The RISKS Digest
Volume 8 Issue 25

Tuesday, 14th February 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Authenticity in digital media — electronic time travel
Steve Philipson
Bogus Frequent Flyer Scheme
Kenneth R. Jongsma [and Dave Curry]
Automatic targeting for Maverick missile
Jon Jacky
Economics, Engineering and Programming
Jerry Leichter
RE: ATM Error in Europe
Udo Voges
Another bank error
Hsiu-Teh Hsieh
Static Electricity crash
Seth K
Legal clamp-down on Australian "hackers"
Neil Crellin
MIT virus paper available for anonymous ftp
Jon Rochlis
Prospectus for "Computer Viruses"
J Cordani
Info on RISKS (comp.risks)

Authenticity in digital media — electronic time travel

Steve Philipson <steve@aurora.arc.nasa.gov>
Tue, 14 Feb 89 10:18:50 PST
   Two nights ago I saw a piece on Headline News that has some interesting
implications.  It seems Hank Williams Jr. found a previously unknown
recording by his father, the late famed country singer Hank Williams, Sr.
Hank Jr. decided that it would be great to make a new recording as a duet
with his long departed Dad.  From the news article, it sounded like the
recording was heavily processed to remove noise and recording artifacts.
In addition, film footage from a very old Kate Smith TV show was heavily
processed to show Hank Sr. singing this song (they implied that he did
NOT perform it on that show), matching mouth movements to the lyrics in
a very convincing manner.  They also managed to merge an adult Hank Jr.
into the scene as if he was there when it is was recorded.  Quite a feat,
as Hank Jr. was probably about 2 years old (or less) at the time.

   The connection with RISKS is that computer/video processing technology
has progressed to the point where seeing is definitely not believing.
Not everyone is aware of this though, so the possibility exists that
public opinion could be manipulated by showing influential people doing
and/or saying things that are solely in the interest of the persons in
control of this technology.  

   This is probably not new break-through in technology, but it is the 
first I've seen of it in national distribution.
                            Steve


Bogus Frequent Flyer Scheme

<Kenneth_R_Jongsma@cup.portal.com>
Mon, 13-Feb-89 17:10:18 PST
Our local paper carried the following Associated Press story this evening:

     An airline ticket agent piled up 1.7 million bonus air miles via computer
   without leaving the ground, then sold the credits for more than $20,000,
   according to a published report.
     Ralf Kwaschni, 28, was arrested Sunday when he arrived for work at
   Kennedy International Airport and was charged with computer tampering
   and grand larceny, authorities said.
     Kwaschni, a ticket agent for Lufthansa Airlines, used to work for
   American Airlines, the Daily News reported today. Police said he used
   his computer access code to create 18 fake American Airline Advantage
   Accounts - racking up 1.7 million bonus air miles, according to the
   newspaper.
     All 18 accounts, five in Kwaschni's name and 13 under fake ones, listed
   the same post office box, according to the newspaper.
     Instead of exchanging the bonus miles for all the free travel, Kwaschni
   sold some of them for $22,500 to brokers, who used the credits to get a
   couple of first class, round trip tickets from New York to Australia,
   two more between London and Bermuda and one between New York and Paris,
   the newspaper said. It is legal to sell personal bonus miles to brokers
   Port Authority Detective Charles Schmidt said.
     Kwaschni would create accounts under common last names, the newspaper
   said. When a person with one of the names was aboard an American flight
   and did not have an Advantage account, the passengers name would be
   eliminated from the flight list and replaced with one from the fake
   accounts, the newspaper said.
     "As the plane was pulling away from the gate, this guy was literally
   wiping out passengers," Schmidt said.

Just continues to show that the greatest security risk is the internal one.
Aside from the obvious mistake of using the same address for all his
accounts, it would be difficult to catch this type of tampering. He was
doing the type of operations that his job requires (adding and deleting
passengers), so one wonders how American caught on.
                                                         Ken Jongsma

         [Also noted by Dave Curry in the San Jose Mercury News.]


Automatic targeting for Maverick missile

jon@june.cs.washington.edu <Jon Jacky, University of Washington>
Tue, 14 Feb 89 10:10:14 PST
Excerpts from a story in FEDERAL COMPUTER WEEK, 13 Feb 1989, pages 29 and 37:

REDUCING PILOT BURDENS COMES UNDER RAPID FIRE, by Fred Reed

Automatic targeting continues its penetration of the military with the
development of Rapid Fire, an automated fire-control system for the Maverick
air-to-ground missile.  The system, from Hughes Aircraft Co., is typical of
approaches now being investigated by many manufacturers of several types of
weapons . ...  Maverick is a large anti-tank missile that homes in, by means
of a sensor in its nose, on the infrared radiation emitted by tanks and
other vehicles. ...  

