Subject: RISKS DIGEST 17.53

Subject: RISKS DIGEST 17.53

RISKS-LIST: Risks-Forum Digest Monday 11 December 1995 Volume 17 : Issue 53

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
Announce: Timing cryptanalysis of RSA, DH, DSS (Paul C. Kocher)
Spectrum Insanity (Lauren Weinstein)
Risks of automated library circulation systems (Richard I. Cook)
"Computer Crime: A Crimefighter's Handbook", Icove/Seger/VonStorch (Rob Slade)
Denial of service attack: sabotaged electrical panel (Jon Mellott)
Re: False Alarms in Digital Systems (Todd W Burgess)
Re: Alarm and alarm-silencing risks in medical equipment (Rob Seaman)
Re: Alarm and alarm-silencing risks (Bob Schuchman)
InfoWarCon (Europe) '96 (Winn Schwartau)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 10 Dec 1995 13:34:50 -0800
From: [email protected] (Paul C. Kocher)
Subject: Announce: Timing cryptanalysis of RSA, DH, DSS

I've just released details of an attack many of you will find interesting
since quite a few existing cryptography products and systems are potentially
at risk. The general idea of the attack is that secret keys can be found by
measuring the amount of time used to to process messages. The paper
describes attacks against RSA, fixed- exponent Diffie-Hellman, and DSS, and
the techniques can work with many other systems as well.

My research on the subject is still in progress and the current paper does
not include many of my findings. I will eventually publish a full paper,
but am releasing a preliminary draft now to alert the community as quickly
as possible. A copy of the abstract is attached at the end of this message
and the full text can be downloaded in PostScript format from:

ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps
ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps.gz

I've also made an HTML version which is accessible at:

http://www.cryptography.com

(The HTML uses subscripts and superscripts which aren't supported in older
web browsers. The PostScript version is the "official" one and looks
nicer.)

The results have already been seen by Matt Blaze, Martin Hellman, Ron
Rivest, Bruce Schneier, and many others. While the full significance of the
attack is not yet known, I think everyone who has seen it considers it
important (including Netscape who awarded me a $1000 bugs bounty prize).

ABSTRACT. Cryptosystems often take slightly different
amounts of time to process different messages. With network-
based cryptosystems, cryptographic tokens, and many other
applications, attackers can measure the amount of time used
to complete cryptographic operations. This abstract shows
that timing channels can, and often do, leak key material.
The attacks are particularly alarming because they often
require only known ciphertext, work even if timing
measurements are somewhat inaccurate, are computationally
easy, and are difficult to detect. This preliminary draft
outlines attacks that can find secret exponents in Diffie-
Hellman key exchange, factor RSA keys, and find DSS secret
parameters. Other symmetric and asymmetric cryptographic
functions are also at risk. A complete description of the
attack will be presented in a full paper, to be released
later. I conclude by noting that closing timing channels
is often more difficult than might be expected.

Paul Kocher

*********************************************************************
VERY IMPORTANT: If you send me e-mail, please understand that I
probably won't have time to respond to all who write. Please keep
messages SHORT and send them to [email protected] (**not** my
netcom address -- misdirected messages will be ignored). PGP when
used for e-mail is not vulnerable to the attack. Please state in
your note whether you would like a reply.
********************************************************************

Paul C. Kocher Independent cryptography/data security consultant
E-mail: [email protected] (please see above before replying)

[Paul's paper makes superbly interesting reading.
Its implications are quite far reaching. PGN]

------------------------------

Date: Sat, 9 Dec 95 12:39 PST
From: [email protected] (Lauren Weinstein)
Subject: Spectrum Insanity

Spectrum Insanity [Originally written for TELECOM]

Greetings. With so much of the country's attention (rightly) focused on the
budget battles regarding Medicare, Medicaid, Environmental and Education
funding and similar critical issues, it's easy to forget some of the other
issues that play directly into the ongoing budget debate--issues that
directly affect telecommunications.

The new telecommunications rewrite, which is nearing completion in Congress,
shows signs of having many of the same negative attributes as the screenplay
with too many authors, or the animal designed by committee. In short, it's
highly questionable whether it will do more good than harm. Its various
aspects have become so controversial that various news outlets have started
refusing to run ads supporting one side or the other, for fear their own
interests will be compromised.

