Subject: RISKS DIGEST 14.79
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 10 August 1993  Volume 14 : Issue 79

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Industrial espionage (Mich Kabay)
Criminal record data leakage and tampering (Mich Kabay)
Billion-dollar tax bills (Mich Kabay)
More data remanence (Mich Kabay)
Pizza RISK (Dale Drew)
Yet another lottery screwup (Reva Freedman)
"Terminal Compromise" by Winn Schwartau, on the Net (A. Padgett Peterson)
ATM modem insecure? (Andrew Marchant-Shapiro)
Jurassic Park Networks (Mich Kabay)
Intrusion Detection workshop (Teresa Lunt)
Computers, Freedom and Privacy (cfp'94) announcement (George Trubow)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome.

CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks.

REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: 27 Jul 93 17:54:16 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: Industrial espionage

Car wars: VW strikes back

BONN (UPI, 27 Aug 1993) -- Volkswagen Tuesday fired back at General Motors, challenging its claims of industrial espionage and suggesting that evidence found by investigators may have been tampered with.

[...]

"This is a battle between two major auto firms against the background of a trade war. We did not start it but we will fight back," Piech said.

The language being used fits right in with the warnings of such experts as Winn Schwartau that information will be the battleground of the new millennium. Interpersonal, intercompany, and international hostilities are already including components of information warfare. In addition to the risks from accident, we must increase our countermeasures to reduce the risks from deliberate sabotage and data leakage.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 29 Jul 93 16:07:36 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: Criminal record data leakage and tampering

Criminal Records, By LAWRENCE L. KNUTSON, Associated Press Writer

WASHINGTON (AP, 29 July 1993) -- Data in the computer files of the FBI's National Crime Information Center is increasingly being misused by law enforcement insiders, often for personal gain, congressional auditors say. Criminal records are being sold to private detectives, lawyers and politicians in defiance of right-of-privacy laws.

The article mentions the following specific cases:

--In Arizona, an angry ex-policeman used FBI databanks to track down and murder a woman.
[actually, his "estranged girlfriend" --- PGN]

--In Pennsylvania, the friend of a drug-dealer used police computers to verify the background of potential new clients (tracking down police undercover agents).

The III file includes 17 million records about criminal histories and is available to 19,000 law enforcement agencies [AGENCIES, not agents!] with over 97,000 terminals able to tap into the system directly.

All the reported abuse was by inside workers, not criminal hackers. The GAO recommended that strong criminal sanctions be instituted to punish misuse of criminal records files.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 29 Jul 93 16:08:18 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: Billion-dollar tax bills

07/28 1143 IRS sends Midwesterners multibillion-dollar tax bills

MINNEAPOLIS (UPI, 28 July, 1993) -- The Internal Revenue Service has some explaining to do. An IRS computer developed a glitch and sent out tax bills for as much as $68 billion to about 1,000 people in Minnesota, Wisconsin, Illinois, Missouri and Iowa.

The IRS was trying to remove the names of Midwest flood victims from its tax rolls. In an unexpected side-effect, other people got enormous random tax bills.

I wonder if we could convince the IRS of the value of quality assurance methodologies if they issued billion-dollar _refunds_ instead of bills?

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 02 Aug 93 06:11:16 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: More data remanence

Canadian Press report on page 1 of _Globe and Mail_ on Monday, 2 Aug 93. Summary follows:

DISK SLIPPED INTO WRONG HANDS. A used hard disk sold to an Edmonton man contained two years of detailed and confidential personnel files about 166 Alberta land-titles employees.
An investigation is to be ordered by the Deputy Justice Minister.

Another example of failing to consider information as an asset requiring protection....

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: Tue, 3 Aug 93 12:24:57 PDT
From: ddrew@Tymnet.COM (Dale Drew)
Subject: Pizza RISK

The RISKs of propagating databases used by companies have been covered many, many times. It is a fairly well known fact that companies are massing great amounts of information on individuals for marketing purposes.

For the past several years, I have been identifying the numerous companies that create, pass, trade, sell, distribute, and correlate my information. During this process I identified several possible RISKs, one of which I thought I'd pass along:

I discovered that an individual was attempting to gain access to my personal information by calling Pizza Hut and attempting to order a pizza under my name. Pizza Hut just happens to maintain a database of all its customers to make deliveries easier. The culprit identified himself as me and ordered a small pizza, and then attempted to verify my mailing address.

Fortunately, I had taken advanced precautions and the information was not accessible. However, it raises the question of identification and authorization when it comes to releasing confidential and/or sensitive information. This process does not exist in the industry, and opens a wide area of exposure for individuals wishing to gain information for whatever use.

