25-May-87 14:51:41-PDT,21563;000000000000
Mail-From: NEUMANN created at 25-May-87 14:49:35
Date: Mon 25 May 87 14:49:35-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS DIGEST 4.90
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest   Monday, 25 May 1987   Volume 4 : Issue 90

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Laser guided missiles... (Herb Lin)
  Computer use costs civil servants $1,270 (Matthew Kruk)
  Liability in Expert Systems (David Chase)
  Electronic Communications Privacy Act (Dave Curry)
  ATM security (Kenton Abbott Hoover via Martin Minow)
  Communications Technology Aids Criminals (Larry Lippman)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Mon, 25 May 1987 13:54 EDT
From: LIN@XX.LCS.MIT.EDU
To: "Peter G. Neumann"
Cc: RISKS@CSL.SRI.COM, arms-d@XX.LCS.MIT.EDU
Subject: Laser guided missiles...

    From: Peter G. Neumann

    ... He claimed that the Iranians electronically countermanded the missiles (an Exocet [which did not explode] and the other still unidentified missile, possibly an AS-30 laser-guided missile) AWAY FROM one of their tankers.

Other messages have also referred to laser-guided missiles. [They] require a laser to designate the target, which the missile then homes in on, by seeking the reflected laser light. That means that there must be a laser actively illuminating the target at all times while the missile is seeking.
If the airplane carrying the missile goes away or drops out of line of sight, it can't illuminate the target.

    [This discussion at the moment is labelled SPECULATION with respect to the Stark investigation in progress. But one question is, how easily can a missile such as the laser-guided AS-30 be faked out? What happens under cloud cover? Does the missile go inertial for a while if it loses the target, in hopes of reacquiring the target? Can it get confused by decoys, light chaff, fireworks, or whatever? Is the Iranian countermeasure claim plausible? Remember, there were two missiles (the exploded one suspected NOT to be an Exocet?), and if one was electronic and the other laser guided, the countermeasure theory seems less likely. Although I presume analogous arguments hold for electronic countermeasures on electronically guided missiles, the mechanisms might be different... In any case, the risks of hitting something other than the desired target seem to be nontrivial. PGN]

FURTHER RESPONSE FROM HERB:

The AS-30 is indeed a laser guided missile, but it too requires an independent laser designator. If no Iranian airplane or boat was in sight of the ship, no target designation would take place. You must have a line of sight to the target. [Rafsanjani reportedly said that there had been an Iranian tanker in range. PGN]

The AS-30 is described as having two guidance components -- inertial reference for the initial phase, and laser homing for the terminal phase. If anything intervenes between the laser beam and the target, most likely the missile will lock its home-on track, and be lost.

------------------------------

Date: Mon, 25 May 87 09:20:40 PDT
From: Matthew_Kruk%UBC.MAILNET@MIT-Multics.ARPA
To: RISKS@CSL.SRI.COM
Subject: Computer use costs civil servants $1,270

[Canadian Press]

OTTAWA - Two federal public servants who used a government computer for their own purposes have been ordered to pay the government $1,270 for misuse of high technology.
The environment department billed Michel Grenier and Gaston Boisvert, two Montreal-based computer systems workers, for tying up a government computer for almost an hour in August 1986. Grenier, with the permission of his supervisor Boisvert, used the computer for 57 minutes to develop a personal program.

------------------------------

Date: Sun, 24 May 87 21:38:55 CDT
From: David Chase
Subject: Liability in Expert Systems
To: NEUMANN@csl.sri.com
ReSent-To: RISKS@CSL.SRI.COM

Perhaps this is an old problem; it occurred to me a couple of days ago. It seems that there is more and more litigation initiated by people who feel that they have been wronged by someone else's malice, negligence, or deep pockets (ahem). Someone out there already sued Lotus, right?

What happens when an "expert system" is involved? Who gets the blame? The programmer, who designed the system, or the expert(s) who supposedly provided the rules that direct the system? Can you imagine the stream of expert witnesses giving their debugging of the problem? Of course, if the debugger was faulty....

Another source of fault might be the non-maintenance of an expert system. For example, a new edition of the Physician's Desk Reference is published every year. The new information should be added to the expert system, or else it will get out of date (and lack information on new drugs and newly discovered side-effects and interactions). If the expert system was designed in such a way that maintenance was difficult, then the designer might share some blame, too.

