Subject: RISKS DIGEST 17.55

RISKS-LIST: Risks-Forum Digest  Monday 18 December 1995  Volume 17 : Issue 55

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc.       *****

 Contents:
NY Stock Exchange halted for one hour this morning (PGN)
Laser Shows and Aircraft (Chuck Weinstock)
Electronic food stamps failure (Jeremy J Epstein)
Medical diagnosis by computer (Gretchen Herbkersman)
Timing cryptanalysis and its hardware analog (Michael Kaelbling)
Invitation to the CFP'96 Technology Fair (Simson L. Garfinkel)
"netfuture" announcement (Steve Talbott)
Taxing data (George Janczyn)
Re: Something funny about the funny pages item (Sidney Markowitz)
Re: Anonymity (Steve Bellovin)
Re: Classified Disks Lost--Court Martial (Andy Ashworth, Peter Horsburgh,
   Robin Kenny)
CERT Advisory CA-95:18 - Widespread Attacks (CERT)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 18 Dec 95 13:59:58 PST
From: "Peter G. Neumann" <[email protected]>
Subject: NY Stock Exchange halted for one hour this morning

Tomorrow's papers will undoubtedly have some coverage on the NY Stock
Exchange, which opened an hour late this morning.  From what I can glean
from various preliminary sources, the weekend had been spent upgrading the
system software.  However, at 9:15 this morning, it was discovered that
there were serious communications problems in the software between the
central computing facility and the specialists' displays.  The problem was
diagnosed and fixed by 10:00am, and the market reopened at 10:30.  It was
the first time since 27 December 1990 that the exchange had to shut down.
The Chicago Mercantile Exchange, Boston Stock Exchange, and Philadelphia
Stock Exchange all waited until the NYSE opened as well.

------------------------------

Date: Tue, 12 Dec 95 11:58:20 EST
From: Chuck Weinstock <[email protected]>
Subject: Laser Shows and Aircraft

An article on the Dow-Jones news service (which I presume means that it is
also in the Wall Street Journal) discusses the risks of display lasers
(mostly used instead of the old carbon-arc spotlights to call attention to a
place) co-existing with aviation.  Some of the interesting tidbits:

The Luxor in Las Vegas has a beam which reflects off of a waterfall.  When
 the water pressure of the fall weakens, the reflections cause problems for
 the nearby airport.  A check valve has been installed to shut the beams
 down when the water pressure drops too low.

A McDonnell Douglas study found that 45% of participants crashed a flight
 simulator when exposed to a laser beam while making a turn.

Several incidents of laser blinding have been reported by pilots.  Example:
 A pilot for Southwest Airlines took off from Las Vegas's McCarran
 International Airport. About three miles into the flight he was blinded by
 a flash of brilliant light, requiring his fellow pilot to grab the controls.

The FDA has ordered a halt to laser light shows within 20 miles of any Las
 Vegas airport as a result of such incidents.

The Las Vegas Hilton has installed TCAS(!) - Traffic Collision Avoidance
 System which will shut off its lasers if it senses any type of aircraft in
 their path.  But the system is unreliable with aircraft below 1,200 feet.

This reminds me that laser blinding played an important role in a recent Tom
Clancy novel.

Chuck Weinstock

------------------------------

Date: Mon, 18 Dec 1995 11:08:38 -0500
From: JEREMY J EPSTEIN <[email protected]>
Subject:  Electronic food stamps failure

An old risk repeated: The December 15 issue of the Fort Worth (Texas)
Star-Telegram reports that the computers used for tracking food stamps in
Texas failed, and some merchants were unable to accept cards.  The system
normally processes 350,000 transactions per day.  For some reason (not
explained in the article), only some of the 14,000 retailers who accept the
card were affected.  As of when the article was published, the computers had
been out for about a day, and the problem was not yet fixed.

------------------------------

Date: Mon, 18 Dec 95 08:55:40 PST
From: [email protected] (Gretchen Herbkersman Dept 5428)
Subject: Medical diagnosis by computer

"Meet the Doctor: A Computer That Knows a Few Things", by Laura Johannes,
is a very scary article on page B1 of the 18 Dec 1995 Wall Street Journal.

------------------------------

Date: Mon, 18 Dec 1995 10:20:12 +0100
From: Michael Kaelbling <[email protected]>
Subject: Timing cryptanalysis and its hardware analog

Paul Kocher's announcement in RISKS-17.54 about timing attacks to find
secret keys reminds me of an analogous (and analog) attack that can be made
on chip cards.

Since chip cards can fall into attackers' hands, not only must the
encryption algorithms run in a fixed and independent amount of time, but the
hardware must consume a fixed and independent amount of power for all
branches through the critical code.  Attackers have been known to use
sensitive measurements of the current drawn during the authentication phase
to determine keys.

Timing attacks can be based on apparent optimizations in software
multiplication of long numbers.

Current (amp) attacks can even be used against single-cycle multiplications,
if the hardware designers are not careful.

"Softies" might be surprised by what the hardware reveals about their code
and data.

Michael Kaelbling
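The leak Kaelbling describes, as an added example written for this issue (not code from his post or from any chip card): the number of long-number multiplications in a naive square-and-multiply stands in for run time and current drawn, and a Montgomery ladder with a branch-free register swap is the fix. The modulus, base and 16-bit "keys" are constructed values.

```python
# Added example (not from the RISKS post or any card implementation). The
# operation count of modular exponentiation is used as a stand-in for the
# run time and current that a meter on the card would observe.

MODULUS = 1000000007   # constructed: any odd modulus will do for the demo
BASE = 3               # constructed: fixed base; the exponent plays the key


def square_and_multiply(base, exp, mod):
    """Naive left-to-right exponentiation. Returns (base**exp % mod, ops).

    The multiply inside the `if` runs only for 1 bits of the exponent, so
    `ops` (and the time/power it models) equals bit_length + Hamming weight:
    an observer who can count operations learns the key's weight, and one
    who can see where each extra operation sits learns the key bit by bit."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod       # squaring, every bit
        ops += 1
        if bit == "1":                       # key-dependent branch
            result = result * base % mod     # extra multiply, 1 bits only
            ops += 1
    return result, ops


def ct_swap(a, b, swap):
    """Swap a and b when swap == 1 without a data-dependent branch: mask is
    0 or -1 (all ones for Python ints), so both cases do the same work."""
    mask = -swap
    t = mask & (a ^ b)
    return a ^ t, b ^ t


def montgomery_ladder(base, exp, mod, nbits):
    """Ladder exponentiation over a fixed number of bits. Returns (value, ops).

    Every iteration does exactly one multiply and one squaring, and the
    register choice is made with ct_swap rather than a branch, so `ops` is
    2 * nbits whatever the key. (This is a model: Python's big-int
    arithmetic is not itself constant-time, and a real card must also keep
    each multiplication's current draw independent of its operands.)"""
    r0, r1 = 1, base % mod
    ops = 0
    for i in range(nbits - 1, -1, -1):
        bit = (exp >> i) & 1
        r0, r1 = ct_swap(r0, r1, bit)
        r1 = r0 * r1 % mod
        r0 = r0 * r0 % mod
        r0, r1 = ct_swap(r0, r1, bit)
        ops += 2
    return r0, ops


def leak_profile(exp, nbits, mod=MODULUS, base=BASE):
    """Compare what each implementation reveals about `exp` to a meter
    that can count long-number operations. Returns (naive_ops, ladder_ops)."""
    naive_val, naive_ops = square_and_multiply(base, exp, mod)
    ladder_val, ladder_ops = montgomery_ladder(base, exp, mod, nbits)
    if not (naive_val == ladder_val == pow(base, exp, mod)):
        raise ValueError("exponentiation mismatch")
    return naive_ops, ladder_ops


if __name__ == "__main__":
    for key in (0x8001, 0x0F0F, 0xFFFF):     # constructed 16-bit "keys"
        naive, ladder = leak_profile(key, 16)
        print(f"key={key:#06x} weight={bin(key).count('1'):2d} "
              f"naive ops={naive:2d} ladder ops={ladder:2d}")
```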

------------------------------

Date: Sun, 17 Dec 1995 10:01:53 -0500
From: [email protected] (Simson L. Garfinkel)
Subject: Invitation to the CFP'96 Technology Fair

Many RISKS readers are familiar with the annual conference on Computers,
Freedom and Privacy. For those of you who are not, CFP is the leading
conference exploring issues having to deal with the complex interactions of
computers, privacy, and our legal system. Past conferences have been heavily
attended by law enforcement, academics, and journalists, and have been a place
where people on different sides of complex issues such as national
cryptography policy can get together and talk things out. This year's
conference is sponsored, in part, by the National Science Foundation, the John
D. and Catherine T. MacArthur Foundation, America Online, IBM, News Corp,
and the Freedom Forum First Amendment Center. You can get more information
about CFP at http://web.mit.edu/cfp96

This year, CFP will be having a technology fair. I am one of the people who
is putting the fair together.

We are looking for companies and individuals who are interested in
exhibiting. We have identified the following key areas that we are
interested in:

People to invite for the technology fair:

* Internet Filtering Technology
* Voice and Data Encryption
* Smart Cards
* Secure Payment Systems
* Public Access Internet
* Personal Dossiers Building Technology
* Crime Tracking
* Internet Monitoring & Marketing

The fair will be on Wednesday, the 27th of March. It will be open to the
public, and there will be no admission charge. We estimate that there will
be at least 400 attendees from the conference, plus another 1000 from the
MIT and surrounding Boston/Cambridge high-tech community. We can provide you
with a table and electricity, plus a connection to the Internet, if that
would be useful.

If you are interested in exhibiting at the fair, please send mail to me
([email protected]) or to [email protected]

Simson L. Garfinkel,  CFP 96 Programming Committee

------------------------------

Date: Thu, 7 Dec 1995 18:39:08 EST
From: [email protected] (Steve Talbott)
Subject: "netfuture" announcement

O'Reilly & Associates    101 RT. 21C  Ghent, New York 12075  1-518-672-5103

   WHAT TO DO WHILE WAITING FOR THE NEXT WAVE OF INTERNET BACKLASH

O'Reilly & Associates is establishing the "netfuture" mailing list.  This is
a moderated list to which O'Reilly editor, Steve Talbott, will post
approximately weekly pieces concerning high-technology trends in relation to
individual responsibility.  Some of these pieces will be selections from his
own forthcoming collection of provocations, "Daily Meditations for the
Computer-entranced."

Technology and the Net: Who Is Responsible?

The "netfuture" list will have a focus similar to the well-known and
estimable comp.risks newsgroup, with this difference:  "netfuture" will
look beyond the generally recognized issues such as privacy, access, and
dangerous computer glitches, seeking especially to address those deep
levels at which we half-consciously shape technology and are shaped by
it.  What is half-conscious can, after all, be made fully conscious, and
can become material for public discussion and policy-making.  As we wait
for the second wave of Internet backlash, what better to do than try to
understand the forces that have propelled the Net so dramatically onto
center stage amid near worship on the one hand, and (among a few)
something more like dread?

Once "netfuture" is under way, a companion, unmoderated discussion list
may be launched, based on the advice of participants.

Steve Talbott is author of "The Future Does Not Compute -- Transcending the
Machines in Our Midst," currently available from O'Reilly & Associates.

To subscribe to the "netfuture" mailing list, address an e-mail message to:

   [email protected]

No "Subject" is needed.  The first line in the body of your message should
read like this (but with your name substituted for "John Doe"):

   subscribe netfuture John Doe

Within the next day or so (usually much sooner) you should get a reply
message welcoming you to the list and explaining how to participate.  If you
don't get the initial reply, or if you have other problems or questions,
please send e-mail to: [email protected] -- tell us when you
sent your message and include your telephone number.

If you have more than one computer account or read e-mail on several
different services, be sure to send your subscription request from the place
where you want to read "netfuture". Our system automatically reads your
e-mail address from your subscription-message and registers you at that
particular address.

 [If your FROM: address is different from your desired address,
 you'd better complain to Steve directly.  I suggested they should
 fix that problem, or at least respect the REPLY-TO field, but apparently
 they can't.  It is extraordinary how much mail I get with FROM:
 addresses to which I cannot answer.  PGN]

------------------------------

Date: Mon, 18 Dec 1995 11:49:05 -0800 (PST)
From: George Janczyn <[email protected]>
Subject: Taxing data (Re: Alvarez, RISKS-17.54)

I recently became victim of a virus that erased the FAT on my hard disc.
Because my most recent backup was about three weeks old (highlighting
another well-known RISK), I was obliged to seek the services of a data
recovery company.

After the work was done, the bill included a charge for sales tax.  It was
explained to me that sales tax must be collected because of the process
involved, to wit: they salvaged the data (minus FAT) from my hard drive and
saved it temporarily on another drive.  After reformatting my hard drive,
they reconstructed the FAT and copied the data back again.  The fact that
they placed "new" data on an empty hard drive is what triggers the sales
tax.  (I'm in California.)

George J. Janczyn, T.S. Automated Systems Mgr, Geisel Library, 0175-K
University of California, San Diego, La Jolla, CA  92093  619-534-1282

------------------------------

Date: Sat, 16 Dec 1995 12:25:16 -0800
From: [email protected] (Sidney Markowitz)
Subject: Re: Something funny about the funny pages item (Alvarez, RISKS-17.54)

RISKS-17.54 had a short mention about an NPR piece on IRS policies on taxing
cartoonists. I didn't hear that piece, but the description in RISKS cannot
be correct. Sales tax is a state thing, not from the IRS. There is an issue
right now concerning the California State Board of Equalization's attempts
to collect sales tax on printed comic book original pages, which may be what
was mentioned on NPR. Since the BOE is trying to tax the sale of the
documents (claiming that they are commercial illustrations and taxable and
not author's literary manuscripts, which are not), it is the case that
transmitting cartoons electronically may not be taxable. The only reference
to this I have found on the net doesn't say much, but see
http://www.insv.com/cbldf/cases.html under the heading "San Francisco,
California". That's a page at the Comic Book Legal Defense Fund web site,
home page http://www.insv.com/cbldf/

 -- sidney markowitz <[email protected]>
  [Also noted by Eric Amick <[email protected]>.  PGN]

------------------------------

Date: Fri, 15 Dec 95 21:10:01 EST
From: [email protected]
Subject: Re: Anonymity (Schwartau, RISKS-17.54)

> I've heard of this penet.fi happening to another person.
> Anyone else? Any ideas?

Paranoia is an occupational disease in the computer security business.
I try to watch out for it myself...

You are automatically allocated an anonymous account if you ever send mail
to someone else's anonymous account.  You can do this directly, or
indirectly via a mailing list -- if an anonymous account is a subscriber,
even indirectly, the mail to them will be routed through penet -- and you'll
get your own id.

Now -- a few years ago, and possibly still, there were some attacks aimed at
discovering who owned which anonymous ids.  There are, after all, people who
want to know who posts to alt.sex.gerbils or the like -- think of your
favorite extremist politician.

               --Steve Bellovin

   [The automatic enrollment was noted by a score of respondents!
   RISKS was also swamped with war stories of previous spoofings of .fi,
   often using forged e-mail.  Apparently, anon.penet.fi now requires
   passwords (which themselves are spoofable).  And don't forget that
   monitoring incoming traffic and outgoing traffic can enable someone
   to identify the [apparent] sender's FROM: address unless multiple
   layers of anonymity are used.  Or you can be tricked into answering
   a message that can reveal YOUR identity!  Or any of several other
   horrible risks.  Perhaps we need a comp.risks.anonymous.
   Caveat emptor.  Beware of Anonymous Bosch.

   By the way, several Unix-centric folks also noted that ls -lu
   shows the time most recently read (well, to a first approximation,
   anyway), but neglected to note that can be tampered with also!  PGN]

------------------------------

Date: Mon, 18 Dec 95 09:34:49 GMT
From: Andy Ashworth <[email protected]>
Subject: Re: Classified Disks Lost--Court Martial (Kennedy, RISKS-17.54)

A "Severe reprimand" in the Royal Navy is something that will remain on the
service records of those two officers and will continue to be held against
them for the rest of their careers. The nature of the data lost should also
be taken into account when considering the severity of their punishment;
they were returning to their unit after having given a presentation on wages
- the data was therefore more likely to be of a personal confidential nature
rather than a more serious threat to UK security. If however they had just
attended a presentation on the latest thing in Communications Security I'm
sure that the punishments would have been a little more severe. (But that
still asks the question, what were they doing in a pub with sensitive
data?).

As regards the apparent lack of exposure to classified material claimed by
one of the officers, I find this quite believable. Instructor Officers, as
their title implies, are specialist instructors and would not usually be as
used to handling secure information as their colleagues.

Andy Ashworth, PO(Comms)(Sea) Royal Naval Reserve; Lloyd's Register,
29, Wellesley Road, Croydon CR0 2AJ UK   +44 (0)181 681 4040 ext 4501

------------------------------

Date: Mon, 18 Dec 1995 05:35:36 EST
From: "Peter Horsburgh" <[email protected]>
Subject: Re: Classified Disks Lost--Court Martial (Kennedy, RISKS-17.54)

As a military man, Dave knows that a "severe reprimand" can ruin an
officer's career - especially at the Commander level.  If they were in the
Royal Navy - the article does not say so specifically - they will have
"incurred Their Lordship's displeasure" - now THAT is a bad thing !  As for
the embarrassment, let the punishment fit the crime - Their Lordships were
severely embarrassed...  Peter Horsburgh [email protected]

 [Also noted by Robin Kenny <[email protected]>.  PGN]

------------------------------

Date: Mon, 18 Dec 95 9:38:26 EDT
From: Robin Kenny <[email protected]>
Subject: Re: Classified Disks Lost--Court Martial (Kennedy, RISKS-17.54)

Something I've noticed in the use of British and American language is that
the British make an art out of understatement.  So, having your head bashed
by an iron bar during a robbery becomes "creating an affray while committing
a criminal act" and actually killing someone is "a breach of the peace" (!)

[email protected]  Melbourne, Australia UTC +10 hours

------------------------------

Date: Mon, 18 Dec 1995 12:11:33 -0500
From: CERT Advisory <[email protected]>
Subject: CERT Advisory CA-95:18 - Widespread Attacks

CA-95:18                         CERT Advisory
                              December 18, 1995
                      Widespread Attacks on Internet Sites

Over the last several weeks, the CERT Coordination Center has been working
on a set of incidents in which the intruders have launched widespread
attacks against Internet sites. Hundreds of sites have been attacked, and
many of the attacks have been successful, resulting in root compromises at
the targeted sites. We continue to receive reports, and we believe that more
attacks are going undetected.

 **********************************************************************
 All the vulnerabilities exploited in these attacks are known, and are
 addressed by CERT advisories (see Section III).
 **********************************************************************

We urge everyone to obtain these advisories and take action to ensure that
systems are protected against these attacks. Also, please feel free to
redistribute this message.

As we receive additional information relating to this advisory, we
will place it in
       ftp://info.cert.org/pub/cert_advisories/CA-95:18.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

I.   Description

    Intruders are doing the following:

       - using automated tools to scan sites for NFS and NIS vulnerabilities

       - exploiting the rpc.ypupdated vulnerability to gain root access

       - exploiting the loadmodule vulnerability to gain root access

       - installing Trojan horse programs and packet sniffers

       - launching IP spoofing attacks

II.  Impact

    Successful exploitation of the vulnerabilities can result in unauthorized
    root access.

III. Solution

    The CERT staff urges you to immediately take the steps described in
    the advisories and README files listed below. Note that it is important
    to check README files as they contain updated information we received
    after the advisory was published.

    a. Using automated tools to scan sites for NFS and NIS vulnerabilities

       * CA-94:15.NFS.Vulnerabilities
       * CA-94:15.README
       * CA-92:13.SunOS.NIS.vulnerability

    b. Exploiting the rpc.ypupdated vulnerability to gain root access

       * CA-95:17.rpc.ypupdated.vul
       * CA-95:17.README

    c. Exploiting the loadmodule vulnerability to gain root access

       * CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability
       * CA-95:12.sun.loadmodule.vul
       * CA-95:12.README

    d. Installing Trojan horse programs and packet sniffers

       * CA-94:01.ongoing.network.monitoring.attacks
       * CA-94:01.README

    e. Launching IP spoofing attacks

       * CA-95:01.IP.spoofing
       * CA-95:01.README

    The CERT advisories and README files are available from

        ftp://info.cert.org/pub/cert_advisories

    If you find a compromise, please complete the Incident Reporting Form
    that we have provided in the appendix of this advisory, and return the
    form to [email protected]. This completed form will help us better assist
    you.

    Note: Because of our workload, we must ask you not to send log files of
    activity, but we would be happy to work with you as needed on how to
    interpret data that you may collect. Also, the CERT staff can provide
    guidance and advice, if needed, on how to handle incidents and work with
    law enforcement.

    If you see activity that indicates an attack is in progress, we encourage
    you to contact other sites involved and the service providers, as well as
    the CERT Coordination Center.


Contacting the CERT Coordination Center

For sensitive information, please use encrypted email.
The CERT public PGP key is available from

       ftp://info.cert.org/pub/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline

       +1 412 268 7090

to exchange a DES key over the phone.


Other CERT contact information:

Internet email: [email protected]
Telephone: +1 412-268-7090 (24-hour hotline)
          CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
          and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                Software Engineering Institute
                Carnegie Mellon University
                Pittsburgh, PA 15213-3890
                USA

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to [email protected].

Past CERT publications, information about FIRST representatives, and
other information related to computer security are available from
ftp://info.cert.org/pub/


Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

 [The Copyrighted 1995 Incident Reporting Form is omitted from this
 RISKS version.  Send e-mail to the CERT to obtain a copy.  PGN]

------------------------------

Date: 6 September 1995 (LAST-MODIFIED)
From: [email protected]
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  [...]
DIRECT REQUESTS to <[email protected]> (majordomo) with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
  INFO     [for further information]

CONTRIBUTIONS: to [email protected], with appropriate,  substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome, but not personal attacks.  [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks

RISKS ARCHIVES: "ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.  [...]
[Back issues are in the subdirectory corresponding to the volume number.]
  Individual issues can be accessed using a URL of the form
    http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
    ftp://unix.sri.com/risks  [if your browser accepts URLs.]

------------------------------

End of RISKS-FORUM Digest 17.55
************************