The bill covers a lot of ground, but I'd like to focus here on only one
aspect--what happens when politics attempts to drive technology. In the
search for the holy grail of simultaneously crafting a "balanced budget",
tax cuts, and technological reforms, the concept of "spectrum auctions" has
moved into center stage. A simple concept really: He has the most bucks
gets the spectrum. One thing's for sure, if this sort of policy had been in
effect during the formative years of broadcasting, the multitude of non-pay,
commercially-sponsored television and radio outlets we have today would be
very unlikely to exist, and the stifling effects on technical innovation
would be difficult to predict.

But now a fascinating development is occurring which could directly affect
every radio and television listener/viewer. In case you haven't noticed,
the hot topic in broadcasting these days is "digital broadcasting".
Experiments are in progress regarding both satellite and terrestrial digital
radio broadcasting, with a range of both technical and "political" arguments
surrounding every step. The FCC wants terrestrial television broadcasters
to convert to digital as well. The promises of the technology are indeed
seductive--"perfect" (?) pictures, multiplexing of multiple channels in the
bandwidth currently used for one channel, and so on. Of course, the
standards for these transmissions have yet to be completely nailed down, the
cost of the technology will be high for the short to medium term at least
(and this *isn't* necessarily HDTV we're talking about), and it's decidedly
unclear whether consumers are really all that interested--at least when it
comes to either buying expensive converter boxes (just what most people
want, more boxes hanging off their sets!) or junking all their TVs, VCRs,
and other related equipment for new expensive digital ones.

The cost to broadcasters to meet such an FCC mandate will be very high. It
was recognized early on that if such a conversion was ever to succeed, a
transition period, which the FCC initially pegged at 20 years, would be
necessary. Broadcasters would be allocated a new slice of spectrum that
they could use for digital services while simultaneously continuing their
existing analog transmissions on their existing channel. At the end of the
(presumably successful) transition period, they would turn the analog
spectrum back to the government for reassignment. Not only will the
broadcasters need to spend vast amounts for this conversion, the cost to
consumers, over the 20 year transition period, could be enormous.

But as Congress has searched for new revenue sources, the idea came up that
rather than provide the non-pay, commercially sponsored broadcasters with
the spectrum for the transition, that spectrum should be "auctioned off"
instead to the highest bidders. There are a number of problems with this,
including the fact that it says nothing about public interest--it speaks
only to who has the most bucks. And while many broadcasters aren't exactly
poor (though many operate on surprisingly thin margins) there are other
interests (mainly cellular, PCS, and other services whose main income stream
is derived from well-heeled business users and investors) who have vast
financial resources and could probably out bid anyone else for anything.

The arguments over this have been raging. And now, it appears that the
latest plan floating around is that the broadcasters won't have to try
out bid for spectrum necessary to meet FCC mandated digital transition
requirements. But here's the kicker--the new idea is to force the
transition to occur in only *seven* years. By 2002, everyone is supposed to
have converted to super-deluxe digital broadcasting. That's the television
broadcasters *and* all consumers. Does it seem just a wee bit unlikely that
such a schedule can be met? Are consumers going to be willing to see all
their television equipment converted to door stops in a rush to provide
"digital quality" pay-per-view and home shopping channels?

And what of the quality of technology that will result from this sort of
politically driven "mad rush" towards the future? This all makes about as
much sense (and is as likely to succeed) as the laws on the books in
California that have mandated that something like 20% of the cars sold in
the state must be electric powered within the next 7 years or so. The fact
that no such vehicles exist with specs, performance, or affordable prices
that could meet such goals didn't deter the enactment of the laws.

When technology is driven by artificially created non-technological
constraints, the result is frequently confusion, often poor design, and
almost always massive waste. It's time to take a step back and start
applying some real thought and logic to these issues, rather than letting
them be driven largely by political rhetoric. Otherwise, we're all likely
to be paying through the nose for a long time to come.

--Lauren-- http://www.vortex.com

------------------------------

Date: Thu, 7 Dec 1995 16:26:58 -0600
From: [email protected] (Richard I. Cook, M.D.)
Subject: Risks of automated library circulation systems

I received two recall notices for two books from the University of Chicago
science library. The recall notices were mailed in separate envelopes and
each listed the call number, abbreviated title, and three ID numbers
identifying the item, the loan and the patron [me]. Because faculty have
indefinite loan periods, a recall notice indicates that other patron wants
this book. Our library has a very nice bar code reading system for both the
patron's card and the book ID, making checkout and return simple and
efficient. All I needed to do was get the books and return them to the main
library which is three blocks from my home.

