The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 84

Monday 19 October 1992

Contents

o 15th National Computer Security Conference trip report
Rebecca Mercuri
o Vote Early, Vote Often
Bear Giles
o Toronto Teenager Charged in 911 Case
Nigel.Allen
o Rutgers students charged with scholarship scam
PGN
o A320 engine control problem at Gatwick
John Rushby
o T* S*
anonymous
o DEA mishandling of national security information
Philip R. Moyer
o Using the DOT's computers to steal car stereos
Bill Marshall
o Robot daydreaming
Les Earnest
o Computing Research Association (CRA) seeks assocaite
Rick Weingarten via Lance Hoffman
o Info on RISKS (comp.risks)

15th National Computer Security Conference trip report

Rebecca Mercuri <mercuri@gradient.cis.upenn.edu>
Mon, 19 Oct 92 12:32:04 EDT
NCSC '92 -- Comment and Commentary
Copyright (c) 1992 by Rebecca Mercuri. All Rights Reserved.
Reposting and/or reprint not granted without prior written permission
from the author. Address questions, response and corrections to:
mercuri@gradient.cis.upenn.edu

I attended the 15th National Computer Security Conference held October 13 - 16
in balmy Baltimore MD with the hope of coming away with some solutions for the
security problems I had encountered and observed over the past few years. I
left with a longer list of problems, and the vague feeling that our industry
has become remiss in providing us with answers that we can use, or has answers
and is either incapable or unwilling to yield them publicly. Let me state
clearly here that this comment does not in any way reflect negatively on the
conference organizers -- they should be commended for performing their task
well, creating a superbly orchestrated event which covered a broad spectrum of
topics. Indeed, "rookies" were liberally mixed on panels with esteemed
"greybeards" and many women (sans beards) were in evidence as session chairs
and presenters (although I was somewhat dismayed to note that females appeared
to constitute less than 10% of the attendees, lower than in the computing
community in general). The breadth and extent of the conference does not allow
one reporter to describe it fully, so I offer these remarks merely as comment
and commentary, perhaps to stimulate discussion among other attendees.

The conference held an international flavor, with the keynote by Roland Hueber
(Directorate General of the Commission of the European Communities) and the
closing plenary on International Harmonization serving as bookends. There were
repeated calls for cooperation in developing global security standards, with
the primary advantages of such appearing to be in commerce. In the wake of the
cold war, there seems to be a spirit of openness in this regard, but I offer
the speculation that it may be foolhardy to enter into conformity of thought
and solutions.  Diversity, particularly in commerce, inspires creativity.
Monopoly, or single-mindedness, often leaves one at risk of exploitation by a
strong central power, or of attack by those who are close enough or who
understand the system well enough to side-track it. We may need "fault-
tolerant" and "diversified" answers.

Surveying the Track Sessions:

It is useful to juxtapose thoughts about covert channels with those about
encryption systems. For the uninitiated, covert channels (to a first
approximation on a definition) are created when internal intermittent polling
is performed in an effort to conceal illicit data collection activities. Bob
Morris provided the statistic that 1/10 of a bit per second is enough to expose
a key in approximately 1 month. This is at current processing rates, but one
can extrapolate out the Silicon Valley curve and surmise that our current key
encryption systems will be inadequate within the end of the century (if not
now, perhaps).

In the quest for tools one encounters the debate on provability and formal top
level specification. Virgil Gligor referred to "formal top level specification
as an unmitigated waste of time," saying that data structures and source may
not map to the top level, there may not be enough relevant details provided,
and excessive false illegal flows may occur. Earl Boebert stated that formal
proving methods have worth in analysis of specifications, but have failed
utterly in spec/code, code/object, and code/behavior correspondence. Still,
formal methods have their supporters, most notably SRI, as indicated by John
Rushby, one of their directors (who also publicly revealed that there had been
a major successful break-in at the lab last month). Interestingly, the panel on
Intrusion Detection was chaired by SRI's Teresa Lunt, who discussed the use of
expert systems to encode vulnerabilities, attack methods and known suspicious
behaviors.  Steve Snapp expressed the divide and conquer approach, saying that
there may be no single generalizable model of intrusion, and that static,
incidence/existence, and data driven methods should all be used.