It also raises the question of liability. Most companies make no attempt to inform the "end user" that they are collecting "such-and-such" information and intend on using it in "such-and-such" manner; it is up to the individual to go on a mass writing campaign to identify where, exactly, his/her information is, and what it's being used for.
If the information had been released, and was used against me in some manner, would Pizza Hut be liable for that release? Probably not. What motivation do they have in performing identification and authorization checks? Probably nothing.

[I wonder if Pizza Hut would deliver to a PO box?]

Dale Drew, BT North America, Inc., Global Network Security
Business Information Security  (408) 922-6004  ddrew@druid.Tymnet.COM

------------------------------

Date: Fri, 6 Aug 93 14:46:24 CDT
From: Reva Freedman
Subject: Yet another lottery screwup

Even if you're opposed to state lotteries, if we're going to have them, don't you wish they'd design the hardware and software better? Here follows a summary of an incident in Illinois based on a Chicago Tribune article by Peter Kendall (8/4/93, sec. 2, p.3).

The only sure winners of last weekend's $11 million lottery drawing are the lawyers. The other winners are likely to be determined in court.

The story started last week when office worker Carol Stonecipher attempted to buy a lottery ticket from the mini-mart at a Pride Petroleum gas station. She marked off six numbers on a card and handed it to the clerk, who was supposed to stick it into the lottery terminal. But the terminal was temporarily inactive, so the clerk, John Warford, kept re-inserting the card to print Ms. Stonecipher's ticket. When the terminal became active again a few seconds later, it printed out six tickets, one for each stored request.

According to state lottery regulations, the store is required to pay for tickets printed by mistake unless someone else pays for them. The clerk gave Stonecipher the opportunity to buy the extra tickets, but she declined.

None of this would have been of any importance except that Stonecipher holds the only winning number for last weekend's drawing. Stonecipher says that the clerk told her that he was going to invalidate the extra tickets.
Both the mini-mart owners and the clerk are claiming that they are the true owners of the extra tickets.

Gives new meaning to the term "printing money," huh?

Reva Freedman, Dept. of EECS, Northwestern University, Evanston, IL

------------------------------

Date: Thu, 22 Jul 93 10:06:17 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: "Terminal Compromise" on the Net

Though commercial in nature, I find this an important announcement since the novel is an excellent read about potential RISKS of widespread computer use and possible terrorism attacks AND since it is available electronically (ARCHIE found the 617K/560 page novel at knot.queensu.ca as /wuarchive/doc/misc/termcomp.zip. More sites are probably available by now). Note that the novel also predates (1991) "Rising Sun".

Padgett

!!!!POST EVERYWHERE!!!!

THE WORLD'S FIRST NOVEL-ON-THE-NET (tm) SHAREWARE!!!
By Inter.Pact Press

"TERMINAL COMPROMISE" by Winn Schwartau
A high tech thriller that comes from today's headlines!

"The Tom Clancy of computer security."
Assoc. Prof. Dr. Karen Forcht, James Madison University

"Terminal Compromise" is a highly praised novel about the invasion of the United States by computer terrorists. Since it was first published in conventional print form (ISBN: 0-962-87000-5) it has sold extremely well world-wide, but then again, it never hit the New York Times Bestseller List either. But that's OK, not many do.

Recently, someone we know very well came up with a real bright idea. They suggested that INTER.PACT Press take the unprecedented, and maybe slightly crazy, step to put "Terminal Compromise" on the Global Network, thus creating a new category for book publishers. The idea is to offer "Terminal Compromise," and perhaps other titles, at NOVEL-ON-THE-NET SHAREWARE(tm) rates to millions of people who just don't spend a lot of time in bookstores. After discussions with dozens of people - maybe even more than a hundred - we decided to do just that.
We know that we're taking a chance, but we've been convinced by hackers and phreakers and corporate types and government representatives that putting "Terminal Compromise" on the net would be a fabulous step forward into the Electronic Age (Cyberspace if you will) and would encourage other publishers to take advantage of electronic distribution. (It's still in the bookstores, though.)

NOVEL-ON-THE-NET SHAREWARE Fees For The People:

The suggested donation for individuals is $7. If you hate Terminal Compromise after reading it, then only send $6.50. If you're really, really broke, then tell a hundred other people how great it was, send us a rave review and post it where you think others will enjoy reading it, too. If you're only a little broke, send a few dollars. After all, this is how we stay in business.

With each registration, we will also send a FREE! issue of "Security Insider Report," a monthly security newsletter also published by Inter.Pact Press.

