The RISKS Digest
Volume 8 Issue 43

Tuesday, 21st March 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Outdated codes made US missiles useless
Henry Cox
Risks of dying batteries
Henry Cox
Things to do with a computer...
Joe Morris
Possible Cancer Risks from Cellular Phones?
Mike Trout
Supreme Court and Copyrights
ark
Mitnick plea bargain
Rodney Hoffman
Re: Risks of telephone access to your bank account
Phil R. Karn
Internet Security Plans
Vin McLellan
Duplicates due to network lossage?
*Hobbit*
Info on RISKS (comp.risks)

Outdated codes made US missiles useless

henry cox <cox@pike.ee.mcgill.ca>
Tue, 21 Mar 89 10:25:50 EST
[ From the Montreal Gazette, 21 March 1989 ]

OUTDATED CODES MADE U.S. MISSILES USELESS

WASHINGTON (Reuter) - The White House said yesterday obsolete electronic-launch
codes were fed into an unspecified number of US land-based nuclear missiles
several years ago, making them temporarily useless.

"In 1986, a few of the missiles in one squadron at Malstrom Air Force Base were
found to contain outdated codes.  The actual number of missiles involved in the
incident remains classified; however, the ...  [sic] alert rate remained above
98 per cent," spokesman Marlin Fitzwater said.  The base Fitzwater referred to
is a Strategic Air Command installation in west-central Montana.  He said the
outdated codes, which would have kept air force personnel from launching the
missiles in the event of war, were discovered during an annual code change.
The presidential spokesman said launch codes for the 1000 US Minuteman
strategic missiles are changed every year, as are codes at the country's 100
launch centres.  "Presumably, the situation has been corrected," he said.

Fitzwater's comments were prompted by a report in the Washington Times, a
right-wing newspaper with strong ties to the White House, which said it
confirmed the error after an eight-month investigation.  While Fitzwater said
the exact number of missiles found to be inoperable is secret, he said: "There
weren't very many of these missiles involved."  The newspaper reported five of
the 1000 US land-based missiles, each armed with three nuclear warheads, were
temporarily disabled but it said the incident raises questions about the
security and safeguards of all of them.
                             Henry Cox

                                   [Also noted by <Walter_Roberson@Carleton.CA>
                                   in today's Ottawa Citizen.]


Risks of dying batteries

henry cox <cox@pike.ee.mcgill.ca>
Tue, 21 Mar 89 10:06:56 EST
DYING BATTERIES CALL THE POLICE  [ From the Montreal Gazette, 21 March 1989 ]

CLEVELAND (Reuter) -Dozens of calls to police and fire-emergency lines have
been traced to cordless telephones that short-circuit and dial 911 as their
batteries start to die, officials said yesterday.  One suburban police
department said it received as many as 25 such calls a day.  A Cleveland police
communications expert said it appears failing batteries caused the devices to
emit pulses that sometimes duplicated a 911 call.

[ Aside from the obvious nuisance factor, there is clear risk if emergency
personnel are accustomed to receiving many such calls - they may attribute the
next inexplicable call to a faulty phone.           Henry Cox ]


Things to do with a computer...

Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.mitre.org>
Tue, 21 Mar 89 12:57:36 EST
The following item, reproduced in its entirety (without permission) from
the 20 March issue of Digital Review (a DEC-oriented weekly) is both
relevant to security discussions and funny to boot (pun intended).

  COMPANY "SAW" SECURITY PROBLEM FOR MICROVAXES

  You never know what people are going to do next with a MicroVAX.

  System managers at London's Midland Bank, one of Great Britain's largest
  clearinghouses, originally felt that their MicroVAXes should be located
  in the wholesale systems department.

  But the folks who run MIS at Midland decided that this solution was not
  secure enough, and that the company's computer room would provide a 
  safer location.

  The security of the computer room, however, was called into question one
  weekend afternoon.

  "On a Saturday, one of my guys went into the computer room and saw a 
  carpenter in the process of modifying the room," said Jamie May, project
  manager for the wholesale systems department at Midland.  This carpenter
  was using two of the MicroVAXes as a kind of workbench to try and balance
  the wood he was sawing.

  "The dealers can sometimes be animals, but the computers would have been
  a lot better off and secure in the dealing room," May added.


Possible Cancer Risks from Cellular Phones?

Mike Trout <miket@brspyr1.brs.com>
21 Mar 89 18:27:32 GMT
I recently had a discussion with a major electronics guru for a local
television station.  We were talking about microwave transmitters (radar
speed guns, garage door openers, that sort of thing), when he made a
dramatic statement that shocked me:  he claimed that cellular phones were
extremely hazardous and probably highly carcinogenic.

This is completely outside my area of expertise, so I can only repeat what he
said.  He claimed that the frequency wavelengths used for cellular phone radio
transmissions were just about equal to the diameter of the human brain cavity.
This, he claimed, accelerated by the fact that the receiver is always held up
against the human skull, sets up highly dangerous conditions within the human
brain.  He said that ten years or so from now we're going to see an explosive
increase in brain tumors among cellular phone users.  He also claimed that some
cellular units were far more hazardous than others, but that ALL of them are
carcinogenic.  He said he won't even work on them, and wouldn't wish a cellular
phone on his worst enemy.  This guy is rather eccentric at times, but his
knowledge of electronics is legendary.  His co-workers seemed to share his
opinions; one of their technicians was severely injured some years back by
climbing on a transmission tower during a high-intensity transmission.  Whether
this guy knows anything about human physiology is another question.  Is this
nonsense, an urban myth, or is this actually a matter of risk?

Michael Trout
BRS Information Technologies, 1200 Rt. 7, Latham, N.Y. 12110     (518) 783-1161


Supreme Court and Copyrights

<ark@europa.UUCP>
Tue, 21 Mar 89 14:44:59 EST
The US Supreme Court decided yesterday that state governments,
including state universities, are immune to copyright laws.
I wonder what effect this will have on the software industry?


Mitnick plea bargain

Rodney Hoffman <Hoffman.ElSegundo@Xerox.com>
20 Mar 89 18:43:17 PST (Monday)
An article by Kim Murphy in the 16 March 1989 'Los Angeles Times' reports on
the disposition of the case against Kevin Mitnick, "who prosecutors said was as
dangerous with a keyboard as a bank robber with a gun."  [See RISKS 7.95 and
8.3 for earlier reports.]  Edited excerpts from the latest article:

   Mitnick pleaded guilty to one count of computer fraud and one count of
   possessing unauthorized long-distance telephone codes.  He admitted
   penetrating a DEC computer in Mass., secretly obtaining a copy of a
   sophisticated computer security program which the company had spent 
   $1 million to develop.  The program, said Mitnick's attorney, was 
   designed to alert companies when their computers had been penetrated 
   by hackers like Mitnick.  Mitnick never attempted to sell or distribute 
   the program, he said.  Mitnick also admitted possessing 16 unauthorized
   MCI long-distance codes that enabled him to make long-distance telephone
   calls without charge.  A prosecutor said Mitnick used the codes to make
   connections to computers.

   Mitnick faces one year in prison.  Under a plea agreement with the
   government, he must also submit to three years' supervision by probation
   officers after his release from prison.  Prosecutors said they agreed to
   a 12-month sentence because the amount of financial damage was relatively
   low.  DEC lost about $100,000 to $200,000 in computer "down time" 
   investigating the security program theft.  As part of the plea agreement,
   prosecutors agreed to dismiss two additional counts charging Mitnick with
   illegally accessing the Leeds Univ. computer in England and a separate 
   charge related to the DEC computer program.


Re: Risks of telephone access to your bank account

Phil R. Karn <karn@thumper.bellcore.com>
Mon, 20 Mar 89 13:50:29 EST
Brint Cooper makes the point that cellular phone isn't "telephone", it's radio.
True enough, the braindamaged ECPA notwithstanding. But even calls placed
between conventional telephones can, on occasion, be almost as easily
intercepted.

To demonstrate:

1. Obtain or set up a standard TVRO (Television Receive Only) satellite
earth station. The receiver should have a "composite video" output jack
(now pretty much standard, since VideoCipher descramblers need them).

2. Connect the aforementioned composite video jack into the RF input of
a garden variety "shortwave" (HF) communications receiver set for single
sideband (SSB) reception.

3. Aim the satellite dish at one of the AT&T Telstar satellites and find
a transponder that doesn't seem to be carrying video.

4. Tune around below 6 MHz or so with the SSB receiver.

Rumor has it that dedicated circuits belonging to travel reservation services
have been heard in this manner.   Phil


Internet Security Plans

Tue, 21 Mar 89 08:56:29 PST
INTERNET COMPUTER NETWORK TO USE CODE TO ENSURE PRIVACY
By VIN McLELLAN, c.1989 N.Y. Times News Service

   BOSTON — Officials of Internet, the computer network that ties together
hundreds of academic, government and corporate networks, are planning to begin
a program that will permit users to send messages to one another in what is
intended to be an unbreakable code.  At present, users communicating over the
network have little privacy. Sophisticated users can easily intercept and read
messages.  This lack of security has increasingly worried computer experts as
the use of the networks has spread.
  For many scientists and engineers, the networks have become a
mainstay in their communications, used to exchange research results
as well as carry on conversations that would otherwise occur over
the telephone.
  Under the new system, not only can an encrypted message be sent but the
message will carry concealed information that will leave no doubt for the
recipient that the person who says he sent the message did indeed send it.  The
recipient will also know with certainty that the message has not been altered.
  Developers of the technology say the encryption will provide users with
``digital envelopes'' that cannot be opened except by the addressee, and the
contents will have ``digital signatures'' that cannot be forged.
  The encryption will be offered to 400 computer networks that are tied by the
Internet network.  The system will be based on one devised by RSA Data Security
Inc. of Redwood City, Calif., that uses ``public key encryption'' techniques
developed in the late 1970's by federally financed researchers at the
Massachusetts Institute of Technology.
  PKE, as the encryption technique is known, involves two ``keys,'' one public
and one secret. Each user has a secret key and a public one that is published
in a directory, just as phone numbers are. Someone uses the recipient's public
key to send a message and the recipient uses his secret key to decode it.
  The Internet proposal comes just as RSA and the Digital Equipment Corp. of
Maynard, Mass., have agreed to give Digital full access to the same technology
that Internet proposes to use.
  DEC is expected to announce the agreement today. Digital officials said they
expected to integrate RSA's technology into a broad array of software and
hardware products.  ``The events of the past two years have shown that security
has now become a necessary aspect of reliable distributed computing,'' said
Robert Schleelein, manager of strategic relations for Digital's network and
communications group.  He was referring to numerous recent cases in which
intruders have entered computer networks.
  The agreement between Digital and RSA could give Digital a competitive edge
in providing future computer equipment to users of the networks who want to
take advantage of its new encryption technology.  It will also probably mean
that RSA's public key encryption technology, which is proprietary, could become
the encryption standard on computer networks.
  ``Those of us who are involved in setting standards don't like to include in
a standard anything that is a proprietary technology,'' noted Dr. Stephen Kent,
chairman of the Internet Task Force on Privacy.  ``Adopting RSA, we have
violated that rule of thumb, but we've done it with the full knowledge that we
were doing it, and because we felt there were no other viable alternatives.''
Kent, chief scientist at BBN Communications Inc., in Cambridge, Mass., said the
Internet standard was the result of more than two years of joint efforts by
representatives from BBN, the Mitre Corp., the Xerox Corp., Digital, Texas
Instruments Inc., University College in London, the Lawrence Livermore National
Laboratory and the Commerce Department's Institute of Standards and Technology.
  Digital's adoption and explicit endorsement of the RSA technology is itself a
``tremendous advance in information security,'' said John O'Mara, executive
director of the Computer Security Institute, an association of 3,000 corporate
data security officers.
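The article describes the two properties the planned Internet standard offers: a "digital envelope" only the addressee can open, and a "digital signature" that proves who sent the message and that it was not altered. The following is an added illustration of that combination in working code; it is not Privacy-Enhanced Mail code and not RSA Data Security's implementation. To run on the Python standard library alone it uses textbook RSA with small hand-picked Mersenne primes, an unpadded hash as the signed value, and a SHA-256 counter keystream standing in for a real block cipher. All of those are toy choices made for this example, and the key pairs for "Alice" and "Bob" are constructed here.

```python
"""Digital envelope + digital signature, in the style the article describes.

Added illustration, not PEM or RSA Data Security code.  Textbook RSA with
small Mersenne primes and a SHA-256 keystream are toy substitutes (assumed
for this example only) for a proper padded RSA and an authenticated cipher.
"""
import hashlib
import secrets

E = 65537  # common public exponent


def keygen(p, q, e=E):
    """Return (public, private) = ((n, e), (n, d)) for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # modular inverse (Python 3.8+)


# Constructed key pairs: distinct Mersenne primes so the two moduli differ.
ALICE_PUB, ALICE_PRIV = keygen(2**31 - 1, 2**61 - 1)    # ~92-bit modulus
BOB_PUB, BOB_PRIV = keygen(2**89 - 1, 2**107 - 1)        # ~196-bit modulus


def keystream(session_key, length):
    """Toy stream cipher: SHA-256(key || counter) blocks, cut to length."""
    blocks = []
    for counter in range((length + 31) // 32):
        seed = session_key.to_bytes(32, "big") + counter.to_bytes(4, "big")
        blocks.append(hashlib.sha256(seed).digest())
    return b"".join(blocks)[:length]


def digest_int(data, n):
    """Hash the message to an integer below the signer's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def seal(message, sender_priv, recipient_pub):
    """Sender side: sign the plaintext, then lock it in a digital envelope."""
    n_s, d_s = sender_priv
    n_r, e_r = recipient_pub
    signature = pow(digest_int(message, n_s), d_s, n_s)   # needs sender's d
    session_key = secrets.randbits(64)                    # fresh per message
    stream = keystream(session_key, len(message))
    body = bytes(m ^ k for m, k in zip(message, stream))
    return {
        "envelope": pow(session_key, e_r, n_r),  # only recipient's d opens it
        "body": body,
        "signature": signature,
    }


def open_envelope(sealed, recipient_priv, sender_pub):
    """Recipient side: recover the session key, decrypt, verify the signature.
    Returns (message, ok); ok is False when the content was altered or the
    signature was not produced with the claimed sender's private key."""
    n_r, d_r = recipient_priv
    n_s, e_s = sender_pub
    session_key = pow(sealed["envelope"], d_r, n_r)
    stream = keystream(session_key, len(sealed["body"]))
    message = bytes(c ^ k for c, k in zip(sealed["body"], stream))
    ok = pow(sealed["signature"], e_s, n_s) == digest_int(message, n_s)
    return message, ok


def demo():
    """Clean round trip plus a tampered copy; returns (ok_clean, ok_tampered)."""
    sealed = seal(b"results of the Tuesday run: all green", ALICE_PRIV, BOB_PUB)
    _, ok_clean = open_envelope(sealed, BOB_PRIV, ALICE_PUB)
    # Flip one bit of the ciphertext in transit: decrypts, but no longer verifies.
    tampered = dict(sealed, body=bytes([sealed["body"][0] ^ 1]) + sealed["body"][1:])
    _, ok_tampered = open_envelope(tampered, BOB_PRIV, ALICE_PUB)
    return ok_clean, ok_tampered


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The order matters: the signature is computed over the plaintext and travels inside the envelope, so a third party who intercepts the message learns nothing from it, and the recipient only trusts the content after both the decryption and the signature check succeed. A bit flipped in transit still decrypts to something, which is exactly why the signature check, not the decryption, is what establishes that the message "has not been altered".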


Duplicates due to network lossage?

*Hobbit* <hobbit@pyrite.rutgers.edu>
Tue, 21 Mar 1989 14:41:56 EST
Has anyone else been receiving complaints about lots of duplicate messages from
people at particular sites?  Some of these poor victims are getting on the
order of 25 copies of one message.  I've done some queue-watching and it
appears that the SMTP dialog in these cases flies right along, no problem,
until the . after the DATA, whereupon the remote host just sits there
[ostensibly trying to deliver the message], and my end times out and requeues
the message.  Meanwhile the foreign end, not particularly caring that the
sender nuked the connection, finally figures out what it was doing and delivers
the message.  While (stuck) repeat...

We've been having some network problems down here over the past couple of days,
but one would think that once the connection is open and the dialog is running,
you wouldn't get an inordinate delay *ONLY* after the DATA is sent.  What's
going on with these sites?  Below I have included a list of offenders I could
find on the Security list.  Any ideas?  I'm running regular ole sendmail, and
everything's working fine otherwise; it's just that these hosts refuse to
acknowledge receipt of the message.  They are running a bunch of different
mailers, as well, so it isn't a problem with a particular type of mailer
[although I've seen that sort of thing in the past].
                                                            _H*

"slow" hosts follow:

AI.AI.MIT.EDU, asd.wpafb.af.mil, bbn.com, BCO-MULTICS.ARPA, cam.unisys.com,
CCA.cca.com, CCINT1.RSRE.MOD.UK, cs.ucla.edu, EDN-VAX.ARPA, gateway.mitre.org,
ibm.com, maths.bath.ac.uk, MITRE.ARPA, mitre-bedford.ARPA, mitre-gateway.arpa,
mizar.usc.edu, msc.umn.edu, MWUNIX.MITRE.ORG, nems.arpa, opus.cray.com,
prime1.lancashire-poly.ac.uk, RADC-TOPS20.ARPA, rand.org, relay.cs.net,
relay.mod.uk, sdcrdcf.arpa, stony-brook.scrc.symbolics.com, stripe.SRI.com,
tis.llnl.gov, ucbarpa.berkeley.edu, UCBVAX.BERKELEY.EDU, vaxa.isi.edu,
vax.bbn.com, venera.isi.edu, wb3ffv.ampr.org

              [I still get a monster BARFlist each time I send an issue.  
              I try to be charitable before axing an address or a site.  
              ("Clean up your axe?")  PGN]
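The loop Hobbit describes (the reply to the "." after DATA arrives later than the sender's timeout, the sender requeues, the receiver delivers anyway) is easy to reproduce as a model of the two mailers. The following is an added example, not Hobbit's sendmail or its logs: the dialog, the delay and timeout values, and the Message-ID bookkeeping on the receiving side are all constructed here. The Message-ID de-duplication is an assumed receiver-side mitigation, not something the post proposes.

```python
"""Model of the duplicate-delivery loop: slow 250 after end-of-DATA.

Added example with a simulated clock; no network is used.  Delay values,
host names and the dedup-by-Message-ID mitigation are assumptions.
"""


class SlowReceiver:
    """Receiving MTA: answers every command at once except the final '.',
    whose 250 arrives only after `ack_delay` seconds on the simulated clock.
    The message is queued for delivery as soon as '.' is seen, whether or
    not the sender is still waiting for the reply."""

    def __init__(self, ack_delay, dedup=False):
        self.ack_delay = ack_delay
        self.dedup = dedup          # drop repeats of an already-seen Message-ID
        self.mailbox = []           # Message-IDs delivered (duplicates included)
        self.seen = set()
        self.log = []               # transcript of the dialog
        self.in_data = False
        self.current_id = None

    def handle(self, line):
        """Return (reply, seconds_until_reply); reply is None for body lines."""
        if self.in_data and line != ".":
            if line.startswith("Message-ID:"):
                self.current_id = line.split("<", 1)[1].rstrip(">")
            return None, 0
        if line == ".":
            self.in_data = False
            if self.dedup and self.current_id in self.seen:
                self.log.append("S: 250 OK (duplicate %s dropped)" % self.current_id)
            else:
                self.seen.add(self.current_id)
                self.mailbox.append(self.current_id)
                self.log.append("S: 250 OK (delivered %s)" % self.current_id)
            return "250 OK", self.ack_delay
        if line == "DATA":
            self.in_data = True
            self.log.append("S: 354 send the mail data")
            return "354 send the mail data", 0
        self.log.append("S: 250 OK")
        return "250 OK", 0


def send_with_retries(receiver, message_id, timeout, max_attempts=5):
    """Sending MTA: walk the dialog; if the reply to '.' takes longer than
    `timeout`, drop the connection, requeue and try again.  Returns the
    number of attempts made."""
    dialog = [
        "HELO sender.example", "MAIL FROM:<a@sender.example>",
        "RCPT TO:<b@receiver.example>", "DATA",
        "Message-ID: <%s>" % message_id, "Subject: test", "", "body text", ".",
    ]
    for attempt in range(1, max_attempts + 1):
        receiver.log.append("-- attempt %d --" % attempt)
        for line in dialog:
            receiver.log.append("C: " + line)
            _, delay = receiver.handle(line)
            if delay > timeout:
                receiver.log.append("C: (no reply within %ds: timeout, requeue)" % timeout)
                break
        else:
            return attempt          # 250 after '.' arrived in time: done
    return max_attempts


def demo():
    """Returns (copies_without_dedup, copies_with_dedup) for a 10-minute ack
    delay against a 5-minute sender timeout."""
    plain = SlowReceiver(ack_delay=600)
    send_with_retries(plain, "1989-03-21.1@sender.example", timeout=300)
    dedup = SlowReceiver(ack_delay=600, dedup=True)
    send_with_retries(dedup, "1989-03-21.1@sender.example", timeout=300)
    return len(plain.mailbox), len(dedup.mailbox)


if __name__ == "__main__":
    r = SlowReceiver(ack_delay=600)
    send_with_retries(r, "x@sender.example", timeout=300, max_attempts=2)
    print("\n".join(r.log))
    print(demo())   # (5, 1)
```

Every command up to and including DATA gets its reply at once, so the sender sees a healthy dialog; only the acknowledgement of "." is slow, and with the sender's timeout shorter than that delay each retry deposits one more copy. The number of copies equals the retry count, which is why the victims on the list see "on the order of 25". Tracking Message-IDs already delivered lets the receiving side collapse the repeats even while the underlying slowness is being diagnosed.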
