Subject: RISKS DIGEST 15.35 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Weds 22 December 1993 Volume 15 : Issue 35 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: [HAPPY HOLIDAYS!!!] Airport lessons for InfoSec (Mich Kabay) Sham CD-ROMs (Mich Kabay) Smart Cars and Highways (Mich Kabay) Risky Demo Offer (Rex Wheeler) "Re-Chipping" Stolen Mobile Phones (Brian Randell) Interactive TV: electronic democracy, risks to privacy, etc. (John Gray) Trouble with funny place names (Mark Brader) Mexico Turns Off Quake Warning System (Frank Carey) Wireless Laptop Eavesdropping (Andrew Duane) Re: Harry Erwin on Digital Woes (Lauren Wiener) Question About Singapore Lottery Crime (Sanford Sherizen) ISOC Symposium on Network and Distributed System Security (Dan Nessett) The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. CONTRIBUTIONS to risks@csl.sri.com, with appropriate, substantive "Subject:" line; others may be ignored! Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially .UUCP folks. If you cannot read RISKS locally as a newsgroup (e.g., comp.risks), or you need help, send requests to risks-request@csl.sri.com (not automated). BITNET users may subscribe via your favorite LISTSERV: "SUBSCRIBE RISKS". Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousYourName CD RISKS:GET RISKS-i.j" (where i=1 to 15, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is vital. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; UNIX prompts for username, password. WAIS and bitftp@pucc.Princeton.EDU are alternative repositories. IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM . ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: 14 Dec 93 05:48:02 EST From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com> Subject: Airport lessons for InfoSec >From the Associated Press newswire through Executive News Service (GO ENS) on CompuServe: Airport Security, By JAMES H. RUBIN (Associated Press Writer) WASHINGTON (AP, 11 Dec 1993) -- Security is so poor at some of the nation's airports considered vulnerable to terrorists that federal investigators easily slipped past checkpoints and wandered around unchallenged. The article goes on to state that investigators were rarely challenged as they walked through restricted areas even though they dressed informally and tried to draw attention to themselves. One agent successfully brought a grenade through metal detectors and inspection procedures. The inspectors often saw other unauthorized people in restricted zones. Apparently security regulations are not taken seriously at many airports; there are few if any consequences for breaches of security. Although this story has nothing to do with computer security, I cite it as yet another example of how important human factors are to security in general. Management must take security (including information security) seriously and apply rewards for compliance and punishment for failures. Employees need security awareness training and security drills. I would like to see intrusions as a normal part of security testing. Michel E. Kabay, Ph.D. Director of Education National Computer Security Assn ------------------------------ Date: 14 Dec 93 05:48:35 EST From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com> Subject: Sham CD-ROMs >From the United Press International newswire via Executive News Service (GO ENS) on CompuServe: Woman indicted in CD-ROM scam SAN JOSE, Calif. (UPI, 10 Dec 1993) -- Federal officials said Friday a grand jury has indicted a San Jose woman for allegedly importing more than 900 counterfeit CD-ROMs from Hong Kong with the intent to sell them in the United States. U.S. Attorney Mike Yamaguchi said an indictment for software piracy had been handed down against Clare Waioi Sham, 29, of San Jose, and her company, C-88 International Corp. The article mentions that this is the first software theft indictment involving CD-ROMs. Personally, I think the best part of this story is that the person accused of preparing to sell counterfeit CD-ROMs is named "Sham." Michel E. Kabay, Ph.D. Director of Education National Computer Security Assn ------------------------------ Date: 14 Dec 93 05:47:43 EST From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com> Subject: Smart Cars and Highways >From the Washington Post newswire, 12 Dec 1993, through Executive News Service (GO ENS) on CompuServe: