The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5 Issue 63

Monday, 23 November 1987

Contents

o Logic bombs and other system attacks -- in Canada
PGN
o Video signal piracy hits WGN/WTTW
Rich Kulawiec
o Garage Door Openers
Brint Cooper
o Sudden acceleration revisited
Nancy Leveson
o Centralized Auto Locking
Lindsay F. Marshall
o Re: The Stark incident
Amos Shapir
o Bank Networks
George Bray
o Re: Optimizing for cost savings, not safety
Dave Horsfall
o L.A. Earthquake & Telephone Service
LT Scott A. Norton
USN
o Gripen flight delayed
Henry Spencer
o Mariner 1
Mark Brader
o Systemantics
John Gilmore
haynes
o Re: "UNIX setuid stupidity"
Joseph G. Keane
Martin Minow
o Info on RISKS (comp.risks)

Logic bombs and other system attacks -- in Canada

Peter G. Neumann <Neumann@KL.SRI.COM>
Mon 23 Nov 87 13:27:25-PST
An article by Kirk Makin in the Globe and Mail, 3 November 1987, describe a
talk given by Sergeant Ted Green of the Ontario Provincial Police at the
recent annual conference of the Probation Officers Association of Ontario.

  * A disgruntled employee of a London, Ontario, company planted a logic
    bomb that would have knocked out the computer system.  It was detected.
    The man was prosecuted, but not convicted.  Evidence of a previous
    logic bomb implantation was not admitted because the previous company
    (in Alberta) had refused to press charges.

  * Another Toronto company had a logic bomb triggered the day an employee's
    termination notice was processed by the computer system.  Sgt Green
    noted that "It wiped out the whole system."

  * On the occasion of its 10th anniversary, a bank branch decided to
    honor the customer who had the most active account.  It turned out to 
    be an employee who had accumulated $70,000 funnelling a few cents out 
    of every account into his own.

  * On employee altered an access password and demanded $50,000 to reveal
    the new password.  Apparently he got it.

  * One Toronto student recently made 2177 attempts to enter the computer
    system of Alcan Aluminium's Kingston, Ont., plant.

Sgt. Green also noted $1000 in computer-initiated bogus charges, a[nother]
bogus bank deposit slip scam attempt, and a case of a Toronto-area machinery
supplier using mailing lists and blueprints extracted from a rival's computer.


Video signal piracy hits WGN/WTTW

Rich Kulawiec <rsk@s.cc.purdue.edu>
Mon, 23 Nov 87 17:20:56 EST
At about 9:15 CST last night (Sunday, November 22, 1987), "superstation"
WGN-TV (Channel 9 in Chicago) was the victim of an interesting technological
crime; its signal was overridden for approximately 15 seconds by a pirate
transmission.  The incident was repeated at about 11:15 CST, with WTTW
(Channel 11, the Chicago PBS station) falling prey on the second occasion,
which lasted about 90 seconds.

The transmission, which interrupted a newscast on WGN and "Dr. Who" on
WTTW, consisted primarily of someone in a Max Headroom mask throwing
Pepsi and Coke cans around while raving in a largely unintelligible
voice.  The transmission concluded (I'm not kidding) with a shot of the
Max-impersonator's exposed derriere' being whacked with a flyswatter.
The video quality of the transmision was fairly good, but the audio was
very garbled.  I happened to be taping Dr. Who at the time, and so I've
watched the broadcast several times; even so, I can't understand more
than a word or two.

A couple of phone calls (to the local cable TV company, and to WTTW)
led to a little more information; it is likely that the pirate
transmission was inserted somewhere in the Chicago area, as it was
distributed over WGN's satellite link and WTTW's (land-based) microwave
links.  If my information is correct, WGN has the capability of
switching to a second frequency for the uplink portion of its broadcast
chain, but it's not clear whether they actually did so during or after
the incident.  WTTW does not have this capability, and the person I
talked to on the phone sounded (understandably) a little worried that
this might happen again.

As one might expect, the FCC and the FBI, among other agencies, are
investigating.  It seems likely to me that the culprit found a point through
which WGN's and WTTW's signals both pass, and tapped in at that point; while
this certainly isn't the only way that this piracy could be accomplished, it
seems the easiest.
                        Rich Kulawiec, rsk@s.cc.purdue.edu, s.cc.purdue.edu!rsk

    [This is becoming almost too frequent, but still worth noting.  PGN]


Garage Door Openers

Brint Cooper <abc@BRL.ARPA>
Thu, 19 Nov 87 11:40:39 EST
    This morning's Baltimore Sun tells of folks in Frederick, MD,
who are having great difficulty with their remotely controlled garage
door openers.  It seems that, installed in their houses, these things
have just stopped responding to commands from the hand held unit.
However, when taken back to the point of purchase, they work just fine.

