RISKS-LIST: RISKS-FORUM Digest  Tuesday 21 March 1989  Volume 8 : Issue 43

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Outdated codes made US missiles useless (Henry Cox)
  Risks of dying batteries (Henry Cox)
  Things to do with a computer... (Joe Morris)
  Possible Cancer Risks from Cellular Phones? (Mike Trout)
  Supreme Court and Copyrights (ark)
  Mitnick plea bargain (Rodney Hoffman)
  Re: Risks of telephone access to your bank account (Phil R. Karn)
  Internet Security Plans (Vin McLellan)
  Duplicates due to network lossage? (*Hobbit*)

----------------------------------------------------------------------

Date: Tue, 21 Mar 89 10:25:50 EST
From: henry cox
Subject: Outdated codes made US missiles useless

[ From the Montreal Gazette, 21 March 1989 ]

OUTDATED CODES MADE U.S. MISSILES USELESS

WASHINGTON (Reuter) - The White House said yesterday obsolete electronic-launch
codes were fed into an unspecified number of US land-based nuclear missiles
several years ago, making them temporarily useless.

"In 1986, a few of the missiles in one squadron at Malmstrom Air Force Base were
found to contain outdated codes.  The actual number of missiles involved in the
incident remains classified; however, the ... [sic] alert rate remained above
98 per cent," spokesman Marlin Fitzwater said.

The base Fitzwater referred to is a Strategic Air Command installation in
west-central Montana.  He said the outdated codes, which would have kept air
force personnel from launching the missiles in the event of war, were
discovered during an annual code change.

The presidential spokesman said launch codes for the 1000 US Minuteman
strategic missiles are changed every year, as are codes at the country's 100
launch centres.  "Presumably, the situation has been corrected," he said.
Fitzwater's comments were prompted by a report in the Washington Times, a
right-wing newspaper with strong ties to the White House, which said it
confirmed the error after an eight-month investigation.

While Fitzwater said the exact number of missiles found to be inoperable is
secret, he said: "There weren't very many of these missiles involved."

The newspaper reported five of the 1000 US land-based missiles, each armed with
three nuclear warheads, were temporarily disabled but it said the incident
raises questions about the security and safeguards of all of them.

Henry Cox

   [Also noted in today's Ottawa Citizen.]

------------------------------

Date: Tue, 21 Mar 89 10:06:56 EST
From: henry cox
Subject: Risks of dying batteries

DYING BATTERIES CALL THE POLICE

[ From the Montreal Gazette, 21 March 1989 ]

CLEVELAND (Reuter) - Dozens of calls to police and fire-emergency lines have
been traced to cordless telephones that short-circuit and dial 911 as their
batteries start to die, officials said yesterday.

One suburban police department said it received as many as 25 such calls a day.

A Cleveland police communications expert said it appears failing batteries
caused the devices to emit pulses that sometimes duplicated a 911 call.

   [ Aside from the obvious nuisance factor, there is clear risk if emergency
   personnel are accustomed to receiving many such calls - they may attribute
   the next inexplicable call to a faulty phone.  Henry Cox ]

------------------------------

Date: Tue, 21 Mar 89 12:57:36 EST
From: Joe Morris (jcmorris@mitre.arpa)
Subject: Things to do with a computer...

The following item, reproduced in its entirety (without permission) from the
20 March issue of Digital Review (a DEC-oriented weekly) is both relevant to
security discussions and funny to boot (pun intended).

COMPANY "SAW" SECURITY PROBLEM FOR MICROVAXES

You never know what people are going to do next with a MicroVAX.
System managers at London's Midland Bank, one of Great Britain's largest
clearinghouses, originally felt that their MicroVAXes should be located in the
wholesale systems department.  But the folks who run MIS at Midland decided
that this solution was not secure enough, and that the company's computer room
would provide a safer location.

The security of the computer room, however, was called into question one
weekend afternoon.  "On a Saturday, one of my guys went into the computer room
and saw a carpenter in the process of modifying the room," said Jamie May,
project manager for the wholesale systems department at Midland.  This
carpenter was using two of the MicroVAXes as a kind of workbench to try and
balance the wood he was sawing.

"The dealers can sometimes be animals, but the computers would have been a lot
better off and secure in the dealing room," May added.

------------------------------

Date: 21 Mar 89 18:27:32 GMT
From: miket@brspyr1.brs.com (Mike Trout)
Subject: Possible Cancer Risks from Cellular Phones?

I recently had a discussion with a major electronics guru for a local
television station.  We were talking about microwave transmitters (radar speed
guns, garage door openers, that sort of thing), when he made a dramatic
statement that shocked me: he claimed that cellular phones were extremely
hazardous and probably highly carcinogenic.

This is completely outside my area of expertise, so I can only repeat what he
said.  He claimed that the frequency wavelengths used for cellular phone radio
transmissions were just about equal to the diameter of the human brain cavity.
This, he claimed, accelerated by the fact that the receiver is always held up
against the human skull, sets up highly dangerous conditions within the human
brain.  He said that ten years or so from now we're going to see an explosive
increase in brain tumors among cellular phone users.
He also claimed that some cellular units were far more hazardous than others,
but that ALL of them are carcinogenic.  He said he won't even work on them, and
wouldn't wish a cellular phone on his worst enemy.

This guy is rather eccentric at times, but his knowledge of electronics is
legendary.  His co-workers seemed to share his opinions; one of their
technicians was severely injured some years back by climbing on a transmission
tower during a high-intensity transmission.  Whether this guy knows anything
about human physiology is another question.

Is this nonsense, an urban myth, or is this actually a matter of risk?

Michael Trout
BRS Information Technologies, 1200 Rt. 7, Latham, N.Y. 12110  (518) 783-1161

------------------------------

Date: Tue, 21 Mar 89 14:44:59 EST
From: ark@europa.UUCP
Subject: Supreme Court and Copyrights

The US Supreme Court decided yesterday that state governments, including state
universities, are immune to copyright laws.  I wonder what effect this will
have on the software industry?

------------------------------

Date: 20 Mar 89 18:43:17 PST (Monday)
From: Rodney Hoffman
Subject: Mitnick plea bargain

An article by Kim Murphy in the 16 March 1989 'Los Angeles Times' reports on
the disposition of the case against Kevin Mitnick, "who prosecutors said was as
dangerous with a keyboard as a bank robber with a gun."  [See RISKS 7.95 and
8.3 for earlier reports.]  Edited excerpts from the latest article:

Mitnick pleaded guilty to one count of computer fraud and one count of
possessing unauthorized long-distance telephone codes.  He admitted penetrating
a DEC computer in Mass., secretly obtaining a copy of a sophisticated computer
security program which the company had spent $1 million to develop.  The
program, said Mitnick's attorney, was designed to alert companies when their
computers had been penetrated by hackers like Mitnick.  Mitnick never attempted
to sell or distribute the program, he said.
Mitnick also admitted possessing 16 unauthorized MCI long-distance codes that
enabled him to make long-distance telephone calls without charge.  A prosecutor
said Mitnick used the codes to make connections to computers.

Mitnick faces one year in prison.  Under a plea agreement with the government,
he must also submit to three years' supervision by probation officers after his
release from prison.  Prosecutors said they agreed to a 12-month sentence
because the amount of financial damage was relatively low.  DEC lost about
$100,000 to $200,000 in computer "down time" investigating the security program
theft.

As part of the plea agreement, prosecutors agreed to dismiss two additional
counts charging Mitnick with illegally accessing the Leeds Univ. computer in
England and a separate charge related to the DEC computer program.

------------------------------

Date: Mon, 20 Mar 89 13:50:29 EST
From: karn@thumper.bellcore.com (Phil R. Karn)
Subject: Re: Risks of telephone access to your bank account

Brint Cooper makes the point that cellular phone isn't "telephone", it's radio.
True enough, the braindamaged ECPA notwithstanding.  But even calls placed
between conventional telephones can, on occasion, be almost as easily
intercepted.  To demonstrate:

1. Obtain or set up a standard TVRO (Television Receive Only) satellite earth
   station.  The receiver should have a "composite video" output jack (now
   pretty much standard, since VideoCipher descramblers need them).

2. Connect the aforementioned composite video jack into the RF input of a
   garden variety "shortwave" (HF) communications receiver set for single
   sideband (SSB) reception.

3. Aim the satellite dish at one of the AT&T Telstar satellites and find a
   transponder that doesn't seem to be carrying video.

4. Tune around below 6 MHz or so with the SSB receiver.

Rumor has it that dedicated circuits belonging to travel reservation services
have been heard in this manner.
Phil

------------------------------

Date: Tue, 21 Mar 89 08:56:29 PST
[From: Vin McLellan]
Subject: Internet Security Plans

INTERNET COMPUTER NETWORK TO USE CODE TO ENSURE PRIVACY
By VIN McLELLAN, c.1989 N.Y. Times News Service

BOSTON -- Officials of Internet, the computer network that ties together
hundreds of academic, government and corporate networks, are planning to begin
a program that will permit users to send messages to one another in what is
intended to be an unbreakable code.

At present, users communicating over the network have little privacy.
Sophisticated users can easily intercept and read messages.  This lack of
security has increasingly worried computer experts as the use of the networks
has spread.  For many scientists and engineers, the networks have become a
mainstay in their communications, used to exchange research results as well as
carry on conversations that would otherwise occur over the telephone.

Under the new system, not only can an encrypted message be sent but the message
will carry concealed information that will leave no doubt for the recipient
that the person who says he sent the message did indeed send it.  The recipient
will also know with certainty that the message has not been altered.

Developers of the technology say the encryption will provide users with
``digital envelopes'' that cannot be opened except by the addressee, and the
contents will have ``digital signatures'' that cannot be forged.

The encryption will be offered to 400 computer networks that are tied by the
Internet network.  The system will be based on one devised by RSA Data Security
Inc. of Redwood City, Calif., that uses ``public key encryption'' techniques
developed in the late 1970's by federally financed researchers at the
Massachusetts Institute of Technology.

PKE, as the encryption technique is known, involves two ``keys,'' one public
and one secret.  Each user has a secret key and a public one that is published
in a directory, just as phone numbers are.
Someone uses the recipient's public key to send a message and the recipient
uses his secret key to decode it.

The Internet proposal comes just as RSA and the Digital Equipment Corp. of
Maynard, Mass., have agreed to give Digital full access to the same technology
that Internet proposes to use.  DEC is expected to announce the agreement
today.  Digital officials said they expected to integrate RSA's technology into
a broad array of software and hardware products.

``The events of the past two years have shown that security has now become a
necessary aspect of reliable distributed computing,'' said Robert Schleelein,
manager of strategic relations for Digital's network and communications group.
He was referring to numerous recent cases in which intruders have entered
computer networks.

The agreement between Digital and RSA could give Digital a competitive edge in
providing future computer equipment to users of the networks who want to take
advantage of its new encryption technology.  It will also probably mean that
RSA's public key encryption technology, which is proprietary, could become the
encryption standard on computer networks.

``Those of us who are involved in setting standards don't like to include in a
standard anything that is a proprietary technology,'' noted Dr. Stephen Kent,
chairman of the Internet Task Force on Privacy.  ``Adopting RSA, we have
violated that rule of thumb, but we've done it with the full knowledge that we
were doing it, and because we felt there were no other viable alternatives.''

Kent, chief scientist at BBN Communications Inc., in Cambridge, Mass., said the
Internet standard was the result of more than two years of joint efforts by
representatives from BBN, the Mitre Corp., the Xerox Corp., Digital, Texas
Instruments Inc., University College in London, the Lawrence Livermore National
Laboratory and the Commerce Department's Institute of Standards and Technology.
Digital's adoption and explicit endorsement of the RSA technology is itself a
``tremendous advance in information security,'' said John O'Mara, executive
director of the Computer Security Institute, an association of 3,000 corporate
data security officers.

------------------------------

Date: Tue, 21 Mar 1989 14:41:56 EST
From: *Hobbit*
Subject: Duplicates due to network lossage?

Has anyone else been receiving complaints about lots of duplicate messages from
people at particular sites?  Some of these poor victims are getting on the
order of 25 copies of one message.  I've done some queue-watching and it
appears that the SMTP dialog in these cases flies right along, no problem,
until the . after the DATA, whereupon the remote host just sits there
[ostensibly trying to deliver the message], and my end times out and requeues
the message.  Meanwhile the foreign end, not particularly caring that the
sender nuked the connection, finally figures out what it was doing and delivers
the message.  While (stuck) repeat...

We've been having some network problems down here over the past couple of
days, but one would think that once the connection is open and the dialog is
running, you wouldn't get an inordinate delay *ONLY* after the DATA is sent.
What's going on with these sites?  Below I have included a list of offenders I
could find on the Security list.  Any ideas?  I'm running regular ole sendmail,
and everything's working fine otherwise; it's just that these hosts refuse to
acknowledge receipt of the message.  They are running a bunch of different
mailers, as well, so it isn't a problem with a particular type of mailer
[although I've seen that sort of thing in the past].
_H*

"slow" hosts follow:

  AI.AI.MIT.EDU, asd.wpafb.af.mil, bbn.com, BCO-MULTICS.ARPA, cam.unisys.com,
  CCA.cca.com, CCINT1.RSRE.MOD.UK, cs.ucla.edu, EDN-VAX.ARPA,
  gateway.mitre.org, ibm.com, maths.bath.ac.uk, MITRE.ARPA,
  mitre-bedford.ARPA, mitre-gateway.arpa, mizar.usc.edu, msc.umn.edu,
  MWUNIX.MITRE.ORG, nems.arpa, opus.cray.com, prime1.lancashire-poly.ac.uk,
  RADC-TOPS20.ARPA, rand.org, relay.cs.net, relay.mod.uk, sdcrdcf.arpa,
  stony-brook.scrc.symbolics.com, stripe.SRI.com, tis.llnl.gov,
  ucbarpa.berkeley.edu, UCBVAX.BERKELEY.EDU, vaxa.isi.edu, vax.bbn.com,
  venera.isi.edu, wb3ffv.ampr.org

   [I still get a monster BARFlist each time I send an issue.  I try to be
   charitable before axing an address or a site.  ("Clean up your axe?")  PGN]

------------------------------

End of RISKS-FORUM Digest 8.43
************************
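Editor's addendum, not part of the digest or of any contributor's text: a small Python illustration of the public-key "digital envelope" and "digital signature" that Vin McLellan's item above describes in prose. It uses textbook RSA (encrypt with the recipient's public key, decrypt with the secret key; sign with the sender's secret key, verify with the public key) on constructed toy-sized primes with no padding; the key pairs, the names Alice and Bob, the message and the hash-then-reduce step are assumptions made for the demonstration, not anything taken from RSA Data Security's product or the Internet privacy standard the article reports on.

```python
# Editorial illustration of the "digital envelope" / "digital signature" idea
# from the Internet Security Plans item.  Textbook RSA with constructed toy
# primes; not RSA Data Security's code and far too small for real use.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int   # modulus, published with e in the "directory"
    e: int   # public exponent
    d: int   # secret exponent, never published


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Derive an RSA key pair from two primes (toy sizes here)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return KeyPair(n, e, d)


def seal(plaintext: int, recipient: KeyPair) -> int:
    """Digital envelope: anyone can seal with the public key, only the
    holder of recipient.d can open it."""
    if not 0 <= plaintext < recipient.n:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(plaintext, recipient.e, recipient.n)


def open_envelope(ciphertext: int, recipient: KeyPair) -> int:
    return pow(ciphertext, recipient.d, recipient.n)


def message_digest(message: bytes, n: int) -> int:
    # Assumption for the toy: hash the message and reduce modulo n so the
    # digest fits in a single RSA block.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, signer: KeyPair) -> int:
    """Digital signature: only the signer's secret key can produce it."""
    return pow(message_digest(message, signer.n), signer.d, signer.n)


def verify(message: bytes, signature: int, signer: KeyPair) -> bool:
    """Anyone holding the signer's public key can check the signature;
    any alteration of the message makes the check fail."""
    return pow(signature, signer.e, signer.n) == message_digest(message, signer.n)


def demo() -> dict:
    # Constructed toy primes just above 10**6.
    alice = make_keypair(1000003, 1000033)
    bob = make_keypair(1000037, 1000039)
    secret = 123456789
    envelope = seal(secret, bob)              # Alice seals with Bob's public key
    signature = sign(b"hello bob", alice)     # Alice signs with her secret key
    return {
        "opened": open_envelope(envelope, bob),             # Bob recovers the secret
        "sig_ok": verify(b"hello bob", signature, alice),   # unaltered message checks
        "tampered_ok": verify(b"hello bob!", signature, alice),  # altered: fails
        "wrong_key_opens": open_envelope(envelope, alice) == secret,  # Alice's key: no
    }


if __name__ == "__main__":
    print(demo())
```

The four results of demo() map onto the article's four claims: the envelope opens only for the addressee, the signature verifies for the unaltered message, the same signature fails once the message is changed, and a different secret key does not open the envelope.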
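Editor's addendum to *Hobbit*'s "Duplicates due to network lossage?" item, not part of the posting: a discrete model in Python of the failure mode described there. The sender completes the SMTP dialog, waits a fixed time for the reply to the terminating ".", gives up and requeues; the receiver, which already holds the whole message, delivers it anyway on every attempt. The delays, timeout, attempt limit, host behaviour and Message-ID are constructed for the model; this is not sendmail's code. The `dedupe` switch models a receiver-side mitigation (suppressing a Message-ID already seen) that the posting itself does not discuss.

```python
# Editorial model of the duplicate-delivery loop from the RISKS 8.43 item.
# Constructed discrete simulation; no real sockets, timers or sendmail.
from dataclasses import dataclass, field


@dataclass
class SlowReceiver:
    reply_delay: int                 # seconds it takes to answer the "." (constructed)
    dedupe: bool = False             # mitigation: drop copies whose Message-ID was seen
    delivered: list = field(default_factory=list)   # (message_id, body) actually delivered
    seen_ids: set = field(default_factory=set)

    def end_of_data(self, message_id: str, body: str) -> int:
        """The receiver has the complete message once '.' arrives and commits
        it whether or not the sender is still listening.  Returns how many
        seconds pass before its '250 OK' would reach the sender."""
        if not (self.dedupe and message_id in self.seen_ids):
            self.delivered.append((message_id, body))
        self.seen_ids.add(message_id)
        return self.reply_delay


def send_with_retries(receiver: SlowReceiver, message_id: str, body: str,
                      timeout: int, max_attempts: int) -> tuple:
    """Sender behaviour from the posting: the dialog up to DATA 'flies right
    along', then the sender waits `timeout` seconds for the reply to '.',
    times out, drops the connection and requeues the message.
    Returns (attempts_made, acknowledged)."""
    for attempt in range(1, max_attempts + 1):
        reply_after = receiver.end_of_data(message_id, body)
        if reply_after <= timeout:
            return attempt, True      # 250 OK seen in time: leaves the queue
        # timed out: sender "nukes" the connection, message stays queued
    return max_attempts, False        # still queued after the last try


def simulate(reply_delay: int, timeout: int, max_attempts: int,
             dedupe: bool = False) -> dict:
    rcv = SlowReceiver(reply_delay=reply_delay, dedupe=dedupe)
    attempts, acked = send_with_retries(
        rcv, "<constructed-id@example.invalid>", "RISKS digest body",
        timeout, max_attempts)
    return {"attempts": attempts, "acknowledged": acked,
            "copies_delivered": len(rcv.delivered)}


if __name__ == "__main__":
    # Slow host answering the "." after 300 s, sender giving up after 120 s.
    print(simulate(reply_delay=300, timeout=120, max_attempts=25))
    print(simulate(reply_delay=300, timeout=120, max_attempts=25, dedupe=True))
    print(simulate(reply_delay=60, timeout=120, max_attempts=25))
```

The model shows why the sender cannot do better on its own: after "." the message is already in the receiver's hands, and a lost reply is indistinguishable from a dead host, so each timed-out retry yields one more delivered copy (the 25 copies the posting mentions need only 25 retries). The Host Requirements RFC published later that year (RFC 1123, section 5.3.2) addresses exactly this window by recommending that a sender wait at least ten minutes for the reply to the end-of-data line; the receiver-side Message-ID check is the other half of the defence.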