Subject: RISKS DIGEST 14.66
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 1 June 1993  Volume 14 : Issue 66

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Possible RISK in data retrieval? (Dale Drew)
X application to finger (Nandakumar Sankaran)
Re: Fake ATM Machine Steals PINs (Brinton Cooper)
COMPASS '93 ANNOUNCEMENT (14-17 June) (Dolores Wallace) [Extended Early Reg]

  The RISKS Forum is a moderated digest discussing risks; comp.risks is its
  Usenet counterpart.  Undigestifiers are available throughout the Internet,
  but not from RISKS.  Contributions should be relevant, sound, in good taste,
  objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
  welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive
  "Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
  The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
  especially .UUCP folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.
  Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
  CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 14, j always TWO digits).  Vol i
  summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
  The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
  <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
  For information regarding delivery of RISKS by FAX, phone 310-455-9300
  (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com).
  ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
  Relevant contributions may appear in the RISKS section of regular issues
  of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 20 May 93 12:26:27 PDT
From: d44758@druid.Tymnet.COM (Dale Drew)
Subject: Possible RISK in data retrieval?
Has anybody seen this?  I can foresee many potential risks in an on-line data
retrieval system involving Probationers.  How do the Probation Officers call in
to check or (:gasp:) update their data?  I've asked BI Inc., but have not
heard a reply:

BOULDER, Colo., May 12 /PRNewswire/ -- BI Inc. (NASDAQ-NMS: BIAC), the
nation's leading provider of electronically monitored systems for corrections,
today announced receipt of notification from the United States Patent Office
of issuance of a patent to BI on April 20, 1993.  BI's newly granted patent
includes the application presented in the BI PROFILE(TM) automated
administrative caseload management system.

At no cost to corrections agencies, BI PROFILE provides automated
administrative caseload management via a computer located at BI Monitoring
Corp.'s central station.  Probationers are assigned individual PIN numbers and
security passwords, and required to call a 900 number once a month to report
any administrative changes.  BI's computer asks the callers a series of
questions (i.e., change in home telephone number, address, employment, etc.).
Each call placed averages 2 or 3 minutes in duration and is charged to the
probationer's home telephone bill.

Considered exception reporting, BI PROFILE only provides reports to
corrections agencies if probationers fail to call in on their pre-assigned
monthly date or if any status changes are reported during the calls.  Prior to
BI PROFILE, administrative caseload management of probationers has been via a
manual system which has put a significant burden on corrections agencies as
the number of probationers continues to rise at the federal, state and local
levels.

Additional options available on BI PROFILE are features to insure that
probationers are calling from the designated telephone number, that
probationers have not previously called in for the month, collection of
monthly probation supervision fees and 800 telephone service for the indigent
population.  BI has additional patents pending on these and other BI PROFILE
options as well.

BI PROFILE services are offered to the corrections market by BI through its
wholly owned subsidiary, BI Monitoring Corp. (BIMCORP).  "BI PROFILE is
another service offering from BI Monitoring Corporation that is the direct
result of BI's strategy to expand its recurring revenue base," said John K.
Fulda, Jr., BI's corporate vice president in charge of BI Monitoring.  "We
believe that the BI PROFILE family of services offers tremendous growth
potential for BI Monitoring Corporation in the years ahead," he concluded.

CONTACT: Joanna Manley of BI, 303-530-2911; or Tom Dean of Innovative
Research, 212-421-2543, for BI

[Dale Drew, Sr. Information Security Specialist, BT North America, Inc.
(408) 922-6004  d44758@druid.Tymnet.COM]

------------------------------

Date: Fri, 21 May 93 13:54:00 EDT
From: nandu@cs.clemson.edu
Subject: X application to finger

Here is an interesting episode.  I run an X application (public domain) that,
given a list of remote sites and a list of userids, periodically "finger"s the
sites, searching to see if the named users are logged on.  If yes, they are
updated on a small screen window.  Following is a mail I received from the
security officer at one of the sites...  It was interesting to note that sys
admins *are* on the lookout for even those minor chances of hacking

-------- The mail --------

I assume since you're logged into the console, you have some responsibility
for machine.cs.univ.edu:

It appears that somebody may have cracked your system, and is using it as a
base to attempt to break into other systems: every six minutes, some process
on your machine contacts the finger daemon on cs.anotheruniv.edu and attempts
to see who is logged on.  This is generally taken as an attempt to extract
usernames, preparatory to hacking the system.  Strangely, this seems to be
correlated to your being logged in.  It appears to have started on May 12th.
I've ignored it before now since until this point it has been only a minor
annoyance.