    The U.S. Army has an installation, Ft Detrick (sp?) nearby.  One
of its two functions has something to do with electronic communications.  
An Army spokesperson denies that the Army is radiating anything that 
would lock up these receivers.
                                               _Brint


Sudden acceleration revisited

Nancy Leveson <nancy@commerce.UCI.EDU>
Mon, 23 Nov 87 08:50:21 -0800
There was just a report on the NBC news (Sunday, Nov. 21 at 4:30 pm PST)
on the sudden acceleration problems with the Acura Legend.  The Acura
dealers say it is driver error.  The drivers all say they have been
driving for 30-40 years without an accident or a ticket and they insist
they had at least one foot on the brake (one woman said she had both feet
on the brake).  A mechanic who has been examining one of the cars involved
says it is obviously a problem in the fuel injection system, and he is
sure that the computer is involved.  

Does anyone know if there is any connection between the microprocessor
used in the Acura and in the other cars with this problem, e.g., the
Audi 5000?


Centralized Auto Locking

"Lindsay F. Marshall" <lindsay%kelpie.newcastle.ac.uk@NSS.Cs.Ucl.AC.UK>
Mon, 23 Nov 87 11:19:20 GMT
My father spotted a report in a paper about someone who was trapped in a car
when the central locking mechanism went haywire. The person in question was
too large to escape by climbing through the window, which was how some of the
other passengers got out. Sadly I have no more details about this as my
father couldn't remember where he had seen it - it sounds like a FOAF story
("friend of a friend" story - urban legend, if you're a sociologist), but I'd
be interested if anyone else has heard it.
                                                        Lindsay


Re: The Stark incident (RISKS DIGEST 5.62)

Amos Shapir <nsc!taux01!taux01.UUCP!amos@Sun.COM>
22 Nov 87 09:38:59 GMT
It looks like the culprit in this case was whoever decided to classify
incoming missiles into 'hostile' and 'friendly' categories - did they
think that a friendly missile fired by mistake should behave any friendlier
than a hostile one?

    Amos Shapir         (My other cpu is a NS32532)
National Semiconductor (Israel)
6 Maskit st. P.O.B. 3007, Herzlia 46104, Israel  Tel. +972 52 522261
amos%taux01@nsc.com (used to be amos%nsta@nsc.com) 34 48 E / 32 10 N


Bank Networks (Re: RISKS-5.61)

George Bray <lcc.ghb@SEAS.UCLA.EDU>
Fri, 20 Nov 87 13:02:58 PST
I have two comments on the article in RISKS 4.61 by David G. Grubbs:

  >(VISA card numbers all start with 4, Master Card with 5, AMEX with 37, etc.)

Actually, AMEX cards can begin with 34, 35, or 37.  (Nit-picky, I know.)

  > Our money is managed by people who care nothing for the details of
  > an single transaction.  They sell financial services like the grocer
  > sells apples.  So what if a few are dropped on the floor?  It's just a
  > "cost of doing business."  As the throughput of transactions increases over
  > time, each detail gets commensurately smaller.  It can only get worse.

That is quite true.  In my days working for a bank (which actually was 
better than most about it) I was often astounded at the cavalier attitude
towards a single transaction.  Of course, from the point of view of the
bank, fixing a major problem in the middle of the day (one that was costing
thousands of dollars an hour) is clearly vital, but I couldn't help worrying
about the poor customer who happened to go up to an ATM during the 10 minutes
the front-end processor was being downloaded, or during any other downtime
in the middle of the day.  From the bank's point of view, a few transactions
lost out of half a million or more a day is minor.  From the customer's
point of view (who is late for a flight and needs cash), that one transaction
is critical.
                              George Bray


Re: Optimizing for cost savings, not safety (RISKS-5.57)

Dave Horsfall <munnari!runx.ips.oz.au!dave@uunet.UU.NET>
Sat, 21 Nov 87 01:33:04 AESST
> Re: Optimizing for cost savings, not safety (John McLeod)
 >From: bill@trotter.usma.edu (Bill Gunshannon)
 >   A letter was published in an amateur radio oriented magazine called QST
 >a few years back by a ham who tried to install a UHF mobile radio in his
 >newly purchased Japanese import.  He too had problems with interference to
 >the electronic ignition in the car.  A call to the US Service Representative
 >for the cars manufacturer resulted in a very simple solution to the problem.
 >They told him "don't install the radio in the car".
 >
 >  A novel approach to preventing interference.
 >                                                     bill gunshannon

Another "informed" reply that appeared in an amateur radio magazine was:
"Try shielding the antenna".  And these people design cars?
                                                               -- Dave


L.A. Earthquake & Telephone Service

"LT Scott A. Norton, USN" <4526P%NAVPGS.BITNET@wiscvm.wisc.edu>
Fri, 20 Nov 87 15:17:09 PST
The December 87 issue of The Institute: News Supplement to IEEE Spectrum has
a short but interesting article on the effect of Oct 1st's Los Angeles
earthquake on the utilities.  Most of the article deals with electric power,
which had the most problems ( but still minor ).  But a few paragraphs on
the telephone service should be of interest to RISKS readers.

