The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 02

Tuesday 3 May 1994

Contents

o NEW YORKER article on library automation
Jon Jacky
o Information Warfare: GM vs VW
Mich Kabay
o TechWar: Cell Phone Jamming
Mich Kabay
o Green Card Con Artists Exposed!
Bonnie L. Mahon via D.R. Hilton
o New firewalls book - a great risk reducer
Ray Kaplan
o Re: Drunk in charge
John Simutis
Andy Ashworth
Dan Astoorian
o Boot Prom commits Denial of Service Attack
Butch Deal
o Staying Informed of Security & Privacy Issues
David Johnson
o Info on RISKS (comp.risks)

NEW YORKER article on library automation

Jon Jacky <jon@violin1.radonc.washington.edu>
Mon, 2 May 1994 21:10:10 -0700
The April 4, 1994 issue of the NEW YORKER had a long article by Nicholson
Baker on library automation: "ANNALS OF SCHOLARSHIP: Discards".  It runs from
pages 64 through 87.  My issue also came with a flyer stapled to the cover
with the headline, "THE TRASHING OF AMERICA'S GREAT LIBRARIES."

Baker reports that when most libraries replace their paper card catalogs with
on-line systems, they simply discard the card catalogs.  Baker argues that the
card catalogs are an irreplaceable resource, and contain much scholarly
content which is not carried over into the new systems.  Baker also argues
that the on-line systems often suffer from poor data quality, and make some
kinds of searches (particularly subject searches) more difficult.

RISKS readers will find much of interest about the difficulties of maintaining
integrity and consistency in very large databases.  Baker reports one instance
where all instances of "Madonna" were replaced with "Mary, Blessed Virgin,
Saint," causing reclassification of recent works by Ms. Ciccone.

Some letters responding to the article appear in the May 2, 1994 NEW YORKER.

- Jon Jacky, jon@radonc.washington.edu, University of Washington, Seattle


Information Warfare: GM vs VW (cont'd)

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
03 May 94 09:19:36 EDT
>From the Reuter newswire via Executive News Service on CompuServe (GO ENS):

     "BONN, April 30 (Reuter) - The German car manufacturer Volkswagen,
  accused by rival Opel of industrial espionage, on Saturday denied a magazine
  report that incriminating material had been found in the office of an
  employee.
     Der Spiegel magazine said on Saturday prosecutors found a computer disc
  containing plans for a high-tech small car factory in the office of Jaero
  Arthur Wicker, office manager of production head Jose Ignacio Lopez de
  Arriortua."

The article continues with the following key points:

o   Lopez used to work for General motors; he's accused of having stolen
confidential files when he was hired by VW.

o   VW claims the disk has plans submitted to both GM and VW and rejected
by both companies.

o   The situation is under investigation by both German and US authorities.

o   The newest scuttlebutt is that GM has asked German prosecutors to
investigate daughter Begona Lopez, whom they accuse of having stolen a disk
containing information on cost reductions at GM.

  [Comments by MK: sounds like a tabloid newspaper's version of a rivalry
  between movie stars.]

Michel E. Kabay, Director of Education, National Computer Security Assn

   [That would be a REALLY SMALL car factory if it were to fit into
   the office of Jaero Arthur Wicker, Jaerodynamically at least.  PGN]


TechWar: Cell Phone Jamming

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
03 May 94 09:19:40 EDT
>From the Reuter newswire via Executive News Service on CompuServe (GO ENS):

  "KINSHASA, April 30 (Reuter) - Zaire's main cellular telephone company, at
  loggerheads with a rival firm trying to muscle in on its territory, said on
  Saturday its signals were being deliberately jammed.
     Jim Galan, head of coordination at Telecel, said five or six microwaves
  had been trained on its main antenna for the last four days, drowning out
  many calls made from central Kinshasa."