Please forward all NOVEL-ON-THE-NET SHAREWARE fees to:

INTER.PACT PRESS
11511 Pine St. N.
Seminole, FL., 34642

Communications:
Phn: 813-393-6600
Fax: 813-393-6361
E-Mail: p00506@psi.com
        wschwartau@mcimail.com

[Archie only reported TERMCOMP.ZIP at knot.queens.ca but the opening screen there recommends that outsiders use wuarchive.wustl.edu. I can verify that right now it is there as /doc/misc/termcomp.zip . Padgett]

------------------------------

Date: 22 Jul 93 13:40:00 EST
From: "MARCHANT-SHAPIRO, ANDREW"
Subject: ATM MODEM INSECURE?

Hey, how hard can it be to break into an ATM? It's easier than you think...

Today, needing a little cash, I wandered over to the College Center (nope, they don't call it a UNION here) to use the ATM. To my surprise, there was a little box sitting on top of the ATM with a lot of blinking lights -- a modem. A General Datacom NMS 2400, to be specific. It had a standard DB-25 on the back and was plugged into the ATM's serial port.
I should note that I've been out of town for a couple of months, and, when I left, there was no modem sitting on top of the box like that. So this MAY be temporary (let's hope).

Anyway. I do not believe that this modem is a secure device... It had no obvious security system, and there was no one around watching. Had I needed a 2400 baud modem, I could have picked it up and walked away with it (it wasn't screwed down). Far more interesting, however, would be the possibility of opening the box while it was running, attaching a wire or two, and getting a nice record of the codes sent from and received by the ATM. I didn't do it, of course.

I suppose there must be some kind of internal security in the ATM so that it will only dispense cash when it has a card in place (I don't know much about how they work), but it scares me to realize just how unsecure the link really is. For a few dollars, I could have had a printout (or a file) of the data stream between the ATM and its masters. Even if the stream were encoded, it would be a simple matter to watch what was being done by ATM customers and match it to the codes.

I had been getting complacent about RISKs lately -- "oh, yeah, another scare story about (phones, ATMs, aircraft, you name it)." Maybe it shouldn't, but this shook me out of that.

Again an avid reader...

Andrew Marchant-Shapiro
Depts of Sociology and Political Science
USmail: Union College, Schenectady NY 12308
AT&T: (518) 388-6225*
INTERNET: marchana@gar.union.edu
BITNET: marchana@union.bitnet

------------------------------

Date: 29 Jul 93 16:09:39 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: Jurassic Park Networks

The following text is Copyright (c) 1993 by Network World. All rights reserved. Permission is granted by the copyright holder and the author to distribute this file electronically or otherwise as long as the entire file is printed without modification (other than cosmetic or formatting changes).
The following is the text as submitted to Network World. It was slightly edited and then published as "Jurassic Park's net security policies are prehistoric," _Network World_ 10(30):89 [26 July 93].

Velocihackers and Tyrannosaurus superior

by M. E. Kabay, Ph.D., Director of Education
National Computer Security Association
10 South Courthouse Avenue, Carlisle, PA 17013
Tel 717-258-1816  Fax 717-243-8642

The current hit movie "Jurassic Park" stars several holdovers from 65 million years ago. It also shows errors in network security that seem to be as old.

For those of you who have just returned from Neptune, "Jurassic Park" is about a dinosaur theme park that displays live dinosaurs created after scientists cracked extinct dinosaur DNA code recovered from petrified mosquitos. The film has terrific live-action dinosaur replicas and some heart-stopping scenes. It also dramatizes awful network management and security. Unfortunately, the policies are as realistic as the dinosaurs.

Consider a network security risk analysis for Jurassic Park. The entire complex depends on computer-controlled electric fences and gates to keep a range of prehistoric critters from eating the tourists and staff. So at a simple level, if the network fails, people turn into dinosaur food.

Jurassic Park's security network is controlled by an ultramodern Unix system, but its management structures date from the Stone Age. There is only one person who maintains the programs which control the security network. This breaks Kabay's Law of Redundancy, which states, "No knowledge shall be the property of only one member of the team." After all, if that solitary guru were to leave, go on vacation, or get eaten by a dinosaur, you'd be left without a safety net.

Jurassic Park's security system is controlled by computer programs consisting of two million lines of proprietary code. These critical programs are not properly documented. An undocumented system is by definition a time bomb.
In the movie, this bomb is triggered by a vindictive programmer who is angry because he feels overworked and underpaid. One of the key principles of security is that people are the most important component of any security system. Disgruntled and dishonest employees cause far more damage to networks and computer systems than hackers.

