Subject: RISKS DIGEST 14.66
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Tuesday 1 June 1993  Volume 14 : Issue 66

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 Contents:
Possible RISK in data retrieval? (Dale Drew)
X application to finger (Nandakumar Sankaran)
Re: Fake ATM Machine Steals PINs (Brinton Cooper)
COMPASS '93 ANNOUNCEMENT (14-17 June) (Dolores Wallace) [Extended Early Reg]

The RISKS Forum is a moderated digest discussing risks; comp.risks is its
Usenet counterpart.  Undigestifiers are available throughout the Internet,
but not from RISKS.  Contributions should be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to [email protected], with appropriate, substantive
"Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
especially .UUCP folks.  REQUESTS please to [email protected].

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300
(or send FAX to RISKS at 310-455-2364, or EMail to [email protected]).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 20 May 93 12:26:27 PDT
From: [email protected] (Dale Drew)
Subject: Possible RISK in data retrieval?

Has anybody seen this?  I can foresee many potential risks in an on-line
data retrieval system involving Probationers.  How do the Probation Officers
call in to check or (:gasp:) update their data?  I've asked BI Inc., but
have not heard a reply:


  BOULDER, Colo., May 12 /PRNewswire/ -- BI Inc. (NASDAQ-NMS: BIAC), the
nation's leading provider of electronically monitored systems for corrections,
today announced receipt of notification from the United States Patent Office
of issuance of a patent to BI on April 20, 1993.  BI's newly granted patent
includes the application presented in the BI PROFILE(TM) automated
administrative caseload management system.
   At no cost to corrections agencies, BI PROFILE provides automated
administrative caseload management via a computer located at BI Monitoring
Corp.'s central station.  Probationers are assigned individual PIN numbers and
security passwords, and required to call a 900 number once a month to report
any administrative changes.  BI's computer asks the callers a series of
questions (i.e., change in home telephone number, address, employment, etc.).
Each call placed averages 2 or 3 minutes in duration and is charged to the
probationer's home telephone bill.  Considered exception reporting, BI PROFILE
only provides reports to corrections agencies if probationers fail to call in
on their pre-assigned monthly date or if any status changes are reported
during the calls.  Prior to BI PROFILE, administrative caseload management of
probationers has been via a manual system which has put a significant burden
on corrections agencies as the number of probationers continues to rise at the
federal, state and local levels.
   Additional options available on BI PROFILE are features to insure that
probationers are calling from the designated telephone number, that
probationers have not previously called in for the month, collection of
monthly probation supervision fees and 800 telephone service for the indigent
population.  BI has additional patents pending on these and other BI PROFILE
options as well.
   BI PROFILE services are offered to the corrections market by BI through
its wholly owned subsidiary, BI Monitoring Corp. (BIMCORP).  "BI PROFILE is
another service offering from BI Monitoring Corporation that is the direct
result of BI's strategy to expand its recurring revenue base," said John K.
Fulda, Jr., BI's corporate vice president in charge of BI Monitoring.  "We
believe that the BI PROFILE family of services offers tremendous growth
potential for BI Monitoring Corporation in the years ahead," he concluded.

 CONTACT:  Joanna Manley of BI, 303-530-2911; or Tom Dean of
Innovative Research, 212-421-2543, for BI

 [Dale Drew, Sr. Information Security Specialist, BT North America, Inc.
 (408) 922-6004   [email protected]]

------------------------------

Date: Fri, 21 May 93 13:54:00 EDT
From: [email protected]
Subject: X application to finger

Here is an interesting episode.

I run an X application (public domain) that, given a list of remote sites and
a list of userids, periodically "finger"s the sites, searching to see if the
named users are logged on. If yes, they are updated on a small screen window.

Following is a mail I received from the security officer at one of the
sites...  It was interesting to note that sys admins *are* on the lookout
for even those minor chances of hacking.

-------- The mail --------

I assume since you're logged into the console, you have some responsibility
for machine.cs.univ.edu:

It appears that somebody may have cracked your system, and is using it as a
base to attempt to break into other systems: every six minutes, some process
on your machine contacts the finger daemon on cs.anotheruniv.edu and attempts
to see who is logged on.  This is generally taken as an attempt to extract
usernames, preparatory to hacking the system.

Strangely, this seems to be correlated to your being logged in.  It appears
to have started on May 12th.  I've ignored it before now since until this
point it has been only a minor annoyance.  We would appreciate your looking
into this matter, and seeing that it ceases.

Nandakumar Sankaran, Graduate Student, Computer Science Department

G34, Jordan Hall, Clemson University, Clemson, SC 29634    (803) 656 6979
[email protected]
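The remote security officer's reasoning above amounts to a simple detection rule: a client that contacts the finger daemon at a near-constant interval is polling, not a person typing `finger` by hand. The following is an added example (not code from the post, from Clemson, or from the other site) that applies that rule to connection-log lines. The log format and the sample lines are constructed for illustration; the six-minute poller below is modelled on the episode, and the second client is there to show that a couple of ad-hoc finger queries are not flagged.

```python
"""Flag clients that poll a finger daemon on a fixed schedule.

Added example; the log format "<ISO timestamp> <client> -> <service>" and
the sample lines are constructed, not taken from any real logger.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one poller every ~6 minutes plus two one-off queries.
SAMPLE_LOG = """\
1993-05-12T09:00:02 machine.cs.univ.edu -> finger
1993-05-12T09:01:40 workstation7.anotheruniv.edu -> finger
1993-05-12T09:06:01 machine.cs.univ.edu -> finger
1993-05-12T09:12:03 machine.cs.univ.edu -> finger
1993-05-12T09:18:00 machine.cs.univ.edu -> finger
1993-05-12T09:24:02 machine.cs.univ.edu -> finger
1993-05-12T09:30:01 machine.cs.univ.edu -> finger
1993-05-12T10:47:19 workstation7.anotheruniv.edu -> finger
"""


def parse_log(text):
    """Return {client: [datetime, ...]} for every finger connection in the log."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, _, service = line.split()
        if service == "finger":
            seen[client].append(datetime.fromisoformat(stamp))
    return seen


def find_periodic_pollers(events, min_hits=4, max_jitter=0.1):
    """Return {client: period_seconds} for clients whose gaps are near-constant.

    A client must have at least `min_hits` connections, and the population
    standard deviation of its inter-arrival gaps must be within `max_jitter`
    (a fraction) of the mean gap.  Hand-typed queries fail both tests.
    """
    flagged = {}
    for client, stamps in events.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) <= max_jitter * period:
            flagged[client] = round(period)
    return flagged


if __name__ == "__main__":
    for client, period in find_periodic_pollers(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: finger every ~{period // 60} min ({period} s)")
```

On the sample log this reports only `machine.cs.univ.edu`, with a period of about 360 seconds; the jitter threshold is what lets a cron-style poller through while ignoring a user who happens to run `finger` twice in a morning. In practice the alert would go to the owner of the polling host, as the security officer did here, since a scheduled poller is just as consistent with a harmless status window as with reconnaissance.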

------------------------------

Date:     Wed, 19 May 93 17:13:49 EDT
From: Brinton Cooper <[email protected]>
Subject:  Re: Fake ATM Machine Steals PINs

<[email protected]> describes the now-well-known fake ATM scam for capturing
account and PIN numbers for subsequent forging in order to relieve consumers
of the burden of large account balances.  Recall that the ATM "scam artists"
obtained permission from officials of the shopping Mall where the scam took
place.

He asks, "How are you supposed to stop this new trick???"  Like many RISKS,
you don't "stop" the trick but you minimize the RISK:

       1. You needn't be the first in your block to use the new ATM.

       2. Watch for announcements from your bank or credit union of new
locations.  Our credit union announces in its newsletter *every* new ATM which
it owns/installs (i.e., where members pay no fee for access).  One could have
been suspicious of the (around here) then-uncommon installation in local
groceries, but they were announced as mentioned.

       3. You could always phone the bank whose name appears on the
ATM.  If there's no name, who's running the machine?

_Brint

------------------------------

Date: Tue, 1 Jun 93 11:37:52 EDT
From: Dolores Wallace <[email protected]>
Subject: COMPASS '93 ANNOUNCEMENT

   [FOR SOME REASON THE CONFERENCE MANAGEMENT DID NOT SEND THIS ANNOUNCEMENT
   TO RISKS UNTIL 1 JUNE, WHICH IS AFTER THE ANNOUNCED DEADLINE FOR DISCOUNTED
   REGISTRATION.  Karen Ferraiolo (see below) has agreed to give a special
   deal to RISKS SUBSCRIBERS, SO THAT YOU MAY REGISTER UNTIL THE END OF THIS
   WEEK AT THE REDUCED RATE.  However, she asks that you let her know ASAP.
   We do not generally run conference announcements in full, but in light of
   the closeness of the date and the special consideration for RISKS readers,
   it seemed appropriate.  This conference has always been closely related to
   the RISKS subject matter.  PGN]


                                  COMPASS '93
                Eighth Annual Conference On Computer Assurance:
           Systems Integrity, Software Safety, and Process Security

                              June 14-17, 1993
                               Gaithersburg, MD

                          U.S. Department of Commerce
                           Technology Administration
                National Institute of Standards and Technology

COMPASS              IEEE Aerospace and Electronics Systems Society
Sponsors             IEEE National Capital Area Council

In Cooperation with  British Computer Society

Conference           Arca Systems, Inc.
Sponsors             ARINC Research Corporation
                    Control Systems Analysis, Inc.
                    CTA, Inc.
                    IBM
                    Logicon, Inc.
                    National Institute of Standards and Technology
                    Naval Research Laboratory
                    Naval Surface Warfare Center
                    Systems Safety Society
                    TRW Systems Division
                    U.S. General Accounting Office

The goal of COMPASS, an acronym formed from COMPuter ASSurance, is to advance
the theory and practice of the creation and use of critical systems through
the medium of scientific and engineering meeting and publications.  COMPASS
expresses the idea of "Pointing the Way" and of "enCOMPASSing" many
technologies and technical disciplines.  The logo, a variation of yin-yang
overlaying a compass rose, symbolizes both of these ideas.  We invite you to
participate in COMPASS activities and increase the benefits of COMPASS.

Monday, 14 June 1993
--------------------
8:00 am                    Registration Opens
9:00 am - 4:00 pm          Tutorials (Parallel Sessions)

      1.     "Formal Methods with Automated Support Using PVS", John
             Rushby, SRI International

      This tutorial provides an introduction to formal methods with
      special focus on the use of automated support tools such as
      PVS, a Prototype "next generation" Verification System that
      attempts to provide the benefits of powerful and effective
      automation for an expressive specification language.  Worked
      examples will be demonstrated "live" and include examples from
      hardware design, fault tolerance, and real-time.

      2.     "Federal Criteria (New Orange Book)", Janet Cugini, NIST

      This tutorial, on the preliminary draft of the Federal
      Criteria for Information Technology Security, will cover
      background, future work, protection profiles, TCB functional
      components, development assurance requirements, and evaluation
      assurance requirements.  It includes constructing a protection
      profile and the seven defined protection profiles.

Tuesday, 15 June 1993
---------------------
8:00 am      Registration Opens

9:00 am      Welcome
             James H. Burrows
             Director, Computer Systems Laboratory, NIST

             Opening Remarks
             Judith Bramlage, COMPASS '93 General Chair

9:15 am      Program Information
             John J Marciniak, COMPASS '93 Program Chair

9:30 am      Keynote
             Peter Neumann, SRI International
             "Myths of Dependable Computing: Shooting the Straw
             Herrings in Midstream"

10:30        Break

11:00 am     Technical Session 1  "Verification Technology"
             Moderator: Connie Heitmeyer, Naval Research Laboratory

             "A Tool for Reasoning about Software Models", Sidney
             Bailin, CTA, Inc.

             "An Incremental Protocol Verification Method for ECFSM-based
             Protocols", C. Huang, National Cheng Kung University

             "A Verifier for Distributed Real-Time Systems with Bounded
             Integer Variables", Farn Wang and Al Mok, University of Texas

1:00 pm      Lunch

2:00 pm      Special Topics (Invited talks)
             Moderator: Peter Neumann

             "Global Protection against Limited Strikes (Trusted
             Software Methodology)", Carol Taylor, National Security Agency

             "Application of the High Trust Process Model to
             Complexity Management and System Architecture in the
             SDI", John McHugh, University of North Carolina, and Greg
             Chisholm, Argonne National Laboratory

3:00 pm      Break

3:30 pm     Special Topics continued

             "Using Ada in Secure Systems", Roberta Gotfried,
             Hughes Aircraft Company

             "A Risk-Based Approach to Cost-Benefit Analysis of
             Software Safety Activities", Stephen C. Fortier, Intermetrics,
             and James Bret Michael, Argonne National Laboratory

4:30         Adjourn from NIST

7:00 pm      Birds of a Feather (Parallel Sessions; held at Marriott)
             "Processes (Capability Maturity Model)", John Baumert, CSC
             "Standards for Formal Methods", Roger Fujii, Logicon, Inc.

             (Dessert will be provided)

Wednesday, 16 June 1993
-----------------------
8:00 am      Registration Opens

9:00 am      Keynote Address
             Rona Stillman, Chief Scientist, U.S. GAO

10:00 am     Break

10:30 am     Technical Session 2  "Reliability Measurement"
             Moderator: Reginald Meeson, Institute for Defense Analyses

             "Rare Conditions - An Important Cause of Failures", Herb
             Hecht, SoHaR, Inc.

             "Experimental Evidence of Sensitivity Analysis Predicting
             Minimum Failure Probabilities", Jeffrey Voas, Jeffrey
             Payne, and Chris Michael, Reliable Software Technologies,
             Corp. and Keith Miller, College of William and Mary

             "Assigning Probabilities for Assurance in MLS Data Base
             Design", Lucien Russell, Argonne National Laboratory

1:00 pm      Lunch

2:00 pm      Technical Session 3  "System Safety"
             Moderator: Michael L. Brown, Naval Surface Warfare Center

             "Risk and System Integrity Concepts for Safety-Related
             Control Systems", Ron Bell, Health and Safety Executive (UK)

             "Identifying Generic Safety Requirements", Jarrellann
             Filsinger, Booz-Allen & Hamilton and J.E. Heaney,
             The Mitre Corporation

             "Software Safety and Program Slicing", Keith B.
             Gallagher, Loyola College and NIST, and James R. Lyle, NIST

3:30 pm      Break

4:00 pm      Debate
             Moderator: Emilie J. Siarkiewicz, Rome Laboratory
             Resolved: "Productivity & Techniques of Assurance Can Co-exist"

             Debaters: Peter Neumann (SRI), Charles Bonneau (Mitre),
             Phil Parker (CTA, Inc.), John McHugh (UNC), and Jon Dehn (IBM)

5:00 pm      Adjourn

6:30 pm      Banquet (at Marriott Hotel)
             Speaker: Dorothy Denning, Georgetown University

Thursday, 17 June 1993
----------------------
8:00 am      Registration Opens

9:00 am      Technical Session 4  "Management and Developmental Issues"
             Moderator: Charles Payne, NRL

             "Developing Secure Systems in a Modular Way", Qi Shi and
             John McDermid, University of York

             "On Security Policy Modeling", James Freeman, CTA, Inc.

             "Management Aspect of Software Safety", Stephen Cha,
             Aerospace Corporation

10:30 am     Break

11:00 am     Panel 1  "Developing Standards and Issues"
             Moderator: Dolores Wallace, NIST

             "MIL-STD-SDD (Software Development and Documentation)",
             Raghu Singh, SPAWAR, U.S. Navy

             "Software Safety Standards - A European Perspective",
             Robin Bloomfield, Adelard

             "ISO 9000 Standards", Taz Daughtrey, Babcock & Wilcox

             "MIL-STD-882C", Michael L. Brown, Naval Surface Warfare Center

1:00 pm      Lunch

2:00 pm      Panel 2  "Results of Workshops/Studies"
             Moderator: H.O. Lubbes, Naval Research Laboratory

             "Mitre Critical Assurance Workshop", Chuck Howell,
              Mitre Corporation

             "An International Survey of the Industrial Applications
             of Formal Methods", Susan Gerhart, National Science Foundation

             "Federal Criteria (Report on Comments Workshop)", Eugene
             Troy, NIST

3:30 pm      Awards and Closing Ceremony


Location      NIST, located in Gaithersburg, MD, is approximately 25
             miles northwest of Washington, D.C.  The meeting will be
             held in the Green Auditorium of the Administration Building.

Social Functions
----------------
Birds of a Feather (Dessert) will be held at the Gaithersburg Marriott on
Tuesday, June 15th at 7:00 pm.  A banquet with a cash bar and banquet speaker
will be held at the Gaithersburg Marriott on Wednesday, June 16th at 6:30 pm.

Transportation
--------------
BWI Limo, 301/441-2345, offers commercial van service from
Baltimore-Washington Airport to Gaithersburg area.  Call for reservations.
Airport Transfer Van Service, 301/948-4515, is available from Dulles
International and Washington National Airports to Gaithersburg.  The
Washington Metro has subway service to Gaithersburg.  Metro can be boarded at
Washington National Airport.  Take a Yellow Line train marked "Mount Vernon
Square" to Gallery Place and transfer to a Red Line train marked "Shady Grove"
to Shady Grove.  Service is every 6 to 15 minutes depending on the time of
day.  The Shady Grove station is approximately four miles from the Marriott
Hotel.  Contact Marriott for shuttle information.

Accommodations
--------------
Conference registration does not include your hotel reservation. A block of
rooms has been reserved at the Gaithersburg Marriott Hotel, 620 Perry Parkway,
Gaithersburg, MD 20877.  The hotel phone number is 301/977-8900.  The special
room rate is $70.00 single or double.  To register for a room, please use the
enclosed hotel reservation form and send it directly to the hotel no later
than May 31, 1993.  After that date the rooms will be released for general
sale at the prevailing rates of the hotel.   [PERHAPS KAREN CAN HELP NEGOTIATE
A LATER DATE HERE...  PGN]

Registration       Karen Ferraiolo
Information        COMPASS '93 Registration
Contact            Arca Systems, Inc
                  8229 Boone Blvd, Suite 610
                  Vienna, VA 22172
                  Phone: 703/734-5611
                  Fax:   703/790-0385

Technical          Judith Bramlage
Information        U.S. General Accounting Office
Contact            441 G Street NW
                  Washington, DC 20548
                  Phone: 202/512-6210
                  Fax:   202/512-6451

Driving Instructions
--------------------
From northbound I-270 take Exit 10, Rt. 117 West, Clopper Road. At
the first light on Clopper Road, turn left on to the NIST grounds.
From Southbound I-270 take Exit 11B, Route 124 West, Quince Orchard
Road. At the second light turn left on to Clopper Road. At the
first light on Clopper Road, turn right on to the NIST grounds. To
reach the Administration Building, turn left after passing the
guard office. Signs will direct you to visitor parking.

Transportation will be provided to and from the Gaithersburg
Marriott and NIST Monday through Thursday.

              ==============================

Conference Registration Card

Advance Registration (Before 30 May 1993) [4 JUNE FOR RISKS READERS]

      Conference Registration (includes 1 copy of proceedings)_____
      Proceedings Only                                        _____
      Extra Proceedings _____ copies                          _____
      Tutorial #1 - Formal Methods                            _____
      Tutorial #2 - Federal Criteria                          _____

      Name_________________________________________________________
      Company______________________________________________________
      Street Address_______________________________________________
      Rm. No./Mail Code____________________________________________
      City, State, ZIP_____________________________________________
      Country______________________________________________________
      Business Telephone___________________________________________
      IEEE Membership Nbr__________________________________________
      Co-Sponsor Name______________________________________________
      Total Amount US $____________________________________________

          _____ Check here if you will be using the shuttle to and from
          the Marriott and NIST (free!).

Form of Payment

      _____         Check enclosed made payable to COMPASS '93. (Checks
                    from outside the USA must be written on a USA
                    bank.)
      _____         MasterCard No.________________________Exp._____
      _____         VISA Card No._________________________Exp._____
      _____         Diners Club No._______________________Exp._____
      _____         American Express No.__________________Exp._____
      Authorized Signature_________________________________________

      Request for refunds after 30 May 1993 will be subject to a $15
      administrative fee.

See below for registration fees and mailing instructions.

"In reviewing the Institute for Electrical and Electronics Engineers' plans
for COMPASS Conferences, The Assistant Secretary of Defense (Public Affairs)
finds this event meets the standards for participation by DoD personnel under
instruction 5410.20 and DoD Standards of Conduct Directive 5500.7.  This
finding does not constitute DoD endorsement of attendance which must be
determined by each DoD component."

Registration Fees

      NOTE:         Members belong to sponsoring or cosponsoring
                    organizations.

      Advanced (before 30 May 1993)  [4 JUNE FOR RISKS READERS]
      -----------------------------
                                                   Speakers,
                                       Non-        One-Day &
                         Members      Members      Students
      Conference           250          315          100
      Tutorial              50           70           50
      Proceedings Only      20           30           20

      On-Site (after 30 May 1993)  [4 JUNE FOR RISKS READERS]
      ---------------------------
                                                   Speakers,
                                       Non-        One-Day &
                         Members      Members      Students
      Conference           300          375          100
      Tutorial              70           90           50
      Proceedings Only      20           30           20

      Fee includes coffee breaks, lunches, and social functions

Place Conference Registration Card in envelope and mail to:

                  Karen Ferraiolo
                  COMPASS '93 Registration
                  Arca Systems, Inc
                  8229 Boone Blvd, Suite 610
                  Vienna, VA 22172
                  Phone: 703/734-5611
                  Fax:   703/790-0385

              ==============================

Hotel Registration Card
Marriott Hotel, 301/977-8900

      Name________________________________________________________
      Company_____________________________________________________
      Street Address______________________________________________
      Rm. No./Mail Code___________________________________________
      City, State, ZIP____________________________________________
      Country_____________________________________________________
      Business Telephone__________________________________________
      Arrival Date________________________________________________
      Departure Date______________________________________________
      Number of Persons___________________________________________

      Rate $70 single or double (apply 12% tax to rate).  All
      reservations must be received by 30 May 1993.  All room
      reservations must be guaranteed by a one-night deposit.
      Deposit will guarantee first night availability, and will be
      credited to last night of reservation.  Deposit refunded if
      request received 48 hours prior to reserved arrival.

Form of Payment

      _____         Check enclosed made payable to The Gaithersburg
                    Marriott
      _____         One night deposit enclosed $___________________
      Guaranteed by_______________________________________Exp._____
      Card No._____________________________________________________
      Authorized Signature_________________________________________

Please place in envelope and mail to:

                The Gaithersburg Marriott
                620 Perry Parkway
                Gaithersburg, MD 20877

              ==============================

Board of Directors
------------------
Chair:               Dolores R. Wallace, NIST
Vice-Chair:          Anthony Shumskas, Logicon, Inc.
Treasurer:           Dario DeAngelis, Logicon, Inc.
Secretary:           Michael L. Brown, Naval Surface Warfare Center
IEEE AESS:           Robert Ayers, ARINC, Inc.
IEEE NCAC:           Arthur Cotts
Members:             Judy Bramlage, U.S. General Accounting Office
                    John Cherniavsky, National Science Foundation
                    Frank Houston, Weinberg Associates
                    H.O. Lubbes, Naval Research Laboratory
                    Juan Zumbado, IBM

Conference Committee
--------------------
General Chair:       Judith L. Bramlage, U.S. General Accounting Office
Program Chair:       John J. Marciniak, CTA, Inc.
Arrangements:        Laura M. Ippolito, NIST
Publications:        Ann Boyer, Control Systems Analysis
Publicity:           Paul Anderson, Space and Naval Warfare Systems Command
Registration:        Karen Ferraiolo, Arca Systems, Inc.
Treasurer:           Bonnie P. Danner, TRW Systems Division
Tutorials:           Michael L. Brown, Naval Surface Warfare Center

Program Committee
-----------------
Paul Ammann, George Mason University
Michael L. Brown, Naval Surface Warfare Center
Albert Mo Kim Cheng, University of Houston
Jarrellann Filsinger, Booz-Allen & Hamilton
John J. Marciniak, CTA, Inc.
Reginald N. Meeson, Jr, Institute for Defense Analyses
Matthew Morgenstern, Xerox Design Research Institute
Adam Porter, University of Maryland
James Purtilo, University of Maryland
Marvin Schaefer, CTA, Inc.
Cynthia Wright, Defense Information Systems Agency
Tony Zawilski, The Mitre Corporation

------------------------------

End of RISKS-FORUM Digest 14.66
************************