The article points out that telephone network was largely undamaged by
the quake because many lines have recently been replace by fiber optic
cables that were installed with a large amount of slack, which permitted
them to move without breaking during the quake.

As we already know, many subscribers were unable to get dial tones
after the quake.  I thought "Lots of people calling relatives tied it
up", which was a factor, but The Institute reports that most of the
delays resulted because the quake knocked phone receivers off the hook.
Of course, anxious and curious callers also tied up the lines, and
two central offices lost power intermittently.

Can anyone with better knowledge of the phone companies' local offices tell
me if there is some simple way to shed this extra load in a reasonable way?
I know that after some minutes off the hook, the phone loses its dial tone.
Does this adequately release the resources the off-the-hook phone was using?

LT Scott A. Norton, USN     | From Internet, if you need a gateway, use
Naval Postgraduate School   |    4526p%navpgs.bitnet@jade.berkeley.edu
Monterey, CA 93943-5018     | or 4526p%navpgs.bitnet@ucscc.ucsc.edu
4526P@NavPGS.BITNET         | The WISCVM gateway will close 15 Dec 87. )


Gripen flight delayed

<mnetor!utzoo!henry@uunet.UU.NET>
Tue, 17 Nov 87 21:04:31 EST
The Oct 5th Aviation Week reports that first flight of Sweden's new Gripen
fly-by-wire combat aircraft will slip about eight months due to software
development delays.  This is on top of a previous six-month slip for the
same reason.  This is the last slip that can be absorbed without delaying
the operational service date (1992).  No real details were provided; on the
surface it would appear that things are going well but unexpectedly slowly,
and prime contractor Saab-Scania is just being cautious.

Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry

     [Yes, this is a risk commonly attributed to computers, but it is
     hardly novel.  It is included to remind us of the dependence on
     the software development process...  PGN]


Mariner 1

Mark Brader <msb@sq.com>
Sun, 22 Nov 87 12:34:05 EST
 *   A rocket on the way to Mars has to be destroyed because a crucial
     line is left out of the computer software controlling it.

Presumably the above refers to Mariner 1.  This is about the fourth or
so version that I've heard of what the actual error was.  Arthur C. Clarke
says it was a missing "-".  Others say that a "." was typed in place of a
"," in a Fortran DO statement (thus turning it into an assignment).

Peter, do you know of a reference that tells authoritatively what the actual
bug was?  Normally I'd consider ACC authoritative, but the version he tells
doesn't seem to appear anywhere else, so maybe not this time.

I posted the same question to sci.space a year or two ago and got no takers.

Mark Brader, Toronto, utzoo!sq!msb, msb@sq.com

     [We've tried this one before, but perhaps someone new has joined us.  PGN]


Systemantics

John Gilmore <hoptoad.UUCP!gnu@cgl.ucsf.edu>
Sat, 21 Nov 87 06:32:18 PST
David Chase's recommendaion of "Normal Accidents" reminded me of the
book "Systemantics" which I read years ago and can no longer remember
the vitals of.  Its premise, well explored and humorously explained, is
that sufficiently complex systems always have unexpected behaviours.

I suspect it's another RISKS cornerstone.
                                               John Gilmore

      ["Systemantics" by John Gall.   Although humorous, in the spirit 
      of Parkinson's Law, it has some great truths, such as

    "Fail-safe systems fail by failing to fail safe."

      haynes@ucscc.bitnet, ...ucbvax!ucscc!haynes]

         [Legendary!  Previously noted in RISKS by
             Jim Horning, RISKS-1.2;
             Earl Boebert, RISKS-2.16;
             Hal Murray, RISKS-2.18.
         Consult your local Books-in-Print.  PGN]


Re: "UNIX setuid stupidity" (RISKS-5.57)

"Joseph G. Keane" <jk3k+@andrew.cmu.edu>
Sat, 21 Nov 87 10:51:03 -0500 (EST)
The designers of UNIX considered that a trusted program may wish to allow 
operations only on a certain part of the directory tree.  So they provided the 
`chroot' system call, which allows a program to do just that, in a secure way. 
 I was surprised as i saw the argument go by with no one mentioning this, but 
maybe i shouldn't have been.  I guess the moral is that a feature doesn't do 
you any good if no one knows about it.

--Joe


<minow%thundr.DEC@decwrl.dec.com>
      (Martin Minow THUNDR::MINOW ML3-5/U26 223-9922)
Date: 23 Nov 87 09:02
To: risks@csl.sri.com
Subject: further comment on setuid problem

  From Risks 5.62:
  >From: munnari!basser.cs.su.oz.au!steve@uunet.UU.NET (Stephen Russell)
  ... 
  >This raises the interesting question of who is responsible for this security
  >bug - the person who wrote the buggy program, or the programmer who
  >installed it without vetting it?

Perhaps one might add to this list the people who designed an error-prone
capability, or the people who failed to document the way in which a
security-enhancing function can -- though used with good intent -- serve
to decrease the security of the system.
                                                  Martin.

Please report problems with the web pages to the maintainer

Top