RISKS-LIST: RISKS-FORUM Digest  Sunday 19 February 1989  Volume 8 : Issue 28

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Continuing problems with WWMCCS command-and-control network (Jon Jacky)
  US missile-warning radar endangers friendly aircraft (Jon Jacky)
  Power failure problems (John Sinteur)
  The Risks of Going on Vacation (Jim Carson)
  Re: Faking Internet mail (Peter Scott)
  Multi-gigabuck value of information theft denied (Mark Brader)
  Re: multi-gigabuck information "theft" (David Chase)
  Re: Authenticity in digital media (Doug Krause)
  Digital doctoring of images (Richard Wiggins)
  PIN? Who needs a PIN? (Bill Mahoney)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: 17 Feb 1989 09:25:29 EST
From: jon@june.cs.washington.edu (Jon Jacky)
Subject: Continuing problems with WWMCCS command-and-control network

The following excerpts are from GOVERNMENT COMPUTER NEWS Feb. 6, 1989 p.1:

AF MAY LOSE WIS PROJECT - DCA LIKELY TO TAKE OVER GLOBAL SYSTEM
by Brad Bass

Officials in the Office of the Secretary of Defense (OSD) planned to meet late last week to consider transferring responsibility for procuring an upgraded Worldwide Military Command and Control System (WWMCCS) from the Air Force to the Defense Communications Agency. ...
Glenwood Stevener, director of DCA's Joint Data System Support Center, said the Air Force's WWMCCS Information System (WIS) program was a victim of a vicious circle of schedule slippage and budget cuts. ``These things feed on each other,'' he said.

WWMCCS began in the late 1970's as an effort to provide the president, the Defense secretary, the Joint Chiefs of Staff and other military authorities with information to help them make wartime decisions. When a study later that decade showed the system was too slow and limited, officials launched the WIS upgrade project.

The Air Force has suffered several setbacks since being selected in 1982 to manage WIS. In July 1987, the WIS program office announced the system would be delayed about a year due to funding cuts and system development problems. A year ago the General Accounting Office reported that program officials had not adequately defined system requirements and security measures. Subsequent funding problems delayed the project by another 12 months to 15 months.

Air Force officials who requested anonymity said OSD officials recently set up a task force to propose alternative methods to upgrade WWMCCS in light of WIS program difficulties. ...

DCA would take more of an ``evolutionary'' approach to the upgrade than the Air Force did, Stevener said. He said the Air Force has been attempting to field a turnkey system to fulfill a broad range of WWMCCS requirements. The DCA plan would focus on fielding a partial system at first and incrementally adding capabilities to it, he said. In addition, Stevener said DCA would probably change the name of the program to differentiate it from WIS.

- Jonathan Jacky, University of Washington

------------------------------

Date: Fri, 17 Feb 89 10:07:17 PST
From: jon@june.cs.washington.edu (Jon Jacky)
Subject: US missile-warning radar endangers friendly aircraft

These are excerpts from THE NEW YORK TIMES, Feb 12, 1989, p.
14:

A DEFENSE RADAR MUST TURN OFF AS PLANES LAND - AIR FORCE FEARS SYSTEM COULD TRIGGER A BLAST
(no author given)

WASHINGTON, Feb. 11 (AP) - For 14 months operators of a huge radar installation in central Georgia that is part of the United States' defense warning system have had to turn off the system while military aircraft landed at a nearby base.

The interruptions are to avoid accidental detonations of tiny explosive charges found in virtually every military weapons system and in the planes and ships that deliver them. The charges are used, among other things, to trigger weapons, drop bombs or jettison fuel tanks. They are normally fired by an electrical circuit, but they can also be set off by high levels of electromagnetic energy from such sources as radio waves, static electricity, lightning or radar.

As a result, the powerful radar center has to be turned off periodically so planes can land safely at Robins Air Force Base, two miles to the north. That precaution is not enough, local critics contend. They fear a major accident at the air base and have sued to force safety improvements.

INTENDED TO SPOT MISSILES

The $90 million radar complex, one of four of its type in the United States, would provide instant warning of a submarine-launched missile off the southeast coast [ The story does not say so, but I believe this must be one of the PAVE PAWS phased-array radar installations - JJ ].

The Air Force says the unit's time out of service caused by landing planes totals about an hour a month. The interruptions have not hindered the early warning system, the Air Force says, because they are random and other radars are available as backups. Routine maintenance of the system turns the radar off for about 40 hours a month, an official said.

The 10-story, pyramid shaped installation consists of thousands of antennas that can scan 240 degrees for 3,000 miles and can reportedly identify an object the size of a basketball 1,500 miles away.
CRITICS FEAR A DISASTER

(Robins Air Force Base) is Georgia's largest and is near the city of Warner-Robins, which has a population of 40,000. ...

Critics have filed a lawsuit in Federal Court in Washington. Patricia Axelrod, coordinator of one of the groups that has joined in the suit ... argues that flight restrictions force pilots into ``a trapeze act without a net'' because of the possibility of an error in the communication required to turn off the radar.

Senator Sam Nunn, the Georgia Democrat who is chairman of the Senate Armed Services Committee, has also criticized the restrictions because of their reliance ``on the potentially fallible human links'' required to turn the system off.

OPTIONS BEING CONSIDERED

The Air Force has already spent $600,000 for a study by the Raytheon Corporation, which built the radar system. The study recommended moving it, at a cost of $37.7 million, or modifying it, at a cost of $27 million, so it would turn off automatically if a plane breached the restricted zone.

Lieut. Gen. Donald J. Kutyna, who heads the Air Force Space Command that has jurisdiction over the unit, said moving it is not reasonable but modification remains under consideration. A decision is to be made in June.

[I find several things interesting about this story, apart from the overall irony of the situation. First, it is another illustration of the tendency noted by Paul Bracken and others for modern military C3I systems to become ever-more tightly-coupled and interdependent in ways unforeseen by their designers. Second, Nunn and others' assumption that some kind of automated system would necessarily be more reliable than the present arrangement. - Jon Jacky, University of Washington ]

------------------------------

Date: Sun, 19 Feb 89 13:38 N
From:
Subject: Power failure problems

I ran into something curious when I visited my previous employer yesterday. They moved to a brand new building recently, and took the opportunity to increase access-security.
They installed magnetic card readers on all doors (including the computer-room doors), keeping physical access to the office space and the computer room under control in a better way. They thought.

A few days after the move, the power went down. The UPS cut in, and kept the computer systems on juice. The operators have got 15 minutes to manually turn off the computer systems (after software shutdown procedures of course) before the batteries are out as well. Unfortunately, the card readers were out, making it very difficult indeed to enter the computer room...

No need to say that they modified the system a bit...

It's small things like this that are difficult to anticipate, but are sooooo important...

-John Sinteur

Whatever I say is not to be taken as a statement of the Dutch Army (my current employer) or my previous employer who shall remain nameless here.

------------------------------

Date: Sun, 19 Feb 89 12:06:31 CST
From: Jim Carson
Subject: The Risks of Going on Vacation

I was going to be out of town and wanted to use "vacation." For those who aren't familiar with it, vacation is a program from 4.[23]BSD that sends a form letter back to anyone who sends you mail. This is useful because you can let people know when you will return and give them other ways to contact you in an emergency.

Vacation has provisions so you don't send mail to MAILER-DAEMON, Postmaster, or a *-Request@*, since these senders are usually automated and you could risk getting into a mail-loop if you sent form-letters back.

Now consider what would happen if you subscribed to an automated discussion group that sends mail without any of these lines in the header. This was the case with Sun-Spots, the Sun discussion group moderated by Bill LeFebvre at Rice.
The header:

> From SUNSPOTS@icsa.rice.edu Sun Feb 19 09:42:43 1989
> Reply-To: SUN-SPOTS%RICE.EDU@icsa.rice.edu
> Sender: Sun Spots Discussion

The discussion group was set up so when Bill is done compiling an issue, he sends it to a mail alias containing a list of everyone who subscribes to Sun-Spots.

When I got a copy of the issue, vacation sent a reply. However, since the reply goes to everyone who subscribes to the group, including myself, a reply to the reply was sent, and so on.

About forty messages were sent before I logged in this morning to check for any last minute mail. One of the other subscribers sent me mail because he thought we had a mail virus. [...]

------------------------------

Date: Fri, 17 Feb 89 10:07:19 PDT
From: Peter Scott
Subject: Re: Faking Internet mail [Re: RISKS-8.27]

It is incredibly easy to fake mail. Read RFC 821, which although it is 50 pages long, details on page 4 everything you need to know. The server on the first remote machine (that which comes after "@") expects to see commands of the form:

    HELO (optional)
    MAIL From:
    RCPT To:
    DATA
    .
    QUIT (optional)

There are other possible commands, but those are enough. You can enter these manually by TELNETting to the SMTP port on the remote machine (TELNET machine 25). Of course, you can enter whatever you want after "From:". I have sent messages to friends purportedly from Grim.Reaper@Hells.Gate, but much more latitude is possible. The just released "With A Microscope and Tweezers" report on the Internet worm (they called it a virus) includes an account of how a message detailing several aspects of the operation of the worm was posted "anonymously" to a newsgroup.

I don't see how you could authenticate the sender, except with a public-key encryption system. Fat chance of implementing that everywhere on the Internet this century. Occasionally I see messages which contain a header of the form "Warning: From: field does not match Sender".
How does that come about and who constructs the Sender: field?

>How about the
>other way around: how much danger is there that someone can spoof mail in
>order to receive messages destined for someone else?

The only way I know of doing this is if your machine is on the path for the mail in the first place, in which case you can look at everything that passes through anyway.

I use VMS and we don't have NEWS (yet), so maybe someone can tell me whether the same thing is possible for USENET news articles? [...]

Peter Scott (pjs@grouch.jpl.nasa.gov - really)

------------------------------

Date: Fri, 17 Feb 89 12:07:19 EST
From: Mark Brader
Subject: Multi-gigabuck value of information theft denied

A few days ago I summarized for RISKS an article that had appeared in the Toronto Star on February 8 about a case of "theft" of information. [...]

Two days later, however, significantly different facts were reported. (This submission to Risks was delayed because I intended to email to Mike Tilson to ask if he wanted to write something himself.) Information here is from the (Toronto) Globe & Mail.

The article is headlined "Computer information theft detected by security system, company says". And it begins as follows:

#    The theft of information from a company's computer program [sic]
#    was detected by the firm's own computer security system.
#
#    Mike Tillson [sic], president of HCR Corp., which specializes in
#    developing computer software, said yesterday an unusual pattern
#    of computer access was noticed on the company's system last week.

The article continues by saying that police reports valuing the "program" at $4 billion (Canadian) were called grossly exaggerated by Tilson: "It's more in the tens of thousands of dollars range". He also said that the illegal access had been only a week before; there was no 2-month investigation.

And asked about resale of the information, he said: "It's not clear how one would profit from it.
There are any number of purposes one could imagine to idle curiosity. There is a possibility of no criminal intent."

The information not being HCR customer data, and Tilson declining to identify it, the article goes on to mention UNIX, to mumble about AT&T intellectual property, and to note that AT&T is not in the investigation "at this stage".

Mark Brader                 "Every new technology carries with it
SoftQuad Inc., Toronto       an opportunity to invent a new crime"
utzoo!sq!msb, msb@sq.com                     -- Laurence A. Urgenson

------------------------------

Date: Thu, 16 Feb 89 12:11:44 -0800
From: chase@orc.olivetti.com (David Chase)
Subject: Re: multi-gigabuck information "theft"

In RISKS 8.26, Jeff Makey says:

> The "computer files" are nothing more than the source
> code for AT&T's UNIX operating system ... few thousand dollars --
> a far cry from $4 billion. I suspect that AT&T's lawyers are at
> the root of this sensationalism.

I think in this case the lawyers are doing their job, and it might not be sensationalism. I believe (word of mouth from UNIX-related legal mess that some friends were in long ago) that the UNIX operating system is protected by trade secret law, and (according to my copy of _Legal Care for Your Software_) a corollary of this is that you must diligently maintain the "secret" (licensed, confidential) status of that software, or all your legal protection is gone. If the lawyers don't behave like rabid piranhas, then perhaps they aren't being diligent, and if they aren't diligent and lose trade secret protection, then the loss to AT&T could well total billions.

And, of course, since we're talking about product protection, "UNIX" is a trademark of AT&T.

David Chase

------------------------------

Date: 17 Feb 89 11:39:37 GMT
From: Doug Krause
Subject: Re: Authenticity in digital media [RISKS-8.26]

"ALBTSB::SCHILLING1" writes:
>
>Seeing hasn't been believing for a long time. Remember Fred Astaire dancing on
>the ceiling in the movie "Singing in the Rain"?
Gene Kelly was in "Singing in the Rain". Fred Astaire's ceiling dance was in "Royal Wedding".

Douglas Krause, University of California, Irvine

[Also noted by cmb@robots.oxford.ac.uk (Chris Brown).]

------------------------------

Date: Thu, 16 Feb 89 09:33:00 EST
From: Richard_Wiggins@um.cc.umich.edu
Subject: Digital doctoring of images (re Steve Philipson, RISKS-8.25)

Steve Philipson points out the risks of new technologies to digitally alter video images and audio recordings. An article in The Whole Earth Review about three years ago discussed the digital doctoring of photographic (still) images; that technology is quite mature already.

The article pointed out that the major news publishers such as Time own digital processing devices that put the best airbrush artist to shame. It is quite easy to merge unrelated images, superimposing a person in a scene he never visited, and to cover all the seams. It is also easy to remove unwanted objects and blend in the background to cover.

The claim in this article was that photographic images were no longer worthwhile as evidence of anything. I suspect that is a bit strong; the testimony of a photographer that her record is honest would probably hold water. (After all, the notes of a police officer can be altered, but are admissible when read as part of testimony.) Also, few currently have direct access to this technology. But the risks are real.

------------------------------

Date: Sat, 18 Feb 89 01:10:44 -0500
From: bill%zycor%ugn%hdr%mcmi%uunet@ames.UUCP
Subject: PIN? Who needs a PIN? (Alan Wexelblat, RISKS-8.26)

Like most ATMs, the Diebolds (there are several models) are programmable from the host computer. This can include modes where the PIN is read and encrypted (DES) before sending, or where the PIN is read and sent in the clear, or where the PIN is not even read.
It would seem a little strange to run the ATM in the last mode, but I have seen a system in the UK where the PIN is transmitted over a bisync line with no encryption whatsoever.

In any case, the menus, the "fast $xx" amount, the order of operations when processing a user transaction, etc. are all remotely programmable. It could be that the ATM you were at had been incorrectly programmed, but generally there is one file in the host that contains the ATM information, and this is just sent down over the wire to all of them. Your name was probably encoded on track 1 or 3 of the card.

[That does open up some significant vulnerabilities. PGN]

On a related note, I noticed quite a risk using credit cards. We are currently implementing a credit card (CC) authorization system for retail stores, and the handy way to test it seemed to be to run my own card through the magnetic reader. Now, a CC has a "track two" where the account information is encoded. After the account information, there is a special character that serves as a field sep, and then "issuing bank discretionary data" follows. In this field the first four are usually the expiration date on the card.

In the case of Commercial Federal here in Omaha, my checking account is there, AND it is the issuing bank for my CC. Imagine my surprise when testing the card reader with my CC. The CC account is there, so is the expiration date, followed immediately by MY CHECKING ACCOUNT NUMBER at Commercial Federal! So apparently my bank account number is going over the wire every time I buy something with my Visa...

Bill Mahoney

------------------------------

End of RISKS-FORUM Digest 8.28
************************
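The track-two layout described in the last message above, as an added example (not part of the digest and not any bank's or vendor's code): a redaction step a card-authorization test harness could run before a swipe reaches logs or fixtures, flagging issuer data long enough to be another account identifier. The sentinel and separator characters, the `LONG_RUN` threshold, the function names and both sample swipes are assumptions constructed for illustration.

```python
import re

# Track 2 as the post describes it: account number, field separator, then
# issuer data whose first four digits are the expiry (YYMM). The ';' and '?'
# sentinels and '=' separator are the common ASCII rendering of a reader's
# output (assumption: readers differ).
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<issuer>\d*)\??$")

# Hypothetical policy threshold: a digit run this long in the issuer field
# could be another account identifier, so it is worth a review flag.
LONG_RUN = 8

# Constructed sample swipes (industry test card number, made-up issuer data).
SWIPE_WITH_EXTRA = ";4111111111111111=90120012345678901?"
SWIPE_PLAIN = ";4111111111111111=9012?"


def luhn_ok(pan: str) -> bool:
    """Check-digit test used on card account numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_track2(raw: str) -> dict:
    """Return only what is safe to log; never echo the issuer data itself."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a recognisable track 2 record")
    pan, issuer = m["pan"], m["issuer"]
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry_yymm": m["expiry"],
        "luhn_ok": luhn_ok(pan),
        "issuer_data_len": len(issuer),
        "issuer_data_flag": len(issuer) >= LONG_RUN,
    }


if __name__ == "__main__":
    for swipe in (SWIPE_WITH_EXTRA, SWIPE_PLAIN):
        print(redact_track2(swipe))
```

On cards that follow ISO/IEC 7813, the three digits after the expiry are a service code; this sketch keeps the post's simpler description and treats everything after the expiry as issuer data.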