We would appreciate your looking into this matter, and seeing that it ceases.

Nandakumar Sankaran, Graduate Student, Computer Science Department
G34, Jordan Hall, Clemson University, Clemson, SC 29634
(803) 656 6979  nandu@cs.clemson.edu

------------------------------

Date: Wed, 19 May 93 17:13:49 EDT
From: Brinton Cooper
Subject: Re: Fake ATM Machine Steals PINs

describes the now-well-known fake ATM scam for capturing account and PIN
numbers for subsequent forging in order to relieve consumers of the burden of
large account balances.  Recall that the ATM "scam artists" obtained
permission from officials of the shopping Mall where the scam took place.
He asks, "How are you supposed to stop this new trick???"

Like many RISKS, you don't "stop" the trick but you minimize the RISK:

1. You needn't be the first in your block to use the new ATM.

2. Watch for announcements from your bank or credit union of new locations.
   Our credit union announces in its newsletter *every* new ATM which it
   owns/installs (i.e., where members pay no fee for access).  One could have
   been suspicious of the (around here) then-uncommon installation in local
   groceries, but they were announced as mentioned.

3. You could always phone the bank whose name appears on the ATM.  If there's
   no name, who's running the machine?

_Brint

------------------------------

Date: Tue, 1 Jun 93 11:37:52 EDT
From: Dolores Wallace
Subject: COMPASS '93 ANNOUNCEMENT

[FOR SOME REASON THE CONFERENCE MANAGEMENT DID NOT SEND THIS ANNOUNCEMENT TO
RISKS UNTIL 1 JUNE, WHICH IS AFTER THE ANNOUNCED DEADLINE FOR DISCOUNTED
REGISTRATION.  Karen Ferraiolo (see below) has agreed to give a special deal
to RISKS SUBSCRIBERS, SO THAT YOU MAY REGISTER UNTIL THE END OF THIS WEEK AT
THE REDUCED RATE.  However, she asks that you let her know ASAP.
We do not generally run conference announcements in full, but in light of the
closeness of the date and the special consideration for RISKS readers, it
seemed appropriate.  This conference has always been closely related to the
RISKS subject matter.  PGN]

                                COMPASS '93
              Eighth Annual Conference On Computer Assurance:
          Systems Integrity, Software Safety, and Process Security

                             June 14-17, 1993
                             Gaithersburg, MD

                        U.S. Department of Commerce
                         Technology Administration
               National Institute of Standards and Technology

COMPASS Sponsors        IEEE Aerospace and Electronics Systems Society
                        IEEE National Capital Area Council

In Cooperation with     British Computer Society

Conference Sponsors     Arca Systems, Inc.
                        ARINC Research Corporation
                        Control Systems Analysis, Inc.
                        CTA, Inc.
                        IBM
                        Logicon, Inc.
                        National Institute of Standards and Technology
                        Naval Research Laboratory
                        Naval Surface Warfare Center
                        Systems Safety Society
                        TRW Systems Division
                        U.S. General Accounting Office

The goal of COMPASS, an acronym formed from COMPuter ASSurance, is to advance
the theory and practice of the creation and use of critical systems through
the medium of scientific and engineering meeting and publications.  COMPASS
expresses the idea of "Pointing the Way" and of "enCOMPASSing" many
technologies and technical disciplines.  The logo, a variation of yin-yang
overlaying a compass rose, symbolizes both of these ideas.  We invite you to
participate in COMPASS activities and increase the benefits of COMPASS.

Monday, 14 June 1993
--------------------
 8:00 am            Registration Opens
 9:00 am - 4:00 pm  Tutorials (Parallel Sessions)

1. "Formal Methods with Automated Support Using PVS", John Rushby, SRI
   International

   This tutorial provides an introduction to formal methods with special
   focus on the use of automated support tools such as PVS, a Prototype "next
   generation" Verification System that attempts to provide the benefits of
   powerful and effective automation for an expressive specification
   language.  Worked examples will be demonstrated "live" and include
   examples from hardware design, fault tolerance, and real-time.

2. "Federal Criteria (New Orange Book)", Janet Cugini, NIST

   This tutorial, on the preliminary draft of the Federal Criteria for
   Information Technology Security, will cover background, future work,
   protection profiles, TCB functional components, development assurance
   requirements, and evaluation assurance requirements.  It includes
   constructing a protection profile and the seven defined protection
   profiles.