Smart Car 54, Where Are You?; Washington's Latest Billion Dollar Boondoggle: Does Anyone Care? (By Marcia D. Lowe) COMPUTER-EQUIPPED cars driving themselves on automated highways. A scene out of "The Jetsons?" Not exactly. Smart cars and highways have quietly emerged as the latest and most expensive proposal to solve the nation's traffic problems. Government spending on the little-known Intelligent Vehicle and Highway Systems (IVHS) program is expected to exceed $40 billion over the next 20 years. (By comparison, in the first 10 years of the Strategic Defense Initiative, Washington spent $30 billion.) Even more astonishing is the total lack of organized opposition to the idea, despite evidence that smart cars and highways may well exacerbate the very problems they are supposed to solve. IVHS would put computers in charge of everything from timing the traffic signals to deciding which route each car should take - and, eventually, to doing the actual driving. In the early stages, a dashboard screen would display maps while a synthesized voice would purr directions to the driver. Later would come the crowning glory of IVHS, the Automated Highway System. Once commuters keyed in their destination, they could just sit back and enjoy the ride - maybe even take a nap. Cars would hurtle along, bumper to bumper, at speeds measured in miles per minute. The article continues with the following key points: o $218 million of federal funding in 1993 o claims of improved safety are unproven o central computer failures could lead to massive accidents o proponents concerned with limiting liability for failures o proposed fuel savings from smoother driving could be lost through higher speeds o main proponent of scheme is IVHS America, supported by 500 organizations including IBM, AT&T, Rockwell, General Motors, Chrysler, Ford o minor attention given to smart public transport, priorities for high-occupancy vehicles Participants in RISKS will shudder at the thought of testing computer programs design to control thousands of cars in lockstep at 200 kph. I wouldn't enjoy being part of the beta-test population. I wonder how much attention will be paid to deliberate or accidental interference? o Presumably information will be transmitted through radio-frequency modems. What will the unique identifiers be for each car. What happens if two cars have the same identifier? o How will partial or total breakdown of the control systems be handled? Car-to-car signalling? o What methods will be put into place to prevent spurious instructions from being accepted by car controllers? I find the concern with legal liability an alarming indication of where we're headed. Good fun for those interested in reliability and security; not so good fun for early users, I fear. Michel E. Kabay, Ph.D. Director of Education National Computer Security Assn ------------------------------ Date: Thu, 16 Dec 93 13:10 EST From: Rex Wheeler <0003658705@mcimail.com> Subject: Risky Demo Offer I received an interesting thing in the mail yesterday. It was an unsolicited advertisement/demo for a mail system to run on a Novel PC LAN. It came with a disk that included the instructions: 1) Log into your server as SUPERVISOR, 2) Create a directory for the mail software (In SYS:PUBLIC), 3) copy the contents of the floppy to the new directory, and 4) Run the install program. There is also a postcard that you can send in to receive a free t-shirt. All you have to do is provide your Name, Title, Company, Address, Telephone, Fax, Signature, and your "unique code number" (which presumably the software will provide you.) To sweeten the offer there is another card you can send in to enter to win a Jeep and other prizes. This card asks for similar information. If you run the demo and follow the instructions, you will have executed unknown software from a fully privileged account, and told this company where to find you and your computers. Sounds like an great opportunity for a Trojan Horse. The "unique code number" could also easily contain information that indicates what else is on your system that may be of interest to this company. Rex Wheeler rwheeler@mcimail.com (365-8705) 70712.110@compuserve.com ------------------------------ Date: Wed, 15 Dec 1993 11:52:29 GMT From: Brian.Randell@newcastle.ac.uk Subject: "Re-Chipping" Stolen Mobile Phones [Following is the complete text of