The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 75

Thurs 19 January 1995

Contents

o Airline schedules in local time
Matthew Kwan
o Car-radio security code nuisance
Daniel P. B. Smith
o Bugs in Digital RAID Storage Subsystems
Andy Ram
o Maryland Emission testing
Paul Peters
o Computers in nuclear plant
WB Whaley via Jonathan_Welch
o Anik E2 redux
Luis Fernandes
o Shaky testing
Mark Stalzer
o Re: Midnight Batch Run Bites
Paul Robinson
o New Risk from the WWW
John MacInty
o RISKS on the World Wide Web
Lindsay F. Marshall
o Criminal hacker arrested in Winnipeg
Mich Kabay
o Phone Phreaking Explored
Steve O'Keefe
o International Cryptography Institute 1995
Dorothy Denning
o 12th Annual ISSA Conference & Exposition
Jack Holleran
o Info on RISKS (comp.risks)

Airline schedules in local time

Matthew Kwan <mkwan@cs.mu.oz.au>
Mon, 9 Jan 1995 11:53:35 +1100
Anyone who has received an itinerary from a travel agent knows that airlines
tend to publish their schedules with departure and arrival times expressed
in local time.

While this is little more than an inconvenience for travelers who want
to figure out flight durations, it can become a more serious problem
when the airlines use local times in their internal computer systems
(and inflict these files on third-party software developers!).

A case in point involves an airline who had a flight out of Athens
at 0205 on 25sep94 (local time). Unfortunately, according to the
airline's timezone information, Athens switches from daylight savings
(UTC+0300) to standard time (UTC+0200) at exactly 0300 on 25sep94.
In other words, 25sep94 0205 occurs twice, so when converting this
time to UTC you have a 50/50 chance of being out by an hour.

In our particular case the only risk was that the system would report
the cabin crew working hours as being one hour less than reality, but
the results could potentially be more serious, especially if the
computers at the airport get confused.

mkwan


Car-radio security-code nuisance

"Daniel P. B. Smith" <dpbsmith@world.std.com>
Sun, 8 Jan 1995 20:04:39 +0001 (EST)
I bought a used 1994 Geo Prizm with a factory-installed Delco radio that
claims to have a "theft deterrent."  The owner's manual says "the theft
deterrent feature ... can be used or ignored.  If ignored, the system
plays normally.  If it is used, your system won't be usable if it's ever
stolen.  The instructions below tell you how to enter a security code
into the system.  If your vehicle loses battery power for any reason,
you must enter the security code again before the system will turn on."

I was tempted to ignore it, but decided, what the heck, I suppose I'd
better use it.  Well, of course, I discovered that the previous owner had
entered a security code, and had not removed it when the car was sold.
So if anyone were to leave the car headlights on overnight and drain the
battery (why, no, _I_ certainly couldn't be so stupid as to do that :-) )
the radio would become unusable.

The used-car dealer had no idea what to do, but suggested I call a Chevy
dealer.  The Chevy dealer hadn't ever heard of the situation and wasn't
aware the radio had such a feature, and suggested I call a Chevy 800 number.
The Chevy 800 number know nothing, and suggested I call a Delco 800 number.
At every stage, of course, I had to explain the security feature, which
apparently was new to the 1994 model.  And at every stage I had to endure
further misunderstandings, because at each stage, they were initially
unable to understand why there was any problem given that the radio worked.

Delco said, "sure, no problem, we'll fax the dealer the directions, a
lot of them don't know about it."  I asked how long the fix took and was
told, "it depends how good they are at following directions.  If the
radio isn't inoperative yet it's easy, otherwise it gets pretty involved."

I took the car to the dealer.  I had a chance to glance at the faxed
instructions but not read them carefully.  I have the impression that if
the radio isn't inoperative, removing the security code just requires
entering a complicated, but fixed series of digits and button-pushes.
(A savvy radio thief would have to remember to do this BEFORE
stealing the radio).  After it has had power removed and decided to become
inoperative, there is a much longer procedure, involving calling Delco
to get a dealer code, leaving the radio unpowered for a long time, etc.

