The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 20

Thurs 31 December 1992

Contents

o Another Jail Computer Glitch
    PGN
o Antiviral technology target of legal action
    PGN
o Dutch chemical plant explodes due to typing error
    Ralph Moonen
o 911 in Massachusetts
    Barry Shein
o What about "little brother?"
    Brian Seborg
o Re: Electronic democracy
    Barbara Simons
o Re: Programming errors affect state lottery
    Charles D. Ellis
o Re: Bundestag speechless
    Boris Hemkemeier
    Markus U. Mock
    Daniel Burstein
o Latest (?) credit card scams
    Jerry Leichter
o Risks of satellite-controlled anti-theft devices
    Jim Griffith
o OECD Security Guidelines
    Marc Rotenberg
o Info on RISKS (comp.risks)

Another Jail Computer Glitch

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 30 Dec 92 11:16:35 PST
Around 7pm on 27 December 1992, the new San Joaquin (California) County Jail
computer system automagically unlocked all of the cell doors in a high-risk
area, with a highly audible series of loud clicks, releasing about 120
potentially dangerous inmates who were being held in an "administrative
segregation pod."  Fortunately, the pod was itself isolated by other doors
that remained locked.  The glitch was attributed to a spurious signal from the
"incoder card" whose responsibilities include opening those doors in
emergencies.  [Source: San Francisco Chronicle, 30 Dec 1992, p.A14, article by
Peter Fimrite]

Fimrite's article also noted other California cell-door problems.  Less than a
year after the supposedly escape-proof Pelican Bay State Prison near Crescent
City CA opened, inmates learned how to pop open the pneumatic cell doors at
will.  A similar system in the Santa Rita Jail in Alameda County was also
found to be pickable.  [If it had required breaking DES, that situation might
have been DES-pickable!]

For those of you new to RISKS (or in case Fimrite or his Chron colleagues see
this in RISKS), our archives include the following computer-related cases.
(Rather than grep-ing through the back issues, I give references to back
issues of the ACM SIGSOFT Software Engineering Notes, containing material
derived from the earlier issues of RISKS.  S 10 1 is dated Jan 84, S 12 4 is
Oct 87, S 13 4 is Oct 88, S 17 1 is Jan 92.)

  ..... Earlier prison problems
  Santa Clara prison data system (inmate altered release date) (S 10 1)
  Drug kingpin escapes LA County prison via bogus release message (S 12 4)
  Convicted forger released from Tucson jail via bogus fax (S 17 1)
  Seven Santa Fe inmates escaped; prison control computer blamed (S 12 4)
  Oregon prisoner escaped; frequent-false-alarm alarm ignored (S 12 4)
  New Dutch computer system frees criminals, arrests innocent; old system
    eliminated, and no backup possible! (S 12 4)
  New El Dorado jail cell doors won't lock -- computer controlled (S 13 4)


Antiviral technology target of legal action

Peter G. Neumann <neumann@csl.sri.com>
Thu, 31 Dec 92 11:31:38 PST
The Washington Post has an article by John Burgess (at least some of which
appears in today's San Francisco Chronicle) discussing a federal judge's order
to McAfee Associates of Santa Clara CA, to stop distributing their Pro-Scan
Version 2.31 and ViruCide Version 2.33 and derivative products.  Imageline
Inc. of Richmond VA (maker of PicturePak and ValuePak) has sued McAfee
Associates for libel, fraud, and other misdeeds, because those antiviral
products mistakenly identify Imageline products as containing viruses.  Stay
tuned for further details.


Dutch chemical plant explodes due to typing error

<rmoonen@ihlpl.att.com>
Wed, 23 Dec 92 09:26 GMT
In the first half of this year the chemical factory Cindu exploded causing
several deaths and a chaos. It was confirmed yesterday that a simple typing
error led to this tragic accident. Apparently the computerised chemical
processing installation was fed with data in which a comma was placed at a
wrong digit, causing the wrong amount of chemicals to be mixed in the
installation. This led to an enormous explosion and the closure of the
factory.

The Dutch news said that the responsible person has been found and he
will be charged with negligible conduct causing death.