Just thought I'd ask. It sounds like a great opportunity for finger-pointing.

David

    [We've been around this one several times before, although not specifically in the context of "expert systems". The juries are not in yet. Are there any new contributions in the wings?
PGN]

------------------------------

Date: Sun, 24 May 87 19:24:25 EST
From: davy@intrepid.ecn.purdue.edu (Dave Curry)
To: risks@csl.sri.com, security@red.rutgers.edu
Subject: Electronic Communications Privacy Act

When I got the MIT notice from the SECURITY list, I did a little digging in the law books (Purdue's library is a Federal Depository). I pulled out a copy of the Act (Public Law 99-508, H.R. 4952) and a copy of Title 18 of the United States Code, which it amends.

From this (after a couple of hours of "strike words a through f, insert words g through m" -- I'd hate to be a law clerk), I extracted most of the "interesting" parts of the law. These parts pertain to administrators and users of electronic communications services (if your machine has electronic mail or bboards, it fits into this category). The parts I specifically went for were what we can and cannot do, what the punishment is if we do it, and what our means of recourse are if it's done to us. I left out all the stuff about government agents being able to requisition things and stuff, and all the stuff pertaining to radio and satellite communications.

So anyway, I typed all this stuff in to give it to our staff so they'd be aware of the new legislation. Since there is probably interest in this, I am making the document available for anonymous ftp from the host intrepid.ecn.purdue.edu. Grab the file "pub/PrivacyAct.troff" if you have troff (it looks better), or "pub/PrivacyAct.output" if you need a pre-formatted copy.

Bear in mind I'm not a lawyer, and I just typed in the parts of the law I deemed to be of interest to our staff.

--Dave Curry

------------------------------

Date: Sun, 24 May 87 19:20:09 edt
From: decvax!LOCAL!minow@decwrl.DEC.COM (Martin Minow)
To: decwrl!risks@csl.sri.com
Subject: ATM security (from Usenet)

[Background: sci.crypt is intended to discuss cryptography issues.
Recently, it has been discussing automatic teller machines, the security of personal id numbers, and how cards are invalidated after successive incorrect input of the user's "secret code." This article branches out a bit, and might be of interest to Risks readers. Martin Minow ]

Path: decvax!ucbvax!ucbcad!ames!lll-tis!ptsfa!lll-lcc!well!shibumi
From: shibumi@well.UUCP (Kenton Abbott Hoover)
Newsgroups: sci.crypt
Subject: Re: ATM security (was Re: DES info wanted)
Date: 23 May 87 21:26:55 GMT
Organization: Whole Earth 'Lectronic Link, Sausalito, CA

The determination on invalidation is done at the host. If the programmer wants to invalidate the card on three attempts, well, then the programmer has to put a flag on the data record for the card. An example: Bank Of America (who I used to work 4) simply sends a report to the branch where your account is and the branch personnel decide whether to flag your card, or just call you and ask what the h**l is going on.

Trivia: The Diebold and IBM ATMs (Diebolds have CRTs with 4 unmarked buttons, IBMs say IBM on them, if not they have the cash sort of flop out of a slot and have an open/closed sign on them) are ...wait for it... 3270 devices! They actually have PF keys and the whole nine yards built-in.

Usual chain of activity in an ATM:

1) The interaction with the user, screens, etc. is done by some sort of controller, a Series/1-type (read: VERY STUPID) machine which controls a whole set of ATMs. The controller normally resides at some central location and communicates with the ATMs over leased lines.

2) When you do a transaction, the controller tries to queue up a set of transactions from its other ATMs. It will either succeed or timeout. In either case, the transactions are communicated to a 37X5 and from there to a mainframe which runs a batch job to do the transaction.
3) Most banks cannot update the account base in real-time, so the ATM processor (the mainframe doing the batch run, not the ATM itself) works from a database containing last night's data corrected with today's transactions. The transaction you actually do is simply made a memo posting and is entered into the actual accounts system as if it were a teller withdrawal/deposit with a note saying it was from an ATM.

MORE TRIVIA: The PIN is not a timing issue (in most systems). It's just that the whole transaction is usually sent to the mainframe, and that is slow going.

