Subject: RISKS DIGEST 15.66
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 17 March 1994  Volume 15 : Issue 66

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
  Hit the Wrong Key, become a Verb... (Peter Wayner)
  Aldrich Ames, Master Hacker? (Peter Wayner)
  "Clipper Compromised?" brief in Network World 14 Mar 1992 (Christopher Wysopal)
  Sly Imposter Robs S.F. Man of Good Name (Mike Crawford)
  Fire knocks out phone service in LA (George Feil)
  Ease of Administering Phone Systems Leads to Risk of Sabotage (George Pajari)
  Nessy - same new trick (Bob Frankston)
  Super-ID and Surveillance (Mich Kabay)
  Caught with their pants down [de-picted by rabbit admirers] (Mich Kabay)
  Neo-nazi T.A.D. eavesdropping (Mich Kabay)
  Derivatives (Phil Agre)
  Followup report on TCAS incident in Portland (Lauren Wiener)
  Caller ID utility (Robert Morrell Jr.)
  New Security Paradigms Workshop: CFP and Correction (Catherine A. Meadows)
  Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Wed, 16 Mar 1994 15:40:25 -0500
From: Peter Wayner
Subject: Hit the Wrong Key, become a Verb...

The Wall Street Journal (3/16/94, pg 1) reported that Jan Pablo Davila lost at least $207 million of Codelco, a state-owned Chilean company, by typing the wrong financial transaction into his computer. He typed "buy" when he says he meant to type "sell". Now, all of Chile is obsessed with the mistake that cost 0.5% of Chile's GNP and the new word "davilar" is a verb that is "...loosely translated as 'to botch things up miserably.'"

------------------------------

Date: Wed, 16 Mar 1994 15:33:56 -0500
From: Peter Wayner
Subject: Aldrich Ames, Master Hacker?

The Washington Times (3/16/94, pg A3) reported:

CIA sources told the Washington Times that Mr.
Ames used his CIA computer to make unauthorized entries into computers within the espionage branch and downloaded information about the CIA's operations in Europe, including the identity of undercover agents posing as businessmen.

The story goes on to say that they'll be tightening up access to this information in response to this problem. But later in the story, they note that they'll be loosening requirements for peering into the financial records of the agents. "New legislation would be required to permit secret searches into personal-finance and credit data without employee consent."

My prediction is that they will reverse both of these changes in a few years when they discover that 1) some operation abroad was hampered by lack of direct access to info at a critical time and 2) some employee was bribed/spindled or mutilated using the data that they got by peering through credit records.

This just illustrates the problems of maintaining secrets and building networks of trust. The CIA has a hard job ahead of them. The folks who are building a Clipper network and crossing their fingers that the centralized repository won't be compromised have an even tougher one.

------------------------------

Date: 15 Mar 94 16:22:48 ES
From: Christopher Wysopal
Subject: "Clipper Compromised?" brief in Network World 14 Mar 1992

Clipper Compromised?

"Security Insider Report," a monthly newsletter published in Seminole, Fla., has reported that government officials are seeking to determine whether former CIA employee and alleged traitor Aldrich Ames may have sold information to the Russians about the government's secret key-escrow technology used in Clipper Chip chipsets and Capstone Tessera cards. The secret key-escrow technology, dubbed Skipjack, can be used to encrypt network voice and data.

Network World, March 14, 1994, Page 2

The RISK of secret algorithms and government key escrow being compromised may already be 100 percent.
- Christopher Wysopal

[Also noted by seaman@noao.edu (Rob Seaman). PGN]

------------------------------

Date: Mon, 14 Mar 1994 11:35:07 -0800
From: Mike Crawford
Subject: Sly Imposter Robs S.F. Man of Good Name

"Sly Imposter Robs S.F. Man of Good Name", by Catherine Bowman, *San Francisco Chronicle*, 14 Mar 1994, p.1.

San Francisco attorney Charles Sentman Crompton II, dogged by a string of arrest reports, mysterious credit card bills and a fake ID, is fed up and frustrated - so frustrated, in fact, that he is taking Charles Sentman Crompton III to court.