BTW: This year has been disaster-year for the Netherlands. We have had 2
serious plane crashes: the well-known El Al 747 that crashed into two
apartment buildings, the DC10 with 300 Dutchmen aboard that crashed in Faro
this week. We had the Cindu explosion, an earthquake (yes, in Holland) 2 major
train-accidents, and quite a few lesser accidents. I hope the next year will
have some mercy on us :-)
                                     --Ralph Moonen


911 in Massachusetts

Barry Shein <bzs@world.std.com>
Wed, 30 Dec 1992 01:24:42 -0500
I assume you have already been inundated with the issue of the woman
who was murdered by (her ex-husband I believe) here in Boston. It
seems she dialed 911 when she heard him at the door but unfortunately
her exchange was a Brookline exchange (a neighboring township a few
blocks away, not politically part of Boston), so the 911 call went to
the Brookline Police. On hearing her address the Brookline police
informed her she needed to call the Boston Police.

I am not certain of the exact details of what ensued (I'm not sure
anyone outside of the Police departments is certain yet), the
Brookline police claim the delay would not have made any difference in
the outcome (her murder), but of course that's a fairly convenient
position for them to take.

This has been a front-page story in the Boston Globe these last few days.
Makes one want to pick up their phone and dial 911 and see exactly who you get
and ask whether they would actually come should you need them.

        -Barry Shein

Software Tool & Die   bzs@world.std.com  uunet!world!bzs  617-739-0202


What about "little brother?"

Brian Seborg <seborg@first.org>
Wed, 23 Dec 92 12:28:17 EST
In the past we have tried to control information collected by "Big Brother" or
the Federal Government.  I believe that this has for the most part been
accomplished.  What has not been done, and what seriously needs to be
addressed is the collection and dissemination of information by numerous
"Little Brothers."  Specifically, additional guidance is needed to protect
information maintained by credit reporting agencies, State Government
agencies, retail stores, and other entities which routinely collect
information that can be linked to an individual by name or other unique
identifier.

Since I teach a computer security class at a local college, the issue of
privacy seems even more important once you know how many ways the information
can be compromised.  After a lecture on privacy one of my students mentioned
that he worked with some private investigators, and he mentioned that they
routinely had access to all kinds of information on people, and that agencies
such as the state department of motor vehicles routinely sold access to their
records to just about anyone.

To illustrate the problem I asked the student to initiate an inquiry and to
see what he could find out with only my name as information.  The next class
he brought me the results of his spending about 30 minutes at a computer
terminal.  Here is a partial list of what he provided me in printed form: my
current address, the addresses of all my previous residences, a list of all of
the automobiles I have ever owned, my social security number, my driver's
license number, a list of all of the credit cards I have ever owned including
cancelled cards, their credit limits, the credit card numbers, and the current
balance, the name and address of my employer, my father and brother's name and
address, the name of my wife, the name, address and phone numbers of all of my
neighbors, their date of residence, and the type of home they had, my criminal
record (blank) along with any pending cases, my traffic record (not blank
unfortunately!  :-)), my race, my income, the amount of my mortgage, my credit
rating, etc.  I imagine that most people have no idea that such information
about them is so easily accessible.  Imagine the potential for coming up with
a detailed profile of a person once you begin associating individuals to the
groceries they buy if the current trend of using check cashing cards or
bank-cards to pay for groceries really catches on!  For example, could you
imagine who might want to have access to lists of customers which bought
specific products?  Giant supermarkets (a large chain in our area) already has
the computer printing out coupons based on the purchases you have made, what
would they do with this information if they could associate you with the
groceries you bought?  One could imagine the following phone call after
purchasing a bladder control product: "Yes, Mr. Seborg, this is the office of
Dr. Nosey, Urologist, we are offering five dollars off your initial
consultation, when can we schedule you for your first appointment?"  Or worse,
you could have someone inferring some personal profile based on your patterns
of consumption.  Far fetched, maybe, but I bet you may think before you use
that bank card, or check cashing card next time at the grocery store, eh?

Brian Seborg, VDS Advanced Research Group  seborg@csrc.ncsl.nist.gov


Re: Electronic democracy (Agre, RISKS-14.19)

Barbara Simons <simons@almaden.ibm.com>
Wed, 23 Dec 92 12:36:33 PST
>Now, some people argue that electronic open government will level the
>playing field by giving The People access to the same information as special
>interests.  But maybe it doesn't work that way. ....

