----MESSAGE-BEGIN----
<1987120102404000>
From: *Hobbit* 2-Dec-1987 10:20:40
To: security
Subj: [2413] virus alert

[This has been all over numerous other mailing lists; some of you may not have seen it yet. _H*]

Virus Invades Lehigh University

Last week, some of our student consultants discovered a virus program that's been spreading rapidly throughout Lehigh University. I thought I'd take a few minutes and warn as many of you as possible about this program since it has the chance of spreading much farther than just our University. We have no idea where the virus started, but some users have told me that other universities have recently had similar problems.

The virus: the virus itself is contained in the stack space of COMMAND.COM. When a pc is booted from an infected disk, all a user need do to spread the virus is to access another disk via TYPE, COPY, DIR, etc. If the other disk contains COMMAND.COM, the virus code is copied to the other disk. Then, a counter is incremented on the parent. When this counter reaches a value of 4, any and every disk in the PC is erased thoroughly. The boot tracks are nulled, as are the FAT tables, etc. All Norton's horses couldn't put it back together again... :-) This affects both floppy and hard disks. Meanwhile, the four children that were created go on to tell four friends, and then they tell four friends, and so on, and so on.

Detection: while this virus appears to be very well written, the author did leave behind a couple footprints. First, the write date of the command.com changes. Second, if there's a write protect tab on an uninfected disk, you will get a WRITE PROTECT ERROR... So, boot up from a suspected virus'd disk and access a write protected disk - if an error comes up, then you're sure. Note that the length of command.com does not get altered.

I urge anyone who comes in contact with publicly accessible (sp?) disks to periodically check their own disks. Also, exercise safe computing - always wear a write protect tab.
:-)

This is not a joke. A large percentage of our public site disks has been gonged by this virus in the last couple days.

Kenneth R. van Wyk, User Services Senior Consultant,
Lehigh University Computing Center (215)-758-4988
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120104125300>
From: "Louis S. Graham" (GC-CDSI) 2-Dec-1987 11:52:53
To: security@RUTGERS.EDU
Subj: [690] All related computer crimes and outcome.

To all interested parties,

I have been assigned to give a computer security briefing on how essential computer security is needed here at this ARMY site. Any information anyone can provide me with in reference to computer crimes, what the outcome of the event was, if possible, what kind of controls were put in place because of the incident. Also whatever material you may have relating to this subject will be greatly appreciated.

Louis Graham, EDP Security Analyst
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120116402000>
From: uunet!kitty!larry@RUTGERS.EDU (Larry Lippman) 3-Dec-1987 00:20:20
To: security@RUTGERS.EDU
Subj: [1856] Vehicle Locating Devices

> Does anyone know where to conveniently purchase some kind of device
> to place in a car to track where that car is going?

If you have a minimum of $10K to spend, you can do it "the right way"...

There is a company called Ocean Applied Research (O.A.R.) in San Diego which manufactures sophisticated radio direction finders and locating transmitters. The direction finders are available in various models which cover frequency ranges from LF (0.05 MHz) to UHF (520 MHz). These direction finders provide a polar oscillographic display of bearing and relative signal strength. These systems use stationary antennas of the Adcock-type for fixed or marine installation, and of a low-profile ferrite loop type for vehicular or aircraft installation.

The O.A.R. direction finding equipment is fairly compact, and is suitable for permanent or temporary installation aboard ships, aircraft and vehicles. O.A.R.
direction finding equipment is extensively used for search and rescue operations, animal tracking for natural sciences research, location of unlawfully-operated radio transmitters, and for "other" purposes. O.A.R. is considered the "Cadillac" of non-milspec direction finding apparatus (you don't even want to _know_ the cost of equivalent military-grade apparatus).

O.A.R. does manufacture transmitters for tracking purposes, although most of their transmitters are intended for oceanographic studies.

<> Larry Lippman @ Recognition Research Corp., Clarence, New York
<> UUCP: {allegra|ames|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry
<> VOICE: 716/688-1231 {hplabs|ihnp4|mtune|utzoo|uunet}!/
<> FAX: 716/741-9635 {G1,G2,G3 modes} "Have you hugged your cat today?"
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120221554700>
From: *Hobbit* 4-Dec-1987 05:35:47
To: security@RED.RUTGERS.EDU
Subj: [742] Best control wrench

Note that since the control shell is only .0125 inch thick at the bottom of the keyway where the holes are, and the proposed tool must exert *no* tension between the plug and the control shell, you have a difficult machining problem here. Do such tools actually exist, and do they work at all well given the relatively tight tolerances involved [which can probably vary from lock to lock within a certain amount]?? Obviously there will be one tool per keyway, but even something with an exact keyway fit and a short little pin on the bottom may still torque the normal shear line enough to confuse matters.

_H*
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120223450800>
From: 4-Dec-1987 07:25:08
To: security@ubvm
Subj: [1410] Computer security systems.

Frankly, this computer security issue is the biggest load of bilge I've ever heard. It seems so obvious that most computers should not be open, the whole issue is a waste of bandwidth.

Banks have safes. Houses and cars have locks.
I doubt that the proponents of "open-systems" leave their houses and cars unlocked. Our society suffers the inconvenience of security not because the society as a whole is bad, but rather because a select few are bad. And so we must all suffer the inconvenience.

Those who think systems should be open must also believe that all people are good. Talk about a pipe dream. History has proven that computer security is necessary. Those who choose to ignore this are either destined to repeat history, or should see the reality of things.

I don't want to really get into politics here, but consider this example. Why do the Soviets and the U.S. have such an arms buildup? Why do we spend so much on security? Gracious, the Soviet secretary general has never even SEEN this country. The answer is simple. Because neither country can ASSUME the other won't try something. That would be reckless, and there is too much at stake.

Computers (and any security for that matter) must work on the same principles. One cannot ASSUME safety. One must ensure it.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120301450800>
From: David Millman 4-Dec-1987 09:25:08
To: SECURITY@red.rutgers.edu
Subj: [1002] Lock Query

I inherited an "Abloy" lock on my front door. Was wondering if the lock theory experts on this list have had any experience or comments about this sort of lock.

It's a bit conventional: metal-key-in-hole-in-cylinder. But the key and the hole have very little orientation (much less than Medeco) and, when turning the cylinder, there seems to be a very loose fit.

Locksmiths in the area (Manhattan, lots of lock stores) don't know anything about it. And the original owner said you have to send proof of purchase to Scandinavia to key a duplicate key.

Is this lock of any theoretical interest?

-----------------------------------------------------------------------------
David Millman    arpa: dsm@cunixc.columbia.edu
Sr.
Analyst/Programmer    bitnet: dsmus@cuvma
Columbia U Computer Center    uucp: ...rutgers!columbia!cunixc.columbia.edu!dsm
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120306385400>
From: Mike Linnig 4-Dec-1987 14:18:54
To: security@RED.RUTGERS.EDU
Subj: [1928] RE: Re: Picking locks on pay phones

I worked as a telco lineman one fall (an engineering co-op job). As part of that work we had to go around and extract the cash boxes from the payphones. They gave us a large ring of keys (not a master key). Incidentally, we never really touch the coins, they fall into a coin box that gets replaced when we open up the phone.

As for the phones being alarmed, I really don't believe it. Except for high crime areas maybe. On one occasion we had a phone that would not open at all. The key mechanism was jammed (it came from a high school -- I wonder who jammed it?). I got to try and break into the phone -- fun fun.

We tried drilling out the lock. We trashed a drill bit or two doing it but we managed to get a nice hole through the lock cylinder. Well, that was fun, but it got us nowhere. It still wouldn't open.

We decided to take the phone off of the wall. The mounting bracket was designed so that you only had access to the mounting screws if the phone was unlocked. I really don't remember how we did it, but we got it off of the wall (probably by brute force -- I had a BIG partner). By the way, no alarms went off. No police arrived on the scene. Remember this was in a high school -- If they alarmed phones in general, I wouldn't expect them to have the high school phone disabled.

Anyway, we managed to get the damn thing open by lots of prying with large screwdrivers (used as crowbars) and some hammering. The phone was totally worthless -- but we got the money back to the telco (the phone had to be replaced anyway, can't leave them until they fill up with coins).

This was a small telco in southern Indiana, Bell systems and GTE may do things differently.

Mike

ps.
Don't do this with your phones, someone MAY get annoyed (grin)
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120307122500>
From: bzs@bu-cs.bu.edu (Barry Shein) 4-Dec-1987 14:52:25
To: psw@wolfgang.arpa
Subj: [569] master key security

One would think the decision to re-key or not would be settled by a conversation between the University's and their Insurance company's lawyers. Unless they don't mind leaving the campus in a situation where claims might be disallowed based on a lack of minimally acceptable security practices.

Most Universities self-insure up to a high deductible ($100K is not unusual) but something as global as this can easily threaten that deductible.

-B
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120308184000>
From: gwyn@brl-smoke.arpa (Doug Gwyn ) 4-Dec-1987 15:58:40
To: misc-security@uunet.uu.net
Subj: [2178] Re: Home Locksmith Courses

>might have an opinion (uh-oh! I'm asking for it) on the worth of the
>so called 'home locksmith' courses that one sees advertised in magazines.

The Belsaw locksmithing course is fairly good, and you end up with a key machine that is adequate for most routine key cutting. You also have the opportunity to purchase supplies, and as I recall you can start a subscription to the National Locksmith magazine, which gets you bonded.

Most communities require practicing non-student locksmiths to be registered; some have started to require certification tests. It is a good idea to comply, since otherwise they might run you in for possession of "burglar tools". (This despite the fact that very few actual burglars use locksmithing tools, except possibly for automobile door opening tools.)

Once you have your student locksmith card and National Locksmith subscription, it isn't too difficult to get locksmith supply companies to deal with you. You might consider investing in a supply of professional business cards, saying something like "Joseph M. Blow -- Security Consulting Services".
When I was at Rice, a group of students set up a small firm "Richard E. Ingram Associates" and had letterheads printed, etc. It doesn't take very much to gain some degree of credibility in the business world.

You can also perhaps get a limited amount of equipment and supplies from a company like Curtis that supplies the corner 7-11 key shop. They're mostly good for key blanks and of course key machines. The "Curtis code clipper" was a handy little portable device for making keys by code; that and a Curtis Master padlock code book would get you into a lot of places (because people often don't erase the code number printed on the face of Master padlocks). I even had a favorable Dun & Bradstreet rating for a while as a result of dealing with Curtis.

If you're going to get into the locksmith business, please make sure you develop a good sense of professional ethics, not using your skills to trespass or cause damage or loss to others.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120308505800>
From: csi!csib!lgold@spam.istc.sri.com (Lynn Gold) 4-Dec-1987 16:30:58
To: psw@wolfgang.arpa (Phil Wherry)
Subj: [658] Re: master key security

>I can say from more-or
>less first-hand experience that a college administration's reaction is to
>merely shrug their shoulders and cross their fingers in the wake of a fairly
>major breach of master key security.

Columbia University was the same way. There were two or three sets of master keys MISSING, yet they did not want to re-key the locks. I guess they figure that the amount in labor (union wages) isn't worth paying when everything the school cares about is insured anyway....

--Lynn
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120313024100>
From: decvax!felix!chuck@ucbvax.berkeley.edu (Chuck Vertrees) 4-Dec-1987 20:42:41
To:
Subj: [862] Re: master key security

>What will the administration do if they find such a lock has
>been removed by brute force?

I once worked at a high school and they had just this problem.
Someone had compromised the master and they were faced with finding a solution. This particular school was constructed in a campus type arrangement with ten buildings, each with eight exterior doors. Keying was in a master/submaster/individual scheme, layered as appropriate. The school system had their own internal locksmith department, doing all the keying themselves. Budgets being what they are, they took the cheap way out. They designated two exterior doors in each building to be re-keyed and plugged all the others with epoxy.

Chuck V.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120313390900>
From: Bob Kusumoto 4-Dec-1987 21:19:09
To: security@rutgers.edu
Subj: [1096] Re: Picking locks on pay phones

I don't know about these new phones that other companies other than MaBell are putting out but the old standard pay phones are not alarmed. They have 8 tumbler locks on them so it is VERY difficult to pick these open. I have heard stories about people hooking up a van to a pay phone to pull it out and the axle was ripped out from the van. Another story from the north (Canada) was to pour water into the coin slot, let it freeze over then hit the phone so it splits open. The reason why the phone company switched to these more secure pay phones was that people were breaking into the older models and they needed to collect more money (by the way, the phone company spends approx $1800 per pay phone plus any other extras they want to add like a light or special set-up for it).

Hope this information helps.
Bob Kusumoto
Internet: kus3@sphinx.uchicago.edu
BITNET: kus3@sphinx.uchicago.bitnet
UUCP: ...{!inhp4!gargoyle,!oddjob}!sphinx!kus3
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120401574400>
From: uunet!kitty!larry@RUTGERS.EDU (Larry Lippman) 5-Dec-1987 09:37:44
To: security@RUTGERS.EDU
Subj: [3628] Submission for misc.security (Coin telephone security)

> He told me that they were alarmed, and that if you open
> one even with a key at the wrong time, telco will phone the police.

If this is true, it only applies to newer electronic coin telephones, and NOT the traditional single-slot coin telephones such as the WECO free standing types (1A, 1C series) or the WECO "panel-mounting" types (2A, 2C series).

The only thing close to an "alarm" is that some coin telephones had a coin "bank" [the proper term] with an electrical contact on the top. When the bank gets full of coins, a ground is effectively placed on this contact. This ground is placed in series with a resistor which places a high resistance ground to one side of the telephone line. This condition can be periodically scanned by automatic equipment in the central office to ascertain if a coin telephone bank is full. Actually, I have only seen this done on some early multi-slot coin telephones during the 1960's, and I don't believe this feature was even provided on single-slot coin telephones.

Coin telephone repairpersons usually have no keys for access to the coin bank portion of a coin telephone. There is actually no need for them to have access, since all repairs can be made with the upper housing opened. Opening the upper housing gives no access to the coin bank; you would need something like string and chewing gum :-) to extract any coins from the bank. Restricting coin bank keys to coin collection (and not repair) personnel gives telephone companies a better sense of security.

Coin banks have a sliding cover with an interesting lever mechanism; the coin banks are intended to be provided with a wire seal.
With the seal intact, the bank can be inserted and removed from a coin telephone ONLY ONCE. There is no way to remove a full coin bank and open the cover to get access to the coins without breaking this seal.

Quite frankly, telephone company security personnel seem more paranoid about employee theft from coin telephones than from theft committed by the general public. Occasionally, a malfunctioning coin collection mechanism will cause a few coins to spill into the upper housing where a repairperson might have access to them. The proper procedure is to take the coins, place them in a special envelope, label it and seal it right away; the envelope is to be turned in to supervisory personnel as soon as possible. Some BOC security personnel seem to have nothing better to do than plant "marked" coins in the upper housing of a coin telephone, and try to bait some repairperson into not properly turning in the money.

I also find amusing the following introductory paragraph as quoted from a BOC coin telephone service manual:

"Social changes during the 1960s made the multi-slot coin station a prime target for: vandalism, strong arm robbery, fraud and theft of service. This brought about the introduction of the single slot coin station and a new environment for coin service."

Social changes?! :-)

My knowledge of coin telephones ended with the single-slot series mentioned above. I have almost no idea what happens inside the new-fangled coin telephones with CRT's and credit-card readers.

<> Larry Lippman @ Recognition Research Corp., Clarence, New York
<> UUCP: {allegra|ames|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry
<> VOICE: 716/688-1231 {hplabs|ihnp4|mtune|utzoo|uunet}!/
<> FAX: 716/741-9635 {G1,G2,G3 modes} "Have you hugged your cat today?"
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120405374700>
From: sundc!netxcom!dgidez@seismo.css.gov (Daniel Gidez) 5-Dec-1987 13:17:47
To: seismo!misc-security@seismo.css.gov
Subj: [483] Re: virus alert

A word of note, working part time as a reservationist for an airlines, I came across a call from a frantic person who was trying to trace a lost bag, I asked him the contents and he explained about the virus... he told me it was to be used in some systems going overseas... it could be some college student got hold of this....
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120413421600>
From: quintus!gregg@Sun.COM (W. Gregg Stefancik) 5-Dec-1987 21:22:16
To: security@red.rutgers.edu
Subj: [2152] Locksmithing School directory and commentary

A list of locksmithing schools appeared in this month's National Locksmith. For those of you who can't obtain a copy I have retyped the list below:

Acme School Locksmithing Division
11350 S. Harlem
Worth, IL 60482
312 361 3750

Foley Belsaw Institute
6301 Equitable Rd.
Kansas City, MO 64120
800 328 7140

California Institute of Locksmithing
14721 Oxnard St.
Van Nuys, Ca 91411
818 994 7426

HPC Learning Center
PO Box 2093
Schiller Park, IL 60176
312 671 6445

Locksmithing Institute
1500 Cardinal Drive
Little Falls, NJ 07424
201 256 4512

NRI Schools
3939 Wisconsin Ave.
Washington, DC 20016
202 244 1600

NY School of Locksmithing
152 W. 42nd St.
New York, NY 10036

Security Education Plus
PO Box 497
Nicholasville, KY 40356
606 887 6027

Universal School of Master Locksmithing
3201 Fulton Ave.
Sacramento, CA 95821
916 482 4216

I have had some experience with two of the above schools. I graduated from the Foley Belsaw Institute course which does a reasonable job of covering the basics, but the course is a bit dated. You will not learn about interchangeable cores, opening modern cars, or pushbutton locks.
Foley Belsaw does provide you with the connections to obtain proper bonding and subscriptions to the two popular trade magazines (National Locksmith and Locksmith Ledger). Foley Belsaw will also provide you with locksmithing supplies at a reasonable cost, but once you make connections via the trade publications the sky is the limit. It is a wonderful way to increase your locksmithing knowledge and be right with the law at the same time. They also provide you with an extremely useful key machine which can copy keys and cut them by code w/o depth keys.

I sent away for the NRI course information and found that while the course was a little better packaged than the Foley Belsaw course it cost roughly 3 times as much! I would not recommend the NRI course unless you have big bucks to burn.

Gregg Stefancik
Foley Belsaw Certified Locksmith
quintus!gregg
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120503290100>
From: brock@pnet01.cts.com (Brock Meeks) 6-Dec-1987 11:09:01
To: crash!security@rutgers.arpa@bass.nosc.mil
Subj: [849] Re: Picking locks on pay phones

Steve, I have happened to get a copy of that article you read in the Blade re: the guy with the special tools. I asked at NATA, of the Medeco folks, if they had heard of our San Diego coin bandit, they had, he is the *same* guy as in the Blade; an industry legend. Seems the security folks have tracked him across the nation. He used to be a machinist. He's never hit a Medeco lock, only "old telco" boxes (whatever those are).

As for the 20 minute time frame? Forget it. The guys I talked to said, "He's just about as fast as a guy with a key." The favorite story: the time he cracked a box right before jumping on an airline, in broad daylight, waiting to board a plane.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120503293000>
From: brock@pnet01.cts.com (Brock Meeks) 6-Dec-1987 11:09:30
To: crash!security@rutgers.arpa@bass.nosc.mil
Subj: [1581] Re: Picking locks on pay phones

> He told me that they were alarmed, and that if you open one, even with a
> key at the wrong time, telco will phone the police.

This is wrong, according to the pay phone specialists I interviewed for an article I wrote. I was just at the North American Telecomm. Association show in Dallas, and they had a big payphone pavilion there. The only way these guys know a phone has been hit is when they come to empty it.

I spoke with the folks at Medeco (they had a big display of their "virtually pick proof" lock) and they verified the problem with pay phone locks. You see, it seems that with the influx of private pay phones, these guys were starting to toss "crap on the market" (crap being locks) and they cared more about profits than good security (a topic of conversation that only recently began getting any kind of hearing in the pay phone industry).

BUT...cracking the lock box is not the BIG DEAL. The *real* story is that guys are ripping off the expensive COMPUTER BOARDS and electronics in the upper half of the phones. These boards run some $300 or $400 a piece and according to one security analyst, "There's a huge black market for these boards."

Interestingly enough, the locks protecting the electronics are far easier to pick than the coin box lock. "These guys are more worried about protecting $20-$50 in coins rather than $300-$400 in electronics," the rep from Medeco said.

You figure it.
----MESSAGE-END----

----MESSAGE-BEGIN----
<1987120508022800>
From: jb7m@andrew.cmu.edu (Jon C. R. Bennett) 6-Dec-1987 15:42:28
To: security@RUTGERS.EDU
Subj: [2223] Re: Computer Security Systems

>I suspect that vandalism would still be rare (my basic optimism in humanity)
>but when it did occur it would be drastic

I tend to agree with that statement.
It seems to me that the basic problem is that you are going to let all these people loose on the system and then for fun one of them is going to delete the system. However you are forgetting one thing: in such a system, if you kept track of deletions and zero length overwrites and the like, you could take real world action against such people, i.e. you can do what you want but if we catch you the results are going to be messy.

Another solution is to have a large elite, i.e. the number of people who would have total access would be larger than it is now and people would get to such a position simply by being trustable in the eyes of the current users.

I don't know if any of you know of MIT's ITS (Incompatible Timesharing System) in which the users had free roam. When you login to ITS it tells you how many users there are on the system

USERS : 5

but someone changed it to say

LOSERS: 5

it was changed back and forth a few times and finally settled on

LUSERS: 5

something that was acceptable to all.

Another complaint is that someone will eat up all of the CPU or disk space but what you don't see is that if everyone is equal then if there are 5 people on the system then if everyone is using CPU munching programs then the CPU time will be split 5 ways and if someone does not need all of theirs it will be split among the rest. As far as disk space, split it evenly among the users and if someone needs more they can have it by general consensus.

My basic point is that the users are responsible to someone, they are responsible to the group and if that is not enough then they should not be admitted to the group. It may appear that I am contradicting myself by saying there should be a group, but I bow to reality in that there will always be people that can not be trusted but if they are allowed to use the system then it should be as equals not as subordinates.

Jon Bennet
jb7m@andrew.cmu.edu
----MESSAGE-END----
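
Added example, not part of the original digest or of any poster's message: the Lehigh alert at the top of this digest notes that an infected COMMAND.COM shows a changed write date but an unchanged length. The Python sketch below records length, write date and a SHA-256 digest for a known-clean copy and reports which of those footprints moved; the content digest goes beyond the checks named in the alert, and the file bytes, timestamps and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    size: int     # file length in bytes
    mtime: int    # write date, whole seconds
    sha256: str   # content digest (an addition beyond the alert's checks)


def snapshot(path):
    """Record length, write date and digest of a file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return Baseline(st.st_size, int(st.st_mtime), digest)


def compare(baseline, path):
    """Return the footprints that differ from the baseline, in fixed order."""
    now = snapshot(path)
    findings = []
    if now.sha256 != baseline.sha256:
        findings.append("content")
    if now.size != baseline.size:
        findings.append("length")
    if now.mtime != baseline.mtime:
        findings.append("write-date")
    return findings


def verdict(findings):
    """Map footprints to a triage label."""
    if not findings:
        return "clean"
    if "content" in findings and "length" not in findings:
        # The case in the alert: bytes changed inside the file, same length.
        return "modified-in-place"
    if findings == ["write-date"]:
        return "same-bytes-new-date"
    return "modified"


def demo():
    """Run the check against a constructed stand-in for COMMAND.COM."""
    clean = b"\x90" * 512 + b"\x00" * 256     # constructed bytes, not a real binary
    patched = clean[:512] + b"\xcc" * 256     # same length, different tail
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "COMMAND.COM")
        with open(path, "wb") as fh:
            fh.write(clean)
        os.utime(path, (500000000, 500000000))  # constructed write date
        base = snapshot(path)
        results["untouched"] = verdict(compare(base, path))

        with open(path, "wb") as fh:
            fh.write(patched)
        os.utime(path, (500003600, 500003600))  # write date moves, as in the alert
        results["patched"] = compare(base, path)
        results["patched_verdict"] = verdict(results["patched"])

        # Write date put back: a length-plus-date check now sees nothing.
        os.utime(path, (500000000, 500000000))
        results["date_restored"] = compare(base, path)
        results["date_restored_verdict"] = verdict(results["date_restored"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third case shows why the length and write date alone are weak evidence: once the date is reset, only the content digest still differs from the baseline.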