The article explains that the jamming is making cellular phone use impossible
for Telecel's 4000 Kinshasa users.  It is generally believed that a new
company, Comcell, which is supported by the Zairian government, is using the
frequencies originally assigned to Telecel by that same government.

Legal action is in the works.

  [MK comments: RISKS of doing high-tech business where the rule of law is
  weak.  Example of Information Warfare a la Winn Schwartau.]

Michel E. Kabay, Director of Education, National Computer Security Assn


Disbarrable under Tenn. Code (Canter/Seigel)

J Doe <rosidivi@rintintin.Colorado.EDU>
Mon, 2 May 1994 20:02:25 GMT
Reply-To: drhilton@kaiwan.com
Subject: Green Card Con Artists Exposed!
Keywords: green card canter lawyers

                                    For Immediate Release
                                    October 13,1988
                                    Contact:        Bonnie L Mahon
                                                    The Florida Bar
                                                    Tampa Office
                                    Telephone:      813/875-9821

SUPREME COURT GRANTS ATTORNEY'S PETITION TO RESIGN PERMANENTLY

       TALLAHASSEE, Oct.13-- The Florida Supreme Court has granted
attorney Laurence A. Canter's petition to resign permanently,
effective November 7, 1988.

       Canter, of 240 North Washington Boulevard, Sarasota, was
charged with numerous violations of the attorney disciplinary rules
including neglect, misrepresentation, misappropriation of client funds
and perjury.

       Several of the complaints against Canter involved his failure
to file the necessary or appropriate documents with the United Stated
Immigration and Naturalization Services in matters of permanent
residency and work visas. In addition, Canter refused to refund
clients' funds and neglected to notify his clients that he has been
suspended from the practice of law as a result of a previous
discipline.

       The Florida Bar further alleges that Canter committed perjury
by filing a false affidavit with the Bar and while testifying under
oath in a deposition. These charges resulted after an audit of Canter's
trust account by the Bar showed that trust funds were held in Canter's
account during the time period when he denied any funds were present.

       Canter was born in 1953 and admitted to The Florida Bar in 1980.

       The resignation without leave to apply is not final until time
expires to file motion for rehearing and if filed, determined. The
filling of a motion for rehearing shall not alter the effective date
of this resignation.

       As an official agency of the Supreme Court of Florida, The
Florida Bar and its Department of Lawyer Regulation are charged with
the administration of a statewide disciplinary system to enforce
Supreme Court rules of professional conduct for all lawyers.


New firewalls book - a great risk reducer

RayK <KAPLAN@BPA.ARIZONA.EDU>
Mon, 2 May 1994 23:51:07 -0700 (MST)
Cross post to RISKS (via mail submission), comp.security.announce and
comp.protocols.tcp-ip news groups, and a few other various places.  Sorry
if you see this more than once.

Re: Firewalls and Internet Security - Repelling the Wily Hacker.
Ray Kaplan - May 2, 1994

Buy this book!

Gentle folk,

Here is a risk reducer.  With the wholesale rush to Internet connectivity,
it's about time someone sat down and wrote a good book about how to do this
exercise safely!  And, sure enough, Cheswick and Bellovin have done just that,

Heaping superlatives on something of which you are enamored is always
problematic - the possibility of overstatement looms large.  Accordingly I`ll
cut to the chase.  Buy this book!  I do not get any money for saying this - I
just believe you are well justified in getting it on your reading list -
today. In May of this year, Addison Wesley is releasing an excellent new book
by Bill Cheswick and Steve Bellovin: Firewalls and Internet Security -
Repelling the Wily Hacker.  ISBN 0-201-63357-4.  It will retail for $26.95.
Bulk purchases: 800- 238-9682, individual orders: 800-824-7799 (FAX
617-944-7273).  Email orders over the Internet from bexpress@aw.com (no they
don`t take plastic via Email). For those that are net-challenged, U.S.
snailmail orders from Addison-Wesley, c/o Arlene Morgan, 1 Jacob Way, Reading,
MA  01867 USA.

