The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 83

Thursday 12 May 1988

Contents

o Time-bomb warning: SunOS may have one set to go off TOMORROW!
Dave Platt [2]
PGN
o A reminder on listening to the boy who cried wolf!
PGN
o Report on the Northwest crash in Detroit
PGN
o CCC informs on `Virus Jerusalem'; valid threat?
Klaus Brunnstein
o `Virus Epidemic Center' at Hamburg University
Klaus Brunnstein
o Risks and Risk Reporting
Elizabeth D. Zwicky
o Hawaiian Tel and HISS -- the Hawaiian Islands SysOp Society
Todd South
o Info on RISKS (comp.risks)

Time-bomb warning: SunOS may have one set to go off TOMORROW!

Dave Platt <dplatt@coherent.com>
Thu, 12 May 88 14:36:05 PDT
Our site administrator has just received notice of what's said to be a
"confirmed rumor" that there is a time-bomb buried in some current versions
of SunOS (the Sun variant of Unix).  This time-bomb is reported to be set to
trigger tomorrow (Friday the 13th).  It was suggested that we should either
shut down our Sun systems tomorrow, or alter the date so that the time-bomb
doesn't go off.  As we don't know whether the bomb is of the "go off on the
13th" or "go off on or after the 13th" variety, it would seem safest to set
the system clocks back rather than forwards.

We have no details at this time about the content of the time-bomb.  The
call to our administrator did not come from Sun, but from one of her
contacts at another Sun customer's site; it was of the "We thought you
should know... more details soon" variety.

It is possible that this rumor, although "confirmed", is actually mistaken
or is a hoax.  So, I apologize in advance to everyone everywhere if this
alert turns out to be a false alarm.

I'll mail updates when and as I receive them.

Dave Platt                                             VOICE: (415) 493-8805
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303
  UUCP: ...!{ames,sun,uunet}!coherent!dplatt     DOMAIN: dplatt@coherent.com
  INTERNET:   coherent!dplatt@ames.arpa,    ...@sun.com,    ...@uunet.uu.net


Followup to SunOS time-bomb alert

Dave Platt <dplatt@coherent.com>
Thu, 12 May 88 15:25:28 PDT
Within the past 20 minutes, I've spoken to two people in Sun's tech-support
department.  They report the following:

-  They have been running extensive experiments on their in-house machines,
   attempting to detect any signs of a "Friday the 13th" time-bomb.  So far,
   there has been "absolutely no sign" of any such time-bomb.

-  They have no information that leads them to believe that any such time-
   bomb exists in the code.

-  They're not sure where the rumor of the time-bomb originated.  It
   appears to have first "broken" at about noon PDT (3 PM EDT), and has
   spread with extreme rapidity.  One of the people to whom I spoke indicated
   that he has spoken with "at least 30" contacts across the country.

-  There have been no reports from Australia or Japan (where it's already
   Friday the 13th) that would indicate the triggering of any time-bombs.

So... at this point, it appears likely that the "Friday the 13th time-bomb"
rumor is just that... a rumor with no facts behind it.

Dave Platt                                             VOICE: (415) 493-8805
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303
  UUCP: ...!{ames,sun,uunet}!coherent!dplatt     DOMAIN: dplatt@coherent.com
  INTERNET:   coherent!dplatt@ames.arpa,    ...@sun.com,    ...@uunet.uu.net


Re: Followup to SunOS time-bomb alert

Peter G. Neumann <NEUMANN@csl.sri.com>
Thu 12 May 88 17:28:34-PDT
Private net communications from <werner@rascal.ics.utexas.edu> Werner Uhrig and
chuq@Sun.COM (Chuq Von Rospach) and spaff@purdue (Gene Spafford) confirm that
as far as any one can tell, the rumor is totally unfounded, but that Sun is
taking this very seriously.  (By the way, I know that several computer
companies routinely run their systems with the clock advanced in an effort to
detect time-bombs in the official products.)  Serious concern about the rumor
is reported within the U.S. government.  No one has yet been able to identify
the source of the rumor, although it could have easily been someone's confusion
with the alleged Israeli time bomb, also scheduled for 13 May but presumably
defused by now.  (Rumors sometimes do have a thread of reality behind them.)
And, after all, as Werner noted, it is Friday the 13th -- which is sort of an
imitation April Fool's Day.

Starting rumors is a commonly used technique to attempt to damage the
competition, or to test public reaction.  It also provides a mask for the
perpetrator of the real thing to hide behind.  [See the next item!]


A reminder on hearing the boy who cried wolf!

Peter G. Neumann <NEUMANN@csl.sri.com>
Thu 12 May 88 13:38:13-PDT
Security personnel in the First Interstate Bank tower in Los Angeles
apparently reset the smoke alarms that went off at the beginning of last
Wednesday's fire, believing that this was another in a recent string of false
alarms.  They also sent maintenance engineer Alexander John Handy to
investigate the alarms.  (He died in the elevator.)  At least seven minutes
were lost until three phone calls came in to 911 from outside the bank.

