Subject: RISKS DIGEST 16.02
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 3 May 1994  Volume 16 : Issue 02

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

  Contents:
NEW YORKER article on library automation (Jon Jacky)
Information Warfare: GM vs VW (Mich Kabay)
TechWar: Cell Phone Jamming (Mich Kabay)
Green Card Con Artists Exposed! (Bonnie L. Mahon via D.R. Hilton)
New firewalls book - a great risk reducer (Ray Kaplan)
Re: Drunk in charge (John Simutis, Andy Ashworth, Dan Astoorian)
Boot Prom commits Denial of Service Attack (Butch Deal)
Staying Informed of Security & Privacy Issues (David Johnson)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Mon, 2 May 1994 21:10:10 -0700
From: Jon Jacky
Subject: NEW YORKER article on library automation

The April 4, 1994 issue of the NEW YORKER had a long article by Nicholson
Baker on library automation: "ANNALS OF SCHOLARSHIP: Discards". It runs from
pages 64 through 87. My issue also came with a flyer stapled to the cover
with the headline, "THE TRASHING OF AMERICA'S GREAT LIBRARIES."

Baker reports that when most libraries replace their paper card catalogs with
on-line systems, they simply discard the card catalogs. Baker argues that the
card catalogs are an irreplaceable resource, and contain much scholarly
content which is not carried over into the new systems. Baker also argues
that the on-line systems often suffer from poor data quality, and make some
kinds of searches (particularly subject searches) more difficult.

RISKS readers will find much of interest about the difficulties of
maintaining integrity and consistency in very large databases.
Baker reports one instance where all instances of "Madonna" were replaced
with "Mary, Blessed Virgin, Saint," causing reclassification of recent works
by Ms. Ciccone.

Some letters responding to the article appear in the May 2, 1994 NEW YORKER.

- Jon Jacky, jon@radonc.washington.edu, University of Washington, Seattle

------------------------------

Date: 03 May 94 09:19:36 EDT
From: "Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
Subject: Information Warfare: GM vs VW (cont'd)

From the Reuter newswire via Executive News Service on CompuServe (GO ENS):

"BONN, April 30 (Reuter) - The German car manufacturer Volkswagen, accused by
rival Opel of industrial espionage, on Saturday denied a magazine report that
incriminating material had been found in the office of an employee.

Der Spiegel magazine said on Saturday prosecutors found a computer disc
containing plans for a high-tech small car factory in the office of Jaero
Arthur Wicker, office manager of production head Jose Ignacio Lopez de
Arriortua."

The article continues with the following key points:

o Lopez used to work for General Motors; he's accused of having stolen
  confidential files when he was hired by VW.

o VW claims the disk has plans submitted to both GM and VW and rejected by
  both companies.

o The situation is under investigation by both German and US authorities.

o The newest scuttlebutt is that GM has asked German prosecutors to
  investigate daughter Begona Lopez, whom they accuse of having stolen a disk
  containing information on cost reductions at GM.

[Comments by MK: sounds like a tabloid newspaper's version of a rivalry
between movie stars.]

Michel E. Kabay, Director of Education, National Computer Security Assn

   [That would be a REALLY SMALL car factory if it were to fit into the office
   of Jaero Arthur Wicker, Jaerodynamically at least.
   PGN]

------------------------------

Date: 03 May 94 09:19:40 EDT
From: "Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
Subject: TechWar: Cell Phone Jamming

From the Reuter newswire via Executive News Service on CompuServe (GO ENS):

"KINSHASA, April 30 (Reuter) - Zaire's main cellular telephone company, at
loggerheads with a rival firm trying to muscle in on its territory, said on
Saturday its signals were being deliberately jammed.

Jim Galan, head of coordination at Telecel, said five or six microwaves had
been trained on its main antenna for the last four days, drowning out many
calls made from central Kinshasa."

The article explains that the jamming is making cellular phone use impossible
for Telecel's 4000 Kinshasa users. It is generally believed that a new
company, Comcell, which is supported by the Zairian government, is using the
frequencies originally assigned to Telecel by that same government. Legal
action is in the works.