Rumors loom large that at least one of the authors (Ches?) will be at Interop
with copious quantities of this work of art.  As dues of superlative
authorship that is destined to be popular, I hope they both get writer`s cramp
autographing!

Details

While worthwhile, well written, pace-setting, technically astute works of art
are rare - this is certainly one of them.  I am always hard pressed to
identify any one thing as unique in its decade (especially when the decade is
still in progress). Suffice it to say that this work is the most complete
treatment of firewall technology and experience that is available.  The
availability of this work is exciting news for security firewall builders -
including Internet security firewall builders - and, for the great number of
people that seem to be befuddled by the complexity and the general issues of
interconnecting networks.

The book

While my review copy (well dog-eared, now) is a bit dated (March 7, 1994), I
think you can expect that it is close to the book`s final form: a standard
(w=7.5in, h=9in) Addison-Wesley Professional Computing Series book like the
ones that should already dot your shelves.  (I don`t get any money for my
obvious favorable bias toward this series.  My bias is born out of the fact
that the series (Brian Kernighan is the consulting editor for it) contains
great authors and titles like Radia Pealman`s Interconnections - Bridges and
Routers and Richard Sevens` TCP/IP Illustrated, Volume I - The Protocols.)

305 pages in 14 chapters, appendices, a bibliography, a list of "bombs"
(security holes) and an index.

Out of the box, the authors set the tone for their work by quoting F.T. Gramp
and R.H. Morris: "It is easy to run a secure computer system.  You merely
have to disconnect all dial-up connections and permit only direct-wired
terminals, put the machine and the terminals in a shielded room, and post a
guard at the door."  This is followed by a detailed discussion of the art
and science of building a firewall. There is so much good stuff here, that all
I can do is list the book`s contents - lest I write a tome which distracts you
from picking up a copy of it ASAP.

Chapters and content - from the table of contents.

Getting started
Introduction
- Why security?
- Picking a security policy
- Strategies for a secure network
- The ethics of computer security
- Warning
Overview of TCP/IP
- The different layers
- Routers and routing protocols
- The Domain name service
- Standard services
- RPC-based protocols
- The "r" commands
- Information services
- The X-11 service
- Patterns of trust

Building your own firewall
Firewalls and gateways
- Firewall philosophy
- Situating firewalls
- Packet-filtering gateways
- Application-level gateways
- Circuit-level gateways
- Supporting inbound services
- Tunnels - good and bad
- Joint Ventures
- What firewalls can`t do
How to build an application-level gateway
- Policy
- Hardware configuration options
- Initial installation
- Gateway tools
- Installing services
- Protecting the protectors
- Gateway administration
- Safety analysis - why our setup is secure and fail-safe
- Performance
- The TIS firewall toolkit
- Evaluating firewalls
- Living without a firewall
Authentication
- User authentication
- Host-to-host authentication
Gateway tools
- Proxylib
- Syslog
- Watching the network: Tcpdump and friends
- Adding logging to standard demons
Traps, lures and honey pots
- What to log
- Dummy accounts
- Tracing the connection
The hacker`s workbench
- Introduction
- Discovery
- Probing hosts
- Connection tools
- Routing games
- network monitors
- Metastasis
- Tiger teams
- Further reading

A look back
Classes of attacks
- Stealing passwords
- Social engineering
- Bugs and backdoors
- Authorization failures
- Protocol failures
- Information leakage
- Denial-of-service
An evening with Berferd
- Introduction
- Unfriendly acts
- An evening with Berferd
- The day after
- The jail
- Tracing Berferd
- Berferd comes home
Where the wild things are: a look at the logs
- A year of hacking
Proxy use
- Attack sources
- Noise on the line