Tuesday, 15 June 1993
---------------------
 8:00 am   Registration Opens
 9:00 am   Welcome
           James H. Burrows, Director, Computer Systems Laboratory, NIST
           Opening Remarks
           Judith Bramlage, COMPASS '93 General Chair
 9:15 am   Program Information
           John J Marciniak, COMPASS '93 Program Chair
 9:30 am   Keynote
           Peter Neumann, SRI International
           "Myths of Dependable Computing: Shooting the Straw Herrings in
           Midstream"
10:30      Break
11:00 am   Technical Session 1  "Verification Technology"
           Moderator: Connie Heitmeyer, Naval Research Laboratory
           "A Tool for Reasoning about Software Models",
             Sidney Bailin, CTA, Inc.
           "An Incremental Protocol Verification Method for ECFSM-based
             Protocols", C. Huang, National Cheng Kung University
           "A Verifier for Distributed Real-Time Systems with Bounded Integer
             Variables", Farn Wang and Al Mok, University of Texas
 1:00 pm   Lunch
 2:00 pm   Special Topics (Invited talks)
           Moderator: Peter Neumann
           "Global Protection against Limited Strikes (Trusted Software
             Methodology)", Carol Taylor, National Security Agency
           "Application of the High Trust Process Model to Complexity
             Management and System Architecture in the SDI", John McHugh,
             University of North Carolina, and Greg Chisholm, Argonne
             National Laboratory
 3:00 pm   Break
 3:30 pm   Special Topics continued
           "Using Ada in Secure Systems", Roberta Gotfried, Hughes Aircraft
             Company
           "A Risk-Based Approach to Cost-Benefit Analysis of Software Safety
             Activities", Stephen C. Fortier, Intermetrics, and James Bret
             Michael, Argonne National Laboratory
 4:30      Adjourn from NIST
 7:00 pm   Birds of a Feather (Parallel Sessions; held at Marriott)
           "Processes (Capability Maturity Model)", John Baumert, CSC
           "Standards for Formal Methods", Roger Fujii, Logicon, Inc.
           (Dessert will be provided)

Wednesday, 16 June 1993
-----------------------
 8:00 am   Registration Opens
 9:00 am   Keynote Address
           Rona Stillman, Chief Scientist, U.S. GAO
10:00 am   Break
10:30 am   Technical Session 2  "Reliability Measurement"
           Moderator: Reginald Meeson, Institute for Defense Analyses
           "Rare Conditions - An Important Cause of Failures", Herb Hecht,
             SoHaR, Inc.
           "Experimental Evidence of Sensitivity Analysis Predicting Minimum
             Failure Probabilities", Jeffrey Voas, Jeffrey Payne, and Chris
             Michael, Reliable Software Technologies, Corp. and Keith Miller,
             College of William and Mary
           "Assigning Probabilities for Assurance in MLS Data Base Design",
             Lucien Russell, Argonne National Laboratory
 1:00 pm   Lunch
 2:00 pm   Technical Session 3  "System Safety"
           Moderator: Michael L. Brown, Naval Surface Warfare Center
           "Risk and System Integrity Concepts for Safety-Related Control
             Systems", Ron Bell, Health and Safety Executive (UK)
           "Identifying Generic Safety Requirements", Jarrellann Filsinger,
             Booz-Allen & Hamilton and J.E. Heaney, The Mitre Corporation
           "Software Safety and Program Slicing", Keith B. Gallagher, Loyola
             College and NIST, and James R. Lyle, NIST
 3:30 pm   Break
 4:00 pm   Debate
           Moderator: Emilie J. Siarkiewicz, Rome Laboratory
           Resolved: "Productivity & Techniques of Assurance Can Co-exist"
           Debaters: Peter Neumann (SRI), Charles Bonneau (Mitre), Phil
             Parker (CTA, Inc.), John McHugh (UNC), and Jon Dehn (IBM)
 5:00 pm   Adjourn
 6:30 pm   Banquet (at Marriott Hotel)
           Speaker: Dorothy Denning, Georgetown University

