RISKS-LIST: RISKS-FORUM Digest  Wednesday 22 February 1989  Volume 8 : Issue 29

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Overloaded computer delays (overworked) commuters (Steve Graham)
  Chicago Phone Freak Gets Prison Term (Patrick Townson via Cliff Stoll)
  Computer Confinement (Joseph M. Beckman)
  Police officers sentenced for misuse of PNC (Nigel Roberts)
  The word "virus" causes panic (Nigel Roberts)
  Re: Faking Internet mail (Steve Bellovin, Kevin S. McCurley)

----------------------------------------------------------------------

Date: Tue, 21 Feb 89 14:31:14 EDT
From: Owen Plowman [Really Steve Graham]
Subject: Overloaded computer delays (overworked) commuters

This message actually comes to you from Steve Graham (sgraham@cnseq1.oracle.com), and not from me (Owen Plowman).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You might find this interesting. It is a 'COMMUTER BULLETIN' published by Government of Ontario [GO] Transit. I and everyone using the system were affected by it.

[GO Transit trains serve a wide area around Toronto, transporting commuters between the downtown area and surrounding communities. I believe that the trains are operated for the Provincial Government by Canadian National Railways]

February 15, 1989

SIGNAL COMPUTER DELAYS RUSH-HOUR GO TRAINS

Homebound GO Train riders were subjected to delays of up to 80 minutes on Monday and Tuesday evenings.

The delays were caused by a shortage of capacity in the new computer recently installed by CN Rail to control the signalling on its main line between Toronto and Hamilton. In the late afternoon, this line is heavily used over its entire length, and the computer has not been able to process signal and routing requests as rapidly as the traffic requires.

GO's Lakeshore trains use this line and were seriously affected.
Also delayed were trains on the Milton, Georgetown, Bradford and Stouffville lines, whose equipment encountered the signal problems between Union Station and GO's maintenance facility in Mimico. Compounding the delays were several locomotive malfunctions as well.

CN hopes to have the computer problem solved by the end of this week. In the meantime, the railway is altering its operating procedures in order to minimize further impact on GO riders.

GO apologizes for this inconvenience.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Steve Graham, Oracle Corporation Canada, Toronto, Ontario, M5J 2M4
Opinions expressed in this message are those of the author.

------------------------------

Date: Mon, 20 Feb 89 01:36:57 est
From: cliff%cfa204@harvard.harvard.edu (Cliff Stoll)
Subject: Chicago Phone Freak Gets Prison Term

From: telecom@eecs.nwu.edu (TELECOM Moderator) [From Patrick Townson]
Newsgroups: comp.dcom.telecom
Subject: Chicago Phreak Gets Prison Term
Date: 17 Feb 89 06:47:45 GMT
X-TELECOM-Digest: volume 9, issue 65, message 1 of 5

An 18 year old telephone phreak from the northside/Rogers Park community in Chicago who electronically broke into U.S. military computers and AT&T computers, stealing 55 programs was sentenced to nine months in prison on Tuesday, February 14 in Federal District Court here.

Herbert Zinn, Jr., who lives with his parents on North Artesian Avenue in Chicago was found guilty of violating the Computer Fraud and Abuse Act of 1986 by Judge Paul E. Plunkett. In addition to a prison term, Zinn must pay a $10,000 fine, and serve two and a half years of federal probation when released from prison.

United States Attorney Anton R. Valukas said, "The Zinn case will serve to demonstrate the direction we are going to go with these cases in the future. Our intention is to prosecute aggressively.
What we undertook is to address the problem of unauthorized computer intrusion, an all-too-common problem that is difficult to uncover and difficult to prosecute..."

Zinn, a dropout from Mather High School in Chicago was 16-17 years old at the time he committed the intrusions, using his home computer and modem. Using the handle 'Shadow Hawk', Zinn broke into a Bell Labs computer in Naperville, IL; an AT&T computer in Burlington, NC; and an AT&T computer at Robbins Air Force Base, GA. No classified material was obtained, but the government views as 'highly sensitive' the programs stolen from a computer used by NATO which is tied into the U.S. missile command. In addition, Zinn made unlawful access to a computer at an IBM facility in Rye, NY, and into computers of Illinois Bell Telephone Company and Rochester Telephone Company, Rochester, NY.

Assistant United States Attorney William Cook said that Zinn obtained access to the AT&T/Illinois Bell computers from computer bulletin board systems, which he described as '...just high-tech street gangs'. During his bench trial during January, Zinn spoke in his own defense, saying that he took the programs to educate himself, and not to sell them or share them with other phreaks. The programs stolen included very complex software relating to computer design and artificial intelligence. Also stolen was software used by the BOC's (Bell Operating Companies) for billing and accounting on long distance telephone calls.

