RISKS-LIST: RISKS-FORUM Digest  Thursday 9 February 1989   Volume 8 : Issue 23

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Self-Taught Space Craft (Brian Randell)
  Still a few bugs in the system, as they say (Mark Brader)
  Multi-gigabuck information "theft" (Mark Brader)
  Risks of letting key people leave employment? (David A. Curry)
  Phone Risks (Greeny)
  Virus Technical Review (David J. Ferbrache)
  Re: WORM storage and archival records (Curtis Abbott)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com.  FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: Thu, 9 Feb 89 13:01:01 WET DST
From: Brian Randell
Return-Path:
Subject: Self-Taught Space Craft

SCIENTISTS TO BUILD SELF-TAUGHT SPACE CRAFT
By Mary Fagan, Technology Correspondent
The Independent, 9 February 1989 (in its entirety)

Work by British scientists will enable future space craft to control themselves in flight without pilots, learning by trial and error in the way humans learn to walk or ride bicycles.

Technology being developed at the Turing Institute in Glasgow will allow satellites, space planes and space stations to learn to cope with the unexpected, including equipment failure and atmospheric changes.

Hotol, the British space plane which is involved in a long-running funding row, is to be at the heart of a one-year project to apply a form of artificial intelligence known as machine learning to flight control systems.

This will allow Hotol to learn from its own experience, improving and adjusting flight performance as flight conditions change or things go wrong.

Although modern control theory for spacecraft is fine as long as nothing unpredicted happens, it cannot always cope with turbulence, if sensors fail or parts of the craft fall off.

Professor Donald Michie, of the Turing Institute, said: "The best analogy is a human riding a bike - if the handlebars fall off or something goes wrong, they can adjust their actions to regain balance. Balance is also very important for spacecraft and for satellites in orbit."

The work on Hotol, which will take off and land from airport runways, concentrates on machine learning for its initial ascent into space.

The concept, Professor Michie says, can also be applied to satellites subjected to unforeseeable fluctuations in solar winds and changes in air density. On large craft the huge solar panels could also be a source of instability.

The project is being launched by British Aerospace, which in spite of the Government's lack of support, has kept a large team on the Hotol project.

The contract is the first signed under the Hotol Enabling Technology Club programme, which involves a group of companies which feel that software developed for Hotol could be valuable in other industrial areas.

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne
JANET = B.Randell@uk.ac.newcastle  ARPA = B.Randell@newcastle.ac.uk
PHONE = +44 91 222 7923

------------------------------

From: Mark Brader
Subject: Still a few bugs in the system, as they say
Date: Wed, 8 Feb 89 18:00:06 EST

(Information from a Canadian Press wire service article carried in the Toronto Star, February 7.  Wording is mine except for quotes.)

The Owner-Drivers Radio Taxi Service Ltd. of London, known as Dial-a-Cab, contracted to Mobile Data International Inc., of Richmond, B.C., Canada, for a computerized dispatching system at a cost of $5.4 million (Canadian).  Dial-a-Cab milked this for publicity and netted embarrassment.

You guessed it.  As Alf, one of their drivers, put it: "We'd made such a business saying we'd be the first in Europe to use this computerized system and it broke down within four hours."  And it's still sitting idle.

Company chairman Ken Burns said: "It's not working ... A microchip has to be changed."  Another driver, Ben, said: "There was an overload. ... They hadn't foreseen the amount of traffic on it."  (That'd be 6,000 calls per day.)  "We're blowing our tops about it. ... Everything was going to be action, action, action.  But [it's] sitting in the cabs doing nothing."

Mobile Data's European sales director, Eric Dysthe, admitted the problems, but noted that Dial-a-Cab was "pushing for an early startup" before their annual general meeting.  "That ... did not allow us to do the testing we should normally do."  Burns says Mobile Data says the problem is fixed but requires two more months for testing.

The system has been installed in 1,450 cabs and the company, despite the problems, has ordered an additional 320 units.

Similar systems are widely used in Canada; the one in Toronto, which is reported to work well, is from a different supplier.

Mark Brader               "Where is down special?" ... "Good."
Toronto                   "Do you refuse to answer my question?"  "Don't know."
utzoo!sq!msb, msb@sq.com

------------------------------

Date: Wed, 8 Feb 89 17:41:08 EST
From: Mark Brader
Subject: multi-gigabuck information "theft"

(Information from an article by Bob Mitchell in the Toronto Star, February 8.  Wording is mine except for the quoted matter, which is from Constable Craig Lewers.)

A man has been arrested and charged with unauthorized use of computer information, following a 2-month police investigation.

The suspect was an associate of a "very big" Toronto company: "a company that people would know ... with offices across Canada".  Police are keeping the company's name secret at its request.  They say the perpetrator acted alone.

A password belonging to the company was used to steal information which the company values at $4 billion (Canadian): computer files belonging to an American company, believed [sic] to contain records from numerous companies, and used by large Canadian companies and the U.S. government.

"We don't know what this individual was planning to do with the information, but the potential is unbelievable. ... I'm not saying the individual intended to do this, but the program [sic] contained the kind of information that could be sold to other companies", said Lewers.

Mark Brader                     "Every new technology carries with it
SoftQuad Inc., Toronto           an opportunity to invent a new crime"
utzoo!sq!msb, msb@sq.com                        -- Laurence A. Urgenson

------------------------------

Date: Thu, 09 Feb 89 11:03:10 -0800
From: davy@riacs.edu
Subject: Risks of letting key people leave employment?

San Jose Mercury News, 2/8/89

TV editor charged in raid on rival's files

TAMPA, Fla. (AP) - A TV news editor hired away from his station by a competitor has been charged with unlawfully entering the computer system of his former employer to get confidential information about news stories.

Using knowledge of the system to bypass a security shield he helped create, Michael L. Shapiro examined and destroyed files relating to news stories at Tampa's WTVT, according to the charges filed Tuesday.

Telephone records seized during Shapiro's arrest in Clearwater showed he made several calls last month to the computer line at WTVT, where he worked as assignment editor until joining competitor WTSP as an assistant news editor in October.

Shapiro, 33, was charged with 14 counts of computer-related crimes grouped into three second-degree felony categories: offenses against intellectual property, offenses against computer equipment and offenses against computer users.

He was released from jail on his own recognizance.  If convicted, he could be sentenced to up to 15 years in prison and fined $10,000 for each second-degree felony count.

Bob Franklin, WTVT's interim news director, said the station's management discovered several computer files were missing last month, and Shapiro was called to provide help.  Franklin said the former employee claimed not to know the cause of the problem.

At a news conference, Franklin said: "Subsequent investigation has revealed that, at least since early January, WTVT's newsroom computer system has been the subject of repeated actual and attempted `break-ins.'  The computers contain highly confidential information concerning the station's current and future news stories."

The news director said Shapiro was one of two people who had responsibility for daily operation and maintenance of the computer system after it was installed about eight months ago.  The other still works at WTVT.

Terry Cole, news director at WTSP, said Shapiro has been placed on leave of absence from his job.  Shapiro did not respond to messages asking for comment.

Franklin said Shapiro, employed by WTVT from February 1986 to September, 1988, left to advance his career.

"He was very good at what he did," Franklin said.  "He left on good terms."

------------------------------

Date: Thu 09 Feb 1989 15:23 CDT
From: GREENY
Subject: Phone Risks

...Just when you thought the phones were safe, here is something to make you even more paranoid...

The other day I was on the phone with a colleague of mine discussing some things when he realized that he had to make a quick call to someone else.
He placed me on "Consultation Hold" [where you can put the person you're talking to on hold, while calling another, and then go back to the first -- sorta like Call Waiting..].  Before he put me on hold, he said "If you're on hold too long then just hang up..."

Ten minutes later (I lost track of time typing something...), I was still on hold, when I was suddenly brought back to reality by a beeping in the phone.  I figured that it was simply the phone system trying to signal him that I was still on hold and ignored it.  After five minutes of this beeping, I gave up and hung up the phone.  Then I left my office for a while.

About an hour later, my girlfriend came to my office and said "Gee you've been on the phone for a long time...".  I hadn't so I decided to check and see if I might have left the phone off the hook, or if my modem had been automatically turned on by someone calling it up.  Both turned out to be false, however, when I picked up the phone I was presented with BOTH SIDES OF A CONVERSATION THAT SOMEONE ELSE WAS HAVING.  Clear as a bell, as if we were in a three-way call.  So I tried to say something, but they couldn't hear me.  Weird I thought, must be a fluke, and hung up.  Then I picked up the phone about 5 minutes later and they were still talking.

30 minutes later, this guy was talking to his girlfriend.  Enough was enough I decided, so I got on another extension and called the campus operator.  She couldn't do anything of course, and recommended I call the Campus Features People.  They also couldn't do anything, but said that they would leave a note for the network people in the morning.  Just wonderful, I thought.  And went home.

The next day, the phone was working, so I called the Telecommunications office on campus, and inquired as to what happened.  The lady there said that she'd check it out and get back to me.  About 10 minutes later she did and informed me that it was "a software problem in the switch" and to "call back immediately if it happens again".

Oh great, I'm thinking.  How can I ever be sure that my conversations are at least semi-private, and not screwed up all the time.

This campus just recently had a multi-million dollar phone system installed (at least the first phase of it -- Audio), and I thought that it was relatively bug free.  But recently strange things have been happening -- such as my phone playing "operator", and an ENTIRE dorm being cut off from phone service for about 6 hours.

...Yet another software bug....*ho hum*

Does anyone out there know of a good, inexpensive, voice scrambler?

Greeny

------------------------------

Date: 9 Feb 89 10:53:21 GMT
From: "David.J.Ferbrache"
Subject: Virus Technical Review

This request has appeared on the bitnet virus-l mailing list, and has been crossposted to the appropriate comp.sys groups and to comp.risks.  I apologise for any readers who receive duplicate copies.

-------------------------------------------------------------
A review of the threat posed to the security and integrity of
microcomputer systems posed by self-replicating code segments
-------------------------------------------------------------

I am in the process of compiling information on existing computer viruses, with a view to the production of a technical paper reviewing the threat to system security posed by both present computer viruses and likely future developments.

To this end I would be very grateful for information on individual infections, preferably detailing the symptoms observed, damage caused and disinfection techniques applied.  Naturally I am also interested in details of the operation of the viruses, although I appreciate the reticence shown by infected parties to disseminate any details of virus operation, on the basis that it could lead to development of further viruses.

The technical report is part of a Doctoral research thesis in computer security, and will be available in late May.
Distribution of the technical report will be restricted to people who have a legitimate interest (ie systems managers, commercial concerns, research), as I expect to review the techniques exploited by viruses in a fair degree of detail at the BIOS/DOS interface level.

The report will consider the techniques used by viruses to duplicate, the ways in which viruses gain control of the computer system, the camouflage techniques adopted and a brief overview of the existing computer viruses.  Finally the report will consider the likely development of the threat from viruses, and how this developing threat can be addressed by protective software in both virtual and non-virtual machine operating environments.

At the moment I know of the following viruses:

IBM PC MS/DOS
  1. Lehigh variant 1 and 2
  2. New Zealand (stoned)
  3. Vienna (Austrian, 648)
  4. Blackjack (1701, 1704)
  5. Italian (Ping Pong)
  6. Israeli variant 1 (Friday 13th, 1813, PLO, Jerusalem), variant 2, variant 3 (April 1st), variant 4
  7. Brain (Pakistani) and variants
  8. Yale
  Also potentially variant of the Rush Hour and VirDem viruses developed during the CCC's work on viruses.

APPLE MAC
  1. NVir variant A and B, Hpat
  2. Scores
  3. INIT 29
  4. ANTI
  5. Peace (MacMag)

APPLE II
  1. Elk

AMIGA
  1. SCA
  2. Byte Bandit
  3. IRQ

ATARI ST
  1. Boot sector
  2. Virus construction set viruses

Mainframe OS worms
  1. Internet worm
  2. DECNET worm
  3. BITNET Xmas chain letter

I would be grateful for any information on these, or any other viruses.  Reports of infection may be given in confidence, in which case they will only be used as an indication of geographical distribution of infection.

A summary of known viruses, their symptoms, geographic distribution and known disinfection measures will be posted to the list as soon as sufficient information is available to prepare an interim report.

As part of the paper I will also be reviewing the effectiveness of viral disinfection software, and would thus be interested in details of any software you use, its effectiveness, and availability.

Thanks for your time!

For those interested here is a summary of a few of the virus reports published on virus-l and usenet,

Subject, author and date                       Virus      Virus-l issue

THE AMIGA VIRUS - Bill Koester (CATS)          SCA        LOG8805
comp.sys.amiga, 13 November 1987

New Year's Virus Report - George Robbins       IRQ
1 January 1989, comp.sys.amiga

The Elk Cloner V2.0 - Phil Goetz               ELK
26 Apr 1988

THE ATARI ST VIRUS - Chris Allen               ATARI ST
22 March 1988, comp.sys.atari

Features of Blackjack Virus, Otto Stolz        BLACKJACK  v2.24
24 Jan 1989

Comments on the "(c) Brain" Virus              BRAIN      LOG8805
Joseph Sieczkowski, Apr 1988

Brain and the boot sequence, Dimitri Vulis     BRAIN      v2.5
5 Jan 1989

The Israeli viruses, Y.Radai                   ISRAELI    LOG8805
2 May 1988

VIRUS WARNING: Lehigh virus version II         LEHIGH v2  v2.35
Ken van Wyk, 3 Feb 1989

The Ping-Pong virus, Y.Radai                   ITALIAN    v2.18
17 Jan 1989

Known PC Viruses in the UK and their effects   MOST PC    v2.23
Alan Solomon, 1989

Yale Virus Info, Chris Bracy,                  YALE       LOG8809a
2 Sep 1988

New Macintosh Virus, Robert Hammen             ANTI
comp.sys.mac, 7 Feb 1989

Hpat virus-it is a slightly modified nVIR      HPAT
Alexis Rosen, comp.sys.mac, 7 Jan 1989

INIT 29: a brief description,                  INIT 29    v2.18
Joel Levin, 18 Jan 1989

A detailed description of the INIT 29 virus    INIT 29    v2.30
Thomas Bond, 27 Jan 1989

The Scores Virus, John Norstad                 SCORES     LOG8804
info-mac digest, 23 Apr 1988

Macintosh infection at Seale-Hayne College     TSUNAMI    LOG8808d
Adrian Vranch, 8 July 1988

DEFENCE DATA NETWORK MANAGEMENT BULLETIN,      DECNET     (see also v1.59a)
50, 23 Dec 1988,

The internet worm program, an analysis         INTERNET
Gene Spafford, Nov 1988

I apologise for any researchers whose articles I have not cited, in what is currently an incomplete list of references.

Hopefully, this article will be of some use in providing a general list of viruses which have affected computer systems in the past.

Thanks for your time, and I look forward to any information you can supply me with.

Dave Ferbrache                  Personal mail to:
Dept of computer science        Internet
Heriot-Watt University          Janet
79 Grassmarket                  UUCP     ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ           Tel      (UK) 31-225-6465 ext 553

------------------------------

Date: Wed, 18 Jan 89 15:43:23 PST
From: abbott.pa@Xerox.COM
Subject: Re: WORM storage and archival records

I think RAMontante's remarks deserve a response.  Steve Phillipson's proposal of WORM devices for archival storage surely had to do with preventing electronic tampering.  Physical tampering is quite another matter.  Floppy disks and other electronic storage media are physical objects, and therefore subject to the same controls on authenticity and tampering as more traditional physical objects.  Thus, a publisher of "authentic" Shakespeare could physically mark his disks in such a way that I can tell if the disk I get from RAMontante is authentic.

Then what remains are problems like overwriting 0's with 1's (mentioned by PGN, I believe).  There are lots of ways around this if you even believe it's a problem.  (You might choose not to since only changing 0's to 1's already greatly limits the edits you can make.)  For example, a single parity bit gives you a lot of protection (or rather, detection).  Slightly more elaborate, and hardly more costly, schemes can give you full protection.

A perhaps relevant observation about the difference between paper and electronic media is that in the former, a certain degree of authenticity and tamperproofness is intrinsically bound up with the medium.  It doesn't cost more, and you don't have to think about it.  Those things aren't generally true of the newer media, so if we don't think about it, and pay for it, we sometimes get unpleasant surprises.

- Curtis Abbott

------------------------------

End of RISKS-FORUM Digest 8.23
************************
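
Added example, not part of Curtis Abbott's message or of the digest: it compares the single parity bit he mentions with one possible "slightly more elaborate" scheme on a medium where tampering can only turn 0 bits into 1 bits. The choice of a Berger code (store the count of 0 bits next to the data) is an assumption made here, as are all function names and the sample record; the check value is modelled as living on the same write-once medium, so it is tampered with under the same rule.

```python
def popcount(x: int) -> int:
    return bin(x).count("1")

def parity(data: int) -> int:
    """Even-parity bit over the data bits."""
    return popcount(data) & 1

def berger_symbol(data: int, nbits: int) -> int:
    """Berger check symbol: the number of 0 bits in the data word."""
    return nbits - popcount(data)

def set_only_tamperings(value: int, nbits: int):
    """Yield every value reachable by changing some (possibly no) 0 bits to 1."""
    zeros = [i for i in range(nbits) if not (value >> i) & 1]
    for choice in range(1 << len(zeros)):
        v = value
        for j, pos in enumerate(zeros):
            if (choice >> j) & 1:
                v |= 1 << pos
        yield v

def undetected(data, nbits, check, check_bits, verify) -> int:
    """Count 0->1 tamperings of (data, check) that still verify."""
    missed = 0
    for d in set_only_tamperings(data, nbits):
        for c in set_only_tamperings(check, check_bits):
            if (d, c) != (data, check) and verify(d, c):
                missed += 1
    return missed

DATA_BITS = 16
RECORD = int.from_bytes(b"Hi", "big")   # constructed sample record
CHECK_BITS = DATA_BITS.bit_length()     # 5 bits hold any zero count 0..16

def parity_misses() -> int:
    # One stored parity bit: any tampering that keeps parity consistent slips by.
    return undetected(RECORD, DATA_BITS, parity(RECORD), 1,
                      lambda d, c: parity(d) == c)

def berger_misses() -> int:
    # Setting data bits lowers the true zero count, while setting check bits
    # can only raise the stored count, so the two can never meet again.
    return undetected(RECORD, DATA_BITS,
                      berger_symbol(RECORD, DATA_BITS), CHECK_BITS,
                      lambda d, c: berger_symbol(d, DATA_BITS) == c)

if __name__ == "__main__":
    print("0->1 tamperings missed by one parity bit:", parity_misses())
    print("0->1 tamperings missed by Berger code:  ", berger_misses())
```

The enumeration is exhaustive for this 16-bit record, so the counts are exact for it; the Berger result holds for any record because of the monotonicity argument in the comment.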