[...]

Using Crompton's name, address, and Social Security number, the man has opened charge accounts at local stores, rented an apartment and obtained a driver's license, Crompton says. He has allegedly run up nearly $3,000 in purchases at Macy's, Radio Shack and other stores, buying a portable computer and other items.

[...]

(The suspect has been repeatedly arrested and set free by local police for stealing cars, etc., and gave Crompton's name.)

[...]

(The real Crompton obtains the phony Crompton's driver's license after the suspect drops it while fleeing from a suspicious store clerk.)

[...]

Crompton obtained a photocopy of that license, which he forwarded to the state Department of Motor Vehicles with a letter explaining the problem. He then asked for a new license with a different number. The DMV obliged. Then in a monumental goof, the agency mailed the license to the other Crompton.

[...]

(The article includes a photo of the real Crompton and a physical description of both men. Real Crompton states that phony Crompton could not possibly be a true Elvis fan like him.)

The punch line:

Crompton says he does not blame the system for allowing the case to snowball. Still, he worries about his credit record and being fingered for crimes he did not commit.

Hmm... I'd say that this is a built-in feature of the system.

---

Mike's doomsday speech: "We are just entering the Information Age.
Those who possess the information, those who dispense it, and those who know how to manipulate the information will be the rulers. Those who do not will be the peasants."

I conjecture that the DMV goof was caused by different people handling the task of reissuing the license without communicating the nature of the problem to each other. One clerk dutifully issued a request for a new license, and perhaps typed a memo explaining the problem. Another clerk printed the license and sent it to the address on file (along with the letter explaining the problem, so the phony Crompton was officially tipped off in writing by the state.)

The California DMV is one of the largest bureaucracies in the United States, and possesses one of the largest management information systems as well. Well-defined lines of communication to handle such exceptional situations probably do not exist. I'd say we're lucky it works at all for the normal case.

One solution might be a government debugging agency. There should be a single office that Crompton could go to, that would work with all of the government agencies and credit bureaus to straighten out the record. Of course this agency would itself be a fertile ground for fraud.

Mike Crawford, Author of the Word Services Apple Event Suite
crawford@scipp.ucsc.edu
Free Mac Source Code: ftp sumex-aim.stanford.edu get /info-mac/dev/src/writeswell-jr-102-c.hqx

------------------------------

Date: Tue, 15 Mar 94 09:19:45 -0500
From: "George Feil"
Subject: Fire knocks out phone service in LA

A news bulletin just in: A fire in a Pacific Bell switching complex has knocked out local phone service to most of Los Angeles, CA.

Those of us who recall the Hinsdale, IL fire of several years ago are already aware of the significant potential single points of failure in the U.S. telephone systems. Again, fire turns out to be the Achilles' Heel in this case.
It is ironic that while many financial firms (including my own) have remote disaster sites, and have had occasion to use them (we tested ours for the first time when the World Trade Center was bombed last year), telephone companies continue to use the "fortress" approach, beefing up security of non-redundant phone switches, instead. It doesn't appear to be effective enough, and fire will likely be the key element of disaster.

------------------------------

Date: Tue, 15 Mar 94 22:26:27 PST
From: George Pajari
Subject: Ease of Administering Phone Systems Leads to Risk of Sabotage

The newer digital small-office phone systems (such as the Northern Telecom Meridian or NorStar units) reduce the system complexity and cost by enabling the system to be configured from any telephone (rather than from a terminal or other specialised interface).

While all of the critical settings are password protected, changing the password on phone systems seems to be even less popular than managing computer passwords.

While waiting for some friends at a local (very) up-market Chinese restaurant I noticed that the convenience phone provided patrons in the waiting area was a NorStar. Having little else to do while waiting I decided to try the factory-default master administration password. It worked.

The surprise was that when I turned over the phone I saw the "Installed by" sticker of the local telco's "independent" customer premise equipment interconnect company (i.e. not some small fly-by-night operator but the largest vendor of such equipment in the province).