The Shadow Hawk -- that is, Herbert Zinn, Jr. -- operated undetected for at least a few months in 1986-87, but his undoing came when his urge to brag about his exploits got the best of him. It seems to be the nature of phreaks that they have to tell others what they are doing. On a BBS notorious for its phreak/pirate messages, Shadow Hawk provided passwords, telephone numbers and technical details of trapdoors he had built into computer systems, including the machine at Bell Labs in Naperville.
What Shadow Hawk did not realize was that employees of AT&T and Illinois Bell love to use that BBS also; and read the messages others have written. Security representatives from IBT and AT&T began reading Shadow Hawk's comments regularly; but they never were able to positively identify him. Shadow Hawk repeatedly made boasts about how he would 'shut down AT&T's public switched network'. Now AT&T became even more eager to locate him. When Zinn finally discussed the trapdoor he had built into the Naperville computer, AT&T decided to build one of their own for him in return; and within a few days he had fallen into it. Once he was logged into the system, it became a simple matter to trace the telephone call; and they found its origin in the basement of the Zinn family home on North Artesian Street in Chicago, where Herb, Jr. was busy at work with his modem and computer.

Rather than move immediately, with possibly not enough evidence for a good, solid conviction, everyone gave Herb enough rope to hang himself. For over two months, all calls from his telephone were carefully audited. His illicit activities on computers throughout the United States were noted, and logs were kept. Security representatives from Sprint made available notes from their investigation of his calls on their network. Finally the 'big day' arrived, and the Zinn residence was raided by FBI agents, AT&T/IBT security representatives and Chicago Police detectives used for backup. At the time of the raid, three computers, various modems and other computer peripheral devices were confiscated.

The raid, in September, 1987, brought a crude stop to Zinn's phreaking activities. The resulting newspaper stories brought humiliation and mortification to Zinn's parents; both well-known and respected residents of the Rogers Park neighborhood. At the time of the younger Zinn's arrest, his father spoke with authorities, saying, "Such a good boy! And so intelligent with computers!"
It all came to an end Tuesday morning in Judge Plunkett's courtroom here, when the judge imposed sentence, placing Zinn in the custody of the Attorney General or his authorized representative for a period of nine months; to be followed by two and a half years federal probation and a $10,000 fine. The judge noted in imposing sentence that, "...perhaps this example will defer others who would make unauthorized entry into computer systems." Accepting the government's claims that Zinn was 'simply a burglar; an electronic one... a member of a high-tech street gang', Plunkett added that he hoped Zinn would learn a lesson from this brush with the law, and begin channeling his expert computer ability into legal outlets. The judge also encouraged Zinn to complete his high school education, and 'become a contributing member of society instead of what you are now, sir...'

Because Zinn agreed to cooperate with the government at his trial, and at any time in the future when he is requested to do so, the government made no recommendation to the court regarding sentencing. Zinn's attorney asked the court for leniency and a term of probation, but Judge Plunkett felt some incarceration was appropriate. Zinn could have been incarcerated until he reaches the age of 21.

His parents left the courtroom Tuesday with a great sadness. When asked to discuss their son, they said they preferred to make no comment.

Patrick Townson

------------------------------

Date: Wed, 22 Feb 89 07:54 EST
From: "Joseph M. Beckman"
Subject: Computer Confinement

[Joseph included an article From the Washington Times (2-16-89) and commented thusly:]

It is interesting that the judge wants this person to reform with computers. One would find it incongruous to direct, say, an alcoholic to work in a liquor store (a legal outlet), or an embezzler to work in another financial institution, etc.
Perhaps the penalty or terms of probation should call for the abuser to stay away from that which he is abusing or using to break the law.

Joseph

[Article also noted by Rodney Hoffman.]

------------------------------

Date: Mon, 20 Feb 89 02:48:11 PST
From: roberts%untadh.DEC@decwrl.dec.com (Nigel Roberts)
Subject: Police officers sentenced for misuse of PNC

SUSPENDED SENTENCES FOR COMPUTER BREAK-IN

Three police officers hired by private investigators to break into the Police National Computer received suspended prison sentences at Winchester Crown Court. The private investigators also received suspended (prison) sentences, ranging from four to six months.

The police officers were charged under the Official Secrets Act of conspiring to obtain confidential information from the Police National Computer at Hendon. One of the police officers admitted the charge, but the other two and the private investigators pleaded Not Guilty.