Although this is not computer related, the less on is clear: mere presence of
false alarms must always be considered as a potentially serious system problem.
[SF Chron, 11 May 88, p.A8]


Report on the Northwest crash in Detroit

Peter G. Neumann <NEUMANN@csl.sri.com>
Thu 12 May 88 13:35:41-PDT
The National Transportation Safety Board officially blamed the crash last
August (killing 156) on pilot error.  They also acknowledged the contribution
of the audible warning system, which did not go off because power to it had
been cut, and which should have alerted the pilots that the flaps were not set
properly.  They were unable to determine whether a circuit had been pulled by
the pilots or maintenance workers, or if the alarm had simply failed.  
[SF Chron, 11 May 1988, p.A5]


CCC informs on `Virus Jerusalem'; valid threat? (Re: RISKS-6.80)

Klaus Brunnstein <brunnstein%rz.informatik.uni-hamburg.dbp.de@RELAY.CS.NET>
Members of Computer Chaos Club have informed German public authorities that
a version of `Jerusalem Virus' has invaded public PCs. These authorities have
asked some Computer Security experts, but up to now, there is no evidence of
such an epidemic. Can anybody else help to verify or falsify this?

In this context, the following information from a CCC insider may become
interesting: the arrest of CCC leader, Mr.Wernery, who is the virus expert of
his organisation, has heavily upset CCCs members; some younger guys evidently
plan a `revenge action'. Since the chances to invade German public computers
are rather restricted, due to missing links to publicly accessible networks,
they may try to distribute `interesting' programs (games, text processors, DTP,
databanks) infected with a virus with `retarded activation'. According to good
information souces, such activities are discussed but I have no insight that
they have decided and begun action!


`Virus Epidemic Center' at Hamburg University (Re: RISKS-6.80)

Klaus Brunnstein <brunnstein%rz.informatik.uni-hamburg.dbp.de@RELAY.CS.NET>
As a consequence of growing concern of economic and public organisations in
Fed.Rep.Germany, we are establishing in Hamburg, together with scientific staff
and some 20 students, a `Virus Epidemic Center' aimed at testing any new virus
as well as producin and testing `hygienic software' to detect and eliminate
`infections'. We focus our work on PC (DOS) and PS (OS-2), Amiga, ATARI and
MacIntosh. We plan to establish a formatted description distributed
electronically (and available to RISK FORUM directly or by reference, depending
on PGNs moderation), and to publish a (German) book on "Viruses, and how to
fight them" covering our tests.  We are interested in any exchange of
information and experiences.

Klaus Brunnstein       University of Hamburg      FRG


Risks and Risk Reporting

Elizabeth D. Zwicky <zwicky@pterodactyl.cis.ohio-state.edu>
Wed, 11 May 88 17:14:27 EDT
Risks have been on our minds a lot here recently. We're in a bad security
position as a heavily networked educational site. This quarter we have some 500
students (all in Computer and Information Science) using Sun workstations.
Probably 400 of them know barely enough about UNIX to do the work. Another 90
know enough to fool around, but are basically harmless.  Those last 10 students
are a real problem, though. We implement a little more security every quarter.
We started by making the client Suns unable to touch any of the disk as root.
Then we modified the boot sequence so that it will not simply dump you into
single-user mode if interrupted, but will ask for the password first. This
quarter we modified the programs that allow you to become the superuser so that
they only work for users in specific groups and also log extra attempts.

While we were doing all this, we were of course merrily creating other security
holes we didn't know about. The one that just came to our attention had to do
with a screen saver. The students here run the X window system, and there is a
program that is not advertised to them but is available called "xsecure" which
blanks the screen to black and bounces a little lock around it until you type
your password at it.  Earlier, in one of our less security-minded moments, we
added to xsecure a feature we had come to know and love in the SunView version
of the program, where you can type the root password as well as the user
password to clear the lock. This allowed us to easily and non-destructively
clear locks. Students are not supposed to lock screens for more than a few
minutes, since we are rather short of Suns. As a stick-in-the-mud, I stuck to
my old violent method of just rebooting the Sun. Turns out that this was a good
thing, as a clever student trojan-horsed xsecure. His program looked just like
xsecure, but stored the password. He just set it running and left, sure that an
operator would come by and unlock it eventually - and one did.

Everybody now uses my method.

Then, the CACM got here. Several people asked, on a public newsgroup, whether
we had the mentioned Gnu Emacs bugs. Fact is, we don't. I can't imagine what
posessed them to ask on cis.general, however. Did they think we were going to
say that we did have the bugs? Some security improvement that would be!

Elizabeth Zwicky
                             [I presume you are referring to Cliff 
                             Stoll's article in the May 88 CACM?  PGN]


Hawaiian Tel and HISS -- the Hawaiian Islands SysOp Society

Todd South <tsouth@pro-pac.cts.com>
Mon, 9 May 88 06:00:26 HST
Recently, Hawaiian Tel has gone on the local news and stated that they want to
change the laws so that ALL computer BBS's will have to have business lines and
become actual businesses! This is the result of a recent person in the
community deciding that he would become a universal watchdog for the Hawaiian
area BBS's.  After sending intimidating letters to Hawaiian Tel, the Star
Bulletin newspaper, all local military commanders, and to the sysops of a large
number of local systems, this person finally sparked Hawaiian Tel into action.
The telephone company has been badgering people with claims of false service
and threatening them with federal prosecution if they do not change their lines
to business service RETROACTIVELY to the first day the phone line was
installed!