Agre then goes on to ask if we should welcome or oppose electronic "open
government" if our primary interest is in strengthening democracy.

I agree that there are many pitfalls related to the question of electronic
democracy as it is usually described.  The one that I find most disturbing is
the question of access.  Users of the net tend to be white males from a
certain age group and socio-economic class.  There are very few
representatives of the impoverished underclass on the net, and women are very
much underrepresented.  Also underrepresented are old people and very young
people.  If we were to increase access to government for users of the net, we
would be increasing access for a relatively prosperous, well educated, and
successful group, at the expense of much of the rest of the country.  This is
not a healthy situation for a democracy.

There is a serious risk of disenfranchisement contained within the standard
description of electronic democracy.  While this may not be the sort of risk
usually discussed in this forum, it is nonetheless significant, and it is
possible only because of computers.

Barbara Simons


Re: Programming errors affect state lottery (Seecof, RISKS-14.18)

Charles D. Ellis <cde@aplexus.jhuapl.edu>
Fri, 18 Dec 1992 19:19:28 GMT
GTECH, the company which got the mysteriously beneficial contract change
indemnifying them from operational goofs is in the news big time here in
Maryland.

It seems that allofasudden/outoftheblue they were awarded a contract for Keno
which was a total surprise to all, including the state legislature. The
no-bid award was justified due to a "fiscal emergency".

They must have one hell of a contracts department!

Charlie Ellis   cde@aplexus.jhuapl.edu


Re: Bundestag speechless (Weber-Wulff, RISKS-14.19)

Boris Hemkemeier <boris@math30.mathematik.uni-bielefeld.de>
Sun, 27 Dec 1992 20:01:46 +0100
The earlier report is only half the story.  The president of the German
Bundestag has a new priority button that switches off all microphones except
his own.  After resuming the debates in the new building, Johnny Klein put a
heavy book on the button and didn't notice the effect.  Security personnel
prevented technicians from entering the Bundestag.  Then the parliament
decided to move back to its old building, which incidentally is controlled by
the same (working!) computer.  (See the German newspaper, Die Zeit, "Johnny
griff daneben", for details.)
                                                   Boris Hemkemeier
boris@mathematik.uni-bielefeld.de.
                                             [Eine KLEINe NICHTmusik!  PGN]


Re: ... Bundestag speechless (Weber-Wulff, RISKS-14.19)

"Markus U. Mock" <mock@ira.uka.de>
Wed, 23 Dec 92 15:39:43 MET
[...] If this event shows the risks of complex technical systems, the light
was actually cast on the un-informed 'user' community and the lack of
information transfer to those who will use the systems.  [...]

Markus U. Mock, University of Karlsruhe, Dept. of Computer Science
mock@ira.uka.de ukj6@dkauni2.bitnet


Bundestag sound problems (RISKS 14.19)

Daniel Burstein <0001964967@mcimail.com>
Wed, 23 Dec 92 04:15 GMT
Hmm, seems I recall seeing this problem demonstrated at length in the mid
1960's.  Didn't Don Adams and Barbara Feldon (and Edward Platt) repeatedly run
into problems of this sort when using the "Cone of Silence" over at
"Control"?

Since the show was a continuing news documentary describing actions of spy
agencies, one would have thought that if anyone had studied it intensely, it
would have been the (then) East and West Germans...

Danny  <dburstein@mcimail.com> <----direct e-mail address

(A quick note to our younger crowd: The television show in question was "Get
Smart," which was kind of a spoof on the entire spy genre.  It is currently in
syndication throughout the United States, and quite a few other countries as
well).


Latest (?) credit card scams

Jerry Leichter <leichter@lrw.com>
Tue, 29 Dec 92 16:56:45 EDT
As I was paying for some magazines at a local bookstore today, I happened to
notice two interesting bulletins to store owners - passed on to the people
minding the cash registers - about the latest in credit card fraud.  There
are two closely related frauds involved:

    1.  Credit cards with their magnetic stripes re-recorded with a
    different, but valid, account number.  Since these days
    pretty much the entire system runs on what is read off
    the magnetic stripe, with a complete receipt printed for
    you without a need to emboss anything from the original
    card, this is a great way to charge things to someone else.

