ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1988)
DOCUMENT: Rutgers 'Security