The RISKS Digest
Volume 17 Issue 55

Monday, 18th December 1995

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

NY Stock Exchange halted for one hour this morning
PGN
Laser Shows and Aircraft
Chuck Weinstock
Electronic food stamps failure
Jeremy J Epstein
Medical diagnosis by computer
Gretchen Herbkersman
Timing cryptanalysis and its hardware analog
Michael Kaelbling
Invitation to the CFP'96 Technology Fair
Simson L. Garfinkel
"netfuture" announcement
Steve Talbott
Taxing data
George Janczyn
Re: Something funny about the funny pages item
Sidney Markowitz
Re: Anonymity
Steve Bellovin
Re: Classified Disks Lost--Court Martial
Andy Ashworth
Peter Horsburgh
Robin Kenny
CERT Advisory CA-95:18 - Widespread Attacks
CERT
ABRIDGED info on RISKS (comp.risks)

NY Stock Exchange halted for one hour this morning

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 18 Dec 95 13:59:58 PST

Tomorrow's papers will undoubtedly have some coverage on the the NY Stock Exchange, which opened an hour late this morning. From what I can glean from various preliminary sources, the weekend had been spent upgrading the system software. However, at 9:15 this morning, it was discovered that there were serious communications problems in the software between the central computing facility and the specialists' displays. The problem was diagnosed and fixed by 10:00am, and the market reopened at 10:30. It was the first time since 27 December 1990 that the exchange had to shut down. The Chicago Mercantile Exchange, Boston Stock Exchange, and Philadelphia Stock Exchange all waited until the NYSE opened as well.


Laser Shows and Aircraft

Chuck Weinstock <weinstoc@SEI.CMU.EDU>
Tue, 12 Dec 95 11:58:20 EST

An article on the Dow-Jones news service (which I presume means that it is also in the Wall Street Journal) discusses the risks of display lasers (mostly used instead of the old carbon-arc spotlights to call attention to a place) co-existing with aviation. Some of the interesting tidbits:

This reminds me that laser blinding played an important role in a recent Tom Clancy novel.
Chuck Weinstock

Electronic food stamps failure

JEREMY J EPSTEIN <JEPSTEIN@SMTPGATE.cordant.com>
Mon, 18 Dec 1995 11:08:38 -0500

An old risk repeated: The December 15 issue of the Fort Worth (Texas) Star-Telegram reports that the computers used for tracking food stamps in Texas failed, and some merchants were unable to accept cards. The system normally processes 350,000 transactions per day. For some reason (not explained in the article), only some of the 14,000 retailers who accept the card were affected. As of when the article was published, the computers had been out for about a day, and the problem was not yet fixed.


Medical diagnosis by computer

Gretchen Herbkersman Dept 5428 <odinba!odin!gretchen@uunet.uu.net>
Mon, 18 Dec 95 08:55:40 PST

Meet the Doctor: A Computer That Knows a Few Things ---- By Laura Johannes is a very scary article on page B1 of the 18 Dec 1995 Wall Street Journal.


Timing cryptanalysis and its hardware analog

Michael Kaelbling <mjk@borkum.zfe.siemens.de>
Mon, 18 Dec 1995 10:20:12 +0100

Paul Kocher's announcement in RISKS-17.54 about timing attacks to find secret keys reminds me of an analogous (and analog) attack that can be made on chip cards.

Since chip cards can fall into attackers' hands, not only must the encryption algorithms run in a fixed and independent amount of time, but the hardware must consume a fixed and independent amount of power for all branches through the critical code. Attackers have been known to use sensitive measurements of the current drawn during the authentication phase to determine keys.

Timing attacks can be based on apparent optimizations in software multiplication of long numbers.

Current (amp) attacks can even be used against single-cycle multiplications, if the hardware designers are not careful.

"Softies" might be surprised by what the hardware reveals about their code and data.