The matter of viruses was explored throughout various sessions. The general
consensus of opinion seemed to be that rigorous procedures and policies need to
be implemented so that recovery is possible to some level following
contamination or invasion. In the talks I attended, no clear method for
handling the recovery from a "new" virus (that can not be eradicated with
existing software) was offered. This was not consoling to someone who had just
last week left a client's law office with the admonishment "don't use any of
the text files that you've created in the last 6 months until I can find out
what the new virus strain is that appears to have adhered to some unknown
quantity of them." Here too, the standardization on certain operating systems
and environments (such as Microsoft Windows(TM)), and uniform acceptance of
specific tools (such as the legal community's reliance on Word Perfect(TM))
encourages the proliferation of attacks that could potentially disable large
sectors of the user base.

Losses seem to be tied heavily to the bottom line. In banking, it may not be
advantageous to implement a $10M or more security system that still does not
assure total impenetrability when insurance coverage can be obtained at a cost
of $1M (even if this price only remains low until there is a hit). In health
care, as described in Deborah Hamilton's award- winning paper, the bottom line
may indeed be one or more people's lives. As true with drug approvals, it is
easy to see that holding back an inadequately tested computer system may cost
more lives than providing it while continuing to make improvements and
corrections. How does one weigh security, reliability and verifiability issues
when there is a crying need for access to the developing technology? We are
faced with a moral dilemma without a governing body to set policies.

The area of privacy was eloquently addressed by Attorney Christine Axsmith who
said that our reasonable expectations of privacy, as expressed by the 4th
Amendment, protect people, not just places. But she went on to say that with
regard to the computer industry, the Privacy Act and other legislation efforts
still suffer from a lack of court rulings necessary to define their
interpretations. Will our efforts to improve security undermine privacy?  Curt
Symes (from IBM) stated that "we'll all be using smart cards in the future, for
a higher level of authentication." Does this mean that I will eventually be
required to be bioidentified (DNA, fingerprint, retinal scan, voiceprint) in
order to obtain access to my own data and research?  A chilling thought.

In conclusion, to paraphrase Peter Neumann (which seems only fitting, as he
"scooped" my Nov. 92 CACM Inside Risks column on voting machines by referring
to some of its salient points in his banquet address, without citation) --
perhaps the conference theme "Information Systems Security: Building Blocks to
the Future" should be read not as "building-blocks" (the small bricks), but as
"building BLOCKS" or obstacles to our future as security professionals. There
is a sense of urgency now -- many of us need more than a foundation of toy
blocks, requiring true solutions which appear to not be forthcoming. What we
don't want are systems and design structures that are so cumbersome as to
impede computational progress.  Discussion may be fruitful, but let us all get
our noses to the grindstone and provide functional tools and answers, rather
than guidelines and assertions. Some are working in this direction, others are
needed.


Vote Early, Vote Often

Bear Giles <bear@tigger.cs.colorado.edu>
Thu, 8 Oct 1992 10:35:12 -0600
A local proponent of voting-by-phone keeps pointing to the 'safety' of absentee
ballots as evidence that phone-voting would be safe.  So it was with more than
passing interest that I read the lead article in the _Rocky Mountain News_
today....

(Main headline [1])
Vote fraud riddles Colorado County

'Vote early, vote often' was Costilla County pattern, judge rules.
Non-residents used absentee ballots to help pals win office

(Article headline)

Judge finds Costilla County riddled with election fraud

Non-residents marked absentee ballots to help friends, relatives wind
elections, court rules

by Dick Foster
Rocky Mountain News Southern Bureau

Widespread election fraud has been uncovered in Costilla County [in
south-central Colorado abutting New Mexico], where evidence shows people cast
absentee ballots for friends and relatives seeking public office back to 1984.

One of those who cast an absentee ballot in the southern Colorado county was
not even a U.S. citizen.  Another was an imprisoned felon, evidence shows.