I recognized one of the titles but the other seemed strange. Its title was
an anglicized version of Arabic, a language that I don't read. I guessed
that a scanner had misread either one of the books I took out or someone
else's ID card had been misread as mine and the book had been mistakenly
charged to me instead of to the actual borrower. I also, briefly,
considered the most horrid of possibilities: that I had exactly the same
patron ID as another faculty member who was charging out lots of books of
which I (with indefinite loan privileges) was unaware and that one day I
would be required by a severe looking woman with reading glasses on a chain
around her neck to produce a large number of books containing not a single
character in an alphabet I recognize.

I went off to the library and explained my situation to a student helper who
looked at me as though I were a pederast and called the supervisor. The
supervisor, a most helpful and calming influence, was easily convinced that
I had not knowingly taken out a book in Arabic. She called up my patron ID
and then rapidly called up a series of screens on the computerized
circulation system. She said, after a few minutes work, that she thought
she knew what had happened. She disappeared into the stacks and, a few
minutes later, brought out a little blue book, in Arabic, that was the one
being recalled. After weeping uncontrollably at the relief of being saved
from some the horrific effort of phoning a lot of embassies trying to find a
replacement copy of a paperback book whose title and author I could not
pronounce or spell, I asked this goddess Diana to explain what had happened.

It seems that the library circulation system is organized around the "piece
ID" for each item. Piece IDs uniquely identify items and are assigned in
the order in which books enter the library. The piece ID for the book I
actually had and the one in Arabic differed by a single digit and it seems
likely that the clerk entering the recall for my book mistyped the piece ID.
But how could this happen? Wouldn't entry of a piece ID for some book that
was not charged generate some sort of error message? Well, it turns out
that the system actually handles recalls by checking the requested book IN
and then immediately charging it OUT again to the same patron ID for a
week's loan. Since one has 7 days to return a recalled book, this has the
effect of changing the indefinite loan period to a week and setting up the
necessary conditions for the automatic generation of a series of late
notices, fines, larger fines, really big fines, invalidation of library
priveleges, expulsion from the faculty, firing squads, etc. Because, in
effect, the book has to be returned to the library (from the computer's
point of view) and then charged out for a limited time, it is quite possible
for a mistyping to generate the conditions I encountered.

I was relieved to not have to visit in turn each of the Middle Eastern
faculty in the University in search of the little book. The librarian (who
had taken on the aspect of the Venus de Milo) assured me that I had only
seven books charged against my ID and that all these had reasonable call
letters derived from more placid, familiar regions of the stacks. With a
sigh and mental note to spend more time reading in the library and less at
home, I went past the human monitor checking briefcases, through the metal
detector, past the turnstile, and out into the cold, clear winter air.

Richard I. Cook, MD ............. Cognitive Technologies Laboratory
Department of Anesthesia and Critical Care ** University of Chicago

------------------------------

Date: Wed, 01 Nov 1995 17:15:30 EST
From: "Rob Slade" <[email protected]>
Subject: "Computer Crime: A Crimefighter's Handbook" by Icove/Seger/VonStorch

BKCMPCRM.RVW 951004 [Apologies for the delay. PGN.

"Computer Crime: a Crimefighter's Handbook", David Icove/Karl Seger/William
VonStorch, 1995, 1-56592-086-4, U$24.95

%A David Icove
%A Karl Seger
%A William VonStorch
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 1995
%G 1-56592-086-4
%I O'Reilly & Associates, Inc.
%O U$24.95 519-283-6332 800-528-9994 [email protected] 800-998-9938
%O 707-829-0515 fax: 707-829-0104 [email protected]
%P 464
%S Computer Security
%T "Computer Crime: a Crimefighter's Handbook"

As a guide for law enforcement personnel and systems managers, this provides a
good overview and introduction to computer crime and the actions to take
against it. Touching on crime, prevention and prosecution, the book is
practical and helpful to those needing to get a quick handle on the problem.

It is, however, easily evident that the authors are law enforcement, rather
than systems, professionals. Those expecting a technical discussion, from
the O'Reilly imprimatur, will be disappointed. The book started life as an
official FBI training manual. The explanations and concepts are elementary
-- and are intended to be so. Thus, while it might be possible to argue
(rather weakly) for the definitions of viruses, worms and other malware as
described in the book, security experts will likely feel a bit uncomfortable
with them. The abdication of discussion on encryption is not going to help
those who want to help protect their systems. (On the other hand, there is
nothing to indicate any political bias in regard to encryption.) The
bibliography, though, is of good quality, and should make up for the
technical shortcomings in this work.

