Mail-From: NEUMANN created at 17-Aug-86 10:29:30
Date: Sun 17 Aug 86 10:29:30-PDT
From: RISKS FORUM    (Peter G. Neumann -- Coordinator) <[email protected]>
Subject: RISKS-3.38
Sender: [email protected]
To: [email protected]

RISKS-LIST: RISKS-FORUM Digest,  Sunday, 17 August 1986  Volume 3 : Issue 38

          FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
 Computer gives away California state funds (Rodney Hoffman)
 High-Tech Sex Ring: Beware of Whose Database You Are In! (Peter G. Neumann)
 Computer Viruses (Chris McDonald, Paul Garnet, Matt Bishop)
 Computer Viruses and Air Traffic Control (Dan Melson)
 Re: Traffic lights in Austin (Bill Davidsen)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to [email protected], Requests to [email protected])
 (Back issues Vol i Issue j available in CSL.SRI.COM:<RISKS>RISKS-i.j.
 Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

Date: 15 Aug 86 13:51:39 PDT (Friday)
From: [email protected]
Subject: Computer gives away California state funds
To: [email protected]

From the Los Angeles Times, August 15 1986, page 2:

 A computer error caused California's check-writing system to
 issue $4 million in interest-payment checks to bondholders
 who hold a type of bond on which no such payments were due.
 Deputy state Treasurer Liz Whitney explained that those bonds
 are of the "zero coupon" type, which are held for a period of
 years and redeemed with accumulated interest at maturity
 rather than bearing interest on a monthly or yearly basis.
 The treasurer's office learned of the error last Friday, she
 said, when a recipient inquired about the check's validity,
 and stop-payment orders were issued.  By Wednesday, all but
 a few checks totaling $33,000 had been recovered.

No further details are given about the nature of the computer error.

       -- Rodney Hoffman

------------------------------

Date: Fri 15 Aug 86 19:37:38-PDT
From: Peter G. Neumann <[email protected]>
Subject: High-Tech Sex Ring: Beware of Whose Database You Are In!
To: [email protected]

From the San Francisco Chronicle, Friday 15 August 1986:

 POLICE SAY ARRESTS IN MARIN SMASHED HIGH-TECH SEX RING
 by Torri Minton and Katy Butler

 A sophisticated prostitution ring that kept computerized records on more
 than 12,000 patrons has been broken after a three-month investigation,
 authorities in San Jose said yesterday.  The ring, known as EE&L
 Enterprises, collected $3.5 million a year dispatching at least 117
 prostitutes by electronic beeper to cities all over Northern California from
 a computerized command center in San Rafael, according to San Jose vice
 Lieutenant Joe Brockman.  ``It's a top-class operation -- the largest
 prostitution ring, to our knowledge, in Northern California,'' Brockman said.
 He said that the business took in more than $25 million during the eight
 years it was in business...

 Records seized by police ... included customers' names, telephone numbers,
 credit card numbers, sexual preferences and comments by the prostitutes...
 The office was equipped with four desks, several IBM computers, a
 photocopier, a paper shredder and a wall poster announcing that ``Reality is
 nothing but a collective hunch.''

On-line SuperCalifornication?

------------------------------

Date: Fri, 15 Aug 86  7:47:01 MDT
From: Chris McDonald  SD <[email protected]>
Subject: Computer Viruses
To: RISKS FORUM    (Peter G. Neumann -- Coordinator) <[email protected]>

                  [This is included because so many of you do
                   not seem to know the Cohen reference.  PGN]

Robert Stroud references a paper by Fred Cohen on "Computer Viruses."  The full
text of the paper can be found in several public sources.  The most available
for US readers is the minutes of the 7th DoD/NBS Computer Security Conference,
Sept 24-26, 1984, pages 240-263.  The paper is not exclusively concerned with
any one particular operating system.  It defines a "virus" as "a program that
can infect other programs by modifying them to include a possibly evolved copy
of itself."  The paper references Ken Thompson's acceptance speech on the
Turing Award, "Reflections on Trusting Trust," which was published in the
August 1984 "Communications of the ACM."  The reference, however, is only for
purposes of illustrating what Fred proposes is a "limited" virus.

   [That paper includes the wonderful C compiler Trojan horse lurking
    in wait for the next recompilation of the UNIX LOGIN procedure.  PGN]

A close reading of the paper would reveal that very specific factors have to
exist for a "virus" to become "virulent."  The most interesting facet of the
paper is really the question it raises as to whether the Bell-LaPadula and the
Biba models on mathematically defining "secure systems" even address the
potential of a "virus" attack.

------------------------------

Date: Fri, 15 Aug 86 12:14:22 edt
From: [email protected]
To: [email protected]
Subject: Computer Viruses

Another paper by Fred Cohen is "Recent Results in Computer Viruses", written
while at Lehigh University.  The copy I have does not have a date on it, but
I believe it was written sometime around the spring of 1985.

Anybody else know of any good, technical papers on the subject?

                                       Paul

------------------------------

From: Matt Bishop <[email protected]>
To: RISKS FORUM (Peter G. Neumann -- Coordinator) <[email protected]>
Subject: Re: Computer Viruses
Date: Fri, 15 Aug 86 07:28:27 -0700

If anyone wants to read an interesting science fiction book about computer
viruses (and things of that ilk) try reading John Brunner's "Shockwave
Rider."  Briefly, it's about a man who puts computer viruses into the
worldwide data banks, enabling him to do all sorts of illegal things such as
change identities.  Quite interesting, at least from the viewpoint of
computer security!
                                       Matt Bishop

      [I think we included mention of "Shockwave Rider" in RISKS long ago.
       However, with the interest in viruses and our large number of new
       readers, I am not trying to avoid all duplication -- especially with
       the distant past.  PGN]

------------------------------

Date: Sat, 16 Aug 86 01:13:47 PDT
From: [email protected] (Dan Melson)
To: [email protected]
Subject: Computer Viruses and Air Traffic Control

Those who fly regularly will be somewhat relieved to note that all terminals
of the ARTS and NAS systems, except master consoles (and a few others hardwired
straight into the machine and on site) are limited in what they can input,
nor can they escape the ATC program.  Furthermore, I am not aware of any
means whereby employees can access any of the FAA's computers from other than
known sites.  This also explains why there are so few ATC's on any net, despite
the large amount of computer work associated with the job today.

                                               DM
     [Beware of Trojan horses bearing gifts that look like sound programs,
      officially installed through proper channels.  There is also the
      problem of accidental viruses such as the ARPANET collapse of 27
      October 1980.  (See Eric Rosen's fine article in the ACM Software
      Engineering Notes 6 1 Jan 81, for those of you who have not seen
      it before.)  PGN]

------------------------------

Date: 15 Aug 86 10:57 EST
From: davidsen%[email protected]
Subject: Re: Traffic lights in Austin
To: [email protected]
  [From: Davidsen <davidsen%[email protected]>]

I would call a 2% clean failure rate a success. If the two intersections had
failed in an unsafe mode, such as green in both directions, it would not
have been acceptable. If the lights had "stuck" showing green one way and
red the other, it could have caused severe delays. For the light to cleanly
go out is probably acceptable.  Most drivers seeing a light with no signal
showing will use adequate caution to prevent accidents.
                                                           -bill davidsen

 ihnp4!seismo!rochester!steinmetz!--\
                                      \
                   unirot ------------->---> crdos1!davidsen
                         chinet ------/
        sixhub ---------------------/        ([email protected])

"Stupidity, like virtue, is its own reward"

------------------------------

End of RISKS-FORUM Digest
************************