Subject: RISKS DIGEST 17.55

RISKS-LIST: Risks-Forum Digest  Monday 18 December 1995  Volume 17 : Issue 55

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
NY Stock Exchange halted for one hour this morning (PGN)
Laser Shows and Aircraft (Chuck Weinstock)
Electronic food stamps failure (Jeremy J Epstein)
Medical diagnosis by computer (Gretchen Herbkersman)
Timing cryptanalysis and its hardware analog (Michael Kaelbling)
Invitation to the CFP'96 Technology Fair (Simson L. Garfinkel)
"netfuture" announcement (Steve Talbott)
Taxing data (George Janczyn)
Re: Something funny about the funny pages item (Sidney Markowitz)
Re: Anonymity (Steve Bellovin)
Re: Classified Disks Lost--Court Martial (Andy Ashworth, Peter Horsburgh, Robin Kenny)
CERT Advisory CA-95:18 - Widespread Attacks (CERT)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 18 Dec 95 13:59:58 PST
From: "Peter G. Neumann"
Subject: NY Stock Exchange halted for one hour this morning

Tomorrow's papers will undoubtedly have some coverage on the NY Stock Exchange, which opened an hour late this morning. From what I can glean from various preliminary sources, the weekend had been spent upgrading the system software. However, at 9:15 this morning, it was discovered that there were serious communications problems in the software between the central computing facility and the specialists' displays. The problem was diagnosed and fixed by 10:00am, and the market reopened at 10:30. It was the first time since 27 December 1990 that the exchange had to shut down. The Chicago Mercantile Exchange, Boston Stock Exchange, and Philadelphia Stock Exchange all waited until the NYSE opened as well.
------------------------------

Date: Tue, 12 Dec 95 11:58:20 EST
From: Chuck Weinstock
Subject: Laser Shows and Aircraft

An article on the Dow-Jones news service (which I presume means that it is also in the Wall Street Journal) discusses the risks of display lasers (mostly used instead of the old carbon-arc spotlights to call attention to a place) co-existing with aviation. Some of the interesting tidbits:

. The Luxor in Las Vegas has a beam which reflects off of a waterfall. When the water pressure of the fall weakens, the reflections cause problems for the nearby airport. A check valve has been installed to shut the beams down when the water pressure drops too low.

. A McDonnell Douglas study found that 45% of participants crashed a flight simulator when exposed to a laser beam while making a turn.

. Several incidents of laser blinding have been reported by pilots. Example: A pilot for Southwest Airlines took off from Las Vegas's McCarran International Airport. About three miles into the flight he was blinded by a flash of brilliant light, requiring his fellow pilot to grab the controls.

. The FDA has ordered a halt to laser light shows within 20 miles of any Las Vegas airport as a result of such incidents.

. The Las Vegas Hilton has installed TCAS(!) - Traffic Collision Avoidance System, which will shut off its lasers if it senses any type of aircraft in their path. But the system is unreliable with aircraft below 1,200 feet.

This reminds me that laser blinding played an important role in a recent Tom Clancy novel.

Chuck Weinstock

------------------------------

Date: Mon, 18 Dec 1995 11:08:38 -0500
From: JEREMY J EPSTEIN
Subject: Electronic food stamps failure

An old risk repeated: The December 15 issue of the Fort Worth (Texas) Star-Telegram reports that the computers used for tracking food stamps in Texas failed, and some merchants were unable to accept cards. The system normally processes 350,000 transactions per day. For some reason (not explained in the article), only some of the 14,000 retailers who accept the card were affected. As of when the article was published, the computers had been out for about a day, and the problem was not yet fixed.

------------------------------

Date: Mon, 18 Dec 95 08:55:40 PST
From: odinba!odin!gretchen@uunet.uu.net (Gretchen Herbkersman Dept 5428)
Subject: Medical diagnosis by computer

"Meet the Doctor: A Computer That Knows a Few Things" by Laura Johannes is a very scary article on page B1 of the 18 Dec 1995 Wall Street Journal.

------------------------------

Date: Mon, 18 Dec 1995 10:20:12 +0100
From: Michael Kaelbling
Subject: Timing cryptanalysis and its hardware analog

Paul Kocher's announcement in RISKS-17.54 about timing attacks to find secret keys reminds me of an analogous (and analog) attack that can be made on chip cards. Since chip cards can fall into attackers' hands, not only must the encryption algorithms run in a fixed and independent amount of time, but the hardware must consume a fixed and independent amount of power for all branches through the critical code. Attackers have been known to use sensitive measurements of the current drawn during the authentication phase to determine keys.

Timing attacks can be based on apparent optimizations in software multiplication of long numbers. Current (amp) attacks can even be used against single-cycle multiplications, if the hardware designers are not careful. "Softies" might be surprised by what the hardware reveals about their code and data.

Michael Kaelbling

------------------------------

Date: Sun, 17 Dec 1995 10:01:53 -0500
From: simsong@vineyard.net (Simson L. Garfinkel)
Subject: Invitation to the CFP'96 Technology Fair

Many RISKS readers are familiar with the annual conference on Computers, Freedom and Privacy. For those of you who are not, CFP is the leading conference exploring issues having to do with the complex interactions of computers, privacy, and our legal system.
Past conferences have been heavily attended by law enforcement, academics, and journalists, and have been a place where people on different sides of complex issues such as national cryptography policy can get together and talk things out. This year's conference is sponsored, in part, by the National Science Foundation, the John D. and Catherine T. MacArthur Foundation, America Online, IBM, News Corp, and the Freedom Forum First Amendment Center.

You can get more information about CFP at http://web.mit.edu/cfp96

This year, CFP will be having a technology fair. I am one of the people who is putting the fair together. We are looking for companies and individuals who are interested in exhibiting. We have identified the following key areas that we are interested in:

People to invite for the technology fair:
 * Internet Filtering Technology
 * Voice and Data Encryption
 * Smart Cards
 * Secure Payment Systems
 * Public Access Internet
 * Personal Dossier Building Technology
 * Crime Tracking
 * Internet Monitoring & Marketing

The fair will be on Wednesday, the 27th of March. It will be open to the public, and there will be no admission charge. We estimate that there will be at least 400 attendees from the conference, plus another 1000 from the MIT and surrounding Boston/Cambridge high-tech community. We can provide you with a table and electricity, plus a connection to the Internet, if that would be useful.

If you are interested in exhibiting at the fair, please send mail to me (simsong@vineyard.net) or to cfp96@mit.edu

Simson L. Garfinkel, CFP 96 Programming Committee

------------------------------

Date: Thu, 7 Dec 1995 18:39:08 EST
From: stevet@ora.com (Steve Talbott)
Subject: "netfuture" announcement

O'Reilly & Associates
101 RT. 21C
Ghent, New York 12075
1-518-672-5103

WHAT TO DO WHILE WAITING FOR THE NEXT WAVE OF INTERNET BACKLASH

O'Reilly & Associates is establishing the "netfuture" mailing list. This is a moderated list to which O'Reilly editor Steve Talbott will post approximately weekly pieces concerning high-technology trends in relation to individual responsibility. Some of these pieces will be selections from his own forthcoming collection of provocations, "Daily Meditations for the Computer-entranced."

Technology and the Net: Who Is Responsible?

The "netfuture" list will have a focus similar to the well-known and estimable comp.risks newsgroup, with this difference: "netfuture" will look beyond the generally recognized issues such as privacy, access, and dangerous computer glitches, seeking especially to address those deep levels at which we half-consciously shape technology and are shaped by it. What is half-conscious can, after all, be made fully conscious, and can become material for public discussion and policy-making.

As we wait for the second wave of Internet backlash, what better to do than try to understand the forces that have propelled the Net so dramatically onto center stage amid near worship on the one hand, and (among a few) something more like dread?

Once "netfuture" is under way, a companion, unmoderated discussion list may be launched, based on the advice of participants.

Steve Talbott is author of "The Future Does Not Compute -- Transcending the Machines in Our Midst," currently available from O'Reilly & Associates.

To subscribe to the "netfuture" mailing list, address an e-mail message to:

    listproc@online.ora.com

No "Subject" is needed. The first line in the body of your message should read like this (but with your name substituted for "John Doe"):

    subscribe netfuture John Doe

Within the next day or so (usually much sooner) you should get a reply message welcoming you to the list and explaining how to participate. If you don't get the initial reply, or if you have other problems or questions, please send e-mail to:

    netfuture-owner@online.ora.com

-- tell us when you sent your message and include your telephone number.
If you have more than one computer account or read e-mail on several different services, be sure to send your subscription request from the place where you want to read "netfuture". Our system automatically reads your e-mail address from your subscription message and registers you at that particular address.

  [If your FROM: address is different from your desired address, you'd better complain to Steve directly. I suggested they should fix that problem, or at least respect the REPLY-TO field, but apparently they can't. It is extraordinary how much mail I get with FROM: addresses to which I cannot answer. PGN]

------------------------------

Date: Mon, 18 Dec 1995 11:49:05 -0800 (PST)
From: George Janczyn
Subject: Taxing data (Re: Alvarez, RISKS-17.54)

I recently became the victim of a virus that erased the FAT on my hard disc. Because my most recent backup was about three weeks old (highlighting another well-known RISK), I was obliged to seek the services of a data recovery company. After the work was done, the bill included a charge for sales tax. It was explained to me that sales tax must be collected because of the process involved, to wit: they salvaged the data (minus FAT) from my hard drive and saved it temporarily on another drive. After reformatting my hard drive, they reconstructed the FAT and copied the data back again. The fact that they placed "new" data on an empty hard drive is what triggers the sales tax. (I'm in California.)

George J. Janczyn, T.S. Automated Systems Mgr, Geisel Library, 0175-K
University of California, San Diego, La Jolla, CA 92093  619-534-1282

------------------------------

Date: Sat, 16 Dec 1995 12:25:16 -0800
From: sidney@atg.apple.com (Sidney Markowitz)
Subject: Re: Something funny about the funny pages item (Alvarez, RISKS-17.54)

RISKS-17.54 had a short mention about an NPR piece on IRS policies on taxing cartoonists. I didn't hear that piece, but the description in RISKS cannot be correct. Sales tax is a state thing, not from the IRS. There is an issue right now concerning the California State Board of Equalization's attempts to collect sales tax on printed comic book original pages, which may be what was mentioned on NPR. Since the BOE is trying to tax the sale of the documents (claiming that they are commercial illustrations and taxable and not authors' literary manuscripts, which are not), it is the case that transmitting cartoons electronically may not be taxable.

The only reference to this I have found on the net doesn't say much, but see http://www.insv.com/cbldf/cases.html under the heading "San Francisco, California". That's a page at the Comic Book Legal Defense Fund web site, home page http://www.insv.com/cbldf/

-- sidney markowitz

  [Also noted by Eric Amick. PGN]

------------------------------

Date: Fri, 15 Dec 95 21:10:01 EST
From: smb@research.att.com
Subject: Re: Anonymity (Schwartau, RISKS-17.54)

> I've heard of this penet.fi happening to another person.
> Anyone else? Any ideas?

Paranoia is an occupational disease in the computer security business. I try to watch out for it myself...

You are automatically allocated an anonymous account if you ever send mail to someone else's anonymous account. You can do this directly, or indirectly via a mailing list -- if an anonymous account is a subscriber, even indirectly, the mail to them will be routed through penet -- and you'll get your own id.

Now -- a few years ago, and possibly still, there were some attacks aimed at discovering who owned which anonymous ids. There are, after all, people who want to know who posts to alt.sex.gerbils or the like -- think of your favorite extremist politician.

--Steve Bellovin

  [The automatic enrollment was noted by a score of respondents! RISKS was also swamped with war stories of previous spoofings of .fi, often using forged e-mail. Apparently, anon.penet.fi now requires passwords (which themselves are spoofable).
  And don't forget that monitoring incoming traffic and outgoing traffic can enable someone to identify the [apparent] sender's FROM: address unless multiple layers of anonymity are used. Or you can be tricked into answering a message that can reveal YOUR identity! Or any of several other horrible risks. Perhaps we need a comp.risks.anonymous. Caveat emptor. Beware of Anonymous Bosch.

  By the way, several Unix-centric folks also noted that ls -lu shows the time most recently read (well, to a first approximation, anyway), but neglected to note that it can be tampered with also! PGN]

------------------------------

Date: Mon, 18 Dec 95 09:34:49 GMT
From: Andy Ashworth
Subject: Re: Classified Disks Lost--Court Martial (Kennedy, RISKS-17.54)

A "severe reprimand" in the Royal Navy is something that will remain on the service records of those two officers and will continue to be held against them for the rest of their careers.

The nature of the data lost should also be taken into account when considering the severity of their punishment; they were returning to their unit after having given a presentation on wages - the data was therefore more likely to be of a personal confidential nature rather than a more serious threat to UK security. If, however, they had just attended a presentation on the latest thing in Communications Security, I'm sure that the punishments would have been a little more severe. (But that still raises the question: what were they doing in a pub with sensitive data?)

As regards the apparent lack of exposure to classified material claimed by one of the officers, I find this quite believable. Instructor Officers, as their title implies, are specialist instructors and would not usually be as used to handling secure information as their colleagues.

Andy Ashworth, PO(Comms)(Sea) Royal Naval Reserve
Lloyd's Register, 29 Wellesley Road, Croydon CR0 2AJ UK  +44 (0)181 681 4040 ext 4501

------------------------------

Date: Mon, 18 Dec 1995 05:35:36 EST
From: "Peter Horsburgh"
Subject: Re: Classified Disks Lost--Court Martial (Kennedy, RISKS-17.54)

As a military man, Dave knows that a "severe reprimand" can ruin an officer's career - especially at the Commander level. If they were in the Royal Navy - the article does not say so specifically - they will have "incurred Their Lordships' displeasure" - now THAT is a bad thing!

As for the embarrassment, let the punishment fit the crime - Their Lordships were severely embarrassed...

Peter Horsburgh  zawlhpvh@ibmmail.com

  [Also noted by Robin Kenny. PGN]

------------------------------

Date: Mon, 18 Dec 95 9:38:26 EDT
From: Robin Kenny
Subject: Re: Classified Disks Lost--Court Martial (Kennedy, RISKS-17.54)

Something I've noticed in the use of British and American language is that the British make an art out of understatement. So, having your head bashed by an iron bar during a robbery becomes "creating an affray while committing a criminal act" and actually killing someone is "a breach of the peace" (!)

robink@aus.hp.com  Melbourne, Australia  UTC +10 hours

------------------------------

Date: Mon, 18 Dec 1995 12:11:33 -0500
From: CERT Advisory
Subject: CERT Advisory CA-95:18 - Widespread Attacks

CA-95:18                      CERT Advisory                      December 18, 1995
                      Widespread Attacks on Internet Sites

Over the last several weeks, the CERT Coordination Center has been working on a set of incidents in which the intruders have launched widespread attacks against Internet sites. Hundreds of sites have been attacked, and many of the attacks have been successful, resulting in root compromises at the targeted sites. We continue to receive reports, and we believe that more attacks are going undetected.
**********************************************************************
All the vulnerabilities exploited in these attacks are known, and are
addressed by CERT advisories (see Section III).
**********************************************************************

We urge everyone to obtain these advisories and take action to ensure that systems are protected against these attacks. Also, please feel free to redistribute this message.

As we receive additional information relating to this advisory, we will place it in

    ftp://info.cert.org/pub/cert_advisories/CA-95:18.README

We encourage you to check our README files regularly for updates on advisories that relate to your site.

I. Description

Intruders are doing the following:
- using automated tools to scan sites for NFS and NIS vulnerabilities
- exploiting the rpc.ypupdated vulnerability to gain root access
- exploiting the loadmodule vulnerability to gain root access
- installing Trojan horse programs and packet sniffers
- launching IP spoofing attacks

II. Impact

Successful exploitation of the vulnerabilities can result in unauthorized root access.

III. Solution

The CERT staff urges you to immediately take the steps described in the advisories and README files listed below. Note that it is important to check README files as they contain updated information we received after the advisory was published.

a. Using automated tools to scan sites for NFS and NIS vulnerabilities
   * CA-94:15.NFS.Vulnerabilities
   * CA-94:15.README
   * CA-92:13.SunOS.NIS.vulnerability

b. Exploiting the rpc.ypupdated vulnerability to gain root access
   * CA-95:17.rpc.ypupdated.vul
   * CA-95:17.README

c. Exploiting the loadmodule vulnerability to gain root access
   * CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability
   * CA-95:12.sun.loadmodule.vul
   * CA-95:12.README

d. Installing Trojan horse programs and packet sniffers
   * CA-94:01.ongoing.network.monitoring.attacks
   * CA-94:01.README

e. Launching IP spoofing attacks
   * CA-95:01.IP.spoofing
   * CA-95:01.README

The CERT advisories and README files are available from

    ftp://info.cert.org/pub/cert_advisories

If you find a compromise, please complete the Incident Reporting Form that we have provided in the appendix of this advisory, and return the form to cert@cert.org. This completed form will help us better assist you.

Note: Because of our workload, we must ask you not to send log files of activity, but we would be happy to work with you as needed on how to interpret data that you may collect. Also, the CERT staff can provide guidance and advice, if needed, on how to handle incidents and work with law enforcement.

If you see activity that indicates an attack is in progress, we encourage you to contact other sites involved and the service providers, as well as the CERT Coordination Center.

Contacting the CERT Coordination Center

For sensitive information, please use encrypted email. The CERT public PGP key is available from

    ftp://info.cert.org/pub/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline +1 412 268 7090 to exchange a DES key over the phone.

Other CERT contact information:

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
    CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh, PA 15213-3890
    USA

CERT advisories and bulletins are posted on the USENET newsgroup comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org.
Past CERT publications, information about FIRST representatives, and other information related to computer security are available from

    ftp://info.cert.org/pub/

Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

  [The copyrighted 1995 Incident Reporting Form is omitted from this RISKS version. Send e-mail to the CERT to obtain a copy. PGN]

------------------------------

Date: 6 September 1995 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...]
DIRECT REQUESTS to (majordomo) with one-line,
    SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
    INFO [for further information]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks

RISKS ARCHIVES: ftp ftp.sri.com, login anonymous [YourNetAddress], then cd risks or cwd risks, depending on your particular FTP. [...] [Back issues are in the subdirectory corresponding to the volume number.]
Individual issues can be accessed using a URL of the form
    http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
    ftp://unix.sri.com/risks [if your browser accepts URLs.]

------------------------------

End of RISKS-FORUM Digest 17.55
************************
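Editor's added illustration for Michael Kaelbling's item above ("Timing cryptanalysis and its hardware analog"); it is not part of the digest or of any contributor's message. Kaelbling's point is that a chip card's current draw through the critical code reveals which branch ran, and that a long-number multiplication whose cost depends on the operands leaks through timing as well. The Python below simulates both leaks for modular exponentiation: the "power trace" is modelled as the list of squarings ("S") and multiplies ("M") executed per exponent bit, standing in for a real current measurement, and run time is modelled as a count of those operations. A naive square-and-multiply is run beside a Montgomery ladder, and an attacker function reads the key back from each trace. BASE, MODULUS and SECRET_EXP are constructed sample values; the cost model and all function names are this example's own assumptions, not anything from the contributor.

```python
"""Simulated simple power analysis (SPA) and timing leak of modular exponentiation.

Editor's added example (assumptions: the current drawn is modelled as a
per-bit operation trace, "S" = squaring, "M" = multiply, and run time as
the number of such operations; on a real chip card these appear as
distinguishable bumps in the power trace and as elapsed time).
"""

# Constructed sample values; a real card would use a private exponent of
# hundreds of bits and an RSA modulus.
BASE = 12345
MODULUS = 1000003            # prime, so BASE is invertible mod MODULUS
SECRET_EXP = 0b1011001110    # 10-bit secret exponent (decimal 718)


def square_and_multiply(base, exp, mod, trace):
    """Naive left-to-right binary exponentiation.

    The extra multiply runs only when the key bit is 1, so each trace
    entry is "S" for a 0 bit and "SM" for a 1 bit: the trace spells out
    the key, and the total run time reveals its Hamming weight.
    """
    result = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        result = result * result % mod
        ops = "S"
        if (exp >> i) & 1:
            result = result * base % mod
            ops += "M"
        trace.append(ops)
    return result


def montgomery_ladder(base, exp, mod, trace):
    """Montgomery ladder: one multiply and one squaring for every bit.

    Both branches perform the same two operations in the same order, so
    the operation sequence is identical for 0 and 1 bits. Caveat: which
    register is written still depends on the bit, so address-dependent
    and differential (statistical) leakage are separate problems; this
    removes only the operation-sequence and operation-count leak.
    """
    r0, r1 = 1, base % mod
    for i in range(exp.bit_length() - 1, -1, -1):
        if (exp >> i) & 1:
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        else:
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        trace.append("MS")
    return r0


def recover_exponent(trace):
    """Attacker's reading of a trace: any step with a multiply is a 1 bit.

    Correct for square-and-multiply; on a ladder trace it yields all ones,
    i.e. nothing beyond the exponent's bit length.
    """
    bits = "".join("1" if "M" in step else "0" for step in trace)
    return int(bits, 2)


def total_cycles(trace, cost_square=1, cost_multiply=1):
    """Run time under the assumed cost model: what a timing attack observes."""
    return sum(step.count("S") * cost_square + step.count("M") * cost_multiply
               for step in trace)


def trace_is_flat(trace):
    """True when every bit ran the same operations (no SPA leak)."""
    return len(set(trace)) <= 1


if __name__ == "__main__":
    leaky_trace, safe_trace = [], []
    leaky = square_and_multiply(BASE, SECRET_EXP, MODULUS, leaky_trace)
    safe = montgomery_ladder(BASE, SECRET_EXP, MODULUS, safe_trace)
    print("results agree with pow():", leaky == safe == pow(BASE, SECRET_EXP, MODULUS))
    print("square-and-multiply trace:", leaky_trace, "cycles:", total_cycles(leaky_trace))
    print("  key read back:", bin(recover_exponent(leaky_trace)),
          "correct:", recover_exponent(leaky_trace) == SECRET_EXP)
    print("ladder trace:", safe_trace, "cycles:", total_cycles(safe_trace),
          "flat:", trace_is_flat(safe_trace))
    print("  key read back:", bin(recover_exponent(safe_trace)),
          "correct:", recover_exponent(safe_trace) == SECRET_EXP)
```

The ladder costs twice as many multiplications as the naive loop on an average key, which is exactly the trade Kaelbling describes: the critical code must do the same work on every branch, whether or not the arithmetic needs it. Note that the loop bound still leaks the bit length of the exponent in both versions; a fixed-length loop over the maximum key size is the usual answer to that.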