an article in the 15 Dec 1993 edition of the (UK)Independent. I am somewhat surprised at the claimed extent of "re-chipping" of stolen mobile phones, and at the fact of it being legal, but have no basis on which to dispute the facts as stated. Brian Randell, Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK Brian.Randell@newcastle.ac.uk +44 91 222 7923] LOOPHOLE ON STOLEN PHONES ATTACKED, Patricia Wynn Davies, Political Correspondent BRITAIN'S latest crime wave - the reprogramming of hundreds of thousands of stolen mobile telephones - is legal, while the necessary technology is openly advertised in newspapers and magazines. Telephones automatically barred from networks when a theft is reported are re-entering the system in their thousands after being "rechipped" by people the law does not treat as criminals. Robert Maclennan, the Liberal Democrat home affairs spokesman, has written to Michael Howard, the Home Secretary, urging the closure of the legal loophole. Organised rings of mobile phone thieves were getting "easy pickings" amounting to about 350M pounds a year, Mr Maclellan said. The rechipping process, involving the reprogramming of serial numbers so that the network no longer recognises the phone as the stolen original, can be easily accomplished using equipment that can be plugged into an ordinary home computer. Chipping services offered by dealers and openly advertised in trade magazines and newspapers have been defended as a necessary facility for honest customers buying second-hand telephones from previous owners who have run up bad debts during the recession. But the biggest beneficiaries appear to be criminals. The reprogramming racket has provided a ready outlet for small and big-time thieves - the black market price of up to (pounds) 150 for a stolen cellphone easily outstrips that of a stolen car stereo - while spawning a mini-industry of "phone chippers" turning out new sets of chipping software each time a new model is launched. Thefts are estimated by the industry to be running at 10,000 a month, more than 400 each day, while police forces around the country believe they account for 40 per cent of city-centre car break-ins. Mr Maclennan has told Mr Howard that the loophole could be easily closed with a minor amendment to the 1984 Telecommunications Act in the forthcoming Criminal Justice Bill. "This is straightforward counterfeit, but astonishingly it is not illegal," he said. "The police know who many of the crooks are, but cannot touch them." A similar process of "cloning" a subscribers' serial and telephone numbers into another person's phone results in innocent subscribers being billed for fraudulent calls. Both processes render the phone untraceable. ------------------------------ Date: Thu, 16 Dec 93 14:02:33 GMT From: John Gray Subject: Interactive TV: electronic democracy, risks to privacy, etc. On UK television last night, a regular evening programme, "The Late Show" was concerned with forthcoming developments in television. This centred around the potential for high bandwidth and bidirectional communications offered by the use of optical fibre for cable TV services. This increase in the number of channels, some with an interactive content (shopping channels, databases, computer games) would promote the concept of configurable TV ("MeTV" was the name they chose) which allows the user to decide what kind of things they wish to watch, and thus they will largely use only one channel: the one they have configured. Interestingly, one of the contributors raised the privacy issues: if you know exactly what TV programmes someone likes watching, then you (or your computer system) can tailor direct mail (and even TV adverts) to have the maximum impact. The difference between this and standard audience research is that the *viewer* builds a profile for the advertiser, when they configure the system. Also in the programme, an executive for CBS raised the point that if everyone only subscribes to compilation services, where does the original material come from? If people select what they view in advance, will they miss out on things that might entertain and enlighten them. The suggestion was made that people will retreat much more into their own pursuits and that "community" will suffer. What happens to people who are too poor to have cable, either because their neighbourhood isn't