    Their recommendation:  Cross-check the information embossed on
    the card with the information printed on the receipt.  There's
    a reward offered to anyone who finds a "magnetically forged"
    card this way.  In practice, don't bet the ranch.  It's hard
    enough to find anyone who bothers to check the signature any
    more; how many people will bother to check long strings of
    digits?  It's worth keeping in mind that unless the card IS
    checked, there is no good way to prove, or even reliably
    detect, the fraud later:  The only information in the system
    is what came off the magnetic stripe.  (Well, you do have the
    signature - but do stores even bother to keep all those
    signed, printed receipts?  Finding any particular one would
    be a horrible job.)

    2.  Someone has apparently gone into business creating fake credit
    cards with valid (stolen) credit card numbers on them.  They
    are currently easily detectable because they all bear the
    name of some particular non-existent bank.  If the creator
    had thought about this a bit, he would have created fake
    Citibank or AT&T cards - even if it were hard to get them to
    look *exactly* like the real ones, they'd still be much, much
    harder to detect than cards "issued" by a specific "First
    Federal of Oshkosh", which since it doesn't exist has issued
    NO real cards.  (I hope I haven't given anyone a new idea.)

The potential losses here are staggering.  I don't know who ends up stuck with
the immediate bill for these losses - certainly not the owner of the valid,
stolen credit card (though proving that a fraud has taken place could be time
consuming and painful), most likely not the retailer (after all, he DID get a
"valid card/good transaction" response from whatever agency he checks with).
There should be some interesting finger-pointing between the issuing banks and
the transaction approving agencies.

In the end, of course, we all end up paying.  Check your monthly bills
carefully!
                            -- Jerry


Risks of satellite-controlled anti-theft devices

Jim "The Big Dweeb" Griffith <griffith@xcf.Berkeley.EDU>
Tue, 29 Dec 92 23:49:54 -0800
Here in the Bay Area, there has been a rash of carjacking crimes.  In San
Francisco alone, there have been around 60 carjackings in the past six months
or so.  Several people have been injured when resisting a carjacker - the
latest being a young man who was shot in the head on Christmas Eve when he
wouldn't give up his car.  The police recommend that drivers should give up
their cars to would-be car-jackers, since a life is more valuable than a car.

Naturally, Silicon Valley has been working on the problem, the first
solution being a remote-controlled ignition kill switch, operated from a fob
such as those used with active car alarms.  One of our local stations had a
blurb about the latest innovation, which uses pager technology to allow a
car owner to dial a 1-800 number, triggering a pager-like satellite signal
which causes a particular car to kill its ignition.  This way, car owners
can calmly let a carjacker escape with the vehicle, then walk to the nearest
telephone and stop the car in its tracks.

I thought this was a rather clever use of technology, so I gleefully told one
of my house-mates about it.  His reaction was "gee Jim, now I can hassle you
without ever leaving the house".  This kind of stopped me in my tracks, and
after having thought about it a bit, a number of risks seem evident.
Basically, any kind of "wrong number" risk can potentially create a serious
traffic hazard, as well as resulting in personal annoyance (depending on the
mechanism used to re-allow ignition - especially when the user doesn't have a
car-phone).  You've then got yet another number that you must guard as closely
as an ATM code, but which contains significantly more digits to remember (the
1-800 number plus a password-like code), and keeping track of that while
keeping it away from others is hard.  Plus, a single fault at a pager company
can cause large-scale regional traffic disruptions (if the device becomes
popular, which it probably will).
                               Jim


OECD Security Guidelines

Marc Rotenberg <Marc_Rotenberg@washofc.cpsr.org>
Wed, 30 Dec 1992 17:51:47 EST
        The Organization for Economic Cooperation and Development (OECD) has
adopted international Guidelines for the Security of Information Systems.  The
Guidelines are intended to raise awareness of the risks in the use of
information systems and to establish a policy framework to address public
concerns.

       The OECD Security Guidelines should be of special interest to RISKS
readers.  They are similar in form to the 1980 OECD Privacy Guidelines and
will probably have a substantial impact on security policy.