Another 106 people who had cast ballots in one or more of the last four
elections lived nowhere near Costilla County and had no claim to an absentee
vote, Chief District Judge Robert Ogburn of Monte Vista ruled.

It took the action of citizens banding together to file a civil lawsuit to halt
the abuses after their complaints were rebuffed by the Colorado secretary of
state's office and the local district attorney.

Office holders felt "entitled" to collect as many absentee votes as possible
from children who had long ago left the county "as well as from nieces and
nephews and anyone else who bore the slightest resemblance to being a
relative," said Ogburn.  "Over the years, the practice expanded to include
friends who had left the community to live elsewhere."

One Mexican national with a green card testified that a county commissioner
solicited his vote and gave him an absentee ballot.

Many of the absentee voters gave fake addresses in the county.  Others simply
used local post office box numbers as their claim to local residence.

Ogburn called one box "famous" -- it had been claimed by several absentee
voters.

Costilla County had 254 absentee ballots in the 1990 general election, about
14% of the county's total vote of 1,827.  In neighboring counties, only 5% to
7% of the votes were absentee.

At least once, absentee ballots meant the difference between victory and defeat
for incumbents.  In 1988, a resident named Lillian Maestas ran against county
clerk and recorder Roy D. Martinez.  She led in election day returns, but lost
when the absentee votes were counted, said Wilmer Pacheco, a Maestas campaign
worker.

"Some of these people haven't lived here since World War II and they're voting
here.  When you have that many votes in a small county it's going to throw the
election," said Stephanie Kimbrel, one resident who helped organize Citizens
for Better Government after the August primary election.  The group launched
its own investigation and civil lawsuit to stop voting abuse.

Urcilia Auth joined the group after returning to San Luis to retire and serving
as a poll watcher during the August primary.  "I saw people I knew from Alamosa
[in a different county] come in here and cast ballots," she said.  "But the
county clerk hadn't given us a challenge list so we couldn't challenge them.
And names appeared on the registration list of some people I know who live in
Colorado Springs."

The residents said they grew angrier when their calls for an investigation of
election abuse where turned aside by the secretary of state's office and
Alamosa County District Attorney Douglas Primavera.

"When I took this to Donetta Davidson, the elections director at the secretary
of state's office, after the August primary, she told me that we should hire a
lawyer because their office has no responsibility at all in these matters,"
said Kimbrel.

Secretary of State Natalie Meyer told the _Rocky Mountain News_ Wednesday "the
law does not give me any authority to do anything" to investigate election
abuses.  Such matters are for the district attorney to investigate, she said.

Primavera told the _Rocky Mountain News_ his office lacked the staff to conduct
an investigation into the residents' allegations.

"They all just passed the buck," Pacheco said.

The residents hired Alamosa attorney Martin Gonzales, who filed a civil lawsuit
in September challenging 108 names of absentee voters in the county.  The
residents themselves gathered records and witnesses to prove the voters were
not county residents.

"I think the secretary of state's office could have stepped in," Gonzales said.
"They didn't."


[1] The _Rocky_ is printed in tabloid format, not broadsheet.  The front page
is a collection of headlines and a large photo; the lead story can appear
anywhere in the paper.  The _Rocky_ is _not_ a tabloid paper in the style of
the Weekly World News_ -- it is one of two leading newspapers in Colorado and
choose the tabloid format for marketing reasons around 50 years ago.

Bear Giles   bear@fsl.noaa.gov


Toronto Teenager Charged in 911 Case

Nigel Allen <Nigel.Allen@lambada.oit.unc.edu>
Wed, 7 Oct 1992 21:51:00 GMT
Here is a press release that I received from the Metropolitan Toronto
Police. The Toronto Star ran a story (based on the press release) on its
front page today (October 7).

 1992 October 06, 1950 hours

 Teenage Computer Hacker Nabbed by Police

 Detectives from the Major Crime Squad at Police Headquarters have arrested a
15-year-old North York boy and charged him with a number of computer-related
crimes. Investigations have revealed that on some occasions his pranks
paralyzed the Metropolitan Toronto 911 emergency telephone system.