I am delighted to see, for once, not only mention but actual listings of
computer laws from outside of the US. The coverage is still a bit lopsided,
with 130 of US federal and state statues and less than twenty devoted to the
rest of the world, but it's a start.

copyright Robert M. Slade, 1995 BKCMPCRM.RVW 951004

DECUS Canada Communications, [email protected], [email protected]
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Fri, 8 Dec 95 10:59:46 EST
From: "Jon Mellott" <[email protected]>
Subject: Denial of service attack: sabotaged electrical panel

Here at the University of Florida we appear to have been the victims of a
new variant of the "pull the fire alarm before the exam" attack. This week
has been the week before finals -- known locally as "dead week" -- when many
major projects and papers are due.

On Monday afternoon someone sabotaged the main circuit breaker to the entire
Computer Science and Engineering (CSE) building. The building houses the
computer science department, elements of the electrical engineering
department, a huge computer lab and a VAX cluster used by the general
student population, and the campus network operations center. A new breaker
had to be ordered from the manufacturer in Iowa. Apparently the breaker is
not a stock item but a custom manufacturing job.

By Tuesday morning power had been restored by borrowing a breaker from the
Marston Science Library (MSL) -- really part of the same building but with
an independent main electrical panel. While power was being restored to the
CSE, the MSL had to be closed, because it didn't have power at that point. A
planned power outage was scheduled for 10p-midnight so that the new breaker,
due to arrive late Tuesday, could be installed. Unfortunately, at about
6:00p Tuesday the vandal struck again and vandalized the same breaker. At
this point we had no functioning circuit breakers on site. Another breaker
was ordered from the manufacturer at this point. Since we had been stung
twice the campus police became very aggressive. The building was declared
"sealed" by the police although no stronger measure than locking the doors
was taken to "seal" the building. The police ejected staff members who were
on site to ensure that when power was restored things would be started
correctly and in a timely manner.

Another planned outage was scheduled for Wednesday night 10pm-3am so as to
allow the second new breaker to be installed in the MSL. By Thursday morning
we were on the path to a full recovery. There were no signs of forced entry
to the electrical closet where the main panel is housed (so we've been told)
in both of the events. After the panel was sabotaged the second time the
panel was kept under guard by the University Police until the lock had been
changed. At this point nobody has been arrested. Given that this attack
caused a great deal of hardship for a lot of students, staff and faculty,
the culprit would be a fool to advertise his or her daring. It's also worth
noting that the culprit probably put his or herself in danger in sabotaging
the panel since he or she did not cut the power at the main before
sabotaging the main breaker.

Jon Mellott, High Speed Digital Architecture Laboratory,
University of Florida ([email protected])

------------------------------

Date: Tue, 5 Dec 1995 21:40:08 -0500 (EST)
From: Todd W Burgess <[email protected]>
Subject: False Alarms in Digital Systems

All this talk about false alarms in digital systems reminded me of a
statistic I came across while doing some research into a report on the
application of microprocessors in home security systems. The False Alarm
Rate (FAR) of a home security system is 98%. As well, it would seem the
more complex the sensors, the greater the FAR.
The risks of high FARs are obvious. After numerous false alarms,
people will become conditioned not to respond. As a result, home security
alarms receive low priority by police departments. As witnessed by
several RISKS readers, alarms in hospitals receive low priority by the
care givers.
While it is better to be safer then sorry in a security or medical
environment there is something to be said about making your margin of
error too big. If we have to use such large margins of error perhaps we
need to re-think how we use digital systems in a highly complex analog world.

University of Guelph, Computer Science Major E-mail: [email protected]
URL: http://eddie.cis.uoguelph.ca/~tburgess

------------------------------

Date: Tue, 5 Dec 95 11:44:55 MST
From: [email protected] (Rob Seaman)
Subject: Re: Alarm and alarm-silencing risks in medical equipment

There has been a lot of good discussion in this thread about delivering
the right alarms - to the right people - at the right time - in the right
order - so as to have them dealt with in the right way (in a hospital
setting, in this case).

Kenneth Albanowski identified a separate risk of the direct harm caused
to patients from the simple existence of all these competing alarms from
their own and other patients' equipment. Anybody who has ever visited a
hospital, let alone been a patient, knows the reality of this second risk.