cabled, or because they can't afford to subscribe. They also touched on electronic democracy in this context: if you can't afford to subscribe, will you have a voice on an equal footing with others? Finally, a contributor from the EFF suggested that the Internet be used as a model: the idea of providing these services to form communities controlled by users rather than by large companies or governments. Sadly, it seems as if the commercial attractions to advertisers and corporations will win out. John Gray ------------------------------ Date: Fri, 17 Dec 1993 22:50:00 -0500 From: msb@sq.com (Mark Brader) Subject: Trouble with funny place names In the Usenet newsgroup rec.puzzles, there has been a little discussion recently of place names with unusual characters. It was suggested that Westward Ho!, England, was unique for containing the punctuation mark "!", but then somebody topped this by calling attention to Saint-Louis-du-Ha! Ha!, Quebec, Canada. At this point I decided to look these places up in atlases to see where exactly they are. The one I found Saint-Louis-du-Ha! Ha! in was the Rand McNally Road Atlas, 1991 edition. In the index, the place is spelled... "St.-Louis-du-Ha90 Ha90". Mark Brader Toronto utzoo!sq!msb msb@sq.com (P.S.: Westward Ho! is on the north coast of Devon, more or less straight north of Plymouth. Saint-Louis-du-Ha! Ha! is about halfway between Riviere-du-Loup, Quebec, and Edmundston, New Brunswick.) ------------------------------ Date: Sun, 19 Dec 93 15:21:52 EST From: fec@arch4.ho.att.com (F E Carey +1 908 949 8049) Subject: Mexico Turns Off Quake Warning System Mexico's earthquake warning system has been turned off after failing at least twice since it went into operation in August. In October a quake measuring 6.8 on the Richter scale hit but the alarm didn't sound. In November a false alarm went out on a calm Tuesday evening. Technologically, the system is fairly simple. Solar powered seismic detectors signal a desktop Olivetti. Radio stations receive signal directly from the Olivetti system and broadcast warbling tones like something from a science fiction movie. Professor of Engineering Juan Manuel Espinosa Aranda, head of the warning system, said it was tested for two years before going into operation. He said the two failures resulted from simple, though lamentable, errors adding that it is better to have a warning - even if it might be false - than simply to let nature take its course. Not all share his view. Cinna Lomnitz, a seismology professor, said: "Basically, this is an experimental system that should not be broadcast to the public right off the bat. Indirectly, these people have damaged our reputation as seismologists." Luis Abraham Villa, an office assistant, said: "It creates collective hysteria. It really affects the older people. They go crazy." Reported in The New York Times, 12/19/93 Frank Carey at Bell Labs f.e.carey@att.com ------------------------------ Date: Mon, 20 Dec 93 15:47:00 EST From: duane@zk3.dec.com (Andrew Duane USG/PE) Subject: Wireless Laptop Eavesdropping I just saw a blurb on "The Computer Chronicles" about the last Comdex show, which focussed on portables, laptops, notebooks, and accessories for them. One new product, whose name I didn't catch ("AirLink"?) was a wireless device that automatically downloads all of your modified files as soon as you get within 30 meters of your PC. There is no user interface at all. It even works through walls. The possibilities for data theft are endless. Apparently, there is not even a warning that downloading is occurring. It seems that once these are common, an industrial spy could wander O'Hare airport and download a lot of files if he/she were so inclined. Does anyone have more information on this product? Andrew L. Duane, Digital Equipment Corporation USG Kernel Scalability Nashua, NH 03062-2698 603-881-1294 duane@zk3.dec.com ------------------------------ Date: Thu, 16 Dec 93 17:38:23 -0800 From: Lauren Wiener Subject: Re: Harry Erwin on Digital Woes (RISKS-15.34) I was certainly interested to read Mr. Erwin's contribution. "Digital Woes" is intended to highlight a widespread problem to an audience that is essentially oblivious to such matters (certainly not the RISKS audience!). While the problem of unreliable and overly costly software is undeniably widespread, it would be simple-minded to insist