Later that morning the dealer called me and said, "We think your ignition
lock security system must be interfering with your radio because we tried
your radio and everything works fine, including the cassette player."  So
I explained the problem once again.  I came by at noon as agreed to pick it
up and was told it would take a little longer, "because we are waiting for
Delco to call us back with a dealer code."  When I picked it up, they HAD
removed the old security code (and installed a new one, but they told me
what it was).  It had forgotten all the station settings.  I suspect that
they either did the complicated procedure when they only needed to do the
simple one, or someone disconnected the radio as part of their
troubleshooting, or someone couldn't resist disconnecting it to see what
would really happen...

What's the RISK?  Well, given that people do sell used cars, and that
many people may not even bother to read that part of the manual--
especially if the radio is working--what has been achieved overall is
to take a highly reliable car radio and reduce its life expectancy to
the same as that of a car battery.

Daniel P. B. Smith
dpbsmith@world.std.com


Bugs in Digital RAID Storage Subsystems

"Andy Ram, x1783, Hong Kong" <ARAM%11305@gs.com>
Sun, 08 Jan 1995 20:48:05 -0500 (EST)
Does any one know anything about reported bugs in the Digital RAID Storage
System ? One tends to hear so much of this bug.. nothing about it ?


Maryland Emission testing

Paul Peters <PPeters@DOCKMASTER.NCSC.MIL>
Mon, 9 Jan 95 09:55 EST
The following article appeared in the 8 Jan 1995 Washington Post:

     Maryland Delays New Auto Tests

     A computer glitch has forced the delay of Maryland's tough new
     auto emissions testing program.
          The state Motor Vehicle Administration announced Friday
     that the start-up of the program would be delayed for several
     weeks to fix the problems in the software used to measure
     emissions.  The MVA had planned to start mailing notices Friday
     to about 25,000 ddrivers to get their cars and trucks tested.
          "it's not going to start until we're satisfied we can
     give a quick and accurate test."  MVA Administrator W. Marshall
     Rickert Jr. said.
          The General Assembly passed the tougher testing program after the
     federal government ordered the state to reduce smog.

Comments heard on this topic include the opinion that it might be an
excuse to delay this testing which includes having a state driver test
your car at 55 mph on a dynamometer.  The test will be more costly that
the present test and is expected to result in a high failure rate.


Computers in nuclear plant

Jonathan_Welch <JHWELCH@ecs.umass.edu>
Mon, 09 Jan 1995 08:34:04 -0500
I read this in comp.os.vms this morning and it made me wonder
just how well this plant in Georgia is managed.

Jonathan Welch  VAX Systems Manager  Umass/Amherst  JHWELCH@ecs.umass.edu

- - - - -

Newsgroups: comp.os.vms
Subject: VAX 4000 Upkeep/Maintenance
From: wbwhaley@aol.com (WBwhaley)
Date: 9 Jan 1995 06:33:26 -0500

At work recently we just installed a Vax 4000 with 2 model 100's as our
hosts and numerous model 60's, VLC's, and a few model 90's as our basic
system workstations. Approx 20 workstations total along with an assortment
of LAN Bridge 150's / 200's, local segment repeaters all tied together on
thick wire ethernet and fiber optic cable. Its primary use is being our
plant computer for the nuclear power plant I work at, so it is in constant
use. A vast majority of the extra network equipment is for redundancy
being that we hate to loose any plant info/data in case of a failure.
Anyway, I was curious to see what other system users performed on their
systems as regular preventive maintenance and the such being that we are
new to the system. Defrag HD, cleaning bridges/repeaters/servers, host
cpu's, etc. Right now, we are tied to using built in VMS utilities and  I
would like your suggestions. I have gotten a good bit of info from the
system managers manual, but wasn't sure if there were any other tricks I
may have missed. VMS is totally new to me, so pardon my simple
description. <G> Any help would be appreciated.

Bill Whaley  Augusta, Ga


Anik E2 redux

Luis Fernandes <elf@eccles.ee.ryerson.ca>
Tue, 17 Jan 1995 14:47:07 +0500
Excerpts from the July, 4, 1994 Aviation Week and Space Technology follow:

    "Telesat Canada engineers have succeeded in a five-month rescue
    effort by reestablishing pointing control over the Anik E2
    satellite without the use of its failed momentum wheel systems,
    thus salvaging a $203-million asset."

