Subject: RISKS DIGEST 14.20
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thurs 31 December 1992  Volume 14 : Issue 20

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: [***** HAPPY NEW YEAR!!! *****]
Another Jail Computer Glitch (PGN)
Antiviral technology target of legal action
Dutch chemical plant explodes due to typing error (Ralph Moonen)
911 in Massachussetts (Barry Shein)
What about "little brother?" (Brian Seborg)
Re: Electronic democracy (Barbara Simons)
Re: Programming errors affect state lottery (Charles D. Ellis)
Re: Bundestag speechless (Boris Hemkemeier, Markus U. Mock, Daniel Burstein)
Latest (?) credit card scams (Jerry Leichter)
Risks of satellite-controlled anti-theft devices (Jim Griffith)
OECD Security Guidelines (Marc Rotenberg)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 30 Dec 92 11:16:35 PST
From: "Peter G. Neumann"
Subject: Another Jail Computer Glitch

Around 7pm on 27 December 1992, the new San Joaquin (California) County Jail computer system automagically unlocked all of the cell doors in a high-risk area, with a highly audible series of loud clicks, releasing about 120 potentially dangerous inmates who were being held in an "administrative segregation pod." Fortunately, the pod was itself isolated by other doors that remained locked. The glitch was attributed to a spurious signal from the "incoder card" whose responsibilities include opening those doors in emergencies. [Source: San Francisco Chronicle, 30 Dec 1992, p.A14, article by Peter Fimrite]

Fimrite's article also noted other California cell-door problems. Less than a year after the supposedly escape-proof Pelican Bay State Prison near Crescent City CA opened, inmates learned how to pop open the pneumatic cell doors at will. A similar system in the Santa Rita Jail in Alameda County was also found to be pickable. [If it had required breaking DES, that situation might have been DES-pickable!]

For those of you new to RISKS (or in case Fimrite or his Chron colleagues see this in RISKS), our archives include the following computer-related cases. (Rather than grep-ing through the back issues, I give references to back issues of the ACM SIGSOFT Software Engineering Notes, containing material derived from the earlier issues of RISKS. S 10 1 is dated Jan 84, S 12 4 is Oct 87, S 13 4 is Oct 88, S 17 1 is Jan 92.)

.....
Earlier prison problems
Santa Clara prison data system (inmate altered release date) (S 10 1)
Drug kingpin escapes LA County prison via bogus release message (S 12 4)
Convicted forger released from Tucson jail via bogus fax (S 17 1)
Seven Santa Fe inmates escaped; prison control computer blamed (S 12 4)
Oregon prisoner escaped; frequent-false-alarm alarm ignored (S 12 4)
New Dutch computer system frees criminals, arrests innocent; old system eliminated, and no backup possible! (S 12 4)
New El Dorado jail cell doors won't lock -- computer controlled (S 13 4)

------------------------------

Date: Thu, 31 Dec 92 11:31:38 PST
From: Peter G. Neumann
Subject: Antiviral technology target of legal action

The Washington Post has an article by John Burgess (at least some of which appears in today's San Francisco Chronicle) discussing a federal judge's order to McAfee Associates of Santa Clara CA, to stop distributing their Pro-Scan Version 2.31 and ViruCide Version 2.33 and derivative products. Imageline Inc. of Richmond VA (maker of PicturePak and ValuePak) has sued McAfee Associates for libel, fraud, and other misdeeds, because those antiviral products mistakenly identify Imageline products as containing viruses. Stay tuned for further details.

------------------------------

Date: Wed, 23 Dec 92 09:26 GMT
From: rmoonen@ihlpl.att.com
Subject: Dutch chemical plant explodes due to typing error

In the first half of this year the chemical factory Cindu exploded causing several deaths and a chaos. It was confirmed yesterday that a simple typing error led to this tragic accident. Apparently the computerised chemical processing installation was fed with data in which a comma was placed at a wrong digit, causing the wrong amount of chemicals to be mixed in the installation. This led to an enormous explosion and the closure of the factory. The Dutch news said that the responsible person has been found and he will be charged with negligible conduct causing death.