The authoritarian owner of the Park dismisses the programmer's arguments and complaints as if owning a bunch of dinosaurs gives him the privilege of treating his employees rudely. He pays no attention to explicit indications of discontent, including aggressive language, resentful retorts, and sullen expressions. If the owner had taken the time to listen to his employee's grievances and take steps to address them, he could have prevented several dinosaur meals.

Bad housekeeping is another sign of trouble. The console where the disgruntled programmer works looks like a garbage dump; it's covered in coffee-cup fungus gardens, historically significant chocolate bar wrappers, and a treasure trove of recyclable soft drink cans. You'd think that a reasonable manager would be alarmed simply by the number of empty calories per hour being consumed by this critically important programmer. The poor fellow is so overweight that his life expectancy would be short even if he didn't become dinosaur fodder.

Ironically, the owner repeats, `No expense spared' at several points during the movie. It doesn't seem to occur to him that with hundreds of millions of dollars spent on hardware and software--not to mention the buildings and grounds and an entire private island--modest raises for the staff would be trivial in terms of operating expenses but significant for morale.

In the movie, the network programmer is bribed by competitors to steal dinosaur embryos. He does so by setting off a logic bomb that disrupts network operations completely.
The network outage causes surveillance and containment systems to fail, stranding visitors in, well, uncomfortable situations. Even though the plot is not exactly brilliant, I'd like to leave at least something to surprise those who haven't seen the movie yet.

When the systems fail, for some reason all the electric locks in the park's laboratory are instantly switched to the open position. Why aren't they automatically locked instead? Normally, when a security controller fails, the default should be to keep security high, not eliminate it completely. Manual overrides such as crash bars (the horizontal bars that open latches on emergency exits) can provide emergency egress without compromising security.

As all of this is happening, a tropical storm is bearing down on the island. The contingency plan appears to consist of sending almost everyone away to the mainland, leaving a pitifully inadequate skeleton crew. The film suggests that the skeleton crew is not in physical danger from the storm, so why send essential personnel away? Contingency plans are supposed to include redundancy at every level. Reducing the staff when more are needed is incomprehensible.

At one point, the systems are rebooted by turning the power off to the entire island on which the park is located. This is equivalent to turning the power off in your city because you had an application failure on your PC. Talk about overkill: why couldn't they just power off the computers themselves?

Where were the DPMRP (Dinosaur Prevention, Mitigation and Recovery Planning) consultants when the park was being designed? Surely everybody should know by now that the only way to be ready for dinosaurs, uh, disasters, is to think, plan, rehearse, refine and update. Didn't anyone think about what would happen if the critters got loose? Where are the failsafe systems? The uninterruptible power supplies? The backup power generators? Sounds like Stupidosaurians were in charge.
We may be far from cloning dinosaurs, but we are uncomfortably close to managing security with all the grace of a Brontosaurus trying to type. I hope you see the film. And bring your boss.

Best wishes,

Mich

Michel E. Kabay, Ph.D.
Director of Education
National Computer Security Association

------------------------------

Date: Thu, 5 Aug 93 11:05:26 -0700
From: Teresa Lunt
Subject: Intrusion Detection workshop

TWELFTH INTRUSION DETECTION WORKSHOP
CALL FOR PARTICIPATION

SRI is holding a one-day workshop on intrusion detection at the Baltimore Convention Center in Baltimore MD on Thursday, September 23, 1993, which is the final day of the 15th National Computer Security Conference. This will be the twelfth in a series of intrusion-detection workshops. The NCSC conference organizers have kindly provided us with a room at the convention center.

If you and/or your colleagues wish to attend, please let us know using the attached reply form. For other questions, please call Liz Luntzel at 415-859-3285 or send us a fax at 415-859-2844 or email at luntzel@csl.sri.com.

The workshop will consist of several short presentations as well as discussion periods. To help me in preparing the agenda, I would be interested in knowing whether you have any progress to report on an intrusion-detection project or some related work that would be appropriate for a brief presentation. If so, please indicate the title and a paragraph describing your proposed talk on the enclosed form. Please also indicate there your suggestions for discussion topics.

Please mail the completed form to Liz Luntzel at the address below:

Liz Luntzel EL250
SRI International
Computer Science Laboratory
333 Ravenswood Avenue
Menlo Park, California USA 94025

You may also email the completed form to: luntzel@csl.sri.com

There is no charge for the workshop, and meals are not included. There are numerous places in the surrounding Baltimore Harbor area for breakfast and lunch.
The workshop will begin at 9am and will conclude at 4pm. At the request of the organizers of the National Computer Security Conference, we will break at 11am to allow you to attend the closing plenary session of the conference, and resume at 2pm after lunch.