This is the first time that a rescue of a geosynchronous, 3-axis
stabilized satellite without a serviceable momentum wheel on board has
been successful (other satellites with this type of problem have been
abandoned, in the past). No one is certain why the integrated
circuits in the control systems failed, but it is believed that
electrostatic discharge during an intense solar storm is to blame.

    "...during the five months that the satellite was out of action,
    Telesat Canada lost about $15 million. Engineers devised an
    alternative pointing system...and installed two entirely separate
    ground-based systems for redundancy. A software program developed
    by Telesat Canada engineers...keeps track of the satellite in
    three axes and calculates adjustments in pointing."

Anik E2 service life will be shortened by one year because of the
extra fuel used in re-positioning the satellite during it life.


Shaky testing

Mark Stalzer <stalzer@macaw.hrl.hac.com>
Thu, 12 Jan 1995 11:43:49 +0800
In the Jan. 12 LA Times, Pacific Bell, the US Geological Service, and
CalTech, announced an 18 month trial of a new system for measuring the
effects of earthquakes. The system uses sensors placed around
Southern California that relay data to CalTech's computers during
a 5+ magnitude earthquake. The data is reduced to give emergency
crews the location of large ground accelerations so that they
can tailor their responses. (Large ground motion can occur far
away from the epicenter, e.g. Filmore is about 20 miles from
Northridge yet it was severely damaged in the 6.8 quake.)

One interesting issue is testing the system: a 5+ quake is required.
A Pacific Bell official said they would extend the test period if
an appropriate quake doesn't occur. Talk about waiting a long time
for test runs...

Mark Stalzer, mas@acm.org


Midnight Batch Run Bites (Kowalczyk, RISKS-16.71)

<ROBINSON_PAUL@tandem.com>
9 Jan 95 10:16:00 -0800
Not so many years ago, I needed a certified check from my large Boston-area
bank.  I arrived at my branch office at 9:05am, gave a teller appropriate
paperwork to transfer funds from savings to checking, and then had the
necessary incantations performed to transform my normal everyday check into
a certified check.  Among other things, this caused the check amount to be
immediately debited from my checking account; but since I'd just requested a
transfer of the necessary amount into checking, the teller did not complain
about the apparent overdraft.  So far so good.

Within a week I received an overdraft penalty notice, because my transaction
at the teller window to do the transfer was not processed until after midnight
thus leaving my checking account short that day.  I had to show my transfer
receipt, with its 9:05am timestamp, to an actual human before the bank would
clear the penalty.

The incident taught me to avoid teller transactions whenever possible, though,
because the nice human who cleared the penalty told me that all the ATM
transactions were cleared first, before teller transactions, each evening.
A RISK of avoiding new technology??

Paul T. Robinson
robinson_paul@tandem.com    (NOT the Paul Robinson of paul@tdr.com)


New Risk from the WWW

<jmacinty@mv.us.adobe.com>
Tue, 17 Jan 95 07:55:55 PST
At the end of January middle of February this year Microsoft will be
introducing Internet Assistant.  A HTML creater and WEB browser for Word for
Windows 6.0.

The WEB browser will read Word 6.0 documents directly and therefore the risk.

Word documents can come with programming that will activate on opening.  While
this has always been a problem document distribution hasn't generally been
widespread until soon from now.

Three types of things I can see happening.

1. Viral type documents.  These are documents that will change your
normal.dot and copy itself from document to document.

2. Trojan Horse type 1 documents.  These are documents that do something on
opening, like delete files etc....And possible even harmless things.

3. Trojan Horse type 2 documents.  Really scary documents that communicate
BACK to the web-server without your knowing it and sending additional
information gleaned from your machine and or network.  There are some truly
scary things that could be done with a creative VBA/CGI programmer.