[MK comments: RISKS of doing high-tech business where the rule of law is
weak. Example of Information Warfare a la Winn Schwartau.]

Michel E. Kabay, Director of Education, National Computer Security Assn

------------------------------

Date: Mon, 2 May 1994 20:02:25 GMT
From: rosidivi@rintintin.Colorado.EDU (J Doe)
Subject: Disbarrable under Tenn. Code (Canter/Seigel)
Reply-To: drhilton@kaiwan.com
Subject: Green Card Con Artists Exposed!
Keywords: green card canter lawyers

For Immediate Release
October 13, 1988

Contact: Bonnie L Mahon
The Florida Bar Tampa Office
Telephone: 813/875-9821

SUPREME COURT GRANTS ATTORNEY'S PETITION TO RESIGN PERMANENTLY

TALLAHASSEE, Oct. 13 -- The Florida Supreme Court has granted attorney
Laurence A. Canter's petition to resign permanently, effective November 7,
1988. Canter, of 240 North Washington Boulevard, Sarasota, was charged with
numerous violations of the attorney disciplinary rules including neglect,
misrepresentation, misappropriation of client funds and perjury.
Several of the complaints against Canter involved his failure to file the
necessary or appropriate documents with the United States Immigration and
Naturalization Service in matters of permanent residency and work visas. In
addition, Canter refused to refund clients' funds and neglected to notify his
clients that he had been suspended from the practice of law as a result of a
previous discipline.

The Florida Bar further alleges that Canter committed perjury by filing a
false affidavit with the Bar and while testifying under oath in a deposition.
These charges resulted after an audit of Canter's trust account by the Bar
showed that trust funds were held in Canter's account during the time period
when he denied any funds were present.

Canter was born in 1953 and admitted to The Florida Bar in 1980.

The resignation without leave to apply is not final until time expires to
file a motion for rehearing and, if filed, determined. The filing of a motion
for rehearing shall not alter the effective date of this resignation.

As an official agency of the Supreme Court of Florida, The Florida Bar and its
Department of Lawyer Regulation are charged with the administration of a
statewide disciplinary system to enforce Supreme Court rules of professional
conduct for all lawyers.

------------------------------

Date: Mon, 2 May 1994 23:51:07 -0700 (MST)
From: RayK
Subject: New firewalls book - a great risk reducer

Cross post to RISKS (via mail submission), comp.security.announce and
comp.protocols.tcp-ip news groups, and a few other various places. Sorry if
you see this more than once.

Re: Firewalls and Internet Security - Repelling the Wily Hacker.
Ray Kaplan - May 2, 1994

Buy this book!

Gentle folk,

Here is a risk reducer. With the wholesale rush to Internet connectivity,
it's about time someone sat down and wrote a good book about how to do this
exercise safely!
And, sure enough, Cheswick and Bellovin have done just that.

Heaping superlatives on something of which you are enamored is always
problematic - the possibility of overstatement looms large. Accordingly I'll
cut to the chase. Buy this book! I do not get any money for saying this - I
just believe you are well justified in getting it on your reading list -
today.

In May of this year, Addison Wesley is releasing an excellent new book by
Bill Cheswick and Steve Bellovin: Firewalls and Internet Security - Repelling
the Wily Hacker. ISBN 0-201-63357-4. It will retail for $26.95. Bulk
purchases: 800-238-9682, individual orders: 800-824-7799 (FAX 617-944-7273).
Email orders over the Internet from bexpress@aw.com (no they don't take
plastic via Email). For those that are net-challenged, U.S. snailmail orders
from Addison-Wesley, c/o Arlene Morgan, 1 Jacob Way, Reading, MA 01867 USA.

Rumors loom large that at least one of the authors (Ches?) will be at Interop
with copious quantities of this work of art. As dues of superlative
authorship that is destined to be popular, I hope they both get writer's
cramp autographing!

