The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 79

Tuesday 10 August 1993

Contents

o Industrial espionage (Mich Kabay)
o Criminal record data leakage and tampering (Mich Kabay)
o Billion-dollar tax bills (Mich Kabay)
o More data remanence (Mich Kabay)
o Pizza RISK (Dale Drew)
o Yet another lottery screwup (Reva Freedman)
o "Terminal Compromise" by Winn Schwartau, on the Net (A. Padgett Peterson)
o ATM modem insecure? (Andrew Marchant-Shapiro)
o Jurassic Park Networks (Mich Kabay)
o Intrusion Detection workshop (Teresa Lunt)
o Computers, Freedom and Privacy (cfp'94) announcement (George Trubow)
o Info on RISKS (comp.risks)

Industrial espionage

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
27 Jul 93 17:54:16 EDT
Car wars: VW strikes back

  BONN (UPI, 27 Aug 1993) -- Volkswagen Tuesday fired back at General
  Motors, challenging its claims of industrial espionage and suggesting that
  evidence found by investigators may have been tampered with.  [...]  "This is
  a battle between two major auto firms against the background of a trade war.
  We did not start it but we will fight back," Piech said.

The language being used fits right in with the warnings of such experts as
Winn Schwartau that information will be the battleground of the new millennium.
Interpersonal, intercompany, and international hostilities are already
including components of information warfare.

In addition to the risks from accident, we must increase our countermeasures
to reduce the risks from deliberate sabotage and data leakage.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn


Criminal record data leakage and tampering

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
29 Jul 93 16:07:36 EDT
Criminal Records, By LAWRENCE L. KNUTSON, Associated Press Writer

   WASHINGTON (AP, 29 July 1993) -- Data in the computer files of the FBI's
   National Crime Information Center is increasingly being misused by law
   enforcement insiders, often for personal gain, congressional auditors say.

Criminal records are being sold to private detectives, lawyers and politicians
in defiance of right-of-privacy laws.

The article mentions the following specific cases:

--In Arizona, an angry ex-policeman used FBI databanks to track down and
murder a woman.   [actually, his "estranged girlfriend" --- PGN]

--In Pennsylvania, the friend of a drug-dealer used police computers to verify
the background of potential new clients (tracking down police undercover
agents).

The III file includes 17 million records about criminal histories and is
available to 19,000 law enforcement agencies [AGENCIES, not agents!] with over
97,000 terminals able to tap into the system directly.

All the reported abuse was by inside workers, not criminal hackers.

The GAO recommended that strong criminal sanctions be instituted to punish
misuse of criminal records files.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn


Billion-dollar tax bills

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
29 Jul 93 16:08:18 EDT
07/28 1143  IRS sends Midwesterners multibillion-dollar tax bills

  MINNEAPOLIS (UPI, 28 July, 1993) -- The Internal Revenue Service has some
  explaining to do.

  An IRS computer developed a glitch and sent out tax bills for as much as $68
  billion to about 1,000 people in Minnesota, Wisconsin, Illinois, Missouri
  and Iowa.

The IRS was trying to remove the names of Midwest flood victims from its
tax rolls. In an unexpected side-effect, other people got enormous random
tax bills.

I wonder if we could convince the IRS of the value of quality assurance
methodologies if they issued billion-dollar _refunds_ instead of bills?

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn


More data remanence

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
02 Aug 93 06:11:16 EDT
Canadian Press report on page 1 of _Globe and Mail_ on Monday, 2 Aug 93:

Summary follows:

     DISK SLIPPED INTO WRONG HANDS.

     A used hard disk sold to an Edmonton man contained two years of
     detailed and confidential personnel files about 166 Alberta land-titles
     employees.

     An investigation is to be ordered by the Deputy Justice Minister.

Another example of failing to consider information as an asset requiring
protection....

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn


Pizza RISK

Dale Drew <ddrew@Tymnet.COM>
Tue, 3 Aug 93 12:24:57 PDT
The RISKs of propagating databases used by companies have been covered many,
many times.  It is a fairly well known fact that companies are massing great
amounts of information on individuals for marketing purposes.

For the past several years, I have been identifying the numerous companies
that create, pass, trade, sell, distribute, and correlate my information.
During this process I identified several possible RISKs, one of which I
thought I'd pass along:

I discovered that an individual was attempting to gain access to my personal
information by calling Pizza Hut and attempting to order a pizza under my
name.  Pizza Hut just happens to maintain a database of all its customers to
make deliveries easier.  The culprit identified himself as me and ordered a
small pizza, and then attempted to verify my mailing address.

Fortunately, I had taken advance precautions and the information was not
accessible.  However, it raises the question of identification and
authorization when it comes to releasing confidential and/or sensitive
information.  This process does not exist in the industry, and opens a wide
area of exposure for individuals wishing to gain information for whatever use.

It also raises the question of liability.  Most companies make no attempt to
inform the "end user" that they are collecting "such-and-such" information and
intend on using it in "such-and-such" manner; it is up to the individual to
go on a mass writing campaign to identify where, exactly, his/her information
is, and what it's being used for.

If the information had been released, and was used against me in some manner,
would Pizza Hut be liable for that release?  Probably not.  What motivation do
they have in performing identification and authorization checks?  Probably
nothing.

[I wonder if Pizza Hut would deliver to a PO box?]

Dale Drew, BT North America, Inc., Global Network Security
Business Information Security (408) 922-6004 ddrew@druid.Tymnet.COM


Yet another lottery screwup

Reva Freedman <freedman@delta.eecs.nwu.edu>
Fri, 6 Aug 93 14:46:24 CDT
Even if you're opposed to state lotteries, if we're going to have them, don't
you wish they'd design the hardware and software better? Here follows a
summary of an incident in Illinois based on a Chicago Tribune article by Peter
Kendall (8/4/93, sec. 2, p.3).

  The only sure winners of last weekend's $11 million lottery drawing are the
  lawyers. The other winners are likely to be determined in court. The story
  started last week when office worker Carol Stonecipher attempted to buy a
  lottery ticket from the mini-mart at a Pride Petroleum gas station. She
  marked off six numbers on a card and handed it to the clerk, who was
  supposed to stick it into the lottery terminal.

  But the terminal was temporarily inactive, so the clerk, John Warford, kept
  re-inserting the card to print Ms. Stonecipher's ticket. When the terminal
  became active again a few seconds later, it printed out six tickets, one for
  each stored request.

  According to state lottery regulations, the store is required to pay for
  tickets printed by mistake unless someone else pays for them. The clerk gave
  Stonecipher the opportunity to buy the extra tickets, but she declined. None
  of this would have been of any importance except that Stonecipher holds the
  only winning number for last weekend's drawing.

  Stonecipher says that the clerk told her that he was going to invalidate the
  extra tickets. Both the mini-mart owners and the clerk are claiming that
  they are the true owners of the extra tickets.

Gives new meaning to the term "printing money," huh?

Reva Freedman <freedman@eecs.nwu.edu>
Dept. of EECS, Northwestern University, Evanston, IL
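The failure in the story above is a buffered-request replay: every re-insertion of the same slip while the terminal was inactive became a separate ticket once the link returned. The following is an added example, not code from the RISKS post or from any lottery vendor, modelling that terminal in Python; the slip identifier, the numbers and the timings are constructed, and the dedup window is an assumed policy value.

```python
# Added example (not from the RISKS post): a lottery-style terminal that
# buffers play slips while its link is down. reconnect_naive() reproduces the
# behaviour the article describes (one ticket per stored request);
# reconnect_dedup() treats re-insertions of the same slip within a short
# window as clerk retries rather than new sales. All values are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CardRequest:
    slip_id: str          # hypothetical identifier read from the play slip
    numbers: tuple        # the six numbers marked on the slip
    at: float             # seconds since terminal start, time of insertion


@dataclass
class Terminal:
    online: bool = False
    dedupe_window: float = 60.0            # assumed retry window, in seconds
    queue: list = field(default_factory=list)
    printed: list = field(default_factory=list)

    def insert_card(self, req: CardRequest) -> None:
        """Clerk feeds a slip. Online: print now. Offline: buffer it."""
        if self.online:
            self.printed.append(req)
        else:
            self.queue.append(req)

    def reconnect_naive(self) -> None:
        """Behaviour the article describes: one ticket per stored request."""
        self.online = True
        self.printed.extend(self.queue)
        self.queue.clear()

    def reconnect_dedup(self) -> None:
        """Hardened replay: the same slip and picks re-fed within the window
        count as one order, so an offline retry cannot become six purchases."""
        self.online = True
        last_seen: dict = {}
        for req in self.queue:
            key = (req.slip_id, req.numbers)
            prev = last_seen.get(key)
            if prev is not None and req.at - prev <= self.dedupe_window:
                continue          # clerk retry, not a new sale
            last_seen[key] = req.at
            self.printed.append(req)
        self.queue.clear()


def replay_incident(dedup: bool) -> int:
    """Six insertions of one slip while offline, one second apart.
    Returns how many tickets the terminal prints on reconnect."""
    term = Terminal()
    picks = (4, 11, 23, 29, 35, 42)       # constructed sample numbers
    for i in range(6):
        term.insert_card(CardRequest("slip-0001", picks, at=1.0 + i))
    if dedup:
        term.reconnect_dedup()
    else:
        term.reconnect_naive()
    return len(term.printed)


def distinct_slips_still_print() -> int:
    """A second customer's slip is a genuine separate order and must survive
    deduplication; only the repeated first slip is collapsed."""
    term = Terminal()
    term.insert_card(CardRequest("slip-0001", (4, 11, 23, 29, 35, 42), at=1.0))
    term.insert_card(CardRequest("slip-0001", (4, 11, 23, 29, 35, 42), at=3.0))
    term.insert_card(CardRequest("slip-0002", (1, 2, 3, 4, 5, 6), at=4.0))
    term.reconnect_dedup()
    return len(term.printed)


if __name__ == "__main__":
    print("naive reconnect prints:", replay_incident(False))   # 6
    print("dedup reconnect prints:", replay_incident(True))    # 1
```

The same slip fed again after the window has elapsed is still sold as a new ticket, so the window only absorbs the retry burst, not a later deliberate repeat purchase.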


"Terminal Compromise" on the Net

A. Padgett Peterson <padgett@tccslr.dnet.mmc.com>
Thu, 22 Jul 93 10:06:17 -0400
Though commercial in nature, I find this an important announcement since the
novel is an excellent read about potential RISKS of widespread computer use
and possible terrorism attacks AND since it is available electronically
(ARCHIE found the 617K/560 page novel at knot.queensu.ca as
/wuarchive/doc/misc/termcomp.zip. More sites are probably available by now).
Note that the novel also predates (1991) "Rising Sun".

Padgett

                     !!!!POST EVERYWHERE!!!!
      THE WORLD'S FIRST NOVEL-ON-THE-NET (tm) SHAREWARE!!!
                       By Inter.Pact Press
                      "TERMINAL COMPROMISE"
                        by Winn Schwartau

     A high tech thriller that comes from today's headlines!

          "The Tom Clancy of computer security."
          Assoc. Prof. Dr. Karen Forcht, James Madison University

"Terminal Compromise" is a highly praised novel about the invasion of the
United States by computer terrorists.

Since it was first published in conventional print form, (ISBN: 0-962-87000-5)
it has sold extremely well world-wide, but then again, it never hit the New
York Times Bestseller List either.  But that's OK, not many do.

Recently, someone we know very well came up with a real bright idea.  They
suggested that INTER.PACT Press take the unprecedented, and maybe slightly
crazy, step to put "Terminal Compromise" on the Global Network thus creating a
new category for book publishers.  The idea is to offer "Terminal Compromise,"
and perhaps other titles at NOVEL-ON-THE-NET SHAREWARE(tm) rates to millions
of people who just don't spend a lot of time in bookstores.  After discussions
with dozens of people - maybe even more than a hundred - we decided to do
just that.  We know that we're taking a chance, but we've been convinced by
hackers and phreakers and corporate types and government representatives that
putting "Terminal Compromise" on the net would be a fabulous step forward into
the Electronic Age (Cyberspace if you will), and would encourage other
publishers to take advantage of electronic distribution.  (It's still in the
bookstores, though.)


NOVEL-ON-THE-NET SHAREWARE Fees For The People:

The suggested donation for individuals is $7.  If you hate Terminal Compromise
after reading it, then only send $6.50.  If you're really, really broke, then
tell a hundred other people how great it was, send us a rave review and post
it where you think others will enjoy reading it, too.  If you're only a little
broke, send a few dollars.  After all, this is how we stay in business.  With
each registration, we will also send a FREE! issue of "Security Insider
Report," a monthly security newsletter also published by Inter.Pact Press.

Please forward all NOVEL-ON-THE-NET SHAREWARE fees to:

     INTER.PACT PRESS
     11511 Pine St. N.
     Seminole, FL., 34642

Communications:

     Phn: 813-393-6600
     Fax: 813-393-6361
     E-Mail: p00506@psi.com
             wschwartau@mcimail.com

  [Archie only reported TERMCOMP.ZIP at knot.queens.ca but the opening screen
  there recommends that outsiders use wuarchive.wustl.edu. I can verify that
  right now it is there as /doc/misc/termcomp.zip .  Padgett]


ATM modem insecure?

"MARCHANT-SHAPIRO, ANDREW" <MARCHANA@gar.union.edu>
22 Jul 93 13:40:00 EST
Hey, how hard can it be to break into an ATM?  It's easier than you think...

Today, needing a little cash, I wandered over to the College Center
(nope, they don't call it a UNION here) to use the ATM.  To my surprise,
there was a little box sitting on top of the ATM with a lot of blinking
lights -- a modem.  A General Datacom NMS 2400, to be specific.  It had
a standard DB-25 on the back and was plugged into the ATM's serial port.

I should note that I've been out of town for a couple of months, and,
when I left, there was no modem sitting on top of the box like that.  So
this MAY be temporary (let's hope).  Anyway.

I do not believe that this modem is a secure device...  It had no
obvious security system, and there was no one around watching.  Had I
needed a 2400 baud modem, I could have picked it up and walked away with
it (it wasn't screwed down).  Far more interesting, however, would be
the possibility of opening the box while it was running, attaching a
wire or two, and getting a nice record of the codes sent from and
received by the ATM.  I didn't do it, of course.

I suppose there must be some kind of internal security in the ATM so
that it will only dispense cash when it has a card in place (I don't
know much about how they work), but it scares me to realize just how
insecure the link really is.  For a few dollars, I could have had a
printout (or a file) of the data stream between the ATM and its masters.
Even if the stream were encoded, it would be a simple matter to watch
what was being done by ATM customers and match it to the codes.

I had been getting complacent about RISKs lately -- "oh, yeah, another
scare story about (phones, ATMs, aircraft, you name it)."  Maybe it
shouldn't, but this shook me out of that.  Again an avid reader...

Andrew Marchant-Shapiro    Depts of  Sociology and Political Science
USmail: Union College, Schenectady  NY  12308   AT&T: (518) 388-6225*
INTERNET:  marchana@gar.union.edu     BITNET:  marchana@union.bitnet


Jurassic Park Networks

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
29 Jul 93 16:09:39 EDT
The following text is Copyright (c) 1993 by Network World. All rights
reserved.

Permission is granted by the copyright holder and the author to distribute
this file electronically or otherwise as long as the entire file is printed
without modification (other than cosmetic or formatting changes).

The following is the text as submitted to Network World. It was slightly
edited and then published as "Jurassic Park's net security policies are
prehistoric," _Network World_ 10(30):89 [26 July 93].


Velocihackers and Tyrannosaurus superior

by M. E. Kabay, Ph.D., Director of Education
National Computer Security Association
10 South Courthouse Avenue, Carlisle, PA 17013
Tel 717-258-1816  Fax 717-243-8642


The current hit movie "Jurassic Park" stars several holdovers from 65 million
years ago. It also shows errors in network security that seem to be as old.

For those of you who have just returned from Neptune, "Jurassic Park" is about
a dinosaur theme park that displays live dinosaurs created after scientists
cracked extinct dinosaur DNA code recovered from petrified mosquitos. The
film has terrific live-action dinosaur replicas and some heart-stopping
scenes. It also dramatizes awful network management and security.
Unfortunately, the policies are as realistic as the dinosaurs.

Consider a network security risk analysis for Jurassic Park. The entire
complex depends on computer-controlled electric fences and gates to keep a
range of prehistoric critters from eating the tourists and staff. So at a
simple level, if the network fails, people turn into dinosaur food.

Jurassic Park's security network is controlled by an ultramodern Unix system,
but its management structures date from the Stone Age. There is only one
person who maintains the programs which control the security network. This
breaks Kabay's Law of Redundancy, which states, "No knowledge shall be the
property of only one member of the team." After all, if that solitary guru
were to leave, go on vacation, or get eaten by a dinosaur, you'd be left
without a safety net.

Jurassic Park's security system is controlled by computer programs consisting
of two million lines of proprietary code. These critical programs are not
properly documented. An undocumented system is by definition a time bomb. In
the movie, this bomb is triggered by a vindictive programmer who is angry
because he feels overworked and underpaid.

One of the key principles of security is that people are the most important
component of any security system. Disgruntled and dishonest employees cause
far more damage to networks and computer systems than hackers. The
authoritarian owner of the Park dismisses the programmer's arguments and
complaints as if owning a bunch of dinosaurs gives him the privilege of
treating his employees rudely. He pays no attention to explicit indications of
discontent, including aggressive language, resentful retorts, and sullen
expressions. If the owner had taken the time to listen to his employee's
grievances and take steps to address them, he could have prevented several
dinosaur meals.

Bad housekeeping is another sign of trouble. The console where the disgruntled
programmer works looks like a garbage dump; it's covered in coffee-cup fungus
gardens, historically significant chocolate bar wrappers, and a treasure trove
of recyclable soft drink cans. You'd think that a reasonable manager would be
alarmed simply by the number of empty calories per hour being consumed by this
critically important programmer. The poor fellow is so overweight that his
life expectancy would be short even if he didn't become dinosaur fodder.

Ironically, the owner repeats, `No expense spared' at several points during
the movie. It doesn't seem to occur to him that with hundreds of millions of
dollars spent on hardware and software--not to mention the buildings and
grounds and an entire private island--modest raises for the staff would be
trivial in terms of operating expenses but significant for morale.

In the movie, the network programmer is bribed by competitors to steal
dinosaur embryos. He does so by setting off a logic bomb that disrupts network
operations completely. The network outage causes surveillance and containment
systems to fail, stranding visitors in, well, uncomfortable situations. Even
though the plot is not exactly brilliant, I'd like to leave at least something
to surprise those who haven't seen the movie yet.

When the systems fail, for some reason all the electric locks in the park's
laboratory are instantly switched to the open position. Why aren't they
automatically locked instead? Normally, when a security controller fails, the
default should be to keep security high, not eliminate it completely. Manual
overrides such as crash bars (the horizontal bars that open latches on
emergency exits) can provide emergency egress without compromising security.

As all of this is happening, a tropical storm is bearing down on the island.
The contingency plan appears to consist of sending almost everyone away to the
mainland, leaving a pitifully inadequate skeleton crew. The film suggests that
the skeleton crew is not in physical danger from the storm, so why send
essential personnel away?  Contingency plans are supposed to include
redundancy at every level.  Reducing the staff when more are needed is
incomprehensible.

At one point, the systems are rebooted by turning the power off to the
entire island on which the park is located. This is equivalent to
turning the power off in your city because you had an application
failure on your PC. Talk about overkill: why couldn't they just power
off the computers themselves?

Where were the DPMRP (Dinosaur Prevention, Mitigation and Recovery Planning)
consultants when the park was being designed? Surely everybody should know by
now that the only way to be ready for dinosaurs, uh, disasters, is to think,
plan, rehearse, refine and update. Didn't anyone think about what would happen
if the critters got loose? Where are the failsafe systems? The uninterruptible
power supplies? The backup power generators? Sounds like Stupidosaurians were
in charge.

We may be far from cloning dinosaurs, but we are uncomfortably close to
managing security with all the grace of a Brontosaurus trying to type.

I hope you see the film. And bring your boss.

     Best wishes, Mich

     Michel E. Kabay, Ph.D.
     Director of Education
     National Computer Security Association


Intrusion Detection workshop

Teresa Lunt <lunt@csl.sri.com>
Thu, 5 Aug 93 11:05:26 -0700
                 TWELFTH INTRUSION DETECTION WORKSHOP
                        CALL FOR PARTICIPATION

SRI is holding a one-day workshop on intrusion detection at the Baltimore
Convention Center in Baltimore MD on Thursday, September 23, 1993, which is
the final day of the 15th National Computer Security Conference.  This will be
the twelfth in a series of intrusion-detection workshops.  The NCSC conference
organizers have kindly provided us with a room at the convention center.

If you and/or your colleagues wish to attend, please let us know using the
attached reply form.  For other questions, please call Liz Luntzel at
415-859-3285 or send us a fax at 415-859-2844 or email at luntzel@csl.sri.com.

The workshop will consist of several short presentations as well as discussion
periods.  To help me in preparing the agenda, I would be interested in knowing
whether you have any progress to report on an intrusion-detection project or
some related work that would be appropriate for a brief presentation.  If so,
please indicate the title and a paragraph describing your proposed talk on the
enclosed form.  Please also indicate there your suggestions for discussion
topics.  Please mail the completed form to Liz Luntzel at the address below:

                      Liz Luntzel EL250
                      SRI International
                      Computer Science Laboratory
                      333 Ravenswood Avenue
                      Menlo Park, California USA 94025

You may also email the completed form to: luntzel@csl.sri.com

There is no charge for the workshop, and meals are not included.  There are
numerous places in the surrounding Baltimore Harbor area for breakfast and
lunch.  The workshop will begin at 9am and will conclude at 4pm.  At the
request of the organizers of the National Computer Security Conference, we
will break at 11am to allow you to attend the closing plenary session of the
conference, and resume at 2pm after lunch.

I look forward to seeing you at the workshop!

Teresa Lunt lunt@csl.sri.com

    ------------------------------ cut here ---------------------------------

                 TWELFTH INTRUSION DETECTION WORKSHOP

Yes! I will attend the Intrusion-Detection Workshop September 23 at the
Baltimore Convention Center.

Please complete the following:

Name:
Title:
Affiliation:
Address:

Indicate one:
      I am / am-not interested in presenting a talk.

If you are interested, please complete the following:

Title of Proposed Talk:
Abstract:

Suggestions for Discussion Topics:


cfp'94 announcement

George Trubow </G=G/S=TRUBOW/O=COMPMAIL/ADMD=TELEMAIL/C=US/@sprint.com>
Wed, 4 Aug 1993 10:51:52 -0700
                     Conference Announcement
              Computers, Freedom, and Privacy 1994
                         23-26 March 1994

     The fourth annual conference, "Computers, Freedom, and Privacy," (CFP'94)
will be held in Chicago, Il., March 23-26, 1994.  The conference is hosted by
The John Marshall Law School; George B. Trubow, professor of law and director
of the Center for Informatics Law at John Marshall, is general chair of the
conference. (E-Mail: 7trubow@jmls.edu). The program is sponsored jointly by
these Association for Computing Machinery (ACM) Special Interest Groups:
Communications (SIGCOMM); Computers and Society (SIGCAS); Security, Audit and
Control (SIGSAC).

     The advance of computer and communications technologies holds great
promise for individuals and society.  From conveniences for consumers and
efficiencies in commerce to improved public health and safety and increased
participation in government and community, these technologies are
fundamentally transforming our environment and our lives.

     At the same time, these technologies present challenges to the idea of a
free and open society.  Personal privacy is at risk from invasions by
high-tech surveillance and monitoring; a myriad of personal information data
bases expose private life to constant scrutiny; new forms of illegal activity
may threaten the traditional barriers between citizen and state and present
new tests of Constitutional protection; geographic boundaries of state and
nation may be recast by information exchange that knows no boundaries in
global data networks.

     CFP'94 will present an assemblage of experts, advocates and interest
groups from diverse perspectives and disciplines to consider freedom and
privacy in today's "information society." A series of preconference tutorials
will be offered on March 23, 1994, with the conference program beginning on
Thursday, March 24, and running through Saturday, March 26, 1994.

     The Palmer House, a Hilton hotel located in Chicago's "loop," and only
about a block from The John Marshall Law School, is the conference
headquarters.  Room reservations should be made directly with the hotel after
September 1, 1993, mentioning John Marshall or "CFP'94" to get the special
conference rate of $99.00, plus tax.

                     The Palmer House Hilton
               17 E. Monroe., Chicago, Il., 60603
      Tel: 312-726-7500;  1-800-HILTONS;  Fax 312-263-2556

Communications regarding the conference should be sent to:
                             CFP'94
                    The John Marshall Law School
                       315 S. Plymouth Ct.
                     Chicago, IL 60604-3907
(Voice: 312-987-1419; Fax: 312-427-8307; E-mail: CFP94@jmls.edu)

      CALL FOR CFP'94 PARTICIPATION AND PROGRAM SUGGESTIONS

     It is intended that CFP'94 programs will examine the potential benefits
and burdens of new information and communications technologies and consider
ways in which society can enjoy the benefits while minimizing negative
implications.

     Proposals are requested from those who desire to present an original
paper in a relevant area of technology, policy analysis or law, or to suggest
a program presentation.  Any proposal (1) should not exceed three typewritten
double-spaced pages; (2) must state the title of the paper or program; (3)
briefly describe its theme and content; and (4) set out the name, address,
credentials and experience of the author or suggested speakers. If a proposed
paper has already been completed a copy should be attached to the proposal.

                    STUDENT PAPER COMPETITION

Full time college or graduate students are invited to enter the student paper
competition.  Papers must not exceed 2500 words and should address the impact
of computer and telecommunications technologies on freedom and privacy in
society.  Winners will receive a scholarship to attend the conference and
present their papers. All papers should be submitted by November 1, 1993
(either as straight text via e-mail or 6 printed copies) to:

                      Prof. Eugene Spafford
                 Department of Computer Science
                        Purdue University
                  West Lafayette, IN 47907-2004
         E-Mail: spaf@cs.purdue.edu; Voice: 317-494-7825

                          REGISTRATION

Registration information and fee schedules will be announced by September 1,
1993.  Inquiries regarding registration should be directed to RoseMarie
Knight, Registration Chair, at the JMLS address above; her voice number is
312-987-1420.