Unfortunately, proper handling of the first, more immediate, cluster
of risks requires that the second risk not be mitigated. Several
writers have told anecdotal stories of hospital staff treating alarms
in inappropriate ways. Most of us could probably add to the list of
situations in which harmful (or fatal) consequences were only avoided
through the intervention of the patients themselves, or hospital visitors,
or even other patients. The patient is the only one involved who is
unable to pass the buck - either to another person or to the machinery.

The patients and hospital visitors cannot be denied exposure to most
alarms - these people are a critical part of the safety net. In fact,
alarms should be designed to be intelligible to a lay person, and this is
also one way to address the question of sensory overload - intelligible
alarms provide more peace-of-mind than random, unexplained panic warnings.

Note that more generally, hospital staff are not much more technically
talented than the population as a whole - health care workers largely
choose their careers for reasons unrelated to technology. There is also
no particularly strong trend to weed technically challenged doctors and
nurses out of the workforce (as we can see). The patient is often as
competent as, or more competent than, the doctor at decisions that lie
outside narrow medical limits.

My own anecdote for this thread is that during the birth of our first
child, my wife was administered pitosin - the dreaded "pit", a drug
to increase the productivity of labor. Her contractions were monitored
using a simple strip chart recorder attached to some equally simple
transducer. This particular device appeared to be new to the nurses,
but I don't think their interpretation of the trace would have benefited
from any training. There was a complete lack of understanding of the
difference between a smooth sinusoid and a (very) flat-topped trace -
both peaked at 100% according to the nurses. Most of my poor wife's
contractions were pinned well above that level. We could not get them
to understand why they should turn down the drip if they planned to
agree with the doctor's instructions (which we had also been present
to hear, of course - another part of the safety net).

Finally they turned down the flow rate of the drug - but only because
we were making such a fuss (nurses that let themselves be bullied by
patients is another risk).

Rob Seaman ([email protected])

[email protected], http://iraf.noao.edu/~seaman
NOAO, 950 N Cherry Ave, Tucson AZ 85719, 520-318-8248

------------------------------

Date: Fri, 8 Dec 95 00:51 PST
From: Bob Schuchman <[email protected]>
Subject: Re: Alarm and alarm-silencing risks

I had a summer job while in college as a radio serviceman with a railroad.
Part of my duties required going from one station to another in the cab of a
diesel-electric locomotive. The equivalent of alarm-silencing which I
observed, was the placing of a heavy weight, such as a toolbox, on the
engineer's dead-man pedal. Apparently it was too much of a strain to keep
one foot on that pedal to avoid stopping the train.

[Although this case is not particularly computer-relevant, and is indeed
a very old problem, it is included here as another reminder of the
intricacies in designing safety mechanisms.

There were too many messages on this subject to include all of them.
However, let me editorialize on some conclusions. One of the lessons of
the RISKS archives is that no matter how many mechanisms are in place,
they can still be subverted. There is also an issue involving what
happens when a safety mechanism fails, such as a sensor. When one fails,
the system risk probabilities change, and must be reevaluated. The best
policy is to replace a faulty component as soon as possible, rather than
relying on the seeming independence of events to preclude the NEXT
failure... PGN]

------------------------------

Date: Fri, 8 Dec 1995 16:35:55 -0500
From: [email protected] (Winn Schwartau)
Subject: InfoWarCon (Europe) '96

InfoWarCon (Europe) '96
Defining the European Perspective
Brussels, Belgium
May 23-24 1996

Sponsored by:

National Computer Security Association
Winn Schwartau, President and CEO, Interpact, Inc.
Robert David Steele, Chairman & CEO, OPEN SOURCE SOLUTIONS

Information Warfare represents a global challenge that faces all
late-industrial and information age nation states. It also represents the
easiest and cheapest way for less developed nation-states and religious or
political movements to anonymously and grievously attack major nations and
international corporations.

[Contact Winn Schwartau - Interpact, Inc.
Information Warfare and InfoSec
V: 813.393.6600 / F: 813.393.6361
[email protected]
for the full program and other details regarding this conference. PGN]

------------------------------

Date: 6 September 1995 (LAST-MODIFIED)
From: [email protected]
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you. BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...]
DIRECT REQUESTS to <[email protected]> (majordomo) with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
INFO [for further information]

CONTRIBUTIONS: to [email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks

RISKS ARCHIVES: "ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP. [...]
[Back issues are in the subdirectory corresponding to the volume number.]
Individual issues can be accessed using a URL of the form
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
ftp://unix.sri.com/risks [if your browser accepts URLs.]

------------------------------

End of RISKS-FORUM Digest 17.53
************************