Details

While worthwhile, well written, pace-setting, technically astute works of art
are rare - this is certainly one of them. I am always hard pressed to
identify any one thing as unique in its decade (especially when the decade is
still in progress). Suffice it to say that this work is the most complete
treatment of firewall technology and experience that is available. The
availability of this work is exciting news for security firewall builders -
including Internet security firewall builders - and, for the great number of
people that seem to be befuddled by the complexity and the general issues of
interconnecting networks.
The book

While my review copy (well dog-eared, now) is a bit dated (March 7, 1994), I
think you can expect that it is close to the book's final form: a standard
(w=7.5in, h=9in) Addison-Wesley Professional Computing Series book like the
ones that should already dot your shelves. (I don't get any money for my
obvious favorable bias toward this series. My bias is born out of the fact
that the series (Brian Kernighan is the consulting editor for it) contains
great authors and titles like Radia Perlman's Interconnections - Bridges and
Routers and Richard Stevens' TCP/IP Illustrated, Volume I - The Protocols.)

305 pages in 14 chapters, appendices, a bibliography, a list of "bombs"
(security holes) and an index.

Out of the box, the authors set the tone for their work by quoting F.T. Gramp
and R.H. Morris:

  "It is easy to run a secure computer system. You merely have to disconnect
  all dial-up connections and permit only direct-wired terminals, put the
  machine and the terminals in a shielded room, and post a guard at the door."

This is followed by a detailed discussion of the art and science of building
a firewall. There is so much good stuff here, that all I can do is list the
book's contents - lest I write a tome which distracts you from picking up a
copy of it ASAP.

Chapters and content - from the table of contents.

Getting started

  Introduction
  - Why security?
  - Picking a security policy
  - Strategies for a secure network
  - The ethics of computer security
  - Warning

  Overview of TCP/IP
  - The different layers
  - Routers and routing protocols
  - The Domain name service
  - Standard services
  - RPC-based protocols
  - The "r" commands
  - Information services
  - The X-11 service
  - Patterns of trust

Building your own firewall

  Firewalls and gateways
  - Firewall philosophy
  - Situating firewalls
  - Packet-filtering gateways
  - Application-level gateways
  - Circuit-level gateways
  - Supporting inbound services
  - Tunnels - good and bad
  - Joint Ventures
  - What firewalls can't do

  How to build an application-level gateway
  - Policy
  - Hardware configuration options
  - Initial installation
  - Gateway tools
  - Installing services
  - Protecting the protectors
  - Gateway administration
  - Safety analysis - why our setup is secure and fail-safe
  - Performance
  - The TIS firewall toolkit
  - Evaluating firewalls
  - Living without a firewall

  Authentication
  - User authentication
  - Host-to-host authentication

  Gateway tools
  - Proxylib
  - Syslog
  - Watching the network: Tcpdump and friends
  - Adding logging to standard daemons

  Traps, lures and honey pots
  - What to log
  - Dummy accounts
  - Tracing the connection

  The hacker's workbench
  - Introduction
  - Discovery
  - Probing hosts
  - Connection tools
  - Routing games
  - Network monitors
  - Metastasis
  - Tiger teams
  - Further reading

A look back

  Classes of attacks
  - Stealing passwords
  - Social engineering
  - Bugs and backdoors
  - Authorization failures
  - Protocol failures
  - Information leakage
  - Denial-of-service

  An evening with Berferd
  - Introduction
  - Unfriendly acts
  - An evening with Berferd
  - The day after
  - The jail
  - Tracing Berferd
  - Berferd comes home

  Where the wild things are: a look at the logs
  - A year of hacking
  - Proxy use
  - Attack sources
  - Noise on the line

Odds and ends

  Legal considerations
  - Computer crime statutes
  - Log files as evidence
  - Is monitoring legal?
  - Tort liability considerations

  Secure communications over insecure networks
  - An introduction to cryptography
  - The Kerberos authentication system
  - Link-level encryption
  - Network- and transport-level encryption
  - Application-level encryption

  Where do we go from here?

