Subject: RISKS DIGEST 14.35
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest   Tuesday 23 February 1993   Volume 14 : Issue 35

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Seeing red over valentine envelopes (Luis Fernandes)
KIO diskettes stolen from Spanish Government (Miguel Gallardo)
Citibank outage (Marty Leisner)
Japanese Bank Hit By Phone Fraud (John Mello)
Long Distance..Is the next best thing to praying there (Paul Robinson)
Re: _Friendly Spies_ (Sean Matthews)
Re: The "Information America" service (John Pettitt)
MIT's on-line Student Information Services (SIS) (Jonathan I. Kamens)
Re: Tapping Phones (Mark W. Schumann)
1st ACM Conference on Computer and Communications Security (Dorothy Denning)
Call for Papers: Computer Security Applications Conference (Marshall D. Abrams)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Sat, 13 Feb 93 20:46:50 EST
From: elf@ee.ryerson.ca (luis fernandes)
Subject: Seeing red over valentine envelopes

The following appeared in the Feb. 13, 1993 issue of the "Toronto Star":

Edmonton (CP) -- It's that time of year again when love is in the air and Canada Post is seeing red. Red envelopes, that is.

That's because the computerized mail sorting machines, which can process 33,000 letters an hour, have trouble reading addresses off the red envelopes popular for Valentine's Day greetings, a Canada Post spokeswoman says.

"We in Canada have some of the most technically advanced machinery in the world," Teresa Williams says. "And while it's not impossible for them to read red envelopes, some of them can present a bit of a challenge."

If your valentine card hasn't arrived, it may have been delayed in the mail-sorting process, Williams says. A reminder for next year: white envelopes should be used instead. "Or put a white sticker on a red envelope," Williams suggests.

Meanwhile Hallmark Cards Inc., based in the United States, is complying with a U.S. Postal Service request to stop producing dark-colored envelopes over the next couple of years. U.S. machines can't read them either.

------------------------------

Date: Wed, 10 Feb 1993 15:52:04 UTC+0100
From: "(Miguel Gallardo)"
Subject: KIO diskettes stolen from the Spanish Government

During the night of 5 February 1993, 18 diskettes were stolen from the Ministry of Economy and Taxes in Madrid, Spain. All the diskettes contained information on international funds transferred by Kuwait Investment Office (KIO) since 1988.
The situation of this large group of chemical, building and real estate companies in Spain is very complex, because many of them are in bankruptcy, the Spanish Government paid a lot of money to support this industry, there are thousands of people losing their jobs, and the present managers of KIO in Spain have demanded the old jobs at the Court, because of money fraud and political corruption.

Javier De la Rosa, Fouad K. Jaffar and Mohamed al Sabah are the names related to it that appear every day in several press items that compare their management with Michael Milken (convicted), John H. Gutfreund, Donald M. Feurstein (Salomon Inc) and other Securities & Exchange Commission affairs in the USA. But they control many journalists here, thanks to the singer Julio Iglesias' ex-manager, and now Javier De la Rosa's speaker [spokesman?], Alfredo Fraile.

The Government Minister, Carlos Solchaga, told the press that he thinks the goal of the thief is to sell this information to the press, and to discredit HIM. He advised journalists not to buy this interesting digital information, because legal prosecution will be ordered if anything is published.

On the other side, Javier De la Rosa told the journalists that there is a mafia in the Spanish bureaucracy that stole the diskettes. But this is not a clever idea, because it is not necessary to steal something that can be easily diskcopied.

What is much more interesting is that KIO has nothing to say, and that a Spanish Justice refused to accept its demand because there was not enough information enclosed. It seems that they did not find a computer expert able enough to look for financial scandal data in the computers and back-ups now owned by them.

IMHO, everybody has too many things to hide in this sad story.

Miguel A. Gallardo Ortiz, PX86 Engineer, UNIX&C freelance working on RSA crypto
Fernando Poo, 16 (Proyecto X86), E - 28045 Madrid (Spain)
Tel: (341) 474 38 09 - FAX: 473 81 97   E-mail: gallardo@batman.fi.upm.es

------------------------------

Date: Tue, 23 Feb 1993 08:03:35 PST
From: leisner@eso.mc.xerox.com (Marty Leisner 71348 )
Subject: Citibank outage

"Software Problem Halts Citibank's Automatic Tellers for 4 Hours" -- Sunday NY Times, page 43 Metro, February 14, 1993. About 7 column inches.

Citibank's 1200 ATMs went down (refused to dispense cash or complete transactions) from 10 AM to 2 PM on Saturday because of "a software glitch" when new software was being installed...

marty   leisner@eso.mc.xerox.com   leisner.henr801c@xerox.com

------------------------------

Date: Tue, 23 Feb 93 14:20:38 PST
From: John Mello
Subject: Japanese Bank Hit By Phone Fraud

The Boston Business Journal, February 1993

A Boston branch of the Daiwa Bank Ltd., the 25th largest bank in the world, was victimized by prison inmates with a gift for social engineering, according to the Boston Business Journal. The inmates placed collect calls to the Daiwa switchboard, identified themselves as telephone repairmen, and said they could fix the company's telephone problems by being connected to an outside line. Once connected to an outside line, the cons made long-distance calls, sticking Daiwa with the tab. Some of the calls were to sex hotlines.

Hospitals in the Boston area were some of the first victims of this form of phone fraud, the newspaper reported. Inmates treated at the hospitals would memorize employees' names or use the names of physicians who appeared on TV to con operators into giving inmates access to outside lines. Once the operators got wind of what was happening, though, the hospitals were able to clamp down on the problem. One inmate, impersonating a doctor who appeared on TV the previous day, gave himself away by referring to himself by the title "doctor."
The operator knew the physician always identified himself by his first name. The last thing the jailbird heard before the operator hung up on him was, "I suggest you speak to the warden about that."

------------------------------

Date: Tue, 23 Feb 1993 13:39:44 -0500 (EST)
From: Paul Robinson
Subject: Long Distance..Is the next best thing to praying there

From the {Washington City Paper} of Feb 19-25, page 18:

News of the Weird by Chuck Shepard:

"In January, Israel's national telephone company initiated a fax service that transmits messages to God via the Wailing Wall in Jerusalem. In May, the Roman Catholic Church will unveil a high-tech confessional at a trade show in Vincenza, Italy, that will accept confessions by fax. And in December, a sect of Orthodox Jews in Brooklyn, NY began selling its members special beepers so they will know instantly when the Messiah arrives on earth."

And there is precedent for a response, I guess:

"Your Majesty, I have a message from God for you." - Judges 3:20

Paul Robinson -- TDARCOS@MCIMAIL.COM

   [Hopefully, the Messiah will not arrive on the Sabbath, although there might be a question as to whether the beeper is actually being USED as long as it does NOT trigger. Confessions by EMail should be easy to set up. L.A. has long had drive-through churches; I suppose services via on-line interactive multimedia X-window conferencing cannot be far behind. But watch out for a hi-tech Allah McGordo bombshell in virtual reality. PGN]

------------------------------

Date: Tue, 23 Feb 93 09:34:39 +0100
From: "Sean Matthews"
Subject: re: _Friendly Spies_ (Wayner, RISKS-14.34)

Consider this a balancing comment on the economic risk of incorporating American technology (it is also tangentially relevant to the original discussion about export restrictions on US cryptographic technology).
I don't doubt that the French, German or British intelligence services carry out occasional industrial espionage for their local industries (certainly, I have seen reports of British intelligence doing this in the British press). However, to balance this (lest anyone think from the above that the US is somehow more virtuous in these things, and does not behave in such an underhanded, ungentlemanly, or even, dare I say it, nefarious, manner) I should point out that there are, or at least were, when I still lived there, regular complaints in the British press from firms trying to sell technology that contained US-made components to, say, China, only to find, first, that the US Department of Trade prohibited the sale on strategic grounds, and second, that identical technology was suddenly no longer strategic when it was offered by some US company that had mysteriously heard about the British deal, and was able to close it instead.

Sean

------------------------------

Date: Tue, 23 Feb 1993 16:54:41 GMT
From: jpettitt@well.sf.ca.us (John Pettitt)
Subject: Re: The "Information America" service

Information America does a lot more than is described in the post (I have not seen the Mondo article yet). I know one of their sales people (well, ex: she quit just before Christmas). Their prime selling strategy to lawyers seems to be in competition with Lexis, Nexis (sp?) and Dialog (all large online database services). The idea is that the lawyer (or more correctly a paralegal) can research case law on line in a fraction of the time it would take in the law library. They have all US court cases on line (local & federal).

I don't think there is any "dark" intent in the lack of publicity for IA, more that they just don't see value in advertising to people who are not going to buy their service.

As to the other services they provide, what is the problem? We live in an information society.
If you don't want people using and tracking information, don't give it to them (i.e., go live some place where there are no phones or credit cards).

[ P.S. I am CEO of a direct response marketing company so I'm biased :-) ]

John

   [I presume there will be comments about a person's not having to give the information to them for it to be there -- whether it is right or wrong! Subsequent discussion might better belong in the PRIVACY groups noted in RISKS-14.34. PGN]

------------------------------

Date: Wed, 10 Feb 93 18:19:20 -0500
From: "Jonathan I. Kamens"
Subject: MIT's on-line Student Information Services (SIS)

(Re: "Anyone can get your U. of Illinois transcript" in RISKS-14.31)

MIT recently put on-line a new service, SIS, through which students can access data in the registrar's database, including both personal and confidential data about their own status and general data such as course schedules.

SIS is worth mentioning here, in response to Carl Kadie's message about problems with a similar system at the University of Illinois, because (in my opinion) SIS is a good example of system designers taking security issues seriously enough and doing a good job of meeting security needs.

In order to use SIS to access personal data, a user must first register an "extra" password with the Kerberos database. The program that registers this password does so by transmitting it to the Kerberos server in encrypted form (using a key derived from the user's main Kerberos principal, for which he already has a password) so that it isn't exposed to the network.

The assumption that led to the extra-password requirement is that people already have the mindset that it's OK to share their accounts (i.e., their main Kerberos principal password) with other people, so that name/password pair is not sufficient authentication.
The documentation about SIS, and the prompting that takes place when the user chooses an extra password, make it very clear that this password should be treated more securely by the user, and that if the user sees fit to give it to others, that user is giving those others access to his personal data in the registrar's database.

Once the user has registered for an extra password, he still can't access personal data in the registrar's database immediately. A notification is mailed, by U.S. Mail, to the address for the user in the registrar's database. About a week after that notification is received by the user, the password actually becomes active and the user can access personal data on-line. Obviously, this second safeguard is to protect against the possibility of a user registering another user's extra password. The notification mailed to the user explains in detail what it's about, and tells the user whom to contact if he *did not* register an extra password.

I suspect that an extra password does not become valid if the paper mail notification is returned by the post office (i.e., is not successfully delivered to the user). Granted, the time given for the notification to be returned by the post office probably isn't sufficient for all failed deliveries, but I think that the probability of a notification not being delivered properly to someone whose extra password was illicitly registered by someone else is sufficiently low that this is not a concern.

Once a user's extra password becomes valid, he must type this password each time he wants to use the SIS service to access personal data (and he must already have valid Kerberos tickets for his main principal). The Kerberos tickets thus acquired are used to establish a Kerberos-authenticated network connection to the machine on which the registrar's database resides. Furthermore, the session key created while establishing that connection is used to encrypt all personal data sent over the network.
There is one more safeguard to prevent security breaches of the database. The SIS protocol does not allow for direct modification of the database on the SIS server. Most data in the system can't be modified through it at all; instead, users must talk to the registrar directly to effect changes. The data that *can* be modified is mostly MIT directory information, e.g., term address and phone numbers, and when a user requests modifications to that data, the modifications are stored and manually eyeballed for sanity by the registrar before actually being fed into the system.

Finally, just in case there is some possibility that someone might manage to break into the database machine (although it's pretty fortress-like in its configuration :-), that machine is not actually the "home location" of the registrar's database. It's a copy that is updated by SneakerNet (a tape carried from the registrar's office) regularly. The registrar's computer is on a subnet that is isolated from most of the campus network (and that is certainly more paranoid about who gets to connect to it than the rest of the campus network).

As you can see, I think that the people who designed and implemented SIS did a good job of meeting security concerns. Their only mistake was using Motif for the UI :-).

Jonathan Kamens   Aktis, Inc.   jik@Aktis.COM

------------------------------

Date: Sat, 20 Feb 1993 14:24:03 EST
From: "Mark W. Schumann"
Subject: re: Tapping Phones (Cohen, RISKS-14.33)

Fred Cohen writes in RISKS v14n33:

! 3 - The best encryption in the world won't make you very safe if you
!dial into CompuServe (NOTE I AM NOT CITING COMPUSERVE AS AN ACTUAL PERPETRATOR
!BUT RATHER AS A CONVENIENT NAME-RECOGNITION IDENTIFIER FOR THE LARGER CLASS OF
!SUCH SERVICES) from your PC to send the information. ...

You're perpetuating a security scare that has no basis in fact. Prodigy, the latter service you mention, requires the use of its own front-end program on your PC. You cannot use Prodigy without it.
Since this front-end program executes on your PC, it does have the potential for the abuse you mention. I personally do not use Prodigy in part because of this security loophole.

On the other hand, other communication services, such as Compuserve, do not have this questionable "feature" at all. You dial Compuserve from your PC with a communications program of your choice. At all times the contents of your memory and hard drive are under the complete control of your CPU and communications program.

You are probably thinking of the "Quick B" transfer protocol which appears to allow Compuserve to "take over" your PC to run both ends of a file upload/download. (A similar sequence occurs with the popular ZMODEM protocol.) This is not really so; Compuserve actually sends only an ENQ (05) character to the PC, which is interpreted by your comm program as a request to begin a file transfer. Again, the PC's memory and hard drive are still under the control of your own comm program, not Compuserve. Most comm programs, such as Telix and Crosstalk, can be configured to ignore ENQ and require the PC user to execute the transfer command manually.

Bottom line: No online service can cause your PC to execute code that is not in the PC's memory space, Prodigy notwithstanding.

Mark W. Schumann / 3111 Mapledale Avenue / Cleveland, Ohio 44109-2447 USA
Domain: mark@whizbang.wariat.org   CIS: 73750,3527

------------------------------

Date: Tue, 9 Feb 93 11:29:05 EST
From: denning@cs.cosc.georgetown.edu (Dorothy Denning)
Subject: 1st ACM Conference on Computer and Communications Security

******* 1st ACM Conference on Computer and Communications Security *******
                      Nov 3-5 1993, Fairfax, Virginia

Sponsor: ACM SIGSAC
Hosts: Bell Atlantic and George Mason U
In cooperation and participation from:
  International Association of Cryptologic Research
  IEEE Communications Society TC on Network Operations and Management
  IEEE Computer Society TC on Security and Privacy

                      C A L L   F O R   P A P E R S

Topics of interest
==================

The purpose of this new conference is to bring together researchers and practitioners of computer and communication security. The emphasis is on the security requirements of the industrial and commercial sectors, e.g. telecommunications, finance, banking, etc. The primary focus is on high quality original unpublished research, case studies and implementation experiences. We also encourage submission of papers addressing the social and legal aspects of security. Conference proceedings will be published by ACM. Selected papers, with suitable revisions, will be considered for publication in upcoming special issues of the Communications of the ACM and IEEE Communications Magazine.

Topics of interest include:

Communications & Information Security: Theory and Techniques
  Access Control        Cryptanalysis         Digital Signatures    Intrusion Detection
  Audit                 Cryptosystems         Formal Models         Randomness
  Authentication        Crypto. Prtcls        Hash Functions        Viruses and Worms
  Authorization         Database Sec.         Integrity             Zero Knowledge

Applications, Case Studies & Experiences
  Cellular and Wireless   LAN Security            Security APIs     Smart Cards
  Electronic Commerce     Network Firewalls       Security Arch.    Telecom. Sec.
  Enterprise Security     Open Systems Security   Security Mgmt.    WAN Security

Social and Policy Issues
  Cryptographic standards   Legal Issues   Information Priv.   Tech. Export

Instructions for Authors
========================

Authors should submit five copies of their papers to Ravi Ganesan at the address below by May 15, 1993. Papers should not exceed 7500 words (approx. 15 single spaced pages of 11pt), and should not have been published or submitted elsewhere. As the review process will be anonymous, names and affiliations of authors should appear only on a separate cover sheet. Authors will be notified of review decisions by July 15, 1993. Camera ready copies of accepted papers are due back by August 15, 1993 for inclusion in the Conference proceedings.

Program Committee
=================

Victoria Ashby, MITRE
Steve Bellovin, AT&T Bell Labs.
Whitfield Diffie, SUN Microsystems
Taher El Gamal, RSA
Deborah Estrin, Univ. of Southern CA
Joan Feigenbaum, AT&T Bell Labs.
Virgil Gligor, Univ. of Maryland
Li Gong, ORA Corp.
Richard Graveman, Bellcore
Sushil Jajodia, George Mason U
Paul Karger, GTE
Carl Landwehr, NRL
E. Stewart Lee, Univ. of Toronto
Giancarlo Martella, Univ. of Milan
Michael Merritt, AT&T Bell Labs
Jonathan Millen, MITRE
Clifford Neuman, USC Info. Sci. Inst.
Steven Rudich, CMU
Rainer Rueppel, R3 Security Engg.
Eugene Spafford, Purdue Univ
Jacques Stern, DMI-GRECC
Michael Wiener, BNR
Yacov Yacobi, Bellcore

Organizers
==========

General Chairs:

  Dorothy Denning
  Georgetown U
  Reiss 225
  Georgetown, DC 20057
  denning@cs.georgetown.edu

  Raymond Pyle
  Bell Atlantic
  7th Floor, 11720 Beltsville Drive
  Beltsville, MD 20705
  rpyle@socrates.bell-atl.com

Program Chairs:

  Ravi Ganesan
  Bell Atlantic
  7th Flr, 11720 Beltsville Drive
  Beltsville, MD 20705
  ravi@socrates.bell-atl.com
  Ph#: (301) 595-8439

  Ravi Sandhu
  George Mason U
  ISSE Dept.
  Fairfax, VA 22030
  sandhu@sitevax.gmu.edu

Proceedings Chair and Treasurer:

  Victoria Ashby
  MITRE
  7525 Coleshire Drive
  McLean, VA 22102
  ashby@mitre.org

Local Arrangements Chair:

  Catherine Hoover
  George Mason U
  Center for Professional Development
  Fairfax, VA 22030
  Ph#: (703) 993-2090

------------------------------

Date: Mon, 22 Feb 93 15:30:48 EST
From: Marshall D. Abrams
Subject: Call for Papers: Computer Security Applications Conference

                    CALL FOR PAPERS AND PARTICIPATION
           Ninth Annual Computer Security Applications Conference
                         December 6 - 10, 1993
                  Orlando Marriott International Drive
                           Orlando, Florida

The Conference

The Information Age is upon us, along with its attendant needs for protecting private, proprietary, sensitive, classified, and critical information. The computer has created a universal addiction to information in the military, government, and private sectors. The result is a proliferation of computers, computer networks, databases, and applications empowered to make decisions ranging from the mundane to life threatening or life preserving.

Some of the computer security challenges that the community is faced with include:

* To design architectures capable of protecting the sensitivity and integrity of information, and of assuring that expected services are available when needed.
* To design safety-critical systems such that their software and hardware are not hazardous.
* To develop methods of assuring that computer systems accorded trust are worthy of that trust.
* To build systems of systems out of components that have been deemed trustworthy.
* To build applications on evaluated trusted systems without compromising the inherent trust.
* To apply to the civil and private sectors trusted systems technologies designed for military applications.
* To extend computer security technology to specifically address the needs of the civil and private sectors.
* To develop international standards for computer security technology.

This conference will attempt to address these challenges. It will explore a broad range of technology applications with security and safety concerns through the use of technical papers, discussion panels, and tutorials.

Technical papers, panels and tutorials that address the application of computer security and safety technologies in the civil, defense, and commercial environments are solicited. Selected papers will be those that present examples of in-place or attempted solutions to these problems in real applications; lessons learned; original research, analyses and approaches for defining the computer security issues and problems. Papers that present descriptions of secure systems in use or under development, or papers presenting general strategy, or methodologies for analyzing the scope and nature of integrated computer security issues; and potential solutions are of particular interest.

Papers written by students that are selected for presentation will also be judged for a Best Student Paper Award. A prize of $500, plus expenses to attend the conference, will be awarded for the selected best student paper (contact the Student Paper Award Chairperson for details, but submit your paper to the Technical Program Chairperson).

Panels of interest include those that present alternative/controversial viewpoints and/or those that encourage "lively" discussion of relevant issues. Panels that are simply a collection of unrefereed papers will not be selected.

INSTRUCTIONS TO AUTHORS:

Send five copies of your paper or panel proposal to Ann Marmor-Squires, Technical Program Chairman, at the address given below. Since we provide blind refereeing, we ask that you put names and affiliations of authors on a separate cover page only. Substantially identical papers that have been previously published or are under consideration for publication elsewhere should not be submitted.
Panel proposals should be a minimum of one page that describes the panel theme and the appropriateness of the panel for this conference, as well as identifies the panel participants and their respective viewpoints.

Send one copy of your tutorial proposal to Daniel Faigin at the address given below. It should consist of a one- to two-paragraph abstract of the tutorial, an initial outline of the material to be presented, and an indication of the desired tutorial length (full day or half day). Electronic submission of tutorial proposals is preferred.

Completed papers as well as proposals for panels and tutorials must be received by May 18, 1993. Authors will be required to certify prior to June 19, 1993, that any and all necessary clearances for public release have been obtained; that the author or qualified representative will be represented at the conference to deliver the paper, and that the paper has not been accepted elsewhere. Authors will be notified of acceptance by July 31, 1993. Camera ready copies are due not later than September 18, 1993.

Material should be sent to:

  Ann Marmor-Squires
  Technical Program Chair
  TRW Systems Division
  1 Federal Systems Park Dr.
  Fairfax, VA 22033
  (703) 803-5503
  marmor@charm.isi.edu

  Daniel Faigin
  Tutorial Program Chair
  The Aerospace Corporation
  P.O. Box 92957, MS M1/055
  Los Angeles, CA 90009-2957
  (310) 336-8228
  faigin@aero.org

  Ravi Sandhu
  Student Paper Award
  George Mason Univ.
  ISSE Dept.
  Fairfax, VA 22030-4444
  (703) 993-1659
  sandhu@gmuvax2.gmu.edu

Areas of Interest Include:

  Trusted System Architectures
  Software Safety Analysis and Design
  Current and Future Trusted Systems Technology
  Encryption Applications (e.g., Digital Signature)
  Application of Formal Assurance Methods
  Risk/Hazard Assessments
  Security Policy and Management Issues
  Trusted DBMSs, Operating Systems and Networks
  Open Systems and Composed Systems
  Electronic Document Interchange
  Certification, Evaluation and Accreditation

Additional Information

For more information or to receive future mailings, please contact the following at:

  Dr. Ronald Gove
  Conference Chairman
  Booz-Allen & Hamilton
  4330 East-West Highway
  Bethesda, MD 20814
  (301) 951-2395
  gover@jmb.ads.com

  Diana Akers
  Publicity Chair
  The MITRE Corporation
  7525 Colshire Dr.
  McLean, VA 22102
  (703) 883-5907
  akers@mitre.org

------------------------------

End of RISKS-FORUM Digest 14.35
************************
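The extra-password lifecycle that Jonathan Kamens describes for MIT's SIS above (registration, a mailed notice to the address on file, activation only after a grace period, and personal-data queries gated on both valid Kerberos tickets and the extra password, with directory edits queued for the registrar rather than applied) is modelled here as an added simulation; it is not MIT's code. The seven-day period, the salted PBKDF2 storage, the day-number clock and all names are assumptions.

```python
"""Simulation of the SIS 'extra password' policy from Kamens' RISKS post.
Added illustration, not MIT code; GRACE_DAYS, the hash scheme and names
are assumptions.  Time is a plain day number so the model needs no clock."""

from dataclasses import dataclass
import hashlib
import hmac
import os

GRACE_DAYS = 7          # assumed; the post says "about a week"
PBKDF2_ROUNDS = 50_000  # assumed; any slow salted hash would do


@dataclass
class ExtraPassword:
    salt: bytes
    digest: bytes
    registered_day: int              # day the extra password was registered
    notice_returned: bool = False    # post office could not deliver the notice
    disputed: bool = False           # addressee reported not registering it


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SisRegistry:
    """Extra-password state and the access decision, keyed by Kerberos principal."""

    def __init__(self) -> None:
        self._records: dict[str, ExtraPassword] = {}
        self.pending_changes: list[tuple[str, dict]] = []  # registrar reviews these

    def register_extra_password(self, principal: str, password: str, day: int) -> None:
        # The real client ships the password to Kerberos encrypted under a key
        # derived from the main principal; here only a salted hash is retained.
        salt = os.urandom(16)
        self._records[principal] = ExtraPassword(salt, _hash(password, salt), day)
        # Registration also triggers the paper notice to the address on file.

    def notice_returned(self, principal: str) -> None:
        # Undeliverable notice: the password never becomes valid.
        self._records[principal].notice_returned = True

    def dispute(self, principal: str) -> None:
        # The notice says whom to contact if the addressee did not register it.
        self._records[principal].disputed = True

    def is_active(self, principal: str, day: int) -> bool:
        rec = self._records.get(principal)
        if rec is None or rec.disputed or rec.notice_returned:
            return False
        return day >= rec.registered_day + GRACE_DAYS

    def authorize_personal_data(self, principal: str, extra_password: str,
                                has_valid_tickets: bool, day: int) -> tuple[bool, str]:
        """Decide whether a personal-data query may proceed; returns (ok, reason)."""
        if not has_valid_tickets:
            return False, "no valid Kerberos tickets for the main principal"
        rec = self._records.get(principal)
        if rec is None:
            return False, "no extra password registered"
        if not self.is_active(principal, day):
            return False, "extra password not active (grace period, returned notice or dispute)"
        if not hmac.compare_digest(_hash(extra_password, rec.salt), rec.digest):
            return False, "extra password mismatch"
        return True, "ok"

    def request_directory_change(self, principal: str, extra_password: str,
                                 has_valid_tickets: bool, day: int, change: dict) -> bool:
        """Directory edits are queued for the registrar, never written directly."""
        ok, _ = self.authorize_personal_data(principal, extra_password, has_valid_tickets, day)
        if ok:
            self.pending_changes.append((principal, change))
        return ok


if __name__ == "__main__":
    reg = SisRegistry()
    reg.register_extra_password("student", "correct horse", day=0)
    for d in (0, 6, 7):
        print(d, reg.authorize_personal_data("student", "correct horse", True, d))
```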