Thursday, 17 June 1993
----------------------
 8:00 am   Registration Opens
 9:00 am   Technical Session 4  "Management and Developmental Issues"
           Moderator: Charles Payne, NRL
           "Developing Secure Systems in a Modular Way", Qi Shi and John
             McDermid, University of York
           "On Security Policy Modeling", James Freeman, CTA, Inc.
           "Management Aspect of Software Safety", Stephen Cha, Aerospace
             Corporation
10:30 am   Break
11:00 am   Panel 1  "Developing Standards and Issues"
           Moderator: Dolores Wallace, NIST
           "MIL-STD-SDD (Software Development and Documentation)", Raghu
             Singh, SPAWAR, U.S. Navy
           "Software Safety Standards - A European Perspective", Robin
             Bloomfield, Adelard
           "ISO 9000 Standards", Taz Daughtrey, Babcock & Wilcox
           "MIL-STD-882C", Michael L. Brown, Naval Surface Warfare Center
 1:00 pm   Lunch
 2:00 pm   Panel 2  "Results of Workshops/Studies"
           Moderator: H.O. Lubbes, Naval Research Laboratory
           "Mitre Critical Assurance Workshop", Chuck Howell, Mitre
             Corporation
           "An International Survey of the Industrial Applications of Formal
             Methods", Susan Gerhart, National Science Foundation
           "Federal Criteria (Report on Comments Workshop)", Eugene Troy, NIST
 3:30 pm   Awards and Closing Ceremony

Location
--------
NIST, located in Gaithersburg, MD, is approximately 25 miles northwest of
Washington, D.C.  The meeting will be held in the Green Auditorium of the
Administration Building.

Social Functions
----------------
Birds of a Feather (Dessert) will be held at the Gaithersburg Marriott on
Tuesday, June 15th at 7:00 pm.  A banquet with a cash bar and banquet speaker
will be held at the Gaithersburg Marriott on Wednesday, June 16th at 6:30 pm.
Transportation
--------------
BWI Limo, 301/441-2345, offers commercial van service from Baltimore-Washington
Airport to Gaithersburg area.  Call for reservations.  Airport Transfer Van
Service, 301/948-4515, is available from Dulles International and Washington
National Airports to Gaithersburg.

The Washington Metro has subway service to Gaithersburg.  Metro can be boarded
at Washington National Airport.  Take a Yellow Line train marked "Mount Vernon
Square" to Gallery Place and transfer to a Red Line train marked "Shady Grove"
to Shady Grove.  Service is every 6 to 15 minutes depending on the time of
day.  The Shady Grove station is approximately four miles from the Marriott
Hotel.  Contact Marriott for shuttle information.

Accommodations
--------------
Conference registration does not include your hotel reservation.  A block of
rooms has been reserved at the Gaithersburg Marriott Hotel, 620 Perry Parkway,
Gaithersburg, MD 20877.  The hotel phone number is 301/977-8900.  The special
room rate is $70.00 single or double.  To register for a room, please use the
enclosed hotel reservation form and send it directly to the hotel no later
than May 31, 1993.  After that date the rooms will be released for general
sale at the prevailing rates of the hotel.  [PERHAPS KAREN CAN HELP NEGOTIATE
A LATER DATE HERE... PGN]

Registration     Karen Ferraiolo
Information      COMPASS '93 Registration
Contact          Arca Systems, Inc
                 8229 Boone Blvd, Suite 610
                 Vienna, VA 22172
                 Phone: 703/734-5611
                 Fax: 703/790-0385

Technical        Judith Bramlage
Information      U.S. General Accounting Office
Contact          441 G Street NW
                 Washington, DC 20548
                 Phone: 202/512-6210
                 Fax: 202/512-6451

Driving Instructions
--------------------
From northbound I-270 take Exit 10, Rt. 117 West, Clopper Road.  At the first
light on Clopper Road, turn left on to the NIST grounds.

From Southbound I-270 take Exit 11B, Route 124 West, Quince Orchard Road.  At
the second light turn left on to Clopper Road.  At the first light on Clopper
Road, turn right on to the NIST grounds.

To reach the Administration Building, turn left after passing the guard
office.  Signs will direct you to visitor parking.

Transportation will be provided to and from the Gaithersburg Marriott and NIST
Monday through Thursday.

==============================

Conference Registration Card

Advance Registration (Before 30 May 1993) [4 JUNE FOR RISKS READERS]

Conference Registration (includes 1 copy of proceedings)_____
Proceedings Only _____
Extra Proceedings _____ copies _____
Tutorial #1 - Formal Methods _____
Tutorial #2 - Federal Criteria _____

Name_________________________________________________________
Company______________________________________________________
Street Address_______________________________________________
Rm. No./Mail Code____________________________________________
City, State, ZIP_____________________________________________
Country______________________________________________________
Business Telephone___________________________________________
IEEE Membership Nbr__________________________________________
Co-Sponsor Name______________________________________________
Total Amount US $____________________________________________

_____ Check here if you will be using the shuttle to and from the Marriott
      and NIST (free!).

Form of Payment
_____ Check enclosed made payable to COMPASS '93.
      (Checks from outside the USA must be written on a USA bank.)
_____ MasterCard No.________________________Exp._____
_____ VISA Card No._________________________Exp._____
_____ Diners Club No._______________________Exp._____
_____ American Express No.__________________Exp._____

Authorized Signature_________________________________________

Requests for refunds after 30 May 1993 will be subject to a $15 administrative
fee.  See below for registration fees and mailing instructions.