Michael Kaelbling

Invitation to the CFP'96 Technology Fair

Simson L. Garfinkel <simsong@vineyard.net>
Sun, 17 Dec 1995 10:01:53 -0500

Many RISKS readers are familiar with the annual conference on Computers, Freedom and Privacy. For those of you who are not, CFP is the leading conference exploring issues having to deal with the complex interactions of computers, privacy, and our legal system. Past conferences have been heavily attended by law enforcement, academics, and journalists, has been a place where people on different sides of complex issues such as national cryptography policy can get together and talk things out. This year's conference sponsored, in part, by the National Science Foundation, the John D. and Catherine T. MacArthur Foundation, America Online, IBM, News Corp, and the Freedom Forum First Amendment Center. You can get more information about CFP at http://web.mit.edu/cfp96

This year, CFP will be having a technology fair. I am one of the people who is putting the fair together.

We are looking for companies and individuals who are interested in exhibiting. We have identified the following key areas that we are interested in:

People to invite for the technology fair:

The fair will be on Wednesday, the 27th of March. It will be open to the public, and there will be no admission charge. We estimate that there will be at least 400 attendees form the conference, plus another 1000 from the MIT and surrounding Boston/Cambridge high-tech community. We can provide you with a table and electricity, plus a connection to the Internet, if that would be useful.

If you are interested in exhibiting at the fair, please send mail to me (simsong@vineyard.net) or to cfp96@mit.edu

Simson L. Garfinkel, CFP 96 Programming Committee

"netfuture" announcement

Steve Talbott <stevet@ora.com>
Thu, 7 Dec 1995 18:39:08 EST

O'Reilly & Associates 101 RT. 21C Ghent, New York 12075 1-518-672-5103

WHAT TO DO WHILE WAITING FOR THE NEXT WAVE OF INTERNET BACKLASH

O'Reilly & Associates is establishing the "netfuture" mailing list. This is a moderated list to which O'Reilly editor, Steve Talbott, will post approximately weekly pieces concerning high-technology trends in relation to individual responsibility. Some of these pieces will be selections from his own forthcoming collection of provocations, "Daily Meditations for the Computer-entranced."

Technology and the Net: Who Is Responsible?

The "netfuture" list will have a focus similar to the well-known and estimable comp.risks newsgroup, with this difference: "netfuture" will look beyond the generally recognized issues such as privacy, access, and dangerous computer glitches, seeking especially to address those deep levels at which we half-consciously shape technology and are shaped by it. What is half-conscious can, after all, be made fully conscious, and can become material for public discussion and policy-making. As we wait for the second wave of Internet backlash, what better to do than try to understand the forces that have propelled the Net so dramatically onto center stage amid near worship on the one hand, and (among a few) something more like dread?

Once "netfuture" is under way, a companion, unmoderated discussion list may be launched, based on the advice of participants.

Steve Talbott is author of "The Future Does Not Compute — Transcending the Machines in Our Midst," currently available from O'Reilly & Associates.

To subscribe to the "netfuture" mailing list, address an e-mail message to:

listproc@online.ora.com

No "Subject" is needed. The first line in the body of your message should read like this (but with your name substituted for "John Doe"):

subscribe netfuture John Doe

Within the next day or so (usually much sooner) you should get a reply message welcoming you to the list and explaining how to participate. If you don't get the initial reply, or if you have other problems or questions, please send e-mail to: netfuture-owner@online.ora.com — tell us when you sent your message and include your telephone number.

If you have more than one computer account or read e-mail on several different services, be sure to send your subscription request from the place where you want to read "netfuture". Our system automatically reads your e-mail address from your subscription-message and registers you at that particular address.

[If your FROM: address is different from your desired address, you'd better complain to Steve directly. I suggested they should fix that problem, or at least respect the REPLY-TO field, but apparently they can't. It is extraordinary how much mail I get with FROM: addresses to which I cannot answer. PGN]

Taxing data (Re: Alvarez, RISKS-17.54)

George Janczyn <gjanczyn@oclcgate.ucsd.edu>
Mon, 18 Dec 1995 11:49:05 -0800 (PST)

I recently became victim of a virus that erased the FAT on my hard disc. Because my most recent backup was about three weeks old (highlighting another well-known RISK), I was obliged to seek the services of a data recovery company.