BTW: This year has been disaster-year for the Netherlands. We have had 2 serious plane crashes: the well-known El al 747 that crashed into two apartment buildings, the DC10 with 300 Dutchmen aboard that crashed in Faro this week. We had the Cindu explosion, an earthquake (yes, in Holland) 2 major train-accidents, and quite a few lesser accidents. I hope the next year will have some mercy on us :-)

--Ralph Moonen

------------------------------

Date: Wed, 30 Dec 1992 01:24:42 -0500
From: bzs@world.std.com (Barry Shein)
Subject: 911 in Massachussetts

I assume you have already been inundated with the issue of the woman who was murdered by (her ex-husband I believe) here in Boston.

It seems she dialed 911 when she heard him at the door but unfortunately her exchange was a Brookline exchange (a neighboring township a few blocks away, not politically part of Boston), so the 911 call went to the Brookline Police. On hearing her address the Brookline police informed her she needed to call the Boston Police.

I am not certain of the exact details of what ensued (I'm not sure anyone outside of the Police departments is certain yet), the Brookline police claim the delay would not have made any difference in the outcome (her murder), but of course that's a fairly convenient position for them to take.

This has been a front-page story in the Boston Globe these last few days.

Makes one want to pick up their phone and dial 911 and see exactly who you get and ask whether they would actually come should you need them.

-Barry Shein
Software Tool & Die bzs@world.std.com uunet!world!bzs 617-739-0202

------------------------------

Date: Wed, 23 Dec 92 12:28:17 EST
From: Brian Seborg
Subject: What about "little brother?"

In the past we have tried to control information collected by "Big Brother" or the Federal Government. I believe that this has for the most part been accomplished.
What has not been done, and what seriously needs to be addressed is the collection and dissemination of information by numerous "Little Brothers." Specifically, additional guidance is needed to protect information maintained by credit reporting agencies, State Government agencies, retail stores, and other entities which routinely collect information that can be linked to an individual by name or other unique identifier.

Since I teach a computer security class at a local college, the issue of privacy seems even more important once you know how many ways the information can be compromised. After a lecture on privacy one of my students mentioned that he worked with some private investigators, and he mentioned that they routinely had access to all kinds of information on people, and that agencies such as the state department of motor vehicles routinely sold access to their records to just about anyone. To illustrate the problem I asked the student to initiate an inquiry and to see what he could find out with only my name as information. The next class he brought me the results of his spending about 30 minutes at a computer terminal.

Here is a partial list of what he provided me in printed form: my current address, the addresses of all my previous residences, a list of all of the automobiles I have ever owned, my social security number, my drivers license number, a list of all of the credit cards I have ever owned including cancelled cards, their credit limits, the credit card numbers, and the current balance, the name and address of my employer, my father and brother's name and address, the name of my wife, the name address and phone numbers of all of my neighbors, their date of residence, and the type of home they had, my criminal record (blank) along with any pending cases, my traffic record (not blank unfortunately! :-)), my race, my income, the amount of my mortgage, my credit rating, etc.
I imagine that most people have no idea that such information about them is so easily accessible. Imagine the potential for coming up with a detailed profile of a person once you begin associating individuals to the groceries they buy if the current trend of using check cashing cards or bank-cards to pay for groceries really catches on! For example, could you imagine who might want to have access to lists of customers which bought specific products? Giant supermarkets (a large chain in our area) already has the computer printing out coupons based on the purchases you have made, what would they do with this information if they could associate you with the groceries you bought? One could imagine the following phone call after purchasing a bladder control product: "Yes, Mr. Seborg, this is the office of Dr. Nosey, Urologist, we are offering five dollars off your initial consultation, when can we schedule you for your first appointment?" Or worse, you could have someone inferring some personal profile based on your patterns of consumption. Far fetched, maybe, but I bet you may think before you use that bank card, or check cashing card next time at the grocery store, eh?