"In reviewing the Institute for Electrical and Electronics Engineers' plans
for COMPASS Conferences, The Assistant Secretary of Defense (Public Affairs)
finds this event meets the standards for participation by DoD personnel under
instruction 5410.20 and DoD Standards of Conduct Directive 5500.7.  This
finding does not constitute DoD endorsement of attendance which must be
determined by each DoD component."

Registration Fees
NOTE: Members belong to sponsoring or cosponsoring organizations.

Advanced (before 30 May 1993) [4 JUNE FOR RISKS READERS]
-----------------------------
                                      Speakers,
                            Non-      One-Day &
                  Members   Members   Students
Conference          250       315       100
Tutorial             50        70        50
Proceedings Only     20        30        20

On-Site (after 30 May 1993) [4 JUNE FOR RISKS READERS]
---------------------------
                                      Speakers,
                            Non-      One-Day &
                  Members   Members   Students
Conference          300       375       100
Tutorial             70        90        50
Proceedings Only     20        30        20

Fee includes coffee breaks, lunches, and social functions

Place Conference Registration Card in envelope and mail to :
     Karen Ferraiolo
     COMPASS '93 Registration
     Arca Systems, Inc
     8229 Boone Blvd, Suite 610
     Vienna, VA 22172
     Phone: 703/734-5611
     Fax: 703/790-0385

==============================

Hotel Registration Card
Marriott Hotel, 301/977-8900

Name________________________________________________________
Company_____________________________________________________
Street Address______________________________________________
Rm. No./Mail Code___________________________________________
City, State, ZIP____________________________________________
Country_____________________________________________________
Business Telephone__________________________________________
Arrival Date________________________________________________
Departure Date______________________________________________
Number of Persons___________________________________________

Rate $70 single or double (apply 12% tax to rate).  All reservations must be
received by 30 May 1993.  All room reservations must be guaranteed by a
one-night deposit.  Deposit will guarantee first night availability, and will
be credited to last night of reservation.  Deposit refunded if request
received 48 hours prior to reserved arrival.

Form of Payment
_____ Check enclosed made payable to The Gaithersburg Marriott
_____ One night deposit enclosed $___________________
Guaranteed by_______________________________________Exp._____
Card No._____________________________________________________
Authorized Signature_________________________________________

Please place in envelope and mail to:
     The Gaithersburg Marriott
     620 Perry Parkway
     Gaithersburg, MD 20877

==============================

Board of Directors
------------------
Chair:       Dolores R. Wallace, NIST
Vice-Chair:  Anthony Shumskas, Logicon, Inc.
Treasurer:   Dario DeAngelis, Logicon, Inc.
Secretary:   Michael L. Brown, Naval Surface Warfare Center
IEEE AESS:   Robert Ayers, ARINC, Inc.
IEEE NCAC:   Arthur Cotts
Members:     Judy Bramlage, U.S. General Accounting Office
             John Cherniavsky, National Science Foundation
             Frank Houston, Weinberg Associates
             H.O. Lubbes, Naval Research Laboratory
             Juan Zumbado, IBM

Conference Committee
--------------------
General Chair:  Judith L. Bramlage, U.S. General Accounting Office
Program Chair:  John J. Marciniak, CTA, Inc.
Arrangements:   Laura M. Ippolito, NIST
Publications:   Ann Boyer, Control Systems Analysis
Publicity:      Paul Anderson, Space and Naval Warfare Systems Command
Registration:   Karen Ferraiolo, Arca Systems, Inc.
Treasurer:      Bonnie P. Danner, TRW Systems Division
Tutorials:      Michael L. Brown, Naval Surface Warfare Center

Program Committee
-----------------
Paul Ammann, George Mason University
Michael L. Brown, Naval Surface Warfare Center
Albert Mo Kim Cheng, University of Houston
Jarrellann Filsinger, Booz-Allen & Hamilton
John J. Marciniak, CTA, Inc.
Reginald N. Meeson, Jr, Institute for Defense Analyses
Matthew Morgenstern, Xerox Design Research Institute
Adam Porter, University of Maryland
James Purtilo, University of Maryland
Marvin Schaefer, CTA, Inc.
Cynthia Wright, Defense Information Systems Agency
Tony Zawilski, The Mitre Corporation

------------------------------

End of RISKS-FORUM Digest 14.66
************************