      Of course, there are lots of issues left open by the Guidelines,
including the relationship between privacy and security.  But the principles
offer a good starting point for public discussion on security and
risks-related issues.

        A copy of the press release and an excerpt from the Guidelines
follows.  For additional information or for a copy of the Guidelines, contact
Ms. Deborah Hurley, OECD, 2, rue Andre-Pascal, 75775 Paris Cedex 16, France
33-1-45-24-93-71 (tel) 33-1-45-24-93-32 (fax).

Marc Rotenberg, Director, CPSR Washington office and Member, OECD Expert
Group on Information System Security           rotenberg@washoc.cpsr.org

=============================================================

         OECD ADOPTS GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS

        The 24 OECD Member countries on 26th November 1992 adopted Guidelines
for the Security of Information Systems, culminating almost two years' work by
an OECD expert group composed of governmental delegates, scholars in the
fields of law, mathematics and computer science, and representatives of the
private sector, including computer and communication goods and services
providers and users.

        The term information systems includes computers, communication
facilities, computer and communication networks and the information that they
process.  These systems play an increasingly significant and pervasive role in
a multitude of activities, including national economies, international trade,
government and business operation, health care, energy, transport,
communications and education.

        Security of information systems means the protection of the
availability, integrity, and confidentiality of information systems.  It is an
international issue because information systems frequently cross national
boundaries.

        While growing use of information systems has generated many benefits,
it has also shown up a widening gap between the need to protect systems and
the degree of protection currently in place.  Society has become very
dependent on technologies that are not yet sufficiently dependable.  All
individuals and organizations have a need for proper information system
operations (e.g. in hospitals, air traffic control and nuclear power plants).

        Users must have confidence that information systems will be available
and operate as expected without unanticipated failures or problems.
Otherwise, the systems and their underlying technologies may not be used to
their full potential and further growth and innovation may be prohibited.

        The Guidelines for the Security of Information Systems will provide
the required foundation on which to construct a framework for security of
information systems.  They are addressed to the public and private sectors and
apply to all information systems.  The framework will include policies, laws,
codes of conduct, technical measures, management and user practices, and public
education and awareness activities at both national and international levels.

        Several OECD Member countries have been forerunners in the field of
security of information systems.  Certain laws and organizational and
technical rules are already in place.  Most other countries are much farther
behind in their efforts.  The Guidelines will play a normative role and assist
governments and the private sector in meeting the challenges of these
worldwide systems.  The Guidelines bring guidance and a real value-added to
work in this area, from a national and international perspective.


PRINCIPLES

1. Accountability Principle

        The responsibilities and accountability of owners, providers and users
of information systems and other parties concerned with the security of
information systems should be explicit.

2.  Awareness Principle

        In order to foster confidence in information systems, owners,
providers and users of information systems and other parties should readily be
able, consistent with maintaining security, to gain appropriate knowledge of
and be informed about the existence and general extent of measures, practices
and procedures for the security of information systems.

3. Ethics Principle

        Information systems and the security of information systems should be
provided and used in such a manner that the rights and legitimate interests of
others are respected.

4. Multidisciplinary Principle

        Measures, practices and procedures for the security of information
systems should take account of and address all relevant considerations and
viewpoints, including technical, administrative, organizational, operational,
commercial, educational and legal.

5.  Proportionality Principle

        Security levels, costs, measures, practices and procedures should be
appropriate and proportionate to the value of and degree of reliance on the
information systems and to the severity, probability and extent of potential
harm, as the requirements for security vary depending upon the particular
information systems.

6. Integration Principle

        Measures, practices and procedures for the security of information
systems should be co-ordinated and integrated with each other and with other
measures, practices and procedures of the organization so as to create a
coherent system of security.

7. Timeliness Principle

        Public and private parties, at both national and international
levels, should act in a timely co-ordinated manner to prevent and to respond
to breaches of information systems.

8.  Reassessment Principle

        The security of information systems should be reassessed periodically,
as information systems and the requirements for their security vary over time.

9. Democracy Principle

        The security of information systems should be compatible with the
legitimate use and flow of data and information in a democratic society.

[Source: OECD Guidelines for the Security of Information Systems (1992)]