The RISK?
Reprogramming their phone switch (a) to change the password and (b) not to ring on any (audible) extension when incoming calls arrive on their reservation lines could easily cost such a restaurant a significant chunk of its income (especially on a Saturday when even finding someone able to fix the problem once it was discovered could result in hours of delay, not to mention the time to type in the entire configuration again once the memory was wiped to get around the changed password).

George Pajari, Faximum Software, 1497 Marine Drive, Suite 300, West Vancouver, BC / Canada V7T 1B8
pajari@Faximum.COM / Tel: +1 (604) 925-3600

------------------------------

Date: Sun, 13 Mar 1994 18:02 -0400
From: Bob_Frankston@frankston.com
Subject: Nessy - same new trick

Just as a reminder that doctoring photos is nothing new, there is a news story out of the UK on CNN saying that someone confessed (on his deathbed) that the famous Loch Ness Monster picture was a hoax.

On one hand, it reminds us that as much as we like to think that all we do is new, it isn't. But it also puts the risk in perspective and makes us think about how these risks have been handled in the past. Alas, they are not handled all that well.

------------------------------

Date: 17 Mar 94 21:37:38 EST
From: "Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
Subject: Super-ID and Surveillance

Article by David Lyon in Canada's _Globe and Mail_, 94.03.17, p. A21: "Super-ID: keeping an eye on everybody."

The author reports that Ontario government officials are considering providing citizens with a single universal identifier to replace the hodge-podge of driver's license, medical card and so on.

Key points:

o Driving concern is fraud, especially by foreigners using Canadian medical insurance cards for free medical care.
o Trend towards a "surveillance society" in which it is expected that governments and private industry have a right to as much information as they can gather about individuals, their preferences, behaviour and movements.

o Risks of developing and using profiles of suspect behaviour and applying sanctions or suspicion to innocent people simply because they happen to fit a statistical pattern.

o Single ID allows cross-relations among disparate databanks; could easily lead to abuse by commercial or other exploiters.

o Countries differ in extent to which they require "papers" to be carried by citizens. France has used them for decades, Germans since 1987. Britain still resisting the universal ID, including DNA fingerprints. Australian proposal rejected in 1987.

o Recent surveys in Canada indicate popular concern over privacy is rising; in 1993, a "survey by Ekos Associates showed that 52 per cent of Canadians are `extremely concerned' about privacy. Sixty per cent claim they have less privacy than 10 years ago, and 81 per cent of them attribute this to computer use."

The author ends his thoughtful, concise essay with a note on who shall determine whether a single ID is to be used. He urges everyone to "question the morality of the super-ID and its place in the trend toward a surveillance society. And we need to find out just how and why people feel threatened, diminished or fearful about things that on other levels--security, efficiency, convenience--seem so alluring."

The paper published this note about the author: "David Lyon is associate professor of sociology at Queen's University, Kingston [Ontario]. His latest book is _The Electronic Eye: The Rise of Surveillance Society_ (University of Minnesota Press, 1994)."

Michel E.
Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 17 Mar 94 21:37:45 EST
From: "Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
Subject: Caught with their pants down [de-picted by rabbit admirers]

An article from the Reuters News Agency appeared in Canada's _Globe and Mail_ newspaper for 94.03.17, p. A15: "Who undressed Jessica Rabbit?"

It seems that officials at Walt Disney Co. are embarrassed because some of their animators got a little playful with Jessica Rabbit, the sultry lead in the semi-animated film, "Who Framed Roger Rabbit?" In one scene, the animators (or someone) removed Jessica's underwear in three frames during a pirouette which causes her skirt to ride up around her waist.

News of this ghastly descent into depravity seems to have caused hundreds of people to rush out and buy the $40 CD of the film, depleting stocks at many retail outlets.

As one viewer said after the L.A. Fox TV affiliate KTTV showed the three frames publicly on the 16th of March, "If that turned you on, it's time to see a psychiatrist."

[Seems to me that the RISK here is quality control failure more than anything specifically electronic. However, given the growing dependence of animators on computers to help overcome the drudgery of their craft, I can see all kinds of possibilities for bored technicians or crafty hackers. How about a new version of Snow White--showing what she was _really_ up to with those cute dwarves. What about _The Lady and the Tramp--After Hours_? Or _The Unexpurgated Little Red Riding Hood_?]