The case arose out of a TV show called _Secret Society_ in which private investigator Stephen Bartlett was recorded telling journalist Duncan Campbell that he had access to the Police National Computer, the Criminal Records Office at Scotland Yard and the DHSS [Department of Health & Social Security --nr] computer. Bartlett said he could provide information on virtually any person in a few hours. He said he had the access through certain police officers at Basingstoke, Hampshire.

Although an investigation proved the Basingstoke connection to be false, the trail led to other police officers and private detectives elsewhere. Most of the information gleaned from the computers was used to determine who owned certain vehicles, who had a good credit record -- or even who had been in a certain place at a certain time for people investigating marital infidelity.

-- From _Personal Computing Weekly_ dated 9/15-Feb-1989.
[Of course, the actions for which the officers and others were sentenced, were not computer break-ins as such, but rather misuse of legitimate access. It seems the phrase "break-in", applied to computers, is almost as fashionable as "virus" with the media at the moment --nr]

------------------------------

Date: Mon, 20 Feb 89 02:41:19 PST
From: roberts%untadh.DEC@decwrl.dec.com (Nigel Roberts)
Subject: The word "virus" causes panic

VIRUS HOAX CAUSED AS MUCH PANIC AS THE REAL THING

Sixth-form student [high-school--nr] and _Popular Computing Weekly_ reader Michael Banbrook gave his college network managers a scare when he planted a message saying that a virus was active on the college system.

Banbrook's message appeared whenever a user miskeyed a password; the usual message would be "You are not an authorised user". It was replaced by the brief but sinister: "A Virus is up and running".

When the message was discovered by the college network manager, Banbrook was immediately forbidden access to any computers at the St. Francis Xavier College at Clapham in South London.

Banbrook, 17, told _Popular Computing Weekly_ that he believed the college has over-reacted and that he had, in fact, thrown a spotlight on the college's lacklustre network security. The college has a 64 node RM Nimbus network running MS-DOS.

"All anyone has to do is change a five-line DOS batch file," says Banbrook. "There is no security at all."

Banbrook admits his motives were not entirely related to enhancing security: "I was just bored and started doodling and where some people would doodle with a notepad, I doodle on a keyboard. I never thought anyone would believe the message."

Banbrook was suspended from computer science A-level classes and forbidden to use the college computers for a week before it was discovered that no virus existed. Following a meeting between college principal Bryan Scalune and Banbrook's parents, things are said to be "back to normal".
-- from Popular Computing Weekly dated 9-15/Feb/89

[I think there are several lessons here. The college seems to have been using networked PCs without realising how an informed ordinary user could change system messages for everyone on the network. The student himself doesn't seem to have been aware of the possible consequences of his "doodling" (echoes of the discussion of the need to educate people about ethics and "proper use"), and of course it is highly revealing to note the knee-jerk way everyone reacted when they saw the currently fashionable buzz-word "virus" on their screens --nr]

------------------------------

From: smb@research.att.com
Date: Sun, 19 Feb 89 21:10:07 EST
Subject: Re: Faking Internet mail [Re: RISKS-8.27]

Yes, it's just as easy to fake netnews articles. In fact, if you're a bit careful, you can not only spoof someone, you can arrange things so that the victim doesn't even see the forged article.

Back when we were designing the original protocols, we discussed the security issue. Since we were using a completely unauthenticated transport medium (uucp), at least as far as the application layer was concerned, we felt that there could be no real security; consequently, we elected to omit all control messages. That decision was subsequently changed by later implementors, and there have indeed been a few problems, albeit mostly inadvertent. But the first public release of ``B netnews'' had some very serious security problems indeed; a forged control message could be used to remove every file belonging to the owner of netnews. In the best case, that was ``merely'' every stored netnews article; in the worst case -- some implementation quirks in then-current versions of the UNIX system -- the recursive remove command would run as root, and could wipe the entire file system.
I don't remember why we didn't adopt a public-key system during the initial design phase; we certainly knew about them, and even had some code (the V7 xsend/xget commands) to model ours on. Most likely, we didn't see the need; we expected a maximum size of 50-100 sites, and 1-2 messages/day.

--Steve Bellovin

------------------------------

Date: Sun, 19 Feb 89 22:15:54 PST
From: "Kevin S. McCurley"
Subject: Faking Internet mail

I guess a lot of people know about faking internet mail. Since the National Science Foundation now accepts reviews of proposals via email, I wonder whether anybody there knows about this? It is rather farfetched to think that somebody would try to fake their reviews, but I wonder if there are many other examples where individuals or organizations are leaving themselves open to fraud this way...

Kevin McCurley, IBM Almaden Research Center

------------------------------

End of RISKS-FORUM Digest 8.29
************************
-------