The RISKS Digest
Volume 14 Issue 35

Tuesday, 23rd February 1993

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Seeing red over valentine envelopes
    Luis Fernandes
KIO diskettes stolen from Spanish Government
    Miguel Gallardo
Citibank outage
    Marty Leisner
Japanese Bank Hit By Phone Fraud
    John Mello
Long Distance..Is the next best thing to praying there
    Paul Robinson
Re: _Friendly Spies_
    Sean Matthews
Re: The "Information America" service
    John Pettitt
MIT's on-line Student Information Services (SIS)
    Jonathan I. Kamens
Re: Tapping Phones
    Mark W. Schumann
1st ACM Conference on Computer and Communications Security
    Dorothy Denning
Call for Papers: Computer Security Applications Conference
    Marshall D. Abrams
Info on RISKS (comp.risks)

Seeing red over valentine envelopes

luis fernandes <elf@ee.ryerson.ca>
Sat, 13 Feb 93 20:46:50 EST
The following appeared in the Feb. 13, 1993 issue of the "Toronto Star":

Edmonton(CP)-- It's that time of year again when love is in the air and Canada
Post is seeing red. Red envelopes, that is.  That's because the computerized
mail sorting machines, which can process 33,000 letters an hour, have trouble
reading addresses off the red envelopes popular for Valentine's Day greetings, a
Canada Post spokeswoman says.  "We in Canada have some of the most technically
advanced machinery in the world," Teresa Williams says. "And while it's not
impossible for them to read red envelopes, some of them can present a bit of a
challenge."  If your valentine card hasn't arrived, it may have been delayed
in the mail-sorting process, Williams says.  A reminder for next year: white
envelopes should be used instead. "Or put a white sticker on a red envelope,"
Williams suggests.

Meanwhile Hallmark Cards Inc., based in the United States, is complying with a
U.S. Postal Service request to stop producing dark-colored envelopes over the
next couple of years. U.S. machines can't read them either.


KIO diskettes stolen from the Spanish Government

"(Miguel Gallardo)" <gallardo@batman.fi.upm.es>
Wed, 10 Feb 1993 15:52:04 UTC+0100
During the night of 5 February 1993, 18 diskettes were stolen from the
Ministry of Economy and Taxes in Madrid, Spain.  All the diskettes contained
information of international funds transferred by Kuwait Investment Office
(KIO) since 1988.

The situation of this large group of chemical, building and real estate
companies in Spain is very complex, because many of them are in bankruptcy,
the Spanish Government paid a lot of money for this industry support, there
are thousands of people losing their jobs, and present managers of KIO in
Spain demanded old jobs at the Court, because of money fraud and political
corruption.

Javier De la Rosa, Fouad K. Jaffar and Mohamed al Sabah are the names related
with it that appear every day in several press items that compare their
management with Michael Milken (convicted), John H. Gutfreund, Donald M.
Feurstein (Salomon Inc) and other Securities & Exchange Commission affairs in
USA.  But they control many journalists here, thanks to the singer Julio
Iglesias' ex-manager, and now Javier De la Rosa's speaker [spokesman?],
Alfredo Fraile.

The Government Ministry, Carlos Solchaga, told the press that he thinks the
goal of the thief is to sell this information to the press, and to discredit
HIM.  He advised journalists not to buy this interesting digital information,
because legal prosecution will be ordered if anything is published.

On the other side, Javier De la Rosa told the journalists that there is a
mafia in Spanish bureaucracy that stole the diskettes.  But this is not a
clever idea because it is not necessary to steal something that can be easily
diskcopied.

What is much more interesting is that KIO has nothing to say, and that a
Spanish Justice refused to accept its demand because there was not enough
information enclosed.  It seems that they did not find a computer expert able
enough to look for financial scandal data in computers and back-ups, now
owned by them.

IMHO, everybody has too many things to hide in this sad story.

Miguel A. Gallardo Ortiz, PX86 Engineer UNIX&C freelance working on RSA crypto
Fernando Poo, 16 (Proyecto X86)  E - 28045 Madrid (Spain)
Tel: (341) 474 38 09 - FAX: 473 81 97  E-mail: gallardo@batman.fi.upm.es


Citibank outage

Marty Leisner 71348 <leisner@eso.mc.xerox.com>
Tue, 23 Feb 1993 08:03:35 PST
"Software Problem Halts Citibank's Automatic Tellers for 4 Hours" — Sunday NY
Times, page 43 Metro, February 14, 1993.  About 7 column inches.

Citibank's 1200 ATMs went down (refused to dispense cash or complete
transactions) from 10AM to 2 PM on Saturday because of "a software glitch"
when new software was being installed...

marty  leisner@eso.mc.xerox.com  leisner.henr801c@xerox.com


Japanese Bank Hit By Phone Fraud

John Mello <jmello@igc.apc.org>
Tue, 23 Feb 93 14:20:38 PST
The Boston Business Journal, February 1993

     A Boston branch of the Daiwa Bank Ltd., the 25th largest bank in the
world, was victimized by prison inmates with a gift for social engineering,
according to the Boston Business Journal.  The inmates placed collect calls to
the Daiwa switchboard, identified themselves as telephone repairmen, and said
they could fix the company's telephone problems by being connected to an
outside line. Once connected to an outside line, the cons made long-distance
calls, sticking Daiwa with the tab.  Some of the calls were to sex hotlines.
     Hospitals in the Boston area were some of the first victims of this form
of phone fraud, the newspaper reported.  Inmates treated at the hospitals
would memorize employees' names or use the names of physicians who appeared
on TV to con operators into giving inmates access to outside lines.  Once the
operators got wind of what was happening, though, the hospitals were able to
clamp down on the problem. One inmate, impersonating a doctor who appeared on
TV the previous day, gave himself away by referring to himself by title
"doctor." The operator knew the physician always identified himself by his
first name. The last thing the jailbird heard before the operator hung up on
him was, "I suggest you speak to the warden about that."


Long Distance..Is the next best thing to praying there

Paul Robinson <tdarcos@access.digex.com>
Tue, 23 Feb 1993 13:39:44 -0500 (EST)
From the {Washington City Paper} of Feb 19-25, page 18:

News of the Weird by Chuck Shepherd:

  In January, Israel's national telephone company initiated a fax service that
  transmits messages to God via the Wailing Wall in Jerusalem.  In May, the
  Roman Catholic Church will unveil a high-tech confessional at a trade show
  in Vicenza, Italy, that will accept confessions by fax.  And in December, a
  sect of Orthodox Jews in Brooklyn, NY began selling its members special
  beepers so they will know instantly when the Messiah arrives on earth.

And there is precedent for a response, I guess:
  "Your Majesty, I have a message from God for you."     - Judges 3:20

Paul Robinson — TDARCOS@MCIMAIL.COM

    [Hopefully, the Messiah will not arrive on the Sabbath, although there
    might be a question as to whether the beeper is actually being USED as
    long as it does NOT trigger.  Confessions by EMail should be easy to set
    up.  L.A. has long had drive-through churches; I suppose services via
    on-line interactive multimedia X-window conferencing cannot be far behind.
    But watch out for a hi-tech Allah McGordo bombshell in virtual reality.
    PGN]


re: _Friendly Spies_ (Wayner, RISKS-14.34)

"Sean Matthews" <sean@mpi-sb.mpg.de>
Tue, 23 Feb 93 09:34:39 +0100
Consider this a balancing comment on economic risk of incorporating
American technology (it is also tangentially relevant to the original
discussion about export restrictions on US cryptographic technology).

I don't doubt that the French, German or British intelligence services carry
out occasional industrial espionage for their local industries (certainly, I
have seen reports of British intelligence doing this in the British press).

However, to balance this (lest anyone think from the above that the US is
somehow more virtuous in these things, and does not behave in such an
underhanded, ungentlemanly, or even, dare I say it, nefarious, manner) I
should point out that there are, or at least were, when I still lived there,
regular complaints in the British press from firms trying to sell technology
that contained US made components to, say, China, only to find, first, that
the US department of trade prohibited the sale on strategic grounds, and
second, that identical technology was suddenly no longer strategic when it was
offered by some US company that had mysteriously heard about the British deal,
and was able to close it instead.

Sean


Re: The "Information America" service

John Pettitt <jpettitt@well.sf.ca.us>
Tue, 23 Feb 1993 16:54:41 GMT
Information America does a lot more than is described in the post (I have
not seen the Mondo article yet).  I know one of their sales people (well, ex;
she quit just before Christmas).  Their prime selling strategy to lawyers
seems to be in competition with Lexis, Nexis (sp?) and Dialog (all large
online database services).

The idea is that the lawyer (or more correctly a paralegal) can research
case law on line in a fraction of the time it would take in the law
library.  They have all US court cases on line (local & federal).

I don't think there is any "dark" intent in the lack of publicity for IA,
more that they just don't see value in advertising to people who are not
going to buy their service.

As to the other services they provide, what is the problem?  We live in an
information society.  If you don't want people using and tracking information,
don't give it to them (i.e., go live some place where there are no phones or
credit cards).

[ P.S. I am CEO of a direct response marketing company so I'm biased :-) ]

John
        [I presume there will be comments about a person's not having to give
        the information to them for it to be there — whether it is right or
        wrong!  Subsequent discussion might better belong in the PRIVACY
        groups noted in RISKS-14.34.  PGN]


MIT's on-line Student Information Services (SIS)

"Jonathan I. Kamens" <jik@aktis.com>
Wed, 10 Feb 93 18:19:20 -0500
(Re: "Anyone can get your U. of Illinois transcript" in RISKS-14.31)

MIT recently put on-line a new service, SIS, through which students can access
data in the registrar's database, including both personal and confidential
data about their own status and general data such as course schedules.

SIS is worth mentioning here, in response to Carl Kadie's message about
problems with a similar system at the University of Illinois, because (in my
opinion) SIS is a good example of system designers taking security issues
seriously enough and doing a good job of meeting security needs.

In order to use SIS to access personal data, a user must first register an
"extra" password with the Kerberos database.  The program that registers this
password does so by transmitting it to the Kerberos server in encrypted form
(using a key derived from the user's main Kerberos principal, for which he
already has a password) so that it isn't exposed to the network.

The assumption that led to the extra-password requirement is that people
already have the mindset that it's OK to share their accounts (i.e., their
main Kerberos principal password) with other people, so that name/password
pair is not sufficient authentication.  The documentation about SIS, and the
prompting that takes place when the user chooses an extra password, makes it
very clear that this password should be treated more securely by the user, and
that if the user sees fit to give it to others, that user is giving those
others access to his personal data in the registrar's database.

Once the user has registered for an extra password, he still can't access
personal data in the registrar's database immediately.  A notification is
mailed, by U.S. Mail, to the address for the user in the registrar's database.
About a week after that notification is received by the user, the password
actually becomes active and the user can access personal data on-line.

Obviously, this second safeguard is to protect against the possibility of a
user registering another user's extra password.  The notification mailed to
the user explains in detail what it's about, and tells the user whom to
contact if he *did not* register an extra password.

I suspect that an extra password does not become valid if the paper mail
notification is returned by the post office (i.e., is not successfully
delivered to the user).  Granted, the time given for the notification to be
returned by the post office probably isn't sufficient for all failed deliveries,
but I think that the probability of a notification not being delivered
properly to someone whose extra password was illicitly registered by someone
else is sufficiently low that this is not a concern.

Once a user's extra password becomes valid he must type this password each
time he wants to use the SIS service to access personal data (and he must
already have valid Kerberos tickets for his main principal).  The Kerberos
tickets thus acquired are used to establish a Kerberos-authenticated network
connection to the machine on which the registrar's database resides.
Furthermore, the session key created while establishing that connection is
used to encrypt all personal data sent over the network.

There is one more safeguard to prevent security breaches of the database.  The
SIS protocol does not allow for direct modification of the database on the SIS
server.  Most data in the system can't be modified through it at all; instead,
users must talk to the registrar directly to effect changes.  The data that
*can* be modified is mostly MIT directory information, e.g., term address and
phone numbers, and when a user requests modifications to that data, the
modifications are stored and manually eyeballed for sanity by the registrar
before actually being fed into the system.

Finally, just in case there is some possibility that someone might manage to
break into the database machine (although it's pretty fortress-like in its
configuration :-), that machine is not actually the "home location" of the
registrar's database.  It's a copy that is updated by SneakerNet (a tape
carried from the registrar's office) regularly.  The registrar's computer is
on a subnet that is isolated from most of the campus network (and that is
certainly more paranoid about who gets to connect to it than the rest of the
campus network).

As you can see, I think that the people who designed and implemented
SIS did a good job of meeting security concerns.  Their only mistake
was using Motif for the UI :-).

Jonathan Kamens              Aktis, Inc.                 jik@Aktis.COM
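
The enrollment lifecycle described in the post above, modeled as an added example (not part of the original post and not MIT's code). All names, the fixed seven-day delay counted from mailing, and PBKDF2 standing in for the Kerberos key derivation are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the post says "about a week"; here the clock starts at mailing.
ACTIVATION_DELAY = timedelta(days=7)


@dataclass
class Enrollment:
    salt: bytes
    digest: bytes
    mailed_at: datetime      # when the paper notice went out
    cancelled: bool = False  # notice bounced, or the owner disputed it


def _digest(password: str, salt: bytes) -> bytes:
    # Stand-in for the Kerberos key derivation, which the post does not detail.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ExtraPasswordRegistry:
    """Hypothetical model of the extra-password lifecycle."""

    def __init__(self) -> None:
        self._enrollments: dict[str, Enrollment] = {}

    def register(self, user: str, password: str, now: datetime) -> None:
        # Any (re-)registration mails a fresh notice and restarts the wait,
        # so an overwritten password never inherits an elapsed waiting period.
        salt = os.urandom(16)
        self._enrollments[user] = Enrollment(salt, _digest(password, salt), now)

    def cancel(self, user: str) -> None:
        # Called when the notice is returned or the owner says "not me".
        if user in self._enrollments:
            self._enrollments[user].cancelled = True

    def authorize(self, user: str, password: str,
                  has_main_tickets: bool, now: datetime) -> str:
        # The extra password is a second factor on top of the main principal.
        if not has_main_tickets:
            return "no-main-tickets"
        e = self._enrollments.get(user)
        if e is None:
            return "not-enrolled"
        if e.cancelled:
            return "cancelled"
        if now < e.mailed_at + ACTIVATION_DELAY:
            return "waiting-period"
        if not hmac.compare_digest(_digest(password, e.salt), e.digest):
            return "bad-password"
        return "ok"


if __name__ == "__main__":
    t0 = datetime(1993, 2, 1)  # constructed sample data
    reg = ExtraPasswordRegistry()
    reg.register("alice", "extra-pw", t0)
    attempts = [(1, "extra-pw", True), (8, "extra-pw", False),
                (8, "guess", True), (8, "extra-pw", True)]
    for day, pw, tickets in attempts:
        print(day, reg.authorize("alice", pw, tickets, t0 + timedelta(days=day)))
```
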


re: Tapping Phones (Cohen, RISKS-14.33)

"Mark W. Schumann" <mark@whizbang.wariat.org>
Sat, 20 Feb 1993 14:24:03 EST
Fred Cohen <fc@turing.duq.edu> writes in RISKS v14n33:

!        3 - The best encryption in the world won't make you very safe if you
!dial into CompuServe (NOTE I AM NOT CITING COMPUSERVE AS AN ACTUAL PERPETRATOR
!BUT RATHER AS A CONVENIENT NAME-RECOGNITION IDENTIFIER FOR THE LARGER CLASS OF
!SUCH SERVICES) from your PC to send the information. ...

You're perpetuating a security scare that has no basis in fact.

Prodigy, the latter service you mention, requires the use of its own front-end
program on your PC.  You cannot use Prodigy without it.  Since this front-end
program executes on your PC, it does have the potential for the abuse you
mention.  I personally do not use Prodigy in part because of this security
loophole.

On the other hand, other communication services, such as Compuserve, do not
have this questionable "feature" at all.

You dial Compuserve from your PC with a communications program of your choice.
At all times the contents of your memory and hard drive are under the complete
control of your CPU and communications program.

You are probably thinking of the "Quick B" transfer protocol which appears to
allow Compuserve to "take over" your PC to run both ends of a file
upload/download.  (A similar sequence occurs with the popular ZMODEM
protocol.)  This is not really so; Compuserve actually sends only an ENQ (05)
character to the PC, which is interpreted by your comm program as a request to
begin a file transfer.  Again, the PC's memory and hard drive are still under
the control of your own comm program, not Compuserve.  Most comm programs,
such as Telix and Crosstalk, can be configured to ignore ENQ and require the
PC user to execute the transfer command manually.

Bottom line: No online service can cause your PC to execute code that is not
in the PC's memory space, Prodigy notwithstanding.

Mark W. Schumann/3111 Mapledale Avenue/Cleveland, Ohio 44109-2447 USA
Domain: mark@whizbang.wariat.org                      CIS:73750,3527


1st ACM Conference on Computer and Communications Security

Dorothy Denning <denning@cs.cosc.georgetown.edu>
Tue, 9 Feb 93 11:29:05 EST
 ******* 1st ACM Conference on Computer and Communications Security *******
                         Nov 3-5 1993, Fairfax, Virginia

                                 Sponsor: ACM SIGSAC
                  Hosts:    Bell Atlantic and George Mason U

                       In cooperation and participation from:
                  International Association of Cryptologic Research
        IEEE Communications Society TC on Network Operations and Management
                   IEEE Computer Society TC on Security and Privacy


                             C A L L   F O R   P A P E R S

 Topics of interest
 ==================

The purpose of this new conference is to bring together researchers and
practitioners of computer and communication security.  The emphasis is
on the security requirements of the industrial and commercial sectors,
e.g.  telecommunications, finance, banking, etc.  The primary focus is
on high quality original unpublished research, case studies and
implementation experiences.  We also encourage submission of papers
addressing the social and legal aspects of security.  Conference
proceedings will be published by ACM.  Selected papers, with suitable
revisions, will be considered for publication in upcoming special issues
of the Communications of the ACM and IEEE Communications Magazine.
Topics of interest include:

 Communications & Information Security: Theory and Techniques

 Access Control     Cryptanalysis      Digital Signatures  Intrusion Detection
 Audit              Cryptosystems      Formal Models       Randomness
 Authentication     Crypto. Prtcls     Hash Functions      Viruses and Worms
 Authorization      Database Sec.      Integrity           Zero Knowledge


 Applications, Case Studies & Experiences

 Cellular and Wireless  LAN Security           Security APIs    Smart Cards
 Electronic Commerce    Network Firewalls      Security Arch.   Telecom. Sec.
 Enterprise Security    Open Systems Security  Security Mgmt.   WAN Security


 Social and Policy Issues

 Cryptographic standards       Legal Issues
 Information Priv.             Tech. Export


 Instructions for Authors
 ========================

Authors should submit five copies of their papers to Ravi Ganesan at the
address below by May 15, 1993.  Papers should not exceed 7500 words
(approx.  15 single spaced pages of 11pt), and should not have been
published or submitted elsewhere.  As the review process will be
anonymous, names and affiliations of authors should appear only on a
separate cover sheet.  Authors will be notified of review decisions by
July 15, 1993.  Camera ready copies of accepted papers are due back by
August 15, 1993 for inclusion in the Conference proceedings.


 Program Committee
 =================

 Victoria Ashby, MITRE                   Steve Bellovin, AT&T Bell Labs.
 Whitfield Diffie, SUN Microsystems      Taher El Gamal, RSA
 Deborah Estrin, Univ. of Southern CA    Joan Feigenbaum, AT&T Bell Labs.
 Virgil Gligor, Univ. of Maryland        Li Gong, ORA Corp.
 Richard Graveman, Bellcore              Sushil Jajodia, George Mason U
 Paul Karger, GTE                        Carl Landwehr, NRL
 E. Stewart Lee, Univ. of Toronto        Giancarlo Martella, Univ. of Milan
 Michael Merritt, AT&T Bell Labs         Jonathan Millen, MITRE
 Clifford Neuman, USC Info. Sci. Inst.   Steven Rudich, CMU
 Rainer Rueppel, R3 Security Engg.       Eugene Spafford, Purdue Univ
 Jacques Stern, DMI-GRECC                Michael Wiener, BNR
 Yacov Yacobi, Bellcore


 Organizers
 ==========

 General Chairs

 Dorothy Denning                         Raymond Pyle
 Georgetown U                            Bell Atlantic
 Reiss 225                               7th Floor, 11720 Beltsville Drive
 Georgetown, DC 20057                    Beltsville, MD 20705
 denning@cs.georgetown.edu               rpyle@socrates.bell-atl.com

 Program Chairs

 Ravi Ganesan                            Ravi Sandhu
 Bell Atlantic                           George Mason U
 7th Flr, 11720 Beltsville Drive         ISSE Dept.
 Beltsville, MD 20705                    Fairfax, VA 22030
 ravi@socrates.bell-atl.com              sandhu@sitevax.gmu.edu
 Ph#: (301) 595-8439

 Proceedings Chair and Treasurer         Local Arrangements Chair

 Victoria Ashby                          Catherine Hoover
 MITRE                                   George Mason U
 7525 Colshire Drive,                    Center for Professional Development
 McLean, VA 22102                        Fairfax, VA 22030
 ashby@mitre.org                         Ph#:(703) 993-2090


Call for Papers: Computer Security Applications Conference

Marshall D. Abrams <abrams@mitre.org>
Mon, 22 Feb 93 15:30:48 EST
        CALL FOR PAPERS AND PARTICIPATION

        Ninth Annual Computer Security
           Applications Conference


                December 6 - 10, 1993
           Orlando Marriott International Drive
                  Orlando, Florida

The Conference
   The Information Age is upon us, along with its attendant needs for
protecting private, proprietary, sensitive, classified, and critical
information.  The computer has created a universal addiction to
information in the military, government, and private sectors.  The
result is a proliferation of computers, computer networks, databases,
and applications empowered to make decisions ranging from the mundane
to life threatening or life preserving.
    Some of the computer security challenges that the community is faced
with include:
    * To design architectures capable of protecting the
      sensitivity and integrity of information, and of assuring
      that expected services are available when needed.

    * To design safety-critical systems such that their software and
      hardware are not hazardous.

    * To develop methods of assuring that computer systems
      accorded trust are worthy of that trust.

    * To build systems of systems out of components that have
      been deemed trustworthy.

    * To build applications on evaluated trusted systems without
      compromising the inherent trust.

    * To apply to the civil and private sectors trusted systems
      technologies designed for military applications.

    * To extend computer security technology to specifically
      address the needs of the civil and private sectors.

    * To develop international standards for computer security
      technology.

     This conference will attempt to address these challenges. It will
explore a broad range of technology applications with security and safety
concerns through the use of technical papers, discussion panels, and
tutorials.

     Technical papers, panels and tutorials that address the application of
computer security and safety technologies in the civil, defense, and
commercial environments are solicited.  Selected papers will be those
that present examples of in-place or attempted solutions to these
problems in real applications; lessons learned; original research,
analyses and approaches for defining the computer security issues and
problems.  Papers that present descriptions of secure systems in use
or under development, or papers presenting general strategy, or
methodologies for analyzing the scope and nature of integrated
computer security issues; and potential solutions are of particular
interest.  Papers written by students that are selected for presentation
will also be judged for a Best Student Paper Award.  A prize of $500,
plus expenses to attend the conference, will be awarded for the selected
best student paper (contact the Student Paper Award Chairperson for details,
but submit your paper to the Technical Program Chairperson).

     Panels of interest include those that present alternative/controversial
viewpoints and/or those that encourage "lively" discussion of relevant
issues. Panels that are simply a collection of unrefereed papers will not
be selected.

INSTRUCTIONS TO AUTHORS:

     Send five copies of your paper or panel proposal to Ann Marmor-Squires,
Technical Program Chairman, at the address given below. Since we provide blind
refereeing, we ask that you put names and affiliations of authors on a
separate cover page only.  Substantially identical papers that have been
previously published or are under consideration for publication elsewhere
should not be submitted.  Panel proposals should be a minimum of one page that
describes the panel theme and appropriateness of the panel for this
conference, as well as identifies panel participants and their respective
viewpoints.  Send one copy of your tutorial proposal to Daniel Faigin at the
address given below.  It should consist of a one- to two-paragraph abstract of
the tutorial, an initial outline of the material to be presented, and an
indication of the desired tutorial length (full day or half day).  Electronic
submission of tutorial proposals is preferred.

Completed papers as well as proposals for panels and tutorials must
be received by May 18, 1993.  Authors will be required to certify prior
to June 19, 1993, that any and all necessary clearances for public release
have been obtained; that the author or qualified representative will be
represented at the conference to deliver the paper, and that the paper has
not been accepted elsewhere.  Authors will be notified of acceptance by
July 31, 1993.  Camera ready copies are due not later than September 18, 1993.
Material should be sent to:

Ann Marmor-Squires          Daniel Faigin
Technical Program Chair     Tutorial Program Chair
TRW Systems Division        The Aerospace Corporation
1 Federal Systems Park Dr.  P.O. Box 92957, MS M1/055
Fairfax, VA  22033          Los Angeles, CA  90009-2957
(703) 803-5503              (310) 336-8228
marmor@charm.isi.edu        faigin@aero.org

        Ravi Sandhu
        Student Paper Award
        George Mason Univ.
        ISSE Dept.
        Fairfax,  VA 22030-4444
        (703) 993-1659
        sandhu@gmuvax2.gmu.edu

Areas of Interest Include:

Trusted System Architectures
Software Safety Analysis and Design
Current and Future Trusted Systems Technology
Encryption Applications (e.g., Digital Signature)
Application of Formal Assurance Methods
Risk/Hazard Assessments
Security Policy and Management Issues
Trusted DBMSs, Operating Systems and Networks
Open Systems and Composed Systems
Electronic Document Interchange
Certification, Evaluation and Accreditation

Additional Information
     For more information or to receive future mailings, please contact
the following at:

Dr. Ronald Gove             Diana Akers
Conference Chairman         Publicity Chair
Booz-Allen & Hamilton       The MITRE Corporation
4330 East-West Highway      7525 Colshire Dr.
Bethesda, MD  20814         McLean, VA  22102
(301) 951-2395              (703) 883-5907
gover@jmb.ads.com           akers@mitre.org