EVEN MORE TRIVIA: Have you ever been cheated out of money by an ATM? If you were, it was most likely an IBM. Go to your branch and report it, and they (after you fill out the usual form) will credit your account. Save the ATM receipt, as they normally ask for it. The IBM machines steal like thieves, and normally (like in socks in dryers) the money has simply vanished. Diebold ATMs miscount once in a blue moon, AND if you do a transaction that asks for more money than is in the ATM (they don't keep track in most cases), it will give you what it has and debit your account for only that much.

STILL MORE TRIVIA: Don't deposit cash unless it is to a Diebold ATM. Diebold ATMs check the deposit envelope to see if there is anything in it. IBMs don't. The deposit box is opened by two branch officers, and they (normally) won't swipe cash from a Diebold, since it would be hard to claim an empty envelope. However, an IBM machine...

(someone should really write a book on this subject)

------------------------------

From:
Date: Fri, 22 May 87 23:40:12 EDT
To: sunybcs!csl.sri.com!risks
Subject: Communications Technology Aids Criminals

I have submitted the following to comp.dcom.telecom, but thought it may also be of interest to RISKS as indicating how advances in communication technology pose a risk to society by facilitating the conduct of criminal activity.
> In a recent article dmt@ptsfa.UUCP (Dave Turner) writes:
>
> The following is from an editorial by Wayne Green in the June, 1987 issue
> of 73 Amateur Radio magazine:
>
> The recent legislation making cellular phone calls illegal to listen in on
> has provided a bonanza for both organized and disorganized crime. It's
> difficult not to laugh over the situation the cellular industry has gotten
> itself into in its blind pursuit of the fast buck.
>
> What's happened is a mass move into cellular by criminals. They buy a
> cellular system, have an unscrupulous dealer alter the electronic serial
> number (ESN) on the built-in programmable IC, which makes calls both
> untraceable and free--a great combo. They tool around town, making calls
> to Pakistan, Colombia, and their Caribbean drug warehouses at will.

I have a few comments to make on this and some related topics which may be of interest to Net readers. My comments are based upon personal knowledge and experience as one who has provided some forensic science consulting services to certain law enforcement agencies for a number of years.

It's sort of interesting to note that it was even easier to implement spoofing fraud in dial IMTS mobile telephone installations, but such fraud has been virtually unheard of. The reasons for this are: much fewer IMTS channels and much fewer IMTS customers than cellular make such fraud extremely conspicuous; most IMTS installations are combined with MTS installations and have a high probability of telephone company (or RCC) operator monitoring. My personal opinion is that cellular fraud has been encouraged due to "safety in numbers". :-)

> Cellular has turned out to be great for coordinating every kind of criminal
> activity. It's just what criminals have been needing for years-- a
> dependable, free, untraceable, and safe communications system. With a
> combination of pagers and cellular phones, crooks are making a shambles
> of the cellular system--all protected by Congress.
>
> If you wanted to deal in drugs, how better to get orders from your
> customers than by giving them your cellular phone number? There's no way
> to tap a telephone that can be anywhere in a big city, operating through
> different cells as it moves around. And with an altered ESN it's all free!

Progress in telecommunications has unquestionably been of benefit to criminal activity. Probably the single greatest benefit has been the introduction of call forwarding. This service has been of such great benefit to the conduct of unlawful gambling, narcotics and prostitution operations that for many years I have jokingly referred to it as: "1A Criminal Facilitation Service"; AT&T and BOC people may appreciate the satire in this remark.

As an example, an unlawful gambling operation could change location every day or so, with the telephone number for bettors being the same. This situation also neatly defeats any court-authorized eavesdropping warrant since there would never be conversations on the telephone pair that was the subject of such a wiretap; a forwarded call never takes place on the physical line whose number was dialed.

In earlier No. 1 and No. 1A ESS installations there was no rapid method to determine to what number a given line had its calls forwarded; such determination could only be made by an experienced switchman using the ESS maintenance tty. This rather frustrated law enforcement agencies in their investigation of unlawful gambling and narcotics activity. Furthermore, I know of some instances where telephone company personnel flatly denied to law enforcement investigators that they could determine the forwarded telephone number; this was, of course, a false statement, but was made in a misguided effort to keep the telephone company "uninvolved".
As an interesting aside, prior to the advent of ESS and call forwarding, some larger unlawful gambling operations used an electronic device called a "cheese box" that effected a rudimentary kind of call forwarding in a manner similar to a loop-around test line. Two telephone lines would be ordered for say, an unoccupied office or apartment, and each line would connect to the "cheese box". The actual location of the gambling operation would call the first line, and remain on the line and wait for calls; the "customers" would call the second line, with the result that it would auto-answer and be connected to the first line.