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 17 Mar 94 21:37:54 EST
From: "Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
Subject: Neo-nazi T.A.D. eavesdropping

From the Canadian national newspaper, _The Globe and Mail_, 94.03.17, p. A2B. "Ex-member of Heritage Front tells hearing of dirty tricks." by R. Platiel (Globe and Mail reporter).
A disenchanted young former Nazi reported that the neo-Nazi Heritage Front group broke into telephone answering devices (T.A.D.s) used by anti-racism activists and recorded the phone numbers of correspondents. They then passed these numbers around among neo-Nazi supporters and harassed the victims. She claimed that some anti-racists were followed; others found that their employers had received phone calls alleging that they were "Bolsheviks."

[Most T.A.D.s have a 2-digit code at best. Not very challenging to crack.]

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: Tue, 15 Mar 1994 11:03:05 -0800
From: Phil Agre
Subject: Derivatives

The new issue of Fortune contains a long article about the potential risks of derivatives, which are complex types of financial deals that depend on the values of certain underlying assets, such as currencies, commodities, or composite entities like stock indexes. The full reference is:

Carol J. Loomis, The risk that won't go away, Fortune 129(5), 7 March 1994, pages 40-57.

At the moment, there exist outstanding derivatives contracts on assets whose total value is about $16 trillion dollars, about 2.5 times the United States' GDP.

The problem is that nobody really understands how derivatives work. They only exist in the first place because of big computers and global data networks (see Risks 14.87). In theory, they allow firms to manage the risks of global business by hedging against potentially damaging fluctuations in commodity prices, interest rates, currency exchange rates, and so forth, and this can be a good thing. In practice, it is difficult to do this right. Moreover, the nature of derivative contracts entails increasing levels of interconnection in the world financial system, with the solvency of each major player frequently contingent on the ability of numerous other players to make good on complex contracts.
A serious misjudgement at a large bank, on the order of the savage losses recently incurred through bungled oil-price hedging at the German firm Metallgesellschaft, could conceivably propagate through the entire system.

It actually gets worse from there, as Loomis explains at some length. Regulation is nearly nonexistent, largely because nobody knows how one *could* regulate such things. Reporting requirements are derisory as well. In short, the global economy is wound up real tight. To be sure, market forces are bringing an urgent profusion of risk management strategies. The big question is whether the prudence of individual players is adequate to prevent the total system from collapsing in case of some exogenous event, or simply because there's an angle nobody figures out until it's too late.

Phil Agre, UCSD

PS. The same issue of Fortune contains some advice for companies wishing to engage in commercial activity on the Internet.

------------------------------

Date: Wed, 16 Mar 94 19:00:26 -0800
From: Lauren Wiener
Subject: Followup report on TCAS incident in Portland

From the Oregonian, March 14, 1994, p. B3:

[I'm in square brackets counting risks. LRW ]

"FAA wants to know why system sent 2 jets toward each other

A collision course alarm sounded in the Portland incident, but the equipment's subsequent response has officials baffled

A system designed to avert air collisions sent two planes heading toward one another near Portland Int'l Airport, and federal authorities are trying to figure out why.

The Feb. 3 incident involved an Alaska Airlines jetliner and a HorizonAir commuter jet. Each plane was equipped with the Traffic Collision Avoidance System, which alerts pilots to other air traffic and sounds an alarm if there is a chance of a collision.

"The question is not whether TCAS did its job.
The question is why did the logic of TCAS tell the upper plane to go down and the lower plane to climb," said Dick Meyers, a Federal Aviation Administration spokesman based in Renton, Wash.

A crash would not have resulted if the pilots had continued obeying the instructions of the system, but the planes would have come uncomfortably close, FAA officials said.

Alaska Airlines pilot Thomas Hedrick had been instructed by an air traffic controller to climb to 9,000 feet and level off. At the same time, a HorizonAir commuter jet piloted by Brian Penwell was approaching the airport and was instructed to descend to 10,000 feet and level off.