Odds and ends
Legal considerations
- Computer crime statutes
- Log files as evidence
- Is monitoring legal?
- Tort liability considerations
Secure communications over insecure networks
- An introduction to cryptography
- The Kerberos authentication system
- Link-level encryption
- Network- and transport-level encryption
- Application-level encryption

Where do we go from here?
Appendices

Useful free stuff
- Building firewalls
- Network management and monitoring tools
- Auditing packages
- Cryptographic software
- Information sources

TCP and UDP ports - Fixed ports
- MBone usage

Recommendations to vendors
- Everyone
- Hosts
- Routers
- Protocols
- Firewalls

Bibliography - List of bombs - Index

I have criticisms, complaints and suggestions.  However, considering that this
is such a darn fine piece of work - I hasten to get my recommendation that you
buy this book out ASAP.

Meantime, to whet your appetite:

- Index - (a well done, 26 pages worth - you can actually find pointers to
what you want to know!  What a concept.

- TCP ports discussion - a Comprehensive list and reasonable advice on what to
do with them.

- Bombs - a summarized list of the 43 major security holes that they identify.

- Bibliography - Ahhhh.  19 pages of the best firewalls-related bibliography
that I`ve seen.

- Where to from here - excellent advice for techies and managers who don`t
want to keep working at the job of firewalling or who simply want to spend a
bit of resources on it only once.

Kudos to the authors - buy this book.

Of course - these are my own views, and they don`t necessarily reflect those
of anyone - including my employer.  However, in this case, they probably do.

Ray Kaplan             CyberSAFE, Corporation
rayk@ocsg.com          Formerly Open Computing Security Group (OCSG)
                       (206) 883-8721
                       FAX at (206) 883-6951
                       2443 152nd Ave NE
                       Redmond, WA 98052

Better living through authentication


Re: Drunk in charge (RISKS-15.80)

John Simutis <simutis@ingres.com>
Fri, 29 Apr 94 15:12:34 PDT
While I was a contract programmer at GM/EDS, there was an explicitly
stated policy: it was permissible to drink alcohol, as having a beer
with lunch, but ONLY if one did not plan to return to work that day.
It was stated further that we were obligated to give the customer our
best work, and alcohol was not consistent with that effort.

John Simutis, simutis@ingres.com  Alameda, California, USA


Re: drunk in charge...... (RISKS-15.80)

Andy Ashworth <tcsaca@aie.lreg.co.uk>
Fri, 29 Apr 94 09:10:21 BST
I understand that British Rail have a policy that no personnel who can affect
the safety of others is allowed to have alcohol in their bloodstream during
working hours - the penalty for violating this rule is, I think, dismissal.
This grouping includes engineering staff involved in the R&D of systems such
as signaling.

This is more than just "drunk in charge of a computer", this is, sensibly IMHO,
"being under the influence of alcohol while capable of influencing the safety
of others". I hope that the next time I fly in a fly-by-wire aircraft or drive
my systems heavy car I can have confidence that the developers of the systems
that could affect my safety applied a similar abstemious regime.

Andy Ashworth, Lloyd's Register, 29, Wellesley Road, Croydon CR0 2AJ
+44 (0)81 681 4723  Fax: +44 (0)81 681 4839     tcsaca@uk.co.lreg.aie


drunk in charge... (RISKS-15.80)

Dan Astoorian <djast@utopia.druid.com>
Sun, 1 May 1994 11:31:00 -0400
Driving requires quick response time; electric work requires manual
dexterity.  Alcohol impairs both these things, and as noted, the dangers
are obvious, immediate, and tragic.

Software engineering requires very little in the way of fast responses
or manual dexterity, unless one considers an inordinate number of typos
a serious RISK.

Moreover, the skills which *are* required to write software tend to be
more of the problem-solving variety.  I don't dispute that alcohol dulls
these; however, when you take away one's problem solving skills, the
result is that the problem doesn't get solved.