Telephone company loop-around test lines were used for the conduct of unlawful narcotics dealing during the 1970's, but this practice has generally disappeared as telephone companies: (1) installed 60A control units or equivalent devices that dropped loop-around connections upon the detection of speech energy (legitimate use of loop-around test lines is for single frequency transmission measurements only); and (2) went ESS and therefore had "call trace" capability that would automatically determine the origin of calls to loop-around and other test lines.

After call forwarding, the next most useful communications adjunct to criminal activity is the voice radio pager. It is an unfortunate fact of life that no self-respecting prostitute or "street dealer" of narcotics would be caught without their voice pager. Voice pagers represent an ideal, inexpensive method of arranging clandestine meetings. A typical voice pager scenario: customer calls narcotics dealer's pager from a coin telephone, giving coin telephone number; narcotics dealer finds coin telephone to call coin telephone where customer is waiting to arrange for a meeting. What could be simpler and more untraceable?
In my travels, I have known of only two instances where criminals used any speech privacy devices (speech scramblers) to defeat eavesdropping (lawful or otherwise); however, I suspect that a new generation of low-cost digital speech privacy devices will result in more of these devices being used by criminals. The units that I have seen used were all based upon analog "speech inversion" techniques; these devices are easy to defeat, whereas the digital devices are virtually impossible to compromise by other than NSA.

One of the most novel (at the time) applications of communications technology by criminals that I have personally seen was the use of telecopiers by a large unlawful gambling operation about 11 years ago. While the law enforcement agencies involved had obtained eavesdropping warrants to install wiretaps on some of the telephone lines involved, they were totally baffled by the strange sounds heard during some intercepted calls. I was called in to solve the mystery, and some listening told me that this was an FSK facsimile machine running in 6-minute mode. So we borrowed a telecopier to decode the tapes; this was not as easy as first anticipated. I finally had to modify the telecopier to start in receive mode without receiving a ringing signal (which was not possible from an after-the-fact tape recording). We got some pretty damning evidence, much to the consternation of the criminals (who suspected a wiretap, but felt that the facsimile machine was "secure").

While telecopiers are rather common today, such was not the case 11 years ago. I suspect that as telecopiers decrease in price, they too will be more commonly used by criminals. While Group I and Group II facsimile machines are fairly easy to monitor, the more common Group III (sub-minute) machines are much more complex since they are digital and require faking a handshake protocol by any receiving machine used as a monitor.
> If it weren't against the law to listen to cellular channels, I'd suggest we
> hams help the law by listening for suspicious cellular calls and recording
> them. Say, how'd you like to get the goods on some serious crooks and find
> (a) the evidence is inadmissible because it was illegally attained and (b)
> yourself on trial for making the recordings. So join me in a big laugh, okay?

I know of law enforcement agencies that have in the past used scanners to listen to paging service channels and IMTS mobile telephone channels, and have obtained useful intelligence information. None of the information so derived was used in court per se, but it may have contributed to the "probable cause" for looking in a certain _public_ place at a certain time. When any investigator was pressed in court for the "basis of probable cause", the information was attributed to an "anonymous informant" - a VERY common source of law enforcement information. Under the circumstances, I see nothing wrong with this - but I am certain that a number of people will disagree with me.

For example, an experienced investigator can readily detect a drug deal going on via certain types of pager messages. Now, if a police cruiser just happened to be going by the aforesaid location, and decided it was time for a routine traffic check... :-)

[Flames about prosecuting people for alleged "victimless" crimes such as gambling, narcotics and prostitution should be directed to /dev/null]

<> Larry Lippman @ Recognition Research Corp., Clarence, New York
<> UUCP: {allegra|ames|boulder|decvax|rocksanne|watmath}!sunybcs!kitty!larry
<> VOICE: 716/688-1231 {hplabs|ihnp4|mtune|seismo|utzoo}!/

------------------------------

End of RISKS-FORUM Digest
************************
-------