I look forward to seeing you at the workshop!

Teresa Lunt
lunt@csl.sri.com

------------------------------ cut here ---------------------------------

TWELFTH INTRUSION DETECTION WORKSHOP

Yes! I will attend the Intrusion-Detection Workshop September 23 at the Baltimore Convention Center.

Please complete the following:

Name:
Title:
Affiliation:
Address:

Indicate one: I am / am-not interested in presenting a talk.

If you are interested, please complete the following:

Title of Proposed Talk:
Abstract:

Suggestions for Discussion Topics:

------------------------------

Date: Wed, 4 Aug 1993 10:51:52 -0700
From: /G=G/S=TRUBOW/O=COMPMAIL/ADMD=TELEMAIL/C=US/@sprint.com
Subject: cfp'94 announcement

Conference Announcement
Computers, Freedom, and Privacy 1994
23-26 March 1994

The fourth annual conference, "Computers, Freedom, and Privacy," (CFP'94) will be held in Chicago, Il., March 23-26, 1994. The conference is hosted by The John Marshall Law School; George B. Trubow, professor of law and director of the Center for Informatics Law at John Marshall, is general chair of the conference. (E-Mail: 7trubow@jmls.edu). The program is sponsored jointly by these Association for Computing Machinery (ACM) Special Interest Groups: Communications (SIGCOMM); Computers and Society (SIGCAS); Security, Audit and Control (SIGSAC).

The advance of computer and communications technologies holds great promise for individuals and society. From conveniences for consumers and efficiencies in commerce to improved public health and safety and increased participation in government and community, these technologies are fundamentally transforming our environment and our lives.
At the same time, these technologies present challenges to the idea of a free and open society. Personal privacy is at risk from invasions by high-tech surveillance and monitoring; a myriad of personal information data bases expose private life to constant scrutiny; new forms of illegal activity may threaten the traditional barriers between citizen and state and present new tests of Constitutional protection; geographic boundaries of state and nation may be recast by information exchange that knows no boundaries in global data networks.

CFP'94 will present an assemblage of experts, advocates and interest groups from diverse perspectives and disciplines to consider freedom and privacy in today's "information society."

A series of preconference tutorials will be offered on March 23, 1994, with the conference program beginning on Thursday, March 24, and running through Saturday, March 26, 1994.

The Palmer House, a Hilton hotel located in Chicago's "loop," and only about a block from The John Marshall Law School, is the conference headquarters. Room reservations should be made directly with the hotel after September 1, 1993, mentioning John Marshall or "CFP'94" to get the special conference rate of $99.00, plus tax.

The Palmer House Hilton
17 E. Monroe., Chicago, Il., 60603
Tel: 312-726-7500; 1-800-HILTONS; Fax 312-263-2556

Communications regarding the conference should be sent to:

CFP'94
The John Marshall Law School
315 S. Plymouth Ct.
Chicago, IL 60604-3907
(Voice: 312-987-1419; Fax: 312-427-8307; E-mail: CFP94@jmls.edu)

CALL FOR CFP'94 PARTICIPATION AND PROGRAM SUGGESTIONS

It is intended that CFP'94 programs will examine the potential benefits and burdens of new information and communications technologies and consider ways in which society can enjoy the benefits while minimizing negative implications.
Proposals are requested from those who desire to present an original paper in a relevant area of technology, policy analysis or law, or to suggest a program presentation. Any proposal (1) should not exceed three typewritten double-spaced pages; (2) must state the title of the paper or program; (3) briefly describe its theme and content; and (4) set out the name, address, credentials and experience of the author or suggested speakers. If a proposed paper has already been completed a copy should be attached to the proposal.

STUDENT PAPER COMPETITION

Full time college or graduate students are invited to enter the student paper competition. Papers must not exceed 2500 words and should address the impact of computer and telecommunications technologies on freedom and privacy in society. Winners will receive a scholarship to attend the conference and present their papers. All papers should be submitted by November 1, 1993 (either as straight text via e-mail or 6 printed copies) to:

Prof. Eugene Spafford
Department of Computer Science
Purdue University
West Lafayette, IN 47907-2004
E-Mail: spaf@cs.purdue.edu; Voice: 317-494-7825

REGISTRATION

Registration information and fee schedules will be announced by September 1, 1993. Inquiries regarding registration should be directed to RoseMarie Knight, Registration Chair, at the JMLS address above; her voice number is 312-987-1420.

------------------------------

End of RISKS-FORUM Digest 14.79
************************