After the work was done, the bill included a charge for sales tax. It was explained to me that sales tax must be collected because of the process involved, to wit: they salvaged the data (minus FAT) from my hard drive and saved it temporarily on another drive. After reformatting my hard drive, they reconstructed the FAT and copied the data back again. The fact that they placed "new" data on an empty hard drive is what triggers the sales tax. (I'm in California.)

George J. Janczyn, T.S. Automated Systems Mgr, Geisel Library, 0175-K University of California, San Diego, La Jolla, CA 92093 619-534-1282

Re: Something funny about the funny pages item (Alvarez, RISKS-17.54)

Sidney Markowitz <sidney@atg.apple.com>
Sat, 16 Dec 1995 12:25:16 -0800

RISKS-17.54 had a short mention about an NPR piece on IRS policies on taxing cartoonists. I didn't hear that piece, but the description in RISKS cannot be correct. Sales tax is a state thing, not from the IRS. There is an issue right now concerning the California State Board of Equalization's attempts to collect sales tax on printed comic book original pages, which may be what was mentioned on NPR. Since the BOE is trying to tax the sale of the documents (claiming that they are commercial illustrations and taxable and not author's literary manuscripts, which are not), it is the case that transmitting cartoons electronically may not be taxable. The only reference to this I have found on the net doesn't say much, but see http://www.insv.com/cbldf/cases.html under the heading "San Francisco, California". That's a page at the Comic Book Legal Defense Fund web site, home page http://www.insv.com/cbldf/

-- sidney markowitz <sidney@atg.apple.com>
[Also noted by Eric Amick <eamick@clark.net>. PGN]

Re: Anonymity (Schwartau, RISKS-17.54)

<smb@research.att.com>
Fri, 15 Dec 95 21:10:01 ESTF

> I've heard of this penet.fi happening to another person.
> Anyone else? Any ideas?

Paranoia is an occupational disease in the computer security business. I try to watch out for it myself...

You are automatically allocated an anonymous account if you ever send mail to someone else's anonymous account. You can do this directly, or indirectly via a mailing list — if an anonymous account is a subscriber, even indirectly, the mail to them will be routed through penet — and you'll get your own id.

Now — a few years ago, and possibly still, there were some attacks aimed at discovering who owned which anonymous ids. There are, after all, people who want to know who posts to alt.sex.gerbils or the like — think of your favorite extremist politician.

--Steve Bellovin
[The automatic enrollment was noted by a score of respondents! RISKS was also swamped with war stories of previous spoofings of .fi, often using forged e-mail. Apparently, anon.penet.fi now requires passwords (which themselves are spoofable). And don't forget that monitoring incoming traffic and outgoing traffic can enable someone to identify the [apparent] sender's FROM: address unless multiple layers of anonymity are used. Or you can be tricked into answering a message that can reveal YOUR identity! Or any of several other horrible risks. Perhaps we need a comp.risks.anonymous. Caveat emptor. Beware of Anonymous Bosch.

By the way, several Unix-centric folks also noted that ls -lu shows the time most recently read (well, to a first approximation, anyway), but neglected to note that can be tampered with also! PGN]


Re: Classified Disks Lost--Court Martial (Kennedy, RISKS-17.54)

Andy Ashworth <tcsaca@aie.lreg.co.uk>
Mon, 18 Dec 95 09:34:49 GMT

A "Severe reprimand" in the Royal Navy is something that will remain on the service records of those two officers and will continue to be held against them for the rest of their careers. The nature of the data lost should also be taken into account when considering the severity of their punishment; they were returning to their unit after having given a presentation on wages - the data was therefore more likely to be of a personal confidential nature rather than a more serious threat to UK security. If however they had just attended a presentation on the latest thing in Communications Security I'm sure that the punishments would have been a little more severe. (But that still asks the question, what were they doing in a pub with sensitive data?).

As regards the apparent lack of exposure to classified material claimed by one of the officers, I find this quite believable. Instructor Officers, as their title implies, are specialist instructors and would not usually be as used to handling secure information as their colleagues.