Brian Seborg, VDS Advanced Research Group seborg@csrc.ncsl.nist.gov

------------------------------

Date: Wed, 23 Dec 92 12:36:33 PST
From: Barbara Simons
Subject: Re: Electronic democracy (Agre, RISKS-14.19)

>Now, some people argue that electronic open government will level the
>playing field by giving The People access to the same information as special
>interests. But maybe it doesn't work that way. ....

Agre then goes on to ask if we should welcome or oppose electronic "open government" if our primary interest is in strengthening democracy.

I agree that there are many pitfalls related to the question of electronic democracy as it is usually described. The one that I find most disturbing is the question of access.
Users of the net tend to be white males from a certain age group and socio-economic class. There are very few representatives of the impoverished underclass on the net, and women are very much underrepresented. Also underrepresented are old people and very young people.

If we were to increase access to government for users of the net, we would be increasing access for a relatively prosperous, well educated, and successful group, at the expense of much of the rest of the country. This is not a healthy situation for a democracy.

There is a serious risk of disenfranchisement contained within the standard description of electronic democracy. While this may not be the sort of risk usually discussed in this forum, it is nonetheless significant, and it is possible only because of computers.

Barbara Simons

------------------------------

Date: Fri, 18 Dec 1992 19:19:28 GMT
From: cde@aplexus.jhuapl.edu (Charles D. Ellis)
Subject: Re: Programming errors affect state lottery (Seecof, RISKS-14.18)

GTECH, the company which got the mysteriously beneficial contract change indemnifying them from operational goofs is in the news big time here in Maryland. It seems that allofasudden/outoftheblue they were awarded a contract for Keno which was a total surprise to all, including the state legislature. The no-bid award was justified due to a "fiscal emergency". They must have one hell of a contracts department!

Charlie Ellis cde@aplexus.jhuapl.edu

------------------------------

Date: Sun, 27 Dec 1992 20:01:46 +0100
From: Boris Hemkemeier
Subject: Re: Bundestag speechless (Weber-Wulff, RISKS-14.19)

The earlier report is only half the story. The president of the German Bundestag has a new priority button that switches off all microphones except his own. After resuming the debates in the new building, Johnny Klein put a heavy book on the button and didn't notice the effect. Security personnel prevented technicians from entering the Bundestag.
Then the parliament decided to move back to its old building, which incidentally is controlled by the same (working!) computer. (See the German newspaper, Die Zeit, "Johnny griff daneben", for details.)

Boris Hemkemeier boris@mathematik.uni-bielefeld.de.

[Eine KLEINe NICHTmusik! PGN]

------------------------------

Date: Wed, 23 Dec 92 15:39:43 MET
From: "Markus U. Mock"
Subject: Re: ... Bundestag speechless (Weber-Wulff, RISKS-14.19)

[...] If this event shows the risks of complex technical systems, the light was actually cast on the un-informed 'user' community and the lack of information transfer to those who will use the systems. [...]

Markus U. Mock, University of Karlsruhe, Dept. of Computer Science mock@ira.uka.de ukj6@dkauni2.bitnet

------------------------------

Date: Wed, 23 Dec 92 04:15 GMT
From: Daniel Burstein <0001964967@mcimail.com>
Subject: Bundestag sound problems (RISKS 14.19)

Hmm, seems I recall seeing this problem demonstrated at length in the mid 1960's. Didn't Don Adams and Barbara Feldon (and Edward Platt) repeatedly run into problems of this sort when using the "Cone of Silence" over at "Control"?

Since the show was a continuing news documentary describing actions of spy agencies, one would have thought that if anyone had studied it intensely, it would have been the (then) East and West Germans...

Danny <----direct e-mail address

(A quick note to our younger crowd: The television show in question was "Get Smart," which was kind of a spoof on the entire spy genre. It is currently in syndication throughout the United States, and quite a few other countries as well).