Appendices

  Useful free stuff
  - Building firewalls
  - Network management and monitoring tools
  - Auditing packages
  - Cryptographic software
  - Information sources

  TCP and UDP ports
  - Fixed ports
  - MBone usage

  Recommendations to vendors
  - Everyone
  - Hosts
  - Routers
  - Protocols
  - Firewalls

  Bibliography
  List of bombs
  Index

I have criticisms, complaints and suggestions. However, considering that this
is such a darn fine piece of work - I hasten to get my recommendation that
you buy this book out ASAP. Meantime, to whet your appetite:

- Index - a well done, 26 pages worth - you can actually find pointers to
  what you want to know! What a concept.
- TCP ports discussion - a comprehensive list and reasonable advice on what
  to do with them.
- Bombs - a summarized list of the 43 major security holes that they
  identify.
- Bibliography - Ahhhh. 19 pages of the best firewalls-related bibliography
  that I've seen.
- Where to from here - excellent advice for techies and managers who don't
  want to keep working at the job of firewalling or who simply want to spend
  a bit of resources on it only once.

Kudos to the authors - buy this book.

Of course - these are my own views, and they don't necessarily reflect those
of anyone - including my employer. However, in this case, they probably do.
Ray Kaplan
CyberSAFE, Corporation                         rayk@ocsg.com
Formerly Open Computing Security Group (OCSG)
(206) 883-8721  FAX at (206) 883-6951
2443 152nd Ave NE, Redmond, WA 98052
Better living through authentication

------------------------------

Date: Fri, 29 Apr 94 15:12:34 PDT
From: simutis@ingres.com (John Simutis)
Subject: Re: Drunk in charge (RISKS-15.80)

While I was a contract programmer at GM/EDS, there was an explicitly stated
policy: it was permissible to drink alcohol, as having a beer with lunch, but
ONLY if one did not plan to return to work that day. It was stated further
that we were obligated to give the customer our best work, and alcohol was
not consistent with that effort.

John Simutis, simutis@ingres.com  Alameda, California, USA

------------------------------

Date: Fri, 29 Apr 94 09:10:21 BST
From: Andy Ashworth
Subject: Re: drunk in charge...... (RISKS-15.80)

I understand that British Rail have a policy that no personnel who can affect
the safety of others are allowed to have alcohol in their bloodstream during
working hours - the penalty for violating this rule is, I think, dismissal.
This grouping includes engineering staff involved in the R&D of systems such
as signaling. This is more than just "drunk in charge of a computer"; this
is, sensibly IMHO, "being under the influence of alcohol while capable of
influencing the safety of others".

I hope that the next time I fly in a fly-by-wire aircraft or drive my
systems-heavy car I can have confidence that the developers of the systems
that could affect my safety applied a similar abstemious regime.

Andy Ashworth, Lloyd's Register, 29, Wellesley Road, Croydon CR0 2AJ
+44 (0)81 681 4723  Fax: +44 (0)81 681 4839  tcsaca@uk.co.lreg.aie

------------------------------

Date: Sun, 1 May 1994 11:31:00 -0400
From: djast@utopia.druid.com (Dan Astoorian)
Subject: drunk in charge... (RISKS-15.80)

Driving requires quick response time; electric work requires manual
dexterity.
Alcohol impairs both these things, and as noted, the dangers are obvious,
immediate, and tragic.

Software engineering requires very little in the way of fast responses or
manual dexterity, unless one considers an inordinate number of typos a
serious RISK. Moreover, the skills which *are* required to write software
tend to be more of the problem-solving variety. I don't dispute that alcohol
dulls these; however, when you take away one's problem solving skills, the
result is that the problem doesn't get solved.

I seem to vaguely recall an old study in which a group of people, some of
which had been given a couple of drinks, were called upon to solve arithmetic
problems of moderate difficulty, with no time limit. I believe the outcome
was that those who had had the drinks took much longer to finish the
problems, but their responses were *more* accurate than the teetotalers',
presumably due to their awareness that they were prone to make errors. (I
would therefore advise project managers to take Friday pub lunches into
account when setting deadlines.)

