The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 12 Issue 66

Tuesday 26 November 1991

Contents

o Pentagon computers vulnerable
PGN
o Risks of hardcoded hexadecimal instead of symbolic constants?
Tom Blinn
o Re: Leaves cause railway signal failure
Geraint Jones
o Re: Termination
David Lamb
anonymous
o Proposed Antivirus Certification
Klaus Brunnstein
o Call for Papers: IFIP World Congress'92/Vulnerability
Klaus Brunnstein
o Info on RISKS (comp.risks)

Pentagon computers vulnerable

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Nov 91 12:03:44 PST
     Pentagon Computers Vulnerable
   DELFT, Netherlands (AP, 21 Nov 91)
   A leading Dutch computer security expert Friday said any computer whiz
around the world "who is a bit clever" can break into a Pentagon computer and
cover his tracks.  Prof. Bob Herschberg, who teaches hacking at the Delft
University of Technology, said the teen-age hackers who allegedly penetrated
U.S. military computers during the Gulf War most likely represent only the tip
of the iceberg of such intrusions.  And he questioned a U.S. congressional
investigation's finding that the hackers that penetrated the Pentagon systems
were Dutch.  "Anyone who is a bit clever can do it using detours such that
their number is untraceable," said Herschberg. "They could have been from
anywhere in the world including the United States itself."  Camouflaging a
hacker's trail is so easy via interlinked global computer networks that an
adept hacker would have to be "naive" not to escape detection, Herschberg said.
   U.S. congressional investigators told a Senate subcommittee this week that a
group of Dutch teen-age hackers broke into U.S. military computers at 34 sites
over about a one-year period ending last May.  The information the hackers
retrieved was described as crucial, but not secret.
   Herschberg acknowledged that there have been instances of Dutch computer
operators breaking into American computer mainframes.  But he called the
allegations of Dutch break-ins in this case "fishy," suggesting it was an
attempt to use the Dutch as a scapegoat since hacking has not been outlawed
here.  Herschberg suggested that American investigators may be trying to cover
up what may be a far more serious problem.  "Why else would they make all this
fuss?" he said.
   Herschberg, a professor of computer science at this nation's top engineering
school, teaches his students hacking techniques as part of a course on computer
security.  He regularly assigns students to break into corporate computer
systems, with prior authorization, to identify security gaps.  "It's a good
practical exercise," he said.
   Initial reports surfaced last April that Dutch hackers had broken into U.S.
defense systems computers via a worldwide computer research retrieval system.
In the wake of those disclosures, an official at Utrecht University, who was
told by students of the intrusion, defended it as a legitimate learning
exercise and said it was up to the U.S. military to take precautions.


DNA Dog Tags

Wed, 20 Nov 91 22:39:01 GMT
Army May Issue "DNA Dog Tags"  (Federal Computer Week, 19 Nov 91)

In a world without computers this would be a nice use of biotechnology to
unambiguously identify casualties in the event of disfiguring injury.  In a
world with databases and computers it represents a tremendous potential threat
to personal privacy.

Background:

Although all humans share a common set of genes, if you look closely there are
many small variations (polymorphisms) in our genes.  As a result, we are each
unique.  By taking a sample of DNA and analyzing a set of sites likely to be
polymorphic, it is possible to "finger print" an individual and determine with
very good reliability if another sample of DNA did or did not come from the
same person.  These polymorphisms can also be used to infer familial
relationships (you inherit half of each of your parents' polymorphisms), and to
map and trace genetic disease genes like cystic fibrosis, and sickle cell
anemia.

When you have given a sample of your DNA, you have no control over how it will
be analyzed.  It could be used to define a set of polymorphic markers which are
otherwise anonymous (unlinked to any genes of known function).  The same sample
could also be used to see if you have or carry genetic diseases.  If the
military builds a database of soldiers' genotypes, there is nothing to prevent
them from including medically important markers as well as identification
information.  On the contrary, there is every reason to expect that they would
want to include as much medical information as possible because many medical
conditions do impact your ability to function as a soldier.

The risks:

Genetic privacy - Would you be forced to provide your military genotype data
when you applied for health insurance after discharge?  Would the local police
have the right to search the military genotype database every time a DNA sample
(spot of blood, hair follicle etc.) was found at a crime scene?  How are you
going to protect innocent soldiers against computer errors in that kind of a
search?

It affects people other than the soldier - because your relatives share your
genes, if you find out that you carry a genetic disease, everyone in your
family faces the questions of whether they also carry the gene, should they be
tested, should they screen their children etc.

Inferred paternity - for about 5% of births the father of record is not the
biological father.  As a database of genotypes grew, cases would inevitably
arise where the genotype data demonstrated that the bibliographic information
being provided was wrong.  How would the military handle this?

We all carry genetic diseases - there is a concept called "genetic load" which
is the number of heterozygous genes (differences in the copies of a gene
inherited from your mother and father) where one of the copies would be lethal
if you got it from both your mother and father.  An average human carries about
6 such genes.  This is why incest is such a universal taboo; if close relatives
father a child there is greatly increased risk of getting two copies of such a
lethal or nearly lethal gene.  As medical science progresses and we enumerate
more and more such genes, the insurance companies will have the "justification"
to demand anyone's genotype as a precondition for health insurance.  Would
insurance companies or the military have the right to screen and veto
prospective marriage partners?

The ethical implications of genotype databases are complex and potentially
threatening.  It would be a terrible mistake to proceed blindly into this area
without considering the numerous implications.
                                                                David States
National Center for Biotechnology Information / National Library of Medicine


Risks of hardcoded hexadecimal instead of symbolic constants?

"Dr. Tom @MKO, CMG S/W Mktg, DTN 264-4865" <blinn@dr.enet.dec.com>
Wed, 27 Nov 91 11:52:26 PST
Re: "Phone outages expected to be tied to typing mistake" (from The Wall Street
Journal, 25Nov91, p.B4) in RISKS-12.65 (Tuesday 26 November 1991):

When you put together 'DSC officials admitted that three bits of information
in a huge computer program were incorrect' with 'a "6" in a line of computer
code should actually have been a "D"', you reach the inevitable conclusion
that someone was coding in hexadecimal, unless the difference between a "6"
and "D" in some symbolic names just happened, coincidentally, to result in a
binary difference of three bits.

It seems highly likely that the use of suitably named symbolic constants in
place of cryptic hexadecimal constants would reduce the likelihood of such
errors.  Of course, many modern languages still make it easy to encode data
using hexadecimal constants, not that using decimal or binary or octal would
likely have avoided this error.
                                 Dr. Thomas P. Blinn, Digital Equipment Corp.
Digital Drive -- MKO2-2/F10, Merrimack, New Hampshire 03054   (603) 884-4865
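
An added illustration of the point made in the message above (this is example code written for this digest page, not code from DSC or from Dr. Blinn): the two literals named in the report, 0x6 and 0xD, are one keystroke apart on a keyboard but three bits apart in value, and nothing in a compiler can tell a mistyped hex digit from an intended one. The flag names below (ROUTE_ACTIVE and so on) are invented for the example. The `describe_flags` helper expands a raw word into its symbolic form, which is what a reviewer of such code would want to see instead of a bare digit, and reports any bit outside the known set so that a stray digit cannot hide; `bits_changed` measures how far a one-character typo actually moves the value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: an option word for a hypothetical switch routing
 * entry.  The flag names are assumptions for illustration only, not DSC's
 * or anyone else's real code.  Each bit has a name, so a reviewer reads
 * intent rather than a hex digit. */
enum route_flags {
    ROUTE_ACTIVE   = 0x1,   /* bit 0 */
    ROUTE_PRIORITY = 0x2,   /* bit 1 */
    ROUTE_LOGGED   = 0x4,   /* bit 2 */
    ROUTE_BACKUP   = 0x8    /* bit 3 */
};

static const struct { uint32_t bit; const char *name; } flag_names[] = {
    { ROUTE_ACTIVE,   "ROUTE_ACTIVE"   },
    { ROUTE_PRIORITY, "ROUTE_PRIORITY" },
    { ROUTE_LOGGED,   "ROUTE_LOGGED"   },
    { ROUTE_BACKUP,   "ROUTE_BACKUP"   },
};
#define ROUTE_KNOWN_MASK (ROUTE_ACTIVE | ROUTE_PRIORITY | ROUTE_LOGGED | ROUTE_BACKUP)

/* Number of bits that differ between two words: how far a single-keystroke
 * typo in a hex literal really moves the encoded value. */
int bits_changed(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    int n = 0;
    while (x) { n += (int)(x & 1u); x >>= 1; }
    return n;
}

/* Expand a raw word into its symbolic form, e.g. 0x6 -> "ROUTE_PRIORITY|ROUTE_LOGGED".
 * Bits outside the known mask are reported as UNKNOWN(0x..) so that a stray
 * digit is visible; a word with no bits set reads "NONE".  Returns buf. */
const char *describe_flags(uint32_t word, char *buf, size_t buflen)
{
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (word & flag_names[i].bit) {
            used += (size_t)snprintf(buf + used, buflen - used, "%s%s",
                                     used ? "|" : "", flag_names[i].name);
            if (used >= buflen) return buf;   /* truncated: stop writing */
        }
    }
    uint32_t unknown = word & ~(uint32_t)ROUTE_KNOWN_MASK;
    if (unknown)
        snprintf(buf + used, buflen - used, "%sUNKNOWN(0x%X)",
                 used ? "|" : "", unknown);
    else if (used == 0)
        snprintf(buf, buflen, "NONE");
    return buf;
}

int main(void)
{
    char a[64], b[64];
    /* The two literals from the report, one keystroke apart on the keyboard... */
    printf("0x6 = %s\n", describe_flags(0x6, a, sizeof a));
    printf("0xD = %s\n", describe_flags(0xD, b, sizeof b));
    /* ...but three bits apart in value, which no compiler can notice. */
    printf("bits changed by the typo: %d\n", bits_changed(0x6, 0xD));
    return 0;
}
```

Written with the enum, the same two entries would read `ROUTE_PRIORITY | ROUTE_LOGGED` and `ROUTE_ACTIVE | ROUTE_LOGGED | ROUTE_BACKUP`, a difference that a reader notices and that a misspelled name would turn into a compile error rather than a silent three-bit change.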


Re: Leaves cause railway signal failure (RISKS-12.62)

Geraint Jones <Geraint.Jones@prg.oxford.ac.uk>
Wed, 13 Nov 91 14:58:59 GMT
British Rail's problem with wet fallen leaves and electronic train detection is
not caused by the lightness of the new Networker trains (and so is not fixed by
the /weight/ of older heavier trains).

The problem with the newer units is that they use disc brakes.  That means that
the running surfaces of the wheels only ever touch the rails and the insulating
paste of crushed leaf builds up on the /wheels/.   The problem is therefore not
cured by running track-clearing vehicles.   The (clever) fix employed is to
attach a single clutch-braked vehicle to each of the new trains (in many cases,
this would be a heavier clutch-braked multiple unit, but just a carriage will
do).  That car has clean wheels, makes good electrical contact with the rails
and so makes the train visible.

Modifications to clean the running surfaces of the wheels will probably be the
longer-term fix.

It is a classic systems problem:  who would have thought that changing from
external clutch brakes to better-protected disc brakes would undermine the
signalling system?


Re: Termination (Bartelt, RISKS-12.65)

David Lamb <dalamb@umiacs.umd.edu>
27 Nov 91 23:27:07 GMT
I don't see that the "computer system" makes things significantly different.
I've known of companies whose method of laying someone off was essentially a
Friday pink slip saying "Hand in your badge now, here's the contents of your
desk in this box, don't come back Monday, and here's K (>=2) weeks' pay in lieu
of notice" - which in some jurisdictions at least is considered to satisfy
statutory requirements about due notice.  Computer security concerns might make
such practices more widespread - but if you're going to get paid anyway, why is
it important to be allowed to continue to have access to the company's
property?  I suppose you might have personal files on the company computers,
which complicates things a bit.

  [The COMPUTER-RELATED RISK from the company's viewpoint is that ANY access
  whatever could lead to retributional acts.  On one hand, assuming an employee
  is reliable and responsible, there might be a lot of benefits to allowing
  computer accounts to be cleaned up by the individual in question.  On the
  other hand, ``friendly termination'' may be oxymoronic in many situations...
  PGN]


Re: Termination (Bartelt, RISKS-12.65)

<[anonymous]>
Wed, 27 Nov 91 12:22:53 XST
A certain medium-sized software vendor recently went through the second set of
layoffs in six months.  How did people find out that they were laid off?  They
came into work Wednesday morning, and found all of the machines shut off.  So,
they waited, and talked to each other, and talked in the halls, until managers
came by and picked people off one by one.  Their accounts had been disabled the
night before, you see, and management didn't want people finding out by not
being able to log in.  (I never said this company was intelligent.)

For the previous set of layoffs, the dial-in modems were shut down for a day
or so, because some of the system administrators were fired.

Is there a RISK in all of this?  I'm not sure.  The firings (excuse me,
``layoffs'') were not done in a friendly manner, as near as I can find out.
Since there were indications a couple of weeks in advance (some of the people I
knew were positive they would be going before they were told to leave), the
precautions were pretty useless in my opinion -- and the treatment of the
employees in question did not seem designed to incur goodwill.


Proposed Antivirus Certification

Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
22 Nov 91 14:49 +0100
         Computer-Anti-MalWare Certification. A Proposal

                        Vesselin Bontchev
                      Dr. Klaus Brunnstein
                         Morton Swimmer
           Faculty for Informatics, Virus Test Center,
                      University of Hamburg
             Submitted to: NCSA Antivirus Conference
              Washington D.C, November 25-26, 1991

Abstract: To assure and enhance the quality of antiviral products, academic,
user and industry organisations (e.g., EICAR, NCSA) should initiate a process
of cooperation and standardization to lead to a process in which a
"certification" service is offered by a volunteer cooperative of interested
parties and organisations (here described as Anti-MalWare Certification
Institutions, AMCI).  It is hoped that this certificate may become an accepted,
respected and expected indicator of quality and function for software and
hardware.  Evaluation shall be based on published methodology and a collection
of malware (short for: malicious software) both known to exist or to be
feasible.

The tasks of AMCIs are described.  Virus Test Center at the University of
Hamburg is undertaking a pilot project to evaluate and describe the
capabilities of existing antiviral products.  Future research will try to
advance the development and understanding of the methodology of antiviral
products, including detection, prevention, repair of damages as well as
side-effects.

1) Foreword:

As problems of malicious software (malware) continue and spread worldwide and
at a fast pace (presently more than 10 per week in IBM-compatible PCs),
enterprises, institutions and organisations find themselves more and more in
danger to become a victim of a "computer accident". Users must ever more rely
on the quality of anti-malware measures whose producers depend on actual
knowledge of new threats.  With growing numbers and new virus methods, the
"anti/viral gap" (understood as the time gap between detection of a new virus
and the availability of an antiviral product recognising it) inevitably will
also grow (as long as inherently secure and safe architectures are not
available).

To improve the likelihood of success and reduce the potential for damage, we
identify two possible efforts that deserve our increased attention:

     * secured and fast distribution of new malware knowledge
       to all parties with interest in anti-virus production,

     * evaluation and description of the capabilities of available anti-malware
       products by "credible" (and possibly "authoritative") individuals or
       organisations.

Concerns have been raised, which we intend to give due consideration:

   (1) making (dangerous) knowledge about viral methods available only to
       trusted parties (both in regard to secure communications as in judging
       the intentions and likely actions of the intended recipient);

   (2) ensuring that decisions restricting the flow of  knowledge of  details
       of malware do not result in undesirable  side-effects.

Speedy and effective improvement of anti-malware products and the benefit of
free-market competition is recognized as directly influenced by decisions as to
what information is made available.

2) Mission of "Anti-Malware Certification":

     - To  develop  a process  of  "Anti-Malware  Certification",
       several  independent institutions or individuals shall  be
       asked  (and suitably funded) to perform regular tests  and
       evaluations of anti-malware products or updates.

     - To  inaugurate and assist in such a development,  user  or
       industry organisations with knowledge on malware  problems
       and anti-malware software (e.g., NCSA/USA or EICAR/Europe)
       may  charge  institutions  or  individuals  with  assessed
       knowledge   to perform specific assessments to  assure
       the quality of anti-malware products.

     - Institutions  charged  with  "Anti-Malware  Certification"
       should  not  have commercial interests  in  production  or
       distribution of anti-malware measures.

     - The  test  basis shall be a collection  of  known  malware
       based  upon precise knowledge about any essential  detail,
       the  contents  of which must  be  suitably  published.  To
       minimize the dangers of such a  collection,  state-of-the-art
       security and safety measures shall be applied.

     - Each  submitted  anti-virus is tested for  its  detection,
       elimination  or  prevention capacity against  the  malware
       databank  under  a published  methodology.  The  test  for
       detection  shall  indicate,  in a form  understandable  to
       users, correct, false and missing diagnosis.

     - To guarantee the quality of the test methods applied and of the secure
       malware collection, "Anti-Malware Certification Institutions" will
       discuss their methods in critical scientific discourse.  Where feasible
       and possible without undue bureaucratization, they may also seek some
       form of certification  by legally established  institutions (e.g.,
       NIST/USA, German Information Security Agency).

     - Generally, test results (protocol, remarks) shall be published as some
       sort of "Anti-Malware User Report"; the organisations supporting the
       certification institutions may publish statistical surveys.  Only in
       cases of individual tests asked for by an anti-malware producer, results
       are confidential unless published by the submitter.

     - As independent individuals and academic institutions cannot develop and
       maintain such quality assurance mechanisms (including hardware,
       software, personnel and management), some adequate method of funding
       must be established.  One suggestion is that "Anti-Malware Certification
       Institutions" may charge a fee to cover personal,  managerial and
       machine costs; other suggestions may adapt established consumer report
       and product test procedures.  The adequacy of the financial arrangements
       shall be controlled by public discussion with users, academia and
       industry (possibly via related organisations).
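
As an added worked example of the detection test described in the mission points above (this code is written for this page and is not the Virus Test Center's own methodology or tooling): a scoring routine that runs over a constructed, annotated collection and tallies the three outcomes the proposal asks for, correct, false and missing diagnosis. The sample names and verdicts are invented; the mapping assumed here is that "correct" covers an infected sample that was flagged or a clean sample that was passed, "false" is a clean sample that was flagged, and "missing" is an infected sample that was not flagged.

```c
#include <stdio.h>

/* Constructed test collection: one entry per file in the databank, with the
 * ground truth from the annotated collection and the verdict the product
 * under test returned.  All names and verdicts are invented for this example. */
struct sample {
    const char *name;
    int infected;   /* 1 if the annotated collection says the file is infected */
    int flagged;    /* 1 if the scanner reported it as infected */
};

/* The three outcome classes the user report is to show, plus the total. */
struct tally { int correct; int false_alarm; int missed; int total; };

struct tally score_detection(const struct sample *s, int n)
{
    struct tally t = { 0, 0, 0, n };
    for (int i = 0; i < n; i++) {
        if (s[i].infected == s[i].flagged) t.correct++;      /* verdict matches truth */
        else if (s[i].flagged)            t.false_alarm++;  /* clean file flagged */
        else                              t.missed++;       /* infected file passed */
    }
    return t;
}

/* Share of the infected samples that were caught, in percent.  Clean samples
 * are left out of the denominator so that padding the collection with clean
 * files cannot inflate the figure. */
double detection_rate(const struct sample *s, int n)
{
    int infected = 0, caught = 0;
    for (int i = 0; i < n; i++) {
        if (s[i].infected) { infected++; if (s[i].flagged) caught++; }
    }
    return infected ? 100.0 * caught / infected : 0.0;
}

/* Constructed run: four infected and two clean files (names are placeholders). */
static const struct sample constructed_run[] = {
    { "sample-A.com",  1, 1 },
    { "sample-B.exe",  1, 1 },
    { "sample-C.com",  1, 1 },
    { "sample-D.exe",  1, 0 },   /* missed by the scanner */
    { "clean-1.exe",   0, 1 },   /* false alarm */
    { "clean-2.com",   0, 0 },
};
#define CONSTRUCTED_N (int)(sizeof constructed_run / sizeof constructed_run[0])

int main(void)
{
    struct tally t = score_detection(constructed_run, CONSTRUCTED_N);
    printf("samples: %d  correct: %d  false: %d  missing: %d\n",
           t.total, t.correct, t.false_alarm, t.missed);
    printf("detection rate over infected samples: %.1f%%\n",
           detection_rate(constructed_run, CONSTRUCTED_N));
    for (int i = 0; i < CONSTRUCTED_N; i++)
        if (constructed_run[i].infected != constructed_run[i].flagged)
            printf("  %s: %s\n", constructed_run[i].name,
                   constructed_run[i].flagged ? "false diagnosis" : "missing diagnosis");
    return 0;
}
```

Listing the individual misses and false alarms by sample name, as the loop at the end does, is what makes the report "understandable to users" in the sense the proposal asks for: a percentage alone hides which published entries of the collection a product does not recognise.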

3) Initialisation of the Anti-Malware Certification Process:

Based on the current work of Computer Anti-Virus Research Organisation (CARO),
a collection of annotated trojans and viruses in IBM- and compatible PCs has
been established at the Virus Test Center, University of Hamburg.  A test
methodology is being developed and currently tested, to run antiviral products
against the databank and to diagnose which malware (virus, trojan) is correctly
or incorrectly recognized.

The collection's content will be published periodically (Index of Established
Malware (IBM-PCs); next edition: December 1991). The test methodology (in the
first phase, with a multiplicity of files infected with known file viruses)
will be published when validated with some experience.

A first draft of this document has been initially discussed with the European
Institute for Computer Antivirus Research (EICAR) at its meeting of
chairpersons, on November 18, 1991 in Hamburg.  Following suggestions from this
meeting, Virus Test Center will perform experimental tests and evaluations of
available anti-malware software and report on the results in spring 1992.
After the EICAR meeting, the document had been refined; the authors wish
especially to thank Werner Uhrig (Austin/Texas, major contributor to Macintosh
antiviral activities) for his highly constructive contributions which helped to
refine this paper.

The authors submit this document to the user and academic public, and to
interested organisations.  Especially, this paper is submitted to National
Computer Security Association (NCSA/USA) at its first Antivirus Developers
Conference, November 25-26, 1991 in Washington D.C.  for discussion.  Moreover,
legal aspects of the proposed quality assurance procedure shall also be
discussed with adequate institutions (e.g., NIST/USA, German Information
Security Agency).

4) Future developments:

Next scientific steps will undertake to assess also the reliability of
eradication (esp.  in multiple attacks) as well as preventive methods such as
checksumming and integrity tools.  Present experiences with shortcomings of
antiviral software prove that there is a lack of knowledge in basic methods to
assess such eradication or prevention of anti-viral methods.  To certify also
deletion and prevention methods, basic research will be needed.


Call for Papers: IFIP World Congress'92/Vulnerability

Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
22 Nov 91 17:11 +0100
                        Call for Papers
                 12th World Computer Congress
          IFIP Congress 92: From Research to Practice
               Madrid/Spain: September 7-11, 1992

               especially for the Congress Stream:
       Diminishing the Vulnerability of Information Society

Overview of the Congress:
This IFIP Congress is composed of topical and interrelated conferences each
organized by a separate subcommittee of the International Program Committee.

   Five parallel streams                     Stream Committee chairman
   ------------------------------------      -------------------------
   Software Development and Maintenance       A.N.Habermann,Pittsburgh
   Algorithms and Efficient Computation        Jan van Leeuwen,Utrecht
   From Architectures to Chips                   Gerald L.Reijns,Delft
   Informatics and Education              Peter Bollerslev, Copenhagen
   Diminishing the Vulnerability of
               the Information Society        Klaus Brunnstein,Hamburg

   Two subconferences:                Subconference Committee chairman
   -------------------------------    --------------------------------
   Expanding the Power of the Personal Computer Friedrich Vogt,Hamburg
   Enhancing the Intelligence
                 in Information Systems       Gordon Davis,Minneapolis

The Congress will also include one day workshops, tutorials and an exhibition.
IFIP Congress 92 papers will be published in the conference proceedings
(Elsevier's "Transactions in Informatics" series).

International Program Committee:
Chair: Wilfried Brauer,          Technical University, Munich, Germany
ViceChair:Carlos Delgado Kloos Universidad Politecnica de Madrid,Spain
PastChair: Herve Gallaire                           gsi, Paris, France

Organizing Committee:
Chair: Rosa Alonso           Alcatel Standard Electrica, Madrid, Spain
ViceChair: Jaume Argila                                          Spain
ViceChair: Jose Ignacio Boixo                                    Spain
ViceChair:Fernando Saez Vacas  Universidad Politecnica de Madrid,Spain

                    Special Call for Papers
     Stream: Diminishing the Vulnerability of Information Society

With  worldwide use of Information Technology (IT), new  opportunities
arise but,  likewise,  new risks emerge through growing dependence  on
that same technology.  This means all users become more vulnerable  to
attacks  on and misuse of IT.  New types of computer based crime  have
been reported while the efficient operation of both public and private
enterprises  has  become susceptible  to  malfunction,  deliberate  or
accidental, in the information technology itself.

New  concerns  have arisen and older ones  have  been  enhanced.  Such
concerns include both human and civil rights,  privacy and freedom  of
the individual,  leisure and education,  the roles and design of work,
quality and reliability of the technology, etc. The very existence and
competitivity  of  enterprises has  become,  in  many  cases,  totally
dependent  upon the efficiency and reliability of  IT.  Moreover,  the
problem of complexity in contemporary system design may mean that some
systems  are  uncontrollable  by their users and  even  unfamiliar  to
systems experts. At the same time, the overall quality and reliability
of  the  technology plays an important role in  system  selection  and
design.

The Stream "Diminishing the Vulnerability of Information Society" will
attempt to assess the degree of vulnerability to IT that has developed
since the first discussions in the early 1980s.  Moreover, this stream
aims at identifying the ways and means by which this vulnerability may
be  reduced  and  how emerging problems may be solved  in  advance  by
anticipatory action.

Specific areas of interest which may be addressed in submitted papers include:

     - Opportunities and risks in the adoption of Information
            Technology, particularly at international levels, with
            special emphasis on developments in Latin America
     - Social Vulnerability and major Risks
     - Legal Aspects: Reducing Vulnerability through the Law
     - Enhancing IT to meet demands for Reliability and Security,
            with particular emphasis on Personal Computers and
            Local Area Networks
     - Hardware and software systems for identification and
            authentication of users and attached systems
     - Reliability and security in Personal Computers
            and Local Area Networks (LANs)
     - Computer Supported Work: Impact of Vulnerability of IT
            on groups and organisation in an enterprise
     - Human centered strategies to cope with Vulnerability:
            the role of participation, education, and task design
     - The Electronic Cottage: Delivering Information and Communication
            Technologies at Home: For Better or Worse?
     - Women, Computers and Work
     - Computer Ethics and Professional Responsibility.

Moreover,  short  presentations (posters) describing ongoing  research
projects  are  suggested  esp.  for the following  topics  (or  others
related to the topic):

     - The Electronic Cottage
     - Vulnerability of and through AI Systems
     - Enhancing the Security and Safety of IT, with special focus
            on Electronic Data Interchange (EDI) and Electronic
            Funds Transfer Systems (EFTS)

Invited speakers in the stream:
       Professor Harold Highland       New York/USA
       Professor Lance Hoffman         Washington/USA
       Professor Herbert Kubicek       Bremen/Germany
       Professor Bryan Niblett         Abington/England

Panel sessions on:
       Informatics and development
       Identification and authentication of users and systems
       The Electronic Cottage: How will daily life be affected
       Human, Man, Woman
       Ethics of Computing: Information Technology and
                            professional responsibility

Stream Program Committee:
     Klaus Brunnstein (chair)                   University of Hamburg
     William Caelli     Queensland University of Technology, Brisbane
     Robert R.Moeller                        Sears & Roebuck, Chicago
     Jose Pino                 University of Chile, Santiago de Chile
     Fernando Saez-Vacas               Polytechnic University, Madrid

Information for Authors:
Six (6) copies of a full paper in English (no longer than 4500  words
or 12 double-spaced pages, including figures, with  150 word abstract,
full title, name and affiliation of author(s) as well  as  postal  and
electronic mail addresses, and telephone and fax numbers)  should   be
submitted not later than 10 January 1992 to the Stream's chairman:

               Professor Klaus Brunnstein
               Faculty for Informatics
               University of Hamburg
               Vogt-Koelln-Str.30
               2000 Hamburg 54
               Germany
               email: Brunnstein@rz.informatik.uni-hamburg.dbp.de

All papers will be reviewed by at least three, and relevance, originality and
clarity will be considered.  Accepted papers will be published in full in the
Conference Proceedings.

How to Submit a Poster: Three (3) copies of a one page abstract for a 10 minute
presentation should be sent to the appropriate subcommittee chairman so as to
arrive by April 15, 1992. The poster proposal will be judged for relevance and
clarity. Acceptance/rejection will be notified by May 15, 1992.  The final
version of the abstract has to be sent to the organizing committee for
inclusion into the poster brochure so as to arrive by June 20, 1992.

Key Dates:
    January 10,1992: Deadline for submission of papers
       March 9,1992: Notification of acceptance/rejection of papers
      April 15,1992: Deadline for submission of posters
      April 24,1992: Camera ready paper at Program Committee
        May 15,1992: Notification of acceptance/rejection of posters
       June 20,1992: Camera ready poster at Organizing Committee
September 7-11,1992: World Computer Congress, Madrid

For more details, please contact:
         FESI (Federacion Espanola de Sociedades de Informatica)
         IFIP Congress '92
         Hortaleza 104
         E-28004 Madrid, Spain
         Fax: (+34-1) 2431003
         E-mail: fesi@dit.upm.es