According to (Rapid Fire project manager Floyd) Smoller, the processing is
possible with today's computers.  Further, processing is less complex than
in full-scale target recognition systems that seek to identify targets with
certainty. ...  ``The system does not give a hard and fast discrimination
between tanks and other vehicles,'' Smoller said.  ``However, it does favor
tanks, based on variables such as size, aspect ratio and known signature.
It rejects objects in its range that are too large to be vehicles --- roads,
barns and so on.  And it ignores fires so you don't shoot at burning tanks
or forests.''

Having found all candidate targets in its field of view, he said, the system
chooses four targets, if the aircraft carries four missiles.  ``Then, if the
pilot wants, he can simply fire at the targets or he can change the priority
of the targets.  The Air Force never likes to give up the final say on
firing,'' Stoller said. ...

The two trends exemplified by Rapid Fire --- toward integration of computer,
sensors, and weapons and toward increasing automation --- can be seen in many
modern weapons. ...  An Air Force spokesman said Rapid Fire seemed to be a good
system but that the Air Force doesn't have a requirement for it now.

Hughes said it is working on an F-16 application to demonstrate Rapid Fire.
The company believes the system will become more important as close air
support grows in importance.'


Economics, Engineering and Programming

LEICHTER-JERRY@CS.YALE.EDU <"Jerry Leichter>
Tue, 14 Feb 89 12:41 EST
In a recent RISKS, Robert English points out that much of the pressure that
leads to programs being shipped quickly, without extensive testing, is inhe-
rent in the economic structure of the industry.

He's very right.  The following passage, forwarded to me by a friend, was
taken from an article entitled "Technology and Competitiveness:" by John A.
Young (who is president and CEO of the Hewlett-Packard Company):

    "In today's world, shortening the time between idea stage and finished
    product often makes the difference between success and failure.  The
    high costs of developing new products, the brief time before copies
    appear, and the rapid obsolencence make for a short innovation cycle -
    often 3 to 5 years (6).  A study by the consulting firm McKinsey &
    Company demonstrated that for a typical product with a 5-year life
    span, a 6 month delay in shipping would reduce after-tax profits by
    one third.  A 50% development cost overrun, by contrast, would reduce
    the after-tax profits by only 3.5% (13)."

    bibliography
    (6)  F. Press, in A HIGH TECHNOLOGY GAP (Council on Foreign Relations,
         New York, 1987) pp. 14-15.

    (13) D. G. Reinertsen, WHODUNIT? THE SEARCH FOR THE NEW PRODUCT
         KILLERS (McKinsey & Company, New York, July 1983).

    [taken from THE BENT of Tau Beta Pi - Winter 1989 issue]


Obviously, not everyone considers "6 month delay in shipping" and "50% deve-
lopment cost overrun" as the only two alternatives.
                            — Jerry


RE: ATM Error in Europe (RISKS-8.22)

KFK/KARLSRUHE - Udo Voges <<IDT766@DKAKFK3.BITNET<>
02/10/89 09:16:11 CET
A similar error happened at the postal banking office in Munich: a wrong tape
was mounted on 5 Jan 89 redoing all monthly transfers due at the end of the
month. The error was discovered (due to customer complains?) and repaired the
next working day (9 Jan) and apologies were mailed.
                                                            Udo Voges


Another bank error

Console Cowboy <vlsi005@ucscj.UCSC.EDU>
Sun, 12 Feb 89 02:02:44 -0800
This happened about a year ago in a small local bank which has been
expanding its branches so far.  One day I got a letter from a bank (computer
generated one) informing me that my checking account has been closed.  This
was a shock to me, considering the fact that I have never requested my
checking account to be closed.  When I went to the bank to demand an
explanation for the letter, the manager at the bank called up the central
data processing facility in another location, and here is what she told me:
my checking account was closed because it has not been accessed for 3
months, and since the balance was $0.00.  This was correct as far as I knew,
but I have kept the balance in my checking account at $0.00 for over a year
then, since I have a share draft protection which means that whenever there
is not an adequate fund in the checking account, adequate fund are
automatically transferred from my savings account.  So to simplify
bookkeeping, I have kept my checking account on balance $0.00 on purpose.
Also, I had considerable fund in my savings account at the time.

Although the bank manager apologized for this error, I have changed to
another bank since then.

Hsiu-Teh Hsieh, Univ. of Calif., Santa Cruz


Static Electricity crash

<sethk@sco.UUCP>
Mon Feb 13 14:16:22 1989
Jeffrey Mogul (mogul@decwrl.dec.com) mentioned the following in RISKS-8.21:

> In RISKS 8.18, Jeff Makey writes about a PDP-11/40 that could be
> crashed by walking across the room and kicking the console terminal,
> thereby transferring a static charge to the console and the CPU.  (...)
> If a PC were this sensitive to static, typewriters would still be big sellers.

