivated staff policy associate with a computer science or engineering background and an interest in public policy.

In conjunction with the Association for Computing Machinery (ACM), CRA will be significantly expanding its coverage of public policy issues affecting the computing community. This entry-level position offers an exciting opportunity to be involved in policy-making, as it relates to computers and information technology.

Issues CRA currently is following include:

* Long-term changes in the way government supports R&D;
* The High-Performance Computing and Communications initiative, including the National Research and Education Network (NREN);
* Digital libraries; and
* Information policies, including privacy, security, intellectual property and public access to government information.

The associate will track the development of issues, perform research, attend meetings and communicate with experts in the field. Through written and oral communications, the policy associate and the executive director will inform the computing community about important issues. The associate will work with CRA and ACM committees to set priorities and strategies for further action, such as drafting letters and testimony, convening workshops and seminars, and developing position papers.

In addition to a computer science or engineering background, the associate must have excellent communication skills. Knowledge of the legislative process and public policy experience are a plus. A bachelor's degree is required.

The salary for this entry-level position is commensurate with that of similar policy jobs in the Washington area. CRA offers a good benefits package.
Send cover letter, salary requirements, resume and three appropriate writing samples to

Fred W. Weingarten, Executive Director
Computing Research Association
1875 Connecticut Ave. NW, Suite 718
Washington, DC 20009.

------------------------------

End of RISKS-FORUM Digest 13.84
************************