Their (HTel) basic claim is that even if you have a BBS listing on your system
that does nothing but list the phone numbers of other local area BBS's you
are advertising.  If someone on your system says, "hey I want to sell this
extra CP/M board I have", you (as a sysop) are running a business.

To this effect there have also been claims of tax evasion and other illicit
activities with no founded proof.  But, it is all a bad situation that has
caused a number of us to band together into an association of sysops in Hawaii
so that we may have a large base of people and financial backing in case this
thing comes down to lawyers.  The following is the official notice that is
being published around Hawaiian systems.

                   --------------------------------------

First off, my name is Toni Hinton (aka "avatar") and my husband Stan and I
run The Restaurant... BBS.

I'm not sure how much of the garbage going on you're aware of -- the
letters "reporting" SysOps to HawTel for running "businesses" on residential
lines; letters supposedly sent to local TV stations and newspapers; letters
to the Provost Marshals of military bases and military SysOps' commanding
officers suggesting they be reprimanded for their "illegal and fraudulent
activities"; the anonymous letters of some months ago suggesting that it
was impossible and risky to run a BBS no matter how responsible the SysOp
might be; and other actions whose apparent aim is to cause diffculty (both
personal and legal) and strife in the BBS community here.

I say it has to stop!

I've been approached by several local SysOps who have been told by others
that I have the "straight dope" on the situation. I don't; but from each
person I've spoken to I've learned more, and I know enough now to have a
pretty good grasp of the situation. I also have my suspicions as to who has
been waging this campaign, but nothing I can prove as yet. It's a safe bet
(I think) that it's someone within the BBS community, either a current or
former SysOp.

A lot of ill will, misinformation, and fear has been spread by this person
or persons, and outside forces are also coming into play. You're probably
aware that in many cases the "outside world" considers us all unprincipled,
lawless "hackers" -- stories in the Star-Bulletin recently have only
confirmed this view with their emphasis on BBSes used to further "kiddie
porn" and unlawful access to credit companies, banks, telephone companies,
and classified government information.

It's time for Hawaiian SysOps to band together to communicate with each
other and to begin policing our ranks from internally before someone from
the outside, with little understanding of what it is to be a SysOp, does it
for us.

To this end, the two of us and some other SysOps we are friendly with are
working to organize "HISS" -- the Hawaiian Islands SysOp Society.
Membership in HISS will be open to any Hawaiian SysOp with a BBS currently
active; whether commercial or hobby, public or private. HISS will give a
chance to meet fellow SysOps, talk, get to know each other and hopefully be
able to be prepared if another troublemaker tries his/her tricks. Our best
weapon is our strength as a group and communication in that group, and we
haven't made much of an effort to utilize that weapon. Ironic, isn't it,
when the purpose of BBSes is to facilitate communication?

Right now, HISS is just a handful of us working as a sort of "board of
directors" to get it off the ground. As such, I haven't much to report on
our progress. Our first board meeting will be early this week, and we'll
try to hammer out a few rough guidelines -- meeting dates, times, location,
all the niggling details of getting a large group of people together. We
will do our best to keep you informed of our progress.

To this end, I would appreciate it if you could set up an account on your
system for us to communicate with you. It needs to only have email or
feedback privileges so that we may leave messages to you. Use the account
name of HISS (if a last name is necessary, as it is on our TBBS system,
use a period) with the password of "grumpy". You may also contact us via
The Restaurant at (808) 499-1101 (24 hours, 3-2400 baud), where we have set
up an account for visiting Sysops under the name of "Visiting SysOp", pass-
word "howdy" (all lower case, TBBS considers lower case different from upper
case). Look under the Bulletin Board menu for "The Lounge" which is our
visiting SysOp message base. All updates and details will be posted there.
We may also be contacted voice at (808) 499-3158 between 10am and 10pm.

Thanks for your attention and we hope to see you at the first meeting of
HISS in the very near future.

                        Toni
               ------------------------------------------

To this end, an account has been setup on my site, Pro-pac, to facilitate
mail from the 'net' at large on this subject.  If you have any comments on
this, or would like to learn more about the results of this situation as
they develop, please send mail to hiss@pro-pac.CTS.COM and it will be
forwarded to the appropriate people.  Thanks for the soapbox, and any
support you may provide.
                                          Todd South

UUCP: {nosc, ihnp4, cacilj, sdcsvax, hplabs!hp-sdd, sun!ihnp4}
                           ...!crash!pnet01!pro-simasd!pro-pac!tsouth
ARPA: crash!pnet01!pro-simasd!pro-pac!tsouth@nosc.MIL   
INET: tsouth@pro-pac.CTS.COM - BITNET: pro-pac.UUCP!tsouth@PSUVAX1

Please report problems with the web pages to the maintainer

Top