The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 72

Tuesday 8 November 1988

Contents

o The Worm/Virus -- and an Unlearned Lesson
PGN
o Airline Reservation System Vulnerabilities
Rodney Hoffman
o Computers in the oldest profession
Dave Horsfall
o Auto Privacy
Dave Robinson
o Computer science unencumbered by fears about cutting safety margins
Jeffrey Mogul
o Re: Risks in Answering Machines (revisited)
Amos Shapir
Gordon Meyer
Bob Felderman
Greeny
William Curtiss
o Re: CRT noise
Ed Ravin
Geoffrey Welsh
o Info on RISKS (comp.risks)

The Worm/Virus -- and an Unlearned Lesson

Peter G. Neumann <Neumann@KL.SRI.COM>
Tue, 8 Nov 88 14:03:20 PST
There have been OVER 50 MESSAGES to RISKS since last evening, and over a
hundred backlogged since Friday.  Bear with me.  I'll get to them.  I am
only human, although I try to be that as well as I can.  Things have been
fairly hectic here.

Not surprisingly, most of the pending messages deal with the RTM worm/virus
discussion, which continues with healthy discussion on propriety, morality,
ethics, prosecution, judgement, compensation, penance, etc.  The messages are
vastly too repetitive to include fully, and range wildly all over the map --
from "string him up" to "let's learn the lessons he has offered for us."  The
discussion is indeed very worthwhile, but needs significant editing to make it
palatable to our usually discriminating audience.  Thus, I thought it might be
nice to have an issue on other subjects while I am trying to get the worm
material together. Here is a potpourri of backlog.

By the way, something approaching a hundred copies of RISKS-7.69 -- which have
been queued since Friday -- are still waiting on my system for the recipient
systems to accept delivery.  (RISKS-7.70 and 71 also.)  I assume many sites are
STILL off the (ARPA|MIL) net.   Worse yet, we had need today to poke at a UNIX
system that claims to be up on the ARPANET but was rejecting mail.  SMTP showed
the system working.  But, guess what?  The DEBUG option still works fine on
that system! I wonder how many other system administrators have still not
learned anything yet.


Airline Reservation System Vulnerabilities

Rodney Hoffman <Hoffman.es@Xerox.COM>
4 Nov 88 12:33:11 PST (Friday)
Today's "Wall Street Journal" carries a story about American Airlines suing a
Tulsa, OK woman and her father who have credit for more than 50 million miles
in American's frequent flier program.  The airline alleges that they and
unknown co-conspirators stole the mileage by breaking into American's computer
reservations system.  They have also been indicted by a federal grand jury for
wire fraud in the alleged scheme.

The woman is an independent employee of a travel agency.  She is accused of
shifting miles from actual travelers who were not part of American Airlines
frequent flier program into fake frequent flier accounts, then redeeming for
tickets and selling those.

But the story concludes with some more general worries:

  The allegations raise some troubling questions about access to airline
  computer systems.  Such systems contain a wealth of information not only
  about frequent-flier trips, but also about the confidential travel plans of
  hundreds of companies.  And yet any employee at any travel agency can
  normally log into the agency's system and see any trips the agency has booked.

  "It's just too easy to get into these systems," says John Caldwell, a travel
  attorney in Washington, D.C.  "I think this is going to become an
  increasingly sensitive issue."


Computers in the oldest profession

Dave Horsfall <dave@stcns3.stc.oz.au>
Wed, 2 Nov 88 13:14:59 est
From the "Backbytes" page in Computing Australia, 31st Oct 88:

``Where the Gigabyte meets garter belt

  As computer and related industry manufacturers scout for new niche
  markets, they could do worse than consider the world's oldest
  profession.  In recent months, US cops have busted several large
  prostitution rings -- all heavily dependent on microcomputer support.
  The databases held such priceless information as clients' names and
  addresses, billing methods, preferred frolics and the names of who did
  what best.  And to whom.

  How the new technocrats had missed the lucrative sales possibilities
  to this service industry is hard to fathom, as one recently raided
  establishment of easy virtue was in San Jose, in the heart of
  California's Silicon Valley.  In its computer's ledger were the names
  of more than 50,000 customers.  Obviously, a considerable horizontal
  market worth the attention of a lateral-thinking, but discreet, sales
  go-getter.''


Auto Privacy

DAVE ROBINSON DTN:830-6498 REO2-G/C2 <robinson%osi.DEC@decwrl.dec.com>
Fri, 4 Nov 88 01:43:49 PST
In recent issues of RISKS there has been concern voiced over the ability to
trace the location of a car from its car phone.  Last night, on BBC's TOP GEAR
programme, a device deliberately designed to locate cars was described.
Essentially, it is a navigational aid designed to take into account traffic
congestion.

You tell the device your intended destination and it determines the best route.
On the way, it tells you when to turn right or left, both on a dashboard
indicator and by a synthesised voice. So far, nothing particularly revolutionary.

The route selected takes into account the traffic congestion on various roads.
To determine this, there are many sensors across a town. When you pass one of
these sensors, the device in your car sends a message to it. Each sensor is
connected to a central computer. This records the time taken to travel from one
sensor to another to judge the current congestion along the route. However, the
side effect is that the central computer knows our location and route through a
city. This loss of privacy would be even greater should the scheme be extended
to cover not only the individual cities but also the interconnecting motorways
and side roads.

At present, the scheme is only in prototype. It is being developed at the
Government's Road Research Laboratories. However, it does indicate the sort of
devices we may be getting in the future.

To the best of my knowledge, Digital Equipment Co. has no involvement in the
project. Hence the usual disclaimers apply.
                                                     Dave Robinson


Computer science unencumbered by fears about cutting safety margins

Jeffrey Mogul <mogul@decwrl.dec.com>
2 Nov 1988 1742-PST (Wednesday)
I had to spend a few hours at the British Airways terminal at Heathrow last
week, and to help kill time I picked up a copy of the October 1988 issue of a
free magazine called "Airport".  The cover story is "Fighting for the Freedom
of the Skies: In Europe ...", and covers the European experiences with their
version of airline deregulation.  Apparently, the fragmented and uncoordinated
nature of European Air Traffic Control is causing chaos (my own flight was
delayed by ATC for 45 minutes, and our pilot told us as we left that flights
requesting clearance at that time were being told to wait for 90 minutes).

The final two paragraphs of the article made me chuckle (nervously):

    Aviation Scientists in Britain, the US, France and West Germany are
    now working on a data-exchange system which would reduce or even
    eliminate the human element in air traffic control and in airport
    approach, landing and take-off-slot technique.

[so far, so good]

    Machine-talking-to-machine would enable the system to improve
    perhaps five-fold, because the precise nature of computer science
    is unencumbered by fears about cutting safety margins too finely.  A
    cold dish of comfort, perhaps; one which will not be available until
    well after 2005.  And anyway, nobody knows yet how much such a system
    will cost.  But we all know who's going to pay for it, don't we?

The syntax of the first sentence is a little confusing, but I think the
author believes that once things are computerized there will be no need for
safety margins.  Computerization might well reduce the need for safety
margins, but this has little to do with how precise computer science is
(or is alleged to be).


Re: Risks in Answering Machines (revisited) (RISKS DIGEST 7.68)

Amos Shapir <amos@taux02.UUCP>
2 Nov 88 13:16:44 GMT
Andy-Krazy-Glew writes:
>   (3) Have there been any incidents of remote sabotage of answering machines,
>    or, worse, criminal interception of messages, or bugging, as I describe
>    above?

During the latest election campaign here, one of the major parties set up
several answering machines for political messages, e.g.  "if you want to know
why you should vote for us, dial 555-1234".  They were very surprised when they
found out that the messages had been changed (not in their favor, of course).

The machines were rented from a company that lets users have only a
phone number to call, and an access code; so the only way such
messages may have been altered is by remote control.

Amos Shapir, National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel


Re: Risks in Answering Machines (revisited)

Gordon Meyer <TK0GRM1@NIU.BITNET>
Wed, 02 Nov 88 12:38 CST
Andy Glew expresses some concerns about the security of telephone answering
machines.  I too have these concerns, and have had some problems along these
lines with my answering machine at home.  It is an older Cobra model.
Manufactured in about 1982 it offers remote message retrieval with the use of a
tone generating device.  The remote control device is a pain to use...you have
to carry it around with you, and past experiments have shown that tone units
from other machines will work just as well as the one the company provides! A
friend of mine had a similar machine, of another brand, and our remote controls
worked interchangeably.  Also, I did a little experimenting and found that I
could activate both our machines by using a sweeping tone generated by my home
computer.

About six months ago I had a problem with an unknown person calling my machine
and listening to my messages.  There was no way I could disable this option,
but there is a switch that prevents outside callers from erasing the messages
after listening to them.  There is no option to change outgoing messages and
the like so that is not a concern with this machine.  Luckily I have since
moved and the new phone number has stopped these outside invasions of my
privacy.

A back issue of 2600 Magazine had a short editorial on this subject.
Their response to the uncaring attitude of the manufacturer was to
call the company at night, (the company was using their own machines
to man the phones at night) and change the outgoing message to one
warning others about the lack of security on the product.

Gordon R. Meyer,  Dept of Sociology, Northern Illinois University.


Re: RISKS DIGEST 7.68 (Answering machines)

Bob Felderman <feldy@ats.ucla.edu>
Mon, 31 Oct 88 18:38:24 PST
The Cobra AN-8500 allows ONLY remote listening to messages and has a switch on
the machine which determines whether msgs will be erased after being heard
remotely.  Unfortunately, the code for remote listening is one (1) factory
preset digit.

Bob Felderman                                feldy@cs.ucla.edu
UCLA Computer Science       ...!{rutgers,ucbvax}!cs.ucla.edu!feldy


re: Risks in Answering Machines (revisited)

GREENY <MISS026@ECNCDC.BITNET>
Mon 07 Nov 1988 00:56 CDT
> Are there any machines on the market.....

Well, the one that I have (mainly for cost reasons, since I'm just an
undergrad) is a Phonemate.  Basically, it answers the phone, plays my digitally
recorded message, and takes the message.....then when I come home I can listen
to them.

About the only thing that it does remotely is answer the phone, and get my
messages.  Although it does allow one to turn it on (if it's accidentally left
off) from a remote location by letting the phone ring 15 times or more (it will
pick up and play the message to let you know that it is on.....).

After being on RISKS for a few years, I have realized that the convenience
realized by a completely remote machine is not worth the risks.  I suppose
I could always go to voice mail, or hire a secretary if I needed one....

> Is there any machines out there w/o the remote erase....

What's the big deal?  The machine *usually* has a cassette in it, and assuming
that it won't do a remote rewind of the cassette after playback, all one would
have to do to disable the erase circuit would be to install a small switch in
series with the erase head....when you go out, flip it off when you come back
in and want to erase -- flip it on.  Getting a copy of the schematics would be
helpful if possible so that you could disable the entire circuit thereby
preventing the thing from rewinding w/o erasing and then taping over the
messages....perhaps a circuit that would prevent erasure during rewind (the way
they usually work) so that you could play them back but not erase em (i.e. it
wouldn't rewind or erase if you selected erase with the "switch" off....

Shouldn't be too much of a hassle if you are somewhat knowledgeable in
electronics.....or if you aren't -- try to find a hungry student in electronics
and offer PIZZA! :->

Greeny

Bitnet: miss026@ecncdc
Internet:miss026%ecncdc.bitnet@cunyvm.cuny.edu
Disclaimer: I ain't responsible for nothing you or anyone else does...so
     don't blame me....


Re: Risks in Answering Machines

<Curtiss@DOCKMASTER.ARPA>
Wed, 2 Nov 88 14:03 EST
In RISKS 7.68, Andy "Krazy" Glew asks if there are any answering machines
with redefinable passwords that are long enough for an acceptable level of
security and if any have only non-destructive remote commands.  One possible
solution is an "answering machine card" for a PC.  Essentially, it is a
complete telephone interface, capable of recognizing touch tones, recording
and playing digitized speech (stored on a hard disk or floppy) and acting as
a modem.  A program is usually included with the board that makes it
function as an answering machine.  Since the full power of a complete
computer is available, the user can create any kind of password scheme they
desire, including multi-level menus for leaving messages for specific
people.  Also, the program can be modified to eliminate destructive remote
commands and new functions can be added.  They can even be set up to call
people, delivering a pre-recorded message (a la computer cold calling).

There are two such boards available, that I know of.  Either can be had for
about $250, not much more than a full featured, top-of-the-line dedicated
machine.

I'm not quite sure that this is a good solution to the problem, though.  Now
we have a potentially expensive machine attached to the phone line.  If
you're worried about losses to messages on a dedicated tape, just think
about the PC with one of these cards.
                                               William Curtiss
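As an added example (not code from the RISKS post, and not any real answering-machine card's software), here is what the two properties Curtiss describes look like when written down: an owner-chosen access code of at least six DTMF digits instead of a single factory-preset one, a per-call limit on wrong guesses, and a remote command set from which erase and re-record are simply absent. The class name, the sample messages and the fixed salt are assumptions for the demonstration.

```python
"""Remote-access handler for a PC-based answering machine (constructed example)."""
import hashlib
import hmac

# Constructed sample state: messages "recorded on the hard disk".
SAMPLE_MESSAGES = ["msg-001: call from Alice", "msg-002: call from Bob"]


class RemoteAccess:
    # The only commands a remote caller can issue. Erase, change-outgoing-
    # message and record are deliberately absent: those exist only at the
    # keyboard, so a caller who guesses the code can listen but not destroy.
    SAFE_COMMANDS = {"1": "play", "2": "count", "3": "hangup"}
    MAX_ATTEMPTS = 3  # wrong codes allowed per call before the line is locked

    def __init__(self, access_code: str, messages):
        if len(access_code) < 6 or not access_code.isdigit():
            raise ValueError("access code must be at least 6 DTMF digits")
        self._salt = b"constructed-salt"  # assumption: fixed salt for the demo
        self._code_hash = self._digest(access_code)  # never keep the digits
        self._messages = list(messages)
        self._attempts = 0
        self.authenticated = False
        self.locked = False

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 10000)

    def enter_code(self, digits: str) -> bool:
        """Compare dialled digits with the stored code in constant time.
        After MAX_ATTEMPTS failures nothing further is accepted this call."""
        if self.locked:
            return False
        if hmac.compare_digest(self._digest(digits), self._code_hash):
            self.authenticated = True
            self._attempts = 0
            return True
        self._attempts += 1
        if self._attempts >= self.MAX_ATTEMPTS:
            self.locked = True
        return False

    def command(self, key: str):
        """Dispatch one DTMF key. Unknown keys are ignored rather than
        mapped to anything, so there is no hidden destructive path."""
        if not self.authenticated:
            return "denied"
        action = self.SAFE_COMMANDS.get(key)
        if action == "play":
            return list(self._messages)  # a copy: caller cannot alter the store
        if action == "count":
            return len(self._messages)
        if action == "hangup":
            self.authenticated = False
            return "bye"
        return "ignored"
```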


Re: CRT noise

<cmcl2!cucard!dasys1!eravin@harvard>
Thu, 3 Nov 88 15:42:07 EST
> That noise is *very* nasty; there really ought to be emissions standards.
> Every low-cost computer I've ever worked with has been horribly annoying.
> IBM PC's with CGA cards (or EGA cards in CGA mode) were terrible offenders;
> even my Mac is fairly offensive.

I used to shudder when I heard an IBM PC go into EGA graphics mode.  On my
current job that happens ten or twenty times a day, I still don't like it
but I'm used to it.   I love using the Mac but do notice the noise:
sometimes it helps on a lot of these monitors to hang a cloth or drape
something soft behind the machine.  When the monitor is backed against a
solid wall the problem is usually worse.  I also have noticed noise coming
out of a couple of IBM AT clones' power supplies, though not at irritating
frequencies.

> (High-resolution screens (noninterlaced, 640x480 and up) don't seem to
> have the problem, but they won't become common in cost-sensitive
> applications for quite a while.)

I don't agree with this.  I think you just can't hear them anymore because
they're using higher scan rates.  My usually reliable intuition has steered
me away from a Sun workstation with a 19" color screen.  However, working
with Unix PC's has really sensitized me to this stuff: when I was last
abroad I had trouble being in the same room as a European TV set (625 scan
lines), especially 25" models.

>   How can we drum up some pressure to get OSHA to look into this?

Good question.  I've never thought about it, but I sure would like to try.  I
suspect letters and phone calls to one's favorite senator or representative
would be a start.  Might even be worth trying...
                                                     -- Ed Ravin
Reader bears responsibility for all opinions expressed in this article.


Ultrasonic emissions a real problem

Geoffrey Welsh <izot@f171.n221.z1.fidonet.org>
Mon, 07 Nov 88 18:13:29 EST
 
In RISKS-7-68 eravin@dasys1.UUCP (Ed Ravin) writes:

>I've got my own story to tell about high frequency noises crawling out of
>computer related devices, and since I'm new to RISKS, my apologies if any
>or all of this has been discussed before.

   I, too, am new to RISKS (drawn here by news of the ARPAnet worm), and I,
too, share your earitability. (sorry!)

   When I was much younger, I used to hear whistle sounds and I'd ask my
parents what they were. They immediately took me to the doctor, who told
them that I did *not* have an ear infection. They stopped only short of taking
me to a neurologist to find out if something upstairs was shorting out.

>After that I began noticing the sounds made by all the other CRT's in my
>life. They were high pitched and slightly irritating, but not painful. I had
>always, even before meeting computers, noticed the 15khz whine from a TV set,
>but it had never bothered me.

   It didn't take me long to figure out that this was among the causes of the
noise I was hearing. I have also heard sounds which are distinctly higher
in pitch than a standard NTSC CRT (i.e. higher frequency than a 15,750 Hz
flyback transformer). I am puzzled as to exactly what these are as the only
things I know of that operate around 16 KHz RF are LORAN-type devices and, to
the best of my knowledge, I am near no such installations (e.g. the nearest
sizable body of water is a long drive from here).

>Maybe my problem is that I never listened to loud rock music and my hearing
>above 15khz is mostly intact.

   Here's the kicker: I HAVE listened to loud rock music. I have worked in
factories where a wide spectrum of loud noises assaults me for eight or twelve
hours at a time (with occasional breaks), but my inability to hear these high
frequencies clearly fades within an hour or so after I leave, leading me to
believe that my decreased hearing sensitivity is more a muscle reaction
in my ear rather than damage caused by the volume.

   What, then, leads some of us to be sensitive to these frequencies to a
fault and others to be completely unaware of them? Worse, how can we determine
what levels are acceptable, given that some people are simply more sensitive
than others?

   If indeed ultrasonic emissions are a cause of illness or other unacceptable
consequences, it is vital that a study into the area be launched. Who knows;
in a few years we may find our present CRTs replaced with ones that have a
horizontal scan rate above 30 KHz to avoid this problem.

Geoffrey Welsh, 66 Mooregate Crescent, Suite 602, Kitchener, Ontario N2M 5E6 -
CANADA