It is unfortunate that these risks exist, because otherwise the ability to
have "programmable" documents on the web is a really cool concept.  But
nonetheless risks like these have to be dealt with

John


RISKS on the World Wide Web

"Lindsay F. Marshall" <Lindsay.Marshall@newcastle.ac.uk>
Tue, 17 Jan 1995 15:29:07 GMT
You can now read the complete RISKS archives on the World Wide Web (apart
from the very earliest issues which will appear as soon as I have hand
converted them...) Individual issues have a file name of the form
volume.issue.html where issues is always a two digit number:

    http://catless.ncl.ac.uk/Risks/16.01.html

is the first issue of volume 16. The URL http://catless.ncl.ac.uk/Risks
gives you an introduction page and leads you to the indices for previous
issues.  The latest issue can always be found via the URL

    http://catless.ncl.ac.uk/Risks/latest

The translation from RISKS to html is automatic so there may be errors.
Please report any that you find to me so that I can fix them. Currently the
text of messages is left as pre-formatted text. I have hand converted issues
16.74 to use the html formatting commands. Any feed back on what people
would like to see and any improvements that I could make will be most
welcome.

Lindsay

MAIL :  Lindsay.Marshall@newcastle.ac.uk
URL  :  http://catless.ncl.ac.uk/Lindsay.html
POST :  Dept. of Comp. Science, U of Newcastle, Newcastle upon Tyne, UK NE1 7RU
VOICE:  +44-191-222-8267    (FAX: -8232)


Criminal hacker arrested in Winnipeg

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
09 Jan 95 13:35:38 EST
According to a Canadian Press reported printed in _The Globe and Mail_
(955.01.07, p. A4),

    Police crack illegal access to Internet

    WINNIPEG -- Police have made what they believe is one of
    Canada's first arrests for breaking into the Internet....

    a 31-year-old man was arrested...after an eight-month police
    investigation into illegal access to the Internet computing
    system at the University of Manitoba....

    ...[T]he man will be charged with two counts of unauthorized
    use of a computer service....

The article states that the Crackerjack program "was used to decrypt the
access codes of legitimate users" and that the accused is alleged to have
stored stolen software and porn online.

M.E.Kabay,Ph.D.
DirEd/Natl Computer Security Assn (Carlisle, PA)
Mgmt Consultant/LGS Group Inc. (Montreal, QC)


Phone Phreaking Explored

Steve O'Keefe <okeefe@olympus.net>
18 Jan 1995 17:37:20 GMT
HarperCollins has just released MASTERS OF DECEPTION: The Gang That Ruled
Cyberspace, a new book by New York Newsday journalists Michelle Slatalla
and Joshua Quittner. You might recall the book from a cover story in the
December issue of WIRED. Slatalla and Quittner unravel the story of gang
warfare between the Legion of Doom (LOD) and the Masters of Deception
(MOD), a turf battle fought through the phone system that led to one of
the most high-profile hacker prosecutions ever.

Slatalla and Quittner followed the Masters of Deception story for five
years at Newsday. When the WIRED excerpt appeared, their phone service was
hacked and their e-mail attacked by a group calling themselves the
Internet Liberation Front, or ILF. A police investigation is still in
progress.

The authors begin an 8-city tour in New York today. They are planning to
kick off a "cybertour" in February. The book is available for purchase on
Delphi (Online Bookstore) and CompuServe (Go HAR), or at your local
bookstore.The WIRED excerpt is on HotWIRED at the following URL:
     http://www.hotwired.com/Lib/Wired/2.12/features/hacker.html

For more information about the book -- including a tour schedule -- please
send e-mail requesting a "digital flyer" to <okeefe@olympus.net>

STEVE O'KEEFE
Electronic News & Reviews


INTERNATIONAL CRYPTOGRAPHY INSTITUTE 1995

Dorothy Denning <denning@cs.cosc.georgetown.edu>
Fri, 13 Jan 95 11:25:27 EST
             Call for Participation (Deadline: March 15, 1995)

       INTERNATIONAL CRYPTOGRAPHY INSTITUTE 1995: GLOBAL CHALLENGES

                          September 21-22, 1995
                              Washington, DC

                           Presented by
         The National Intellectual Property Law Institute


The International Cryptography Institute will focus on the cryptography
challenges associated with meeting the information protection needs of
users and the law enforcement and national security needs of nations.
The Institute will address such topics as:

  - national encryption policies and regulations
  - meeting user needs for information security and data recovery
  - meeting law enforcement and national security needs
  - national and global encryption markets and product availability
  - international approaches and standards
  - creating an international cryptography infrastructure
  - the use of encryption technologies in different countries
  - cryptography in the financial industry and other industries
  - legal and policy issues of digital signatures and digital cash
  - new developments in encryption policies and technologies

Persons interested in speaking at the conference are invited to submit
a proposal to the Institute Chair:

          Prof. Dorothy E. Denning, Chair ICI '95
          Georgetown University
          Computer Science Department
          225 Reiss Building
          Washington DC 20057-0997
          ph: 202-687-5703, fax: 202-687-6067
          e-mail: denning@cs.georgetown.edu

Proposals must be received by MARCH 15, 1995, and should include the
following:

  - Name, title, organization, address, phone, fax, and e-mail address
  - Brief biography
  - Title of presentation
  - Abstract of presentation or paper
  - Amount of time requested for presentation and discussion

Notification of acceptance will be made by April 15, 1995.  Papers and
materials for the proceedings will be due on August 15, 1995.

Inquiries about registration or the proceedings should be addressed to:

              The National Intellectual Property Law Institute
              P.O. Box 27913, Washington, DC 20038-7913
              ph:  800-301-MIND or 202-962-9494
            , fax: 800-304-MIND or 202-962-9495


12th Annual ISSA Conference & Exposition

Jack Holleran <Holleran@DOCKMASTER.NCSC.MIL>
Tue, 17 Jan 95 09:46 EST
Information Systems Security Association (ISSA) is pleased to announce
             LEARNING From EACH OTHER,
 the 12th Annual Conference & Exposition
         to be held
 April 2-5 1995 at Sheraton Hotel and Towers
           Toronto, Ontario, Canada

The cost is $795 (ISSA Member), $895 (nonmember); Full Day electives $295.
Canadians may pay in Canadian Dollars (same rates!)
 Brochure and registration form are available from:
 ISSA Headquarters, 4350 DiPaolo Center, Suite C, Glenview, IL, 60025
 Phone: (708) 699-6441; fax (708) 699-6369;
 or by sending E-Mail to: ISSA @ MCS.COM

The event begins with Pre-Conference Specialty Seminars on Saturday and Sunday

 A Welcome Reception and Vendor Exhibition opening will be held Sunday evening
 - an excellent opportunity for networking!  Each Day then begins with
 Registration at 7:30 and continental breakfast and Vendor Exhibition at 8:00.

April 1 - Saturday (Pre-conference Activities)
 Four elective Full Day Seminars to choose among

April 2 - Sunday
 The First CISSP Examination sponsored by (ISC)2
 Two elective Half Day Seminars to choose
 7pm   Welcome Reception and Vendor Exhibition

April 3 - Monday's Highlights:
 Welcome and General Session will include "How to Handle Internal Investigation
 and Establish Successful Compliance Programs" by Terry F. Lenzner, a former
 member of the Board of Overseers of Harvard University with a broad range of
 experiences in public and private legal investigations.

AM Track Choices:  10:30-noon
  A1: Gale Warshawsky of LLNL will explore the merits and processes of
      Making Computer Security Information Available Electronically
  B1: Charles Blauner of Bellcore will Introduce the security issues
      involved in the use of Distributed Systems.
  C1: Francis Labayen and Kimberly Clair of Andersen Consulting will discuss
      LAN Security issues by component, and their corresponding solutions.
  D1: Vendor panel: Viruses: an opportunity to see a virus contained and
      neutralized, as well as learn from leaders in the field how to avoid
      the beasties!
  E1: Lessons Learned: Richard Heffernan and William Haywood increase the
      participant's awareness of threats to intellectual property from
      industrial espionage.