that it is universal. Categories are ordinarily fuzzy; exceptions make life interesting, after all. (I myself am having the pleasure, at present, of working for folks who write specs!) It is entirely possible that the project Mr. Erwin describes is such an exception. If so, let me add my congratulations to Mr. Distaso's. However, I am curious to learn more about this project -- especially if it *was* exceptional. In particular, I am curious to learn: * What was the purpose of the software? * What was it supposed to do? * Was the product actually used in real-world situations, as opposed to testing? * Were the acceptance tests specified in advance? Were they available to the developers to use as they developed the software? * If the product was used beyond testing, did it satisfy the real-world requirements as well as the tests? * If the project was a contract with the U. S. gov't, was it in the interests of both the subcontractor and the government to declare the project a success? Did this equate to a big career win for all the parties involved? (Unfortunately, the incentives are often such that it is in the interests of neither party to point out weaknesses in the product. This kind of arrangement can make such congratulatory letters sound a bit hollow.) It is entirely possible, of course, that the project Mr. Erwin describes had none of these weaknesses, and was in fact a true and marvelous success. All the more reason to learn more about it, if possible. It would be wonderful to isolate even one factor that could help the rest of us. ------------------------------ Date: Mon, 20 Dec 93 19:03 EST From: Sanford Sherizen <0003965782@mcimail.com> Subject: Question About Singapore Lottery Crime I am trying to find some detailed information about a recent case in Singapore where a systems person who worked for the national lottery was able to fix or determine in advance the winning number and tip off a friend who placed a bet. The individuals were recently found guilty and sentenced. If anyone knows the details, please post on RISKS or send to me. Thanks. Sanford Sherizen Data Security Systems Natick, Massachusetts ------------------------------ Date: Mon, 20 Dec 1993 11:29:21 -0800 From: nessett@ocfmail.ocf.llnl.gov (Dan Nessett) Subject: ISOC Symposium on Network and Distributed System Security Wednesday, February 2 6:00 P.M. - 8:00 P.M. Registration and Reception Thursday, February 3 7:30 A.M. Continental Breakfast 8:30 A.M. Opening Remarks 9:00 A.M. Session 1: Electronic Mail Security Chair: Steve Kent (BBN) Certified Electronic Mail, Alireza Bahreman (Bellcore) and Doug Tygar (Carnegie Mellon University), USA Privacy Enhanced Mail Modules for ELM, Selwyn Russell and Peter Craig, Queensland University of Technology, Australia Management of PEM Public Key Certificates Using X.500 Directory Service: Some Problems and Solutions, Terry Cheung, Lawrence Livermore National Laboratory, USA 11:00 A.M. Session 2: Panel: Public Key Infrastructure, Santosh Chokhani (MITRE), Michael Roe (Cambridge University), Richard Ankney (Fischer, Intl.) Chair: Miles Smid (NIST) 2:00 P.M. Session 3: Protocols Chair: Tom Berson (Anagram Labs) Paving the Road to Network Security, or The Value of Small Cobblestones, H. Orman, S. O'Malley, R. Schroeppel, and D. Schwartz, University of Arizona, USA A Complete Secure Transport Service in the Internet, Francisco Jordan and Manuel Medina, Polytechnical University of Catalunya, Spain 3:30 P.M. Session 4: Internet Firewall Design and Implementation Chair: Jim Ellis (CERT) Inter-LAN Security and Trusted Routers, Pal Hoff, Norwegian Telecom Research, Norway Trusted to Untrusted Network Connectivity: Motorola Authenticated Internet Access -- MANIAC(TM), Bill Wied, Motorola, USA BAfirewall: A Modern Firewall Design, Ravi Ganesan, Bell Atlantic, USA A Network Perimeter With Secure External Access, Frederick Avolio and Marcus Ranum, Trusted Information Systems, USA 7:00 P.M. Banquet Friday, February 4 8:30 A.M. Session 5: Panel: All Along the Watchtower: Experiences and Firefights Managing Internet Firewalls, Bryan Boyle (Exxon Research), Brent Chapman (Great Circle Consulting), Bill Cheswick (AT&T Bell Labs), Allen Leibowitz (Warner-Lambert), Paul Vixie (Vixie Enterprises) Chair: Marcus Ranum (TIS) 10:30 A.M. Session 6: Issues in Distributed System Security Chair: Cliff Neuman (USC-ISI) CA-Browsing