Andy Ashworth, PO(Comms)(Sea) Royal Naval Reserve; Lloyd's Register, 29, Wellesley Road, Croydon CR0 2AJ UK +44 (0)181 681 4040 ext 4501

Re: Classified Disks Lost--Court Martial (Kennedy, RISKS-17.54)

"Peter Horsburgh" <zawlhpvh@ibmmail.com>
Mon, 18 Dec 1995 05:35:36 EST

As a military man, Dave knows that a "severe reprimand" can ruin an officer's career - especially at the Commander level. If they were in the Royal Navy - the article does not say so specifically - they will have "incurred Their Lordship's displeasure" - now THAT is a bad thing ! As for the embarrassment, let the punishment fit the crime - Their Lordships were severely embarrassed...

Peter Horsburgh zawlhpvh@ibmmail.com
[Also noted by Robin Kenny <robink@aus.hp.com>. PGN]

Re: Classified Disks Lost--Court Martial (Kennedy, RISKS-17.54)

Robin Kenny <robink@aus.hp.com>
Mon, 18 Dec 95 9:38:26 EDT

Something I've noticed in the use of British and American language is that the British make an art out of understatement. So, having your head bashed by an iron bar during a robbery becomes "creating an affray while committing a criminal act" and actually killing someone is "a breach of the peace" (!)

robink@aus.hp.com Melbourne, Australia UTC +10 hours

CERT Advisory CA-95:18 - Widespread Attacks

CERT Advisory <cert-advisory@cert.org>
Mon, 18 Dec 1995 12:11:33 -0500

CA-95:18 CERT Advisory
December 18, 1995
Widespread Attacks on Internet Sites

Over the last several weeks, the CERT Coordination Center has been working on a set of incidents in which the intruders have launched widespread attacks against Internet sites. Hundreds of sites have been attacked, and many of the attacks have been successful, resulting in root compromises at the targeted sites. We continue to receive reports, and we believe that more attacks are going undetected.

**********************************************************************
All the vulnerabilities exploited in these attacks are known, and are
addressed by CERT advisories (see Section III).
**********************************************************************

We urge everyone to obtain these advisories and take action to ensure that systems are protected against these attacks. Also, please feel free to redistribute this message.

As we receive additional information relating to this advisory, we will place it in ftp://info.cert.org/pub/cert_advisories/CA-95:18.README

We encourage you to check our README files regularly for updates on advisories that relate to your site.

I. Description

Intruders are doing the following:

II. Impact

Successful exploitation of the vulnerabilities can result in unauthorized root access.

III. Solution

The CERT staff urges you to immediately take the steps described in the advisories and README files listed below. Note that it is important to check README files as they contain updated information we received after the advisory was published.

a. Using automated tools to scan sites for NFS and NIS vulnerabilities

b. Exploiting the rpc.ypupdated vulnerability to gain root access c. Exploiting the loadmodule vulnerability to gain root access d. Installing Trojan horse programs and packet sniffers e. Launching IP spoofing attacks The CERT advisories and README files are available from

ftp://info.cert.org/pub/cert_advisories

If you find a compromise, please complete the Incident Reporting Form that we have provided in the appendix of this advisory, and return the form to cert@cert.org. This completed form will help us better assist you.

Note: Because of our workload, we must ask you not to send log files of activity, but we would be happy to work with you as needed on how to interpret data that you may collect. Also, the CERT staff can provide guidance and advice, if needed, on how to handle incidents and work with law enforcement.

If you see activity that indicates an attack is in progress, we encourage you to contact other sites involved and the service providers, as well as the CERT Coordination Center.

Contacting the CERT Coordination Center

For sensitive information, please use encrypted email. The CERT public PGP key is available from

ftp://info.cert.org/pub/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline

+1 412 268 7090

to exchange a DES key over the phone.

Other CERT contact information:

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address: CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

CERT advisories and bulletins are posted on the USENET newsgroup comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org.

Past CERT publications, information about FIRST representatives, and other information related to computer security are available from ftp://info.cert.org/pub/

Copyright © 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

[The Copyrighted 1995 Incident Reporting Form is omitted from this RISKS version. Send e-mail to the CERT to obtain a copy. PGN]
CERT is a service mark of Carnegie Mellon University.

Please report problems with the web pages to the maintainer

x
Top