Incidentally, I'm not sure how one would distinguish between mistakes due to
being under-the-influence and those due to being under stress (perhaps due
to looming deadlines), or simple inexperience or incompetence, or even
honest-to-God oversights. If the QA system for critical systems doesn't
catch all such types of mistake, there's already a serious problem.
Obviously this is not intended as an argument against reducing the number of
errors to be found by QA, but still... a bug is a bug.

(I'm reminded of a phrase a colleague used to repeat: "Sure, alcohol kills
brain cells. But only the weak ones.")

Dan Astoorian, Mississauga, Ontario, Canada  djast@utopia.druid.com

------------------------------

Date: Fri, 29 Apr 1994 20:00:45 -0400
From: Butch Deal NRL
Subject: Boot Prom commits Denial of Service Attack

What is the risk here? People like to put blame on other systems all the
time.
I see this as only a matter of misconfiguration and miscommunication among
the different system admins. What do the DEC stations need to run tftp for?
Shouldn't they be logging in to a non-critical partition? Shouldn't the Suns
have a similar tcpwrapper installed? Maybe they should all log to some
central machine, with syslog maybe.

There could be several machines that can serve a diskless station. The
broadcast allows them to find the right one on the local network and come on
up. I do not think it is at all fair to try to blame a hardware manufacturer
because the equipment worked exactly as documented, but that happens not to
be the way you want it to work.

butch@keep.blackmagic.com  Butch Deal

------------------------------

Date: Mon May 02 10:23:44 1994
From: worldwid@uunet.uu.net (David Johnson)
Subject: Staying Informed of Security & Privacy Issues

STAYING INFORMED: Resources for Privacy Seekers & Computer Security Buffs

by David Johnson
(Copyright 1994 under the International & Pan-American Copyright Conventions)

Having conducted various types of security and investigative work that has
taken me to ten Asian countries, I am quite familiar with various obstacles
one must hurdle to obtain hard-to-find and elusive data. Even though our
computers are valuable tools, adopting a multi-faceted approach to
information gathering is the most effective way to cover all the angles. Use
this listing to build your own private intelligence network.

COMPUTER SECURITY PUBLICATIONS

Auerbach Data Security Management
Information Systems Security
210 South St.
Boston, MA 02111 USA
Voice: (800) 950-1218
Voice: (212) 971-5000
Fax: (617) 423-2026

Computer Security, Auditing & Controls
57 Greylock Rd.
Box 81151
Wellesley Hills, MA 02181 USA
Voice: (617) 235-2895

Computer Audit Update
Computer Fraud & Security Update
Computer Law & Security Report
Computers & Security
Crown House, Linton Rd., Barking
Essex IG11 8JU, England
Voice: (44) 81-5945942
Fax: (44) 81-5945942
Telex: 896950 APPSCI G
(North American distributor)
Box 882
New York, NY 10159 USA
Voice: (212) 989-5800

Computer Control Quarterly
1 Southbank Blvd., Level 8
S. Melbourne, Vic. 3205, Australia
Voice: (03) 6121666
Fax: (03) 6295609

Computer Security Alert
Computer Security Journal
600 Harrison St.
San Francisco, CA 94107 USA
Voice: (415) 905-2370
Fax: (415) 905-2234

Computer Security Digest
150 N. Main St.
Plymouth, MI 48170 USA
Voice: (313) 459-8787
Fax: (313) 459-2720

Computing & Communications
(Law & Protection Report)
Box 5323
Madison, WI 53705 USA
Voice: (608) 271-6768

Data Security Manual
Box 322
3300 AA Dordrecht, Netherlands
Voice: (31) 78-524400
Voice: (31) 78-334911
Fax: (31) 78-334254
Telex: 29245 KAPG
(North American Distributor)
Box 358
Hingham, MA 02018 USA
Voice: (617) 871-6600