I seem to vaguely recall an old study in which a group of people, some
of which had been given a couple of drinks, were called upon to solve
arithmetic problems of moderate difficulty, with no time limit.  I
believe the outcome was that those who had had the drinks took much
longer to finish the problems, but their responses were *more* accurate
than the teetotalers, presumably due to their awareness that they were
prone to make errors.

(I would therefore advise project managers to take Friday pub lunches
into account when setting deadlines.)

Incidentally, I'm not sure how one would distinguish between mistakes due to
being under-the-influence and those due to being under stress (perhaps due to
looming deadlines), or simple inexperience or incompetence, or even
honest-to-God oversights.  if the QA system for critical systems doesn't catch
all such types of mistake, there's already a serious problem.  Obviously this
is not intended as an argument against reducing the number of errors to be
found by QA, but still... a bug is a bug.

(I'm reminded of a phrase a colleague used to repeat: "Sure, alcohol
kills brain cells.  But only the weak ones.")

Dan Astoorian, Mississauga, Ontario, Canada   djast@utopia.druid.com


Boot Prom commits Denial of Service Attack

Butch Deal NRL <butch@keep.blackmagic.com>
Fri, 29 Apr 1994 20:00:45 -0400
What is the risk here?  People like to put blame one other systems all the
time.  I see this as only a matter of misconfiguration and miscommunication
among the different system admins.  What do the DEC stations need to run tftp
for?  Shouldn't they be logging in to a non-critical partition?  Shouldn't the
Suns have a similar tcpwrapper installed?  Maybe they should all log to some
central machine, with syslog maybe.  The could be several machines that can
serve a diskless station.  The broadcast allows them to find the right one on
the local network and come on up.  I do not think it is at all fair to try to
blame a hardware manufacturer because the equipment worked exactly as
documented, but that happens not to be the way you want it to work.

butch@keep.blackmagic.com    Butch Deal


Staying Informed of Security & Privacy Issues

David Johnson <worldwid@uunet.uu.net>
Mon May 02 10:23:44 1994
STAYING INFORMED: Resources for Privacy Seekers & Computer Security Buffs
by David Johnson

(Copyright 1994 under the International & Pan-American Copyright Conventions)

Having conducted various types of security and investigative work that
has taken me to ten Asian countries, I am quite familiar with various
obstacles one must hurdle to obtain hard-to-find and elusive data.

Even though our computers are valuable tools, adopting a multi-faceted
approach to information gathering is the most effective way to cover
all the angles.

Use this listing to build your own private intelligence network.

COMPUTER SECURITY PUBLICATIONS              PRIVACY-RELATED PUBLICATIONS


Auerbach Data Security Management           Full Disclosure Magazine
Information Systems Security                Box 244
                                            Lowell, MI 49331 USA
210 South St.                               Voice: (800) 633-3274
Boston, MA 02111 USA                        Voice: (616) 897-7222
Voice: (800) 950-1218                       Fax: (515) 897-0705
Voice: (212) 971-5000
Fax: (617) 423-2026                         International Privacy Bulletin
                                            666 Pennsylvania Ave., S.E.
Computer Security, Auditing & Controls      Washington, DC 20003 USA
57 Greylock Rd.
Box 81151
Wellesley Hills, MA 02181 USA               Privacy and Security 2001
Voice: (617) 235-2895                       504 Shaw Rd., #222
                                            Sterling, VA 20166 USA
                                            Voice: (800) US-DEBUG
Computer Audit Update                       Voice: (703) 318-8600
Computer Fraud & Security Update            Fax: (703) 318-8223
Computer Law & Security Report
Computers & Security

Crown House, Linton Rd., Barking            Privacy Journal
Essex I611 8JU, England                     Box 28577
Voice: (44) 81-5945942                      Providence, RI 02908 USA
Fax: (44) 81-5945942                        Voice: (401) 274-7861
Telex: 896950 APPSCI G