System -- A Supporting Application for Global Security Services, Denis Trcek, Tomas Klobucar, Borka Jerman-Blazic, and Franc Bracun, Jozef Stefan Institute, Slovenia The X.509 Extended File System, Robert Smart, CSIRO Division of Information Technology, Australia Auditing in Distributed Systems, Shyh-Wei Luan (VDG, Inc.) and Robert Weisz (IBM Canada Laboratory), USA/Canada 1:30 P.M. Session 7: Authentication Chair: Dave Balenson (TIS) The S/KEY(tm) One-Time Password System, Neil Haller, Bellcore, USA A Technique for Remote Authentication, William Wulf, Alec Yasinsac, Katie Oliver, and Ramesh Peri, University of Virginia, USA Remote Kerberos Authentication for Distributed File Systems: As Applied to a DCE DFS-to-NFS File System Translator, Thomas Mistretta and William Sommerfeld, Hewlett-Packard, USA 3:30 P.M. Session 8: Panel: IP Security Alternatives, K. Robert Glenn (NIST), Paul Lambert (Motorola), David Solo (BBN), James Zmuda (Hughes) Chair: Russell Housley (Xerox) PROGRAM CO-CHAIRS Russell Housley, Xerox Special Information Systems Robert Shirey, The MITRE Corporation GENERAL CHAIR Dan Nessett, Lawrence Livermore National Laboratory PROGRAM COMMITTEE Dave Balenson, Trusted Information Systems Tom Berson, Anagram Laboratories Matt Bishop, University of California, Davis Ed Cain, U.S. Defense Information Systems Agency Jim Ellis, CERT Coordination Center Steve Kent, Bolt, Beranek and Newman John Linn, OpenVision Technologies Clifford Neuman, Information Sciences Institute Michael Roe, Cambridge University Robert Rosenthal, U.S. National Institute of Standards and Technology Ravi Sandhu, George Mason University Jeff Schiller, Massachusetts Institute of Technology Peter Yee, U.S. National Aeronautics and Space Administration BEAUTIFUL SAN DIEGO The Symposium venue is the Catamaran Resort Hotel, providing 7 acres of gorgeous surroundings, facing Mission Bay and only 100 yards from beautiful Pacific Ocean beaches. Spouses and family members can catch a convenient Harbor Hopper for a quick trip to Sea World. After the Symposium, plan to spend the weekend visiting La Jolla, the world famous San Diego Zoo or Mexico, only 30 minutes by car or Trolley. A limited number of rooms have been reserved at the Catamaran for the very special rate of $77 single, $87 double. Reservations, on a space available basis, can be made by calling (800) 288-0770 and indicating you are attending the ISOC Symposium. Reservations must be made before Jan. 1, 1994 to ensure this rate. CLIMATE February weather in San Diego is normally very pleasant. Early morning temperatures average 51 degrees while afternoon temperatures average 67 degrees. Generally, a light jacket or sweater is adequate during February; although, occasionally it rains. TRANSPORTATION San Diego International Airport is 10 miles (15 minutes) from the Catamaran Hotel. Supershuttle operates a continuous service between the airport and the hotel: fare is $6.00. When you arrive at the airport, use the free Supershuttle phone. Taxi fare between the airport and the hotel is $20. The Catamaran charges $6 per day for parking. REGISTRATION FEES Postmarked Subsequent by Jan. 1 registration $305 $350 No refunds after Jan. 20. REGISTRATION INCLUDES - Attendance - Symposium Proceedings - Reception - Banquet - Luncheons - Coffee Breaks On-site registration is available Wednesday evening at the reception, and Thursday morning at the Symposium. For more information on registration and local arrangements contact Dan Nessett at (510) 422-4033 or nessett@llnl.gov. SYMPOSIUM REGISTRATION FORM Name ________________________________________________ Affiliation__________________________________________ Name on Badge _______________________________________ Vegetarian Meals?____________________________________ Mailing Address _____________________________________ _____________________________________________________ _____________________________________________________ (Area Code)Phone # ___________________________________ Email Address _______________________________________ Make check (credit cards not accepted) payable to SNDSS94. (Registration is not effective until payment is received). Mail to: ISOC Symposium, C/O Belinda Gish, L-68, Lawrence Livermore National Laboratory, Livermore, CA. 94550. ------------------------------ End of RISKS-FORUM Digest 15.35 ************************