Information Systems Security Monitor
U.S. Department of Treasury
Bureau of the Public Debt
AIS Security Branch
200 3rd St.
Parkersburg, WV 26101 USA
Voice: (304) 480-6355
BBS: (304) 480-6083

InfoSecurity News
498 Concord St.
Framingham, MA 01701 USA
Fax: (508) 872-1153

Journal of Computer Security
Van Diemenstraat 94
1013 CN Amsterdam, Netherlands
Voice: (31) 20-6382189
Fax: (31) 20-6203419
(North American distributor)
Box 10558
Burke, VA 22009 USA
Voice: (703) 323-5554

PRIVACY-RELATED PUBLICATIONS

Full Disclosure Magazine
Box 244
Lowell, MI 49331 USA
Voice: (800) 633-3274
Voice: (616) 897-7222
Fax: (515) 897-0705

International Privacy Bulletin
666 Pennsylvania Ave., S.E.
Washington, DC 20003 USA

Privacy and Security 2001
504 Shaw Rd., #222
Sterling, VA 20166 USA
Voice: (800) US-DEBUG
Voice: (703) 318-8600
Fax: (703) 318-8223

Privacy Journal
Box 28577
Providence, RI 02908 USA
Voice: (401) 274-7861

Privacy Laws and Business
Box 23
7400 GA, Deventer, Netherlands
Voice: (31) 57-0033155
Fax: (31) 57-0022244
Telex: 49295 KLUDV NL
(North American Distributor)
6 Bigelow St.
Cambridge, MA 02139 USA
Voice: (617) 354-0140

Privacy Times
Box 21501
Washington, DC 20009 USA
Voice: (202) 829-3660
Fax: (202) 829-3653

COMPUTER SECURITY ORGANIZATIONS

Center for Computer Law
1112 Ocean Dr.
Manhattan Beach, CA 90266 USA
Voice: (213) 372-0198

Computer Security Institute
360 Church St.
Northborough, MA 01532 USA
Voice: (617) 393-2600

Info Systems Security Assn.
Box 71926
Los Angeles, CA 90071 USA

Nat'l Center for Computer Crime Data
4053 JFK Library - CSULA
5151 State University Drive
Los Angeles, CA 90032 USA
Voice: (213) 225-1364

PRIVACY-RELATED RESOURCES

F.E.C., Inc.
P.O. Box 959
Centro Colon 1007-91/12-0695
San Jose, Costa Rica
(financial & personal privacy)

Eden Press
Box 8410
Fountain Valley, CA 92728 USA
Voice: (714) 556-2023
Fax: (714) 556-0721
(various books on privacy)

Consumertronics
Drawer 537, Alamogordo, NM 88310 USA
Voice: (505) 434-1778
Fax: (505) 434-0234
(technical invasion manuals)

Privacy Hotline
(800) 773-7748
(California only)
10am-3pm, M-F

*******************************************************************************
David Johnson                              2421 W. Pratt Boulevard, Suite 971
President, Worldwide Consultants           Chicago, Illinois 60645
Editor, Information Gatherer Newsletter    U.S.A.
International Investigator                 Tel: (800) 316-0801 (24 hrs.)
Security Consultant                        Fax (c/o World-Con): (908) 542-1266
Privacy Strategist                         E-mail: worldwid@uunet.uu.net

------------------------------

Date: 3 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible
and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA)
with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and
Government machines should contact (Dennis Rears). UK subscribers please
contact . Local redistribution services are provided at many other sites as
well. Check FIRST with your local system or netnews wizards. If that does not
work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them. Contributions will not be ACKed; the load is
too great. **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR>cd risks:<CR>"
Issue j of volume 16 is in that directory: "get risks-16.j". For issues of
earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits)
for Vol i Issue j. Vol i summaries in j=00. "dir" (or "dir [.i]") lists
(sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65];
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
WAIS and bitftp@pucc.Princeton.EDU are alternative repositories. risks-15.75
gives WAIS info.
FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving
it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info
regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS
COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375
if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.02
************************