(North American distributor)
Box 882                                     Privacy Laws and Business
New York, NY 10159 USA                      Box 23
Voice: (212) 989-5800                       7400 GA, Deventer, Netherlands
                                            Voice: (31) 57-0033155
                                            Fax: (31) 57-0022244
                                            Telex: 49295 KLUDV NL
Computer Control Quarterly
1 Southbank Blvd., Level 8                  (North American Distributor)
S. Melbourne, Vic. 3205, Australia          6 Bigelow St.
Voice: (03) 6121666                         Cambridge, MA 02139 USA
Fax: (03) 6295609                           Voice: (617) 354-0140

Computer Security Alert
Computer Security Journal                   Privacy Times
                                            Box 21501
600 Harrison St.                            Washington, DC 20009 USA
San Francisco, CA 94107 USA                 Voice: (202) 829-3660
Voice: (415) 905-2370                       Fax: (202) 829-3653
Fax: (415) 905-2234

                                            COMPUTER SECURITY ORGANIZATIONS
Computer Security Digest
150 N. Main St.                             Center for Computer Law
Plymouth, MI 48170 USA                      1112 Ocean Dr.
Voice: (313) 459-8787                       Manhattan Beach, CA 90266 USA
Fax: (313) 459-2720                         Voice: (213) 372-0198

Computing & Communications                  Computer Security Institute
(Law & Protection Report)                   360 Church St.
Box 5323                                    Northborough, MA 01532 USA
Madison, WI 53705 USA                       Voice: (617) 393-2600
Voice: (608) 271-6768

                                            Info Systems Security Assn.
Data Security Manual                        Box 71926
Box 322                                     Los Angeles, CA 90071 USA
3300 AA Dordrecht, Netherlands
Voice: (31) 78-524400
Voice: (31) 78-334911
Fax: (31) 78-334254                         Nat'l Center for Computer
Telex: 29245 KAPG                           Crime Data
                                            4053 JFK Library - CSULA
(North American Distributor)                5151 State University Drive
Box 358                                     Los Angeles, CA 90032 USA
Hingham, MA 02018 USA                       Voice: (213) 225-1364
Voice: (617) 871-6600
                                            PRIVACY-RELATED RESOURCES
Information Systems Security Monitor
U.S. Department of Treasury                 F.E.C., Inc.
Bureau of the Public Debt                   P.O. Box 959
AIS Security Branch                         Centro Colon 1007-91/12-0695
200 3rd St.                                 San Jose, Costa Rica
Parkersburg, WV 26101 USA                   (financial & personal privacy)
Voice: (304) 480-6355
BBS: (304) 480-6083
                                            Eden Press
                                            Box 8410
InfoSecurity News                           Fountain Valley, CA 92728 USA
498 Concord St.                             Voice: (714) 556-2023
Framingham, MA 01701 USA                    Fax: (714) 556-0721
Fax: (508) 872-1153                         (various books on privacy)

Journal of Computer Security                Consumertronics
Van Diemenstraat 94                       Drawer 537, Alamagordo, NM 88310 USA
1013 CN Amsterdam, Netherlands              Voice: (505)434-1778
Voice: (31) 20-6382189                      Fax: (505) 434-0234
Fax: (31) 20-6203419                        (technical invasion manuals)

(North American distributor)
Box 10558
Burke, VA 22009 USA                         Privacy Hotline (800) 773-7748
Voice: (703) 323-5554                       (California only) 10am-3pm, M-F

*******************************************************************************
David Johnson                               2421 W. Pratt Boulevard, Suite 971
President, Worldwide Consultants            Chicago, Illinois 60645
Editor, Information Gatherer Newsletter     U.S.A.
International Investigator                  Tel: (800) 316-0801 (24 hrs.)
Security Consultant                         Fax (c/o World-Con): (908) 542-1266
Privacy Strategist                          E-mail: worldwid@uunet.uu.net

Please report problems with the web pages to the maintainer

Top