------------------------------

Date: Tue, 29 Dec 92 16:56:45 EDT
From: Jerry Leichter
Subject: Latest (?) credit card scams

As I was paying for some magazines at a local bookstore today, I happened to notice two interesting bulletins to store owners - passed on to the people minding the cash registers - about the latest in credit card fraud.
There are two closely related frauds involved:

1. Credit cards with their magnetic stripes re-recorded with a different, but valid, account number. Since these days pretty much the entire system runs on what is read off the magnetic stripe, with a complete receipt printed for you without a need to emboss anything from the original card, this is a great way to charge things to someone else.

Their recommendation: Cross-check the information embossed on the card with the information printed on the receipt. There's a reward offered to anyone who finds a "magnetically forged" card this way.

In practice, don't bet the ranch. It's hard enough to find anyone who bothers to check the signature any more; how many people will bother to check long strings of digits? It's worth keeping in mind that unless the card IS checked, there is no good way to prove, or even reliably detect, the fraud later: The only information in the system is what came off the magnetic stripe. (Well, you do have the signature - but do stores even bother to keep all those signed, printed receipts? Finding any particular one would be a horrible job.)

2. Someone has apparently gone into business creating fake credit cards with valid (stolen) credit card numbers on them. They are currently easily detectable because they all bear the name of some particular non-existent bank. If the creator had thought about this a bit, he would have created fake Citibank or AT&T cards - even if it were hard to get them to look *exactly* like the real ones, they'd still be much, much harder to detect than cards "issued" by a specific "First Federal of Oshkosh", which since it doesn't exist has issued NO real cards. (I hope I haven't given anyone a new idea.)

The potential losses here are staggering.
I don't know who ends up stuck with the immediate bill for these losses - certainly not the owner of the valid, stolen credit card (though proving that a fraud has taken place could be time consuming and painful), most likely not the retailer (after all, he DID get a "valid card/good transaction" response from whatever agency he checks with). There should be some interesting finger-pointing between the issuing banks and the transaction approving agencies. In the end, of course, we all end up paying.

Check your monthly bills carefully!

-- Jerry

------------------------------

Date: Tue, 29 Dec 92 23:49:54 -0800
From: griffith@xcf.Berkeley.EDU (Jim "The Big Dweeb" Griffith)
Subject: Risks of satellite-controlled anti-theft devices

Here in the Bay Area, there has been a rash of carjacking crimes. In San Francisco alone, there have been around 60 carjackings in the past six months or so. Several people have been injured when resisting a carjacker - the latest being a young man who was shot in the head on Christmas Eve when he wouldn't give up his car. The police recommend that drivers should give up their cars to would-be car-jackers, since a life is more valuable than a car.

Naturally, Silicon Valley has been working on the problem, the first solution being a remote-controlled ignition kill switch, operated from a fob such as those used with active car alarms. One of our local stations had a blurb about the latest innovation, which uses pager technology to allow a car owner to dial a 1-800 number, triggering a pager-like satellite signal which causes a particular car to kill its ignition. This way, car owners can calmly let a carjacker escape with the vehicle, then walk to the nearest telephone and stop the car in its tracks.

I thought this was a rather clever use of technology, so I gleefully told one of my house-mates about it. His reaction was "gee Jim, now I can hassle you without ever leaving the house".
This kind of stopped me in my tracks, and after having thought about it a bit, a number of risks seem evident. Basically, any kind of "wrong number" risk can potentially create a serious traffic hazard, as well as resulting in personal annoyance (depending on the mechanism used to re-allow ignition - especially when the user doesn't have a car-phone). You've then got yet another number that you must guard as closely as an ATM code, but which contains significantly more digits to remember (the 1-800 number plus a password-like code), and keeping track of that while keeping it away from others is hard. Plus, a single fault at a pager company can cause large-scale regional traffic disruptions (if the device becomes popular, which it probably will).