 Last July, a young man called the 911 emergency number from a location in the
west end of Metropolitan Toronto and reported a number of medical emergencies
which caused units from the Metropolitan Toronto Police, ambulance services and
local fire departments to respond. All of these calls were determined to be
false.

 On one occasion, he totally monopolized the 911 system and rendered it
inoperable thereby denying citizens access to the 911 lifeline throughout the
Metropolitan Toronto area.

 Bell Canada security officers assisted police in their search for the source
of the calls. Acting on a Criminal Code search warrant, police today entered a
North York home, seized a quantity of computers and arrested a teen-age boy.
He is to appear in Youth Court, 47 Sheppard Avenue East, North York, Friday,
November 6, 1992, charged with theft of telecommunications, 24 counts of
mischief and 10 counts of convey false message.

 Investigations are continuing.

 (end of press release)

 Note from NDA: More information may be available from the public affairs
office of the Metropolitan Toronto Police at (416) 324-2222 or from
Detective W. Johnston of the Major Crime Squad at (416) 324-6245.

  [The usual disclaimers: No connection with any police agency, telephone
  company or obnoxious teenagers who think false alarms are amusing.
  The opinions expressed are not necessarily those of the University of
  North Carolina at Chapel Hill, the Campus Office for Information
  Technology, or the Experimental Bulletin Board Service.
  internet:  bbs.oit.unc.edu or 152.2.22.80]


Rutgers students charged with scholarship scam

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 11 Oct 92 15:45:15 PDT
  NEW BRUNSWICK, N.J. (UPI) -- Three Rutgers University students have been
charged with trying to bilk their fellow students with a fake scholarship scam.
The trio allegedly placed fliers around campus advertising ``New Jersey
Scholarship and Grant Search Services,'' directing applicants to send Social
Security and bank account numbers and credit card data to a mailing address.
Police say they used the information to apply for duplicate birth certificates.

Police say they have located only one victim who actually lost money, a
Livingston College student who had $1,000 withdrawn from her bank account. But
another women allegedly reported that she had received notices from credit card
companies that someone was trying to obtain cards using her name.

Police have charged Justin Okieze, 18, of North Brunswick; Robert Harrell, 21,
of New Brunswick; and Lisa Young, 20, of Edison, with theft by deception.


A320 engine control problem at Gatwick

John Rushby <RUSHBY@csl.sri.com>
Sat 10 Oct 92 10:41:43-PDT
Source: dp:DPA:Deutsche Press-Agentur

LONDON (OCT. 8) DPA - A fully-laden Airbus A 320 lost power in one engine for
no accountable reason while approaching London's Gatwick airport,
necessitating emergency procedures, it was reported Thursday.

This suggested that computers controlling the engine 'could be capable of
developing a mind of their own and countermanding decisions made by the crew',
The Times newspaper said.

The aircraft of the Air 2000 charter company was on its way from Venice to
Gatwick with 135 Passengers and seven crew September 26 when the starboard
engine continued to 'wind down' until well below the required flight idle
speed, the newspaper said.

The captain had to shut the engine down completely - a routine operation that
did not affect safety - and then restarted the engine at 14,000 feet to make a
normal two-engined landing.

'Despite a detailed check of all the systems, the fault has not been traced,
but it is believed to involve the engine overspeed valve which restricts the
flow of fuel to the engine as power is cut,' the newspaper said.


T* S*

<Anonymous Bosh>
Mon, 12 Oct 92 6:33:26 PDT
Today in a meeting, it was brought up that some one had emailed a message and
most likely added the words T** Sec**t in jest or fun.  The message body was
apparently one of those systems which can include the bitmap for a military
service which will remain nameless.  Some how or other the DoD got this message
and started an investigation.  Needless to say, the DoD was not amused, this
despite system wide disclaimers that said systems are not to be used for
classified work.  Ah!  The electronic future is going to be an interesting one.