Lunch in the Exhibit Hall
 After Lunch  Track Choices   1:30-3:00 pm
  A2: Rebecca Duncan of DataPro gives a blueprint for effective network
      security strategy.
  B2: Charles Blauner of Bellcore leads a discussion of  OSF Distributed
      Computing Environment (DCE) and its security capabilities.
  C2: Robert Kane of Intrusion Detections describe Best Practices for
      Securing Novell Netware LANs.
  D2: Vendor Panel: PC Security Solutions, and the extent of their
      effectiveness.
  E2: Lessons Learned:  Jamie Trainer examines a real world example of
      securing a multinational 1400 heterogeneous node network of
      workstations and PCs.
 Late PM Track Choices:    3:30-5:00 pm
  A3: Peter Davis' Manager's Guide to Internet Security
  B3: Tsvi Gal, Bank of America; discusses protecting "the network is the
      computer."
  C3: Ed Blackwell presents "Primer for PBX and Voice Mail Fraud"
  D3: Vendor Panel: Disaster Recovery - Business Resumption
  E3: Lessons Learned: L. Dain Gary, CMU SEI, Internet Security and CERTSM
 Late-Late Birds of a Feather and Committee meetings

April 4 - Tuesday Highlights:
 Plenary: Crossroads, by Steven J. Green, University of Houston; application
 and development of computer and communications security responsibility with
 in the work setting.

AM Track choices:  10:30-noon
  A4: Teresa Donatelli and Ann McHoes present a detailed discussion of
      Developing a Security Awareness Program
  B4: Will Ozier moderates a panel discussion of the activities of the
      ISSA GSSP committee in establishing Generally Accepted System Security
      Principles.
  C4: John Clark, Andersen Consulting discusses risks introduced by Frame
      Relay technology.
  D4: Vendor Panel; Pros and Cons of Encryption; determining your need for
      it.
  E4: Sadie Pitcher Department of Commerce Disaster Plans.
 Lunch in the Exhibit Hall
 After Lunch Track Choices:  1:30-3:00 pm
  A5: Charlotte Greig, Wells Fargo Bank; How to get (management's) Attention
      for Information Security Awareness Part I.
  B5: Allan Cobb, York University; The Architecture of Audit Facility for a
      Distributed Application: using OSF DCE in university student
      application processing.
  C5: Douglas Conorich, RAXCO, Strengths and weaknesses of TCP/IP Network
      Security.
  D5: Vendor Panel: What a network manager should consider in Distributed
      Informations Systems Security Management.
  E5: James P. Litchko; Internet Threats and Countermeasures.

Late PM Track Choices:  3:30-5:00 pm
  A6: How to Get Attention for Information Security Awareness - Part II
  B6: Gary Baker, Ernst & Young; "Distributed Computing and Client Server -
      An Auditor's Perspective"
  C6: Ed Blackwell, "Value Added Networks Security Pitfalls" Using the
      security features provided by VANs.
  D6: Vendor Panel: Discuss the security ramifications of network components
       (routers, bridges, etc.)
  E6: Fred Sanborn, Booz, Allen and Hamilton; Securing the Enterprisewide
      Network.

Late-Late Birds of a Feather and Committee meetings  5:00-6:30 pm
 Special ISSA Social Event  7-9 pm

April 5 - Wednesday Highlights:

Annual Meeting of  The Information Systems Security Association

AM Track choices:  10:30-noon
  A7: Alex Woda, "How to Secure, Audit and Control EDI"- a practical
      approach.  An EDI audit program will available for participants
  B7: Colin Rous, Cerberus, "Distributed Computing and Client/Server
      Security: What it means for the Security Administrator."
  C7: Robert Clyde, RAXCO, "Multi-Platform Enterprise Security Management"
  C8: Panel: Security Issues for Electronic Commerce", Loreto Remorca and
      David Lyons, moderators.
  D7: Vendor Panel: Awareness and Training; ideas and solutions you can
      incorporate into your program.
  E7: Bart Burron, Auditor General Canada, "A Top Down Computer Security
      Assessment for Senior Management."

After Lunch  Committee Meetings  1 - 3 pm

April 6 - Thursday:  (Elective) CISSP Preparation Course.  This session will
 assist in preparation for the CISSP exam and explain test contents as well
 as the tools and methods for preparation.

Make your room Reservations with the Sheraton, and tell them you will be
attending the 12th Annual ISSA Conference and the rate will be $127 (plus
15%)

For more information call ISSA headquarters (708) 699-6441.

Please report problems with the web pages to the maintainer