Jim

------------------------------

Date: Wed, 30 Dec 1992 17:51:47 EST
From: Marc Rotenberg
Subject: OECD Security Guidelines

The Organization for Economic Cooperation and Development (OECD) has adopted international Guidelines for the Security of Information Systems. The Guidelines are intended to raise awareness of the risks in the use of information systems and to establish a policy framework to address public concerns.

The OECD Security Guidelines should be of special interest to RISKS readers. They are similar in form to the 1980 OECD Privacy Guidelines and will probably have a substantial impact on security policy. Of course, there are lots of issues left open by the Guidelines, including the relationship between privacy and security. But the principles offer a good starting point for public discussion on security and risks-related issues.

A copy of the press release and an excerpt from the Guidelines follows. For additional information or for a copy of the Guidelines, contact Ms. Deborah Hurley, OECD, 2, rue Andre-Pascal, 75775 Paris Cedex 16, France 33-1-45-24-93-71 (tel) 33-1-45-24-93-32 (fax).

Marc Rotenberg, Director, CPSR Washington office and Member, OECD Expert Group on Information System Security
rotenberg@washoc.cpsr.org

=============================================================

OECD ADOPTS GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS

The 24 OECD Member countries on 26th November 1992 adopted Guidelines for the Security of Information Systems, culminating almost two years' work by an OECD expert group composed of governmental delegates, scholars in the fields of law, mathematics and computer science, and representatives of the private sector, including computer and communication goods and services providers and users.

The term information systems includes computers, communication facilities, computer and communication networks and the information that they process. These systems play an increasingly significant and pervasive role in a multitude of activities, including national economies, international trade, government and business operation, health care, energy, transport, communications and education.

Security of information systems means the protection of the availability, integrity, and confidentiality of information systems. It is an international issue because information systems frequently cross national boundaries.

While growing use of information systems has generated many benefits, it has also shown up a widening gap between the need to protect systems and the degree of protection currently in place. Society has become very dependent on technologies that are not yet sufficiently dependable. All individuals and organizations have a need for proper information system operations (e.g. in hospitals, air traffic control and nuclear power plants).

Users must have confidence that information systems will be available and operate as expected without unanticipated failures or problems. Otherwise, the systems and their underlying technologies may not be used to their full potential and further growth and innovation may be prohibited.

The Guidelines for the Security of Information Systems will provide the required foundation on which to construct a framework for security of information systems. They are addressed to the public and private sectors and apply to all information systems. The framework will include policies, laws, codes of conduct, technical measures, management and user practices, and public education and awareness activities at both national and international levels.

Several OECD Member countries have been forerunners in the field of security of information systems. Certain laws and organizational and technical rules are already in place. Most other countries are much farther behind in their efforts. The Guidelines will play a normative role and assist governments and the private sector in meeting the challenges of these worldwide systems. The Guidelines bring guidance and a real value-added to work in this area, from a national and international perspective.

PRINCIPLES

1. Accountability Principle
The responsibilities and accountability of owners, providers and users of information systems and other parties concerned with the security of information systems should be explicit.

2. Awareness Principle
In order to foster confidence in information systems, owners, providers and users of information systems and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices and procedures for the security of information systems.

3. Ethics Principle
Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.

4. Multidisciplinary Principle
Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints, including technical, administrative, organizational, operational, commercial, educational and legal.

5. Proportionality Principle
Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm, as the requirements for security vary depending upon the particular information systems.

6. Integration Principle
Measures, practices and procedures for the security of information systems should be co-ordinated and integrated with each other and with other measures, practices and procedures of the organization so as to create a coherent system of security.

7. Timeliness Principle
Public and private parties, at both national and international levels, should act in a timely co-ordinated manner to prevent and to respond to breaches of information systems.

8. Reassessment Principle
The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.

9. Democracy Principle
The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

[Source: OECD Guidelines for the Security of Information Systems (1992)]

------------------------------

End of RISKS-FORUM Digest 14.20
************************