DEA mishandling of national security information

"Philip R. Moyer" <prm@ecn.purdue.edu>
Mon, 12 Oct 92 14:23:47 -0500
This is a brief overview of a General Accounting Office (GAO) review of
computer security procedures at the Drug Enforcement Administration (DEA).

The results of the GAO investigation showed that DEA is not adequately
protecting national security information in its computer systems, and that
though the DEA knows of no unauthorized disclosures, revelations of this
national security information would endanger lives and hinder US drug
enforcement and interdiction programs.

The Department of Justice requires that all of its component agencies identify
all computers used to process national security information.  DEA, however,
has failed to do so.  DEA's report was produced by the Office of Security
Programs based on a survey.  Ommisions in DEAs report were caused because
the headquarters was not surveyed, and because one field division did not
respond to the request for information.  Another field division reported
that they did not have any computers processing national security
information when in fact, the GAO found that they do.

DEA was in violation of National Security Guidelines by

  - using the office automation system to process classified data. This system
    has not been approved or safeguarded for processing classified data.
  - not conducting a risk analysis of the system.
  - operating said office automation workstations in open, unshielded work
    areas.
  - using non-TEMPEST rated workstations to process national security
    information.
  - using unencrypted data communications lines.

Additional problems occur because DEA uses the Office Automation system to
process national security information.  For example, any DEA employee,
regardless of clearance, has access to any information stored in any of the
office automation workstations.  Also, vendor-issued system passwords have
not been changed, so the vendor and other knowledgable individuals would
have complete access to the system (which was installed in 1987).

Some DEA personnel were processing classified information on microcomputers
that had fixed hard disks, which, in some cases, results in the inadvertant
storage of classified information on that disk, where it can later be
revealed to individuals without clearance (see GAO/T-IMTEC-91-6 for examples).

In addition to the information security problems outlined above, DEA has the
following physical security problems, which increase the risk from the above
problems:

  - inadequately controlled access to sensitive areas
  - individuals without national security clearances working unescorted in
    sensitive areas
  - unattended computers left logged on
  - computer-generated printouts and disks being left unattended and unsecured
  - documents left unattended and unsecured
  - safes left open and unattended

A specific example mentioned was that janitors are left unattended in
areas where computers were used to process national security information, and
that those computers were left logged on at the time.  These janitors had
neither a clearance nor a need to know.

Non-computer related physical security problems include

  - electronic card key devices are disabled during working hours and doors
    are propped open
  - security staff fail to review card-key logs
  - stolen or lost keycards are not deactivated
  - non-DEA employes have key cards that open sensitive areas within DEA
  - locks on division offices have not been changed since 1985, even
    though 17 keys have been lost or stolen, including masters to computer
    areas
  - DEA employees are not required to wear identification badges

The report concludes that these security weaknesses endanger the lives of
federal agents and need to be corrected immediately.


The document summarized in this article is GAO/IMTEC-92-31.  The GAO makes
one copy of each report available for free; additional copies are $2.00.
Orders can be sent to

    U.S. General Accounting Office
    P.O. Box 6015
    Gaithersburg, MD  20877

or phone them in at 202-275-6241.
                                                  Phil


Using the DOT's computers to steal car stereos

Bill Marshall <marshall@cs.iastate.edu>
Wed, 14 Oct 1992 00:25:13 GMT
>From the Des Moines (Iowa) Register, Friday, October 9, 1992, page 1M

Car break-in ring cracked; youth shows the way

By Tom Alex - Register Staff Writer

[I have only entered the paragraphs that containted computer information]