Ever since SCO made the big conversion off of PDP-11/44's and on to PC's,
we have been plagued by crashes due to static. While some machines seem
more prone to this problem than others, it seems that any PC with a 
cartridge tape drive has the potential of crashing when the tape is 
inserted (and the correct conditions for static electricity exist). 
The policy recommended for those who handle backups here is to ground 
yourself to the chassis of the machine before/during insertion of the tape.
I do not plan to sell my manual Olivetti typewriter yet.
             -Seth    (sethk@sco.COM)


Legal clamp-down on Australian "hackers"

Neil Crellin <neilc@natmlab.dms.oz.au>
Tue, 14 Feb 89 19:11:12 +1100
(Reproduced from The Financial Review, Feb 14th, 1989)

              Clamp on computer hackers, by Julie Power

        Federal Cabinet is expected to endorse today draft legislation
containing tough penalties for hacking into Commonwealth computer systems.
It is understood that the Attorney-General, Mr Lionel Bowen, will be
proposing a range of tough new laws closely aligned with the recommendations
of the Attorney-General's Department released in December.  Mr Bowen
requested the report by the Review of Commonwealth Criminal Law, chaired by
Sir Harry Gibbs, as a matter of urgency because of the growing need to
protect Commonwealth information and update the existing legislation.
    Another consideration could be protection against unauthorised
access of the tax file number, which will be stored on a number of
Government databases.
    If the report's recommendations are endorsed, hacking into
Commonwealth computers will attract a $48,000 fine and 10 years
imprisonment.  In addition, it would be an offence to destroy, erase,
alter, interfere, obstruct and unlawfully add to or insert data in a
Commonwealth computer system.
    The legislation does not extend to private computer systems.
However, the Attorney-General's Department recommended that it would
be an offence to access information held in a private computer via a
Telecom communication facility or another Commonwealth communication
facility without due authority.

Neil Crellin, CSIRO Maths and Stats, Sydney, Australia. (neilc@natmlab.oz.au)
PO Box 218, Lindfield, NSW 2070.  (ph) +61 2 467 6721 (fax) +61 2 416 9317


MIT virus paper available for anonymous ftp

Jon Rochlis <jon@ATHENA.MIT.EDU>
Tue, 14 Feb 89 18:11:49 EST
The MIT paper on the Internet virus of last Novemember, "With Microscope and
Tweezers: An Analysis of the Internet Virus of November 1988", is now
available via anonymous ftp from either bitsy.mit.edu (18.72.0.3) or
athena-dist.mit.edu (18.71.0.38) in the pub/virus directory as mit.PS (and
mit.PS.Z). A version of this paper will be presented at the 1989 IEEE
Symposium on Research in Security and Privacy.
                                                        — Jon

Abstract:

In early November 1988 the Internet, a collection of networks consisting of
60,000 host computers implementing the TCP/IP protocol suite, was attacked
by a virus, a program which broke into computers on the network and which
spread from one machine to another.  This paper is a detailed analysis of
the virus program itself, as well as the reactions of the besieged Internet
community.  We discuss the structure of the actual program, as well as the
strategies the virus used to reproduce itself. We present the chronology of
events as seen by our team at MIT, one of a handful of groups around the
country working to take apart the virus, in an attempt to discover its
secrets and to learn the network's vulnerabilities.

We describe the lessons that this incident has taught the Internet community
and topics for future consideration and resolution.  A detailed routine by
routine description of the virus program including the contents of its built
in dictionary is provided.  


Prospectus for "Computer Viruses"

<"CORDANI, LTC J/A914-2469474" <cordani@pentagon-opti.army.mil<>
12 Feb 89 17:08:00 EDT
  1. Dr. J Cordani, at Adelphi University, and E. Rustadt, at Pace University
propose to bring out a collection of articles on the subject of computer
viruses for the academic and research community.
  2. We envision a volume of 10 to 20 articles, each 10 to 30 pages in length.
We will attempt to cover the field of viruses in historical, social, ethical,
economic, and technical areas.
  3. We envision a section as introduction, theory, classifications, life
cycles, epidemiology, countermeasures, economic and social issues, law,
beneficial uses, the future.  
  4. As a member of this forum, I know of few more fruitful media in which to
search for participants. 
  5. I should be most happy to discuss participation in the project with those
interested.  

Dr. John Cordani Schools of Business Adelphi University Garden City, NY 11530
(516) 663 1182 

(My host system will be down from Feb 17 to Feb 24 from maint problems.)

Please report problems with the web pages to the maintainer

x
Top