In both planes, the FAA-required collision avoidance alarm sounded -- a common occurrence in the traffic-congested skies around airports -- letting the pilots know they were too close to other aircraft.

[Risk 1 -- many false alarms. LRW ]

Then a second alarm sounded indicating the aircraft were on a potential collision course. Rather than advising the pilots to level off, the system instructed the higher-flying plane to descend below the lower-flying plane and the lower-flying plane to climb above the other.

[Risk 2 -- uncoordinated solutions. LRW ]

An air traffic controller noticed the HorizonAir plane descending toward the Alaska plane and ordered the pilot to level off.

"I told him we could not because we were receiving a Resolution Advisory," Penwell wrote in a report filed with the FAA. A Resolution Advisory in this case was the system's directive to descend.

[Risk 3 -- unclear who or what is in charge. LRW ]

Penwell said he finally saw the Alaska plane and banked to the left at about 9200 feet. Penwell estimated that the planes came within about a mile of each other."

------------------------------

Date: Fri, 11 Mar 1994 19:35:05 -0500 (EST)
From: "Robert Morrell Jr."
Subject: Caller ID utility

An anonymous contributor recently denigrated the utility of caller ID in stopping obscene callers, believing instead that the real purpose is to swell the business telephone data banks. Yet in the note it is recognized that the utility for catching obscene callers is decreasing "as would be callers catch on". Forgive me, but does that mean they are modifying their behavior? If it inconveniences them, discourages the casual obscene caller, has it not done its task?

The risk of this logic is clear... discard a technology that is doing what it was intended to do because someone else is making (horrors) money.

Bob

------------------------------

Date: Thu, 17 Mar 94 14:06:10 EST
From: meadows@itd.nrl.navy.mil (Catherine A. Meadows)
Subject: New Security Paradigms Workshop: CFP and Correction

Note: The address of the second Program Chair, Eric Leighninger, has changed since this announcement appeared in SIGSAC Review and elsewhere. The address listed below is the correct one.

CALL FOR PAPERS

A workshop sponsored by ACM SIGSAC and DOD

NEW SECURITY PARADIGMS '94

Paradigm shifts disrupt the status quo, destroy outdated ideas, and open the way to new possibilities. This workshop explores new ways of looking at computer security, hoping to develop transcendent solutions that provide the interoperability and flexibility users need in trusted systems.

AUGUST 3-5, 1994
Stone House Club
Little Compton, R.I.

New Security Paradigms '94 provides a creative and constructive workshop environment at a small seaside inn for 20 researchers. Dress is casual. The workshop fee of about $450 includes room, meals, and workshop materials.

To participate, submit a research paper or a 5-10 page position paper (5 copies) to one of the two program chairs by March 26, 1994. The Program Committee will referee the papers and notify authors of acceptance by June 11, 1994. Proceedings will be published by ACM.

Program Chair: John Dobson
Computing Science Dept.
University of Newcastle
Newcastle NE1 7RU U.K.
(+44) 91 222 8228
email: John.Dobson at newcastle.ac.uk

Program Chair: Eric Leighninger
NOTE NEW ADDRESS!
334 Linwood Ave Apt.3
Newtonville, MA 02160
(617) 558-1412

Workshop Chair: Hilary H. Hosmer, Data Security, Inc.
Publications Chair: Catherine Meadows, NRL
Scholarships: Ravi Sandhu, George Mason University
Treasurer: Steven Cha, Aerospace
ACM SIGSAC Liaison: Dixie Baker, Aerospace

------------------------------

Date: ongoing
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA) with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and Government machines should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "FTP CRVAX.SRI.COM<CR>login anonymous<CR>YourName CD RISKS: Issue j of volume 15 is in that directory: "GET RISKS-15.j". For issues of earlier volumes, "GET [.i]RISKS-i.j" (where i=1 to 14, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00. "DIR" (or "DIR [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. WAIS and bitftp@pucc.Princeton.EDU are alternative repositories.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 15.66
************************