    Des Moines police this week broke a sophisticated youth theft
ring that was using license plate numbers and state records to locate
cars for late-night break-ins.
    The youths would spot cars with expensive stereo gear in
parking lots during the day and then use Iowa Department of
Transportation computer records to determine where cars would be
parked at night.
    With the license plate numbers, the teen-ager went to an Iowa
Department of Transportation office at Park Fair Mall and used public
access computers to learn the home addresses of the owners of the
vehicles.
    He and his cohorts didn't want to break into the vehicles when
there were a lot of potential witnesses around, police said, so they
found addresses from registration information and visited the victims
at their leisure.
    Security problems with public access computers cropped up
last year shortly after the computer terminals were installed, said
Jan Hardy, assistant office director with vehicle registration.
    A case worked in the juvenile system reported having a client
who had been using the terminals for illegal activities.
    Sortly afterward, officials developed a security system to
help curtail illegal acts. People wishing to look up license plate
numbers must identify themselves to the computer.
    "If they use the front counter terminal and sign on
themselves, that does provide at least some tracking of inquires,"
said Hardy.
                                      marshall@cs.iastate.edu
Bill Marshall, Computer Science Department, Iowa State University


Robot daydreaming

Les Earnest <les@sail.stanford.edu>
Sat, 10 Oct 92 11:39:50 -0700
Copyright 1992 by UPI.  Reposted with permission from the ClariNet
Electronic Newspaper newsgroup clari.news.interest.quirks.  For more
info on ClariNet, write to info@clarinet.com or phone 1-800-USE-NETS.

    STANFORD, Calif. (UPI) -- Stanford University Hospital removed its new
robotic transportation devices from service Thursday after one of the
units went awry and fell down a set of stairs.
    Associate hospital director Louis Saksen said no one was injured when
the robot veered off course and tumbled down the steps.
    Stanford purchased three of the units to perform simple tasks, such
as delivering food trays to patients and transporting X-rays and
supplies around the hosptial.
    The facility has been phasing in the units for use this fall and has
had no problems with the robots during their first weeks of the trial
period.
    Officials said they had no idea what caused the robot to malfunction
when it returned from delivering a food tray to a patient.
    Saksen said the robots are designed to free hosptial workers from
routine duties to do other, more vital work.
    The battery-operated devices have been used for similar duties in
several hospitals across the United States.

   [David Cheriton remarks that it was probably garbage collecting at the time.
   That's the logical thing to do after delivering food.
   -Les Earnest (les@cs.stanford.edu)]


Announcement (fwd)

"Lance J. Hoffman" <hoffman@seas.gwu.edu>
Wed, 14 Oct 92 11:38:51 EDT
   [From Professor Lance J. Hoffman, Department of Electrical Engineering and
   Computer Science The George Washington University Washington, D. C. 20052
   (202) 994-4955   fax: (202) 994-0227   hoffman@seas.gwu.edu]

Forwarded message:
Date: Wed, 14 Oct 92 09:10:37 -0400
From: rweingar@cs.UMD.EDU (Rick Weingarten)
Subject: Announcement

The Computing Research Association (CRA), a nonprofit association in
Washington, DC, seeks a motivated staff policy associate with a computer
science or engineering background and an interest in public policy. In
conjunction with the Association for Computing Machinery (ACM), CRA will be
significantly expanding its coverage of public policy issues affecting the
computing community. This entry-level position offers an exciting opportunity
to be involved in policy-making, as it relates to computers and information
technology.  Issues CRA currently is following include:

* Long-term changes in the way government supports R&D;

* The High-Performance Computing and Communications initiative, including the
National Research and Education Network (NREN);

* Digital libraries; and

* Information policies, including privacy, security, intellectual property and
public access to government information.

The associate will track the development of issues, perform research, attend
meetings and communicate with experts in the field. Through written and oral
communications, the policy associate and the executive director will inform the
computing community about important issues. The associate will work with CRA
and ACM committees to set priorities and strategies for further action, such as
drafting letters and testimony, convening workshops and seminars, and
developing position papers.  In addition to a computer science or engineering
background, the associate must have excellent communication skills. Knowledge
of the legislative process and public policy experience are a plus. A
bachelor's degree is required. The salary for this entry-level position is
commensurate with that of similar policy jobs in the Washington area. CRA
offers a good benefits package.  Send cover letter, salary requirements, resume
and three appropriate writing samples to

Fred W. Weingarten, Executive Director
Computing Research Association
1875 Connecticut Ave. NW, Suite 718
Washington, DC  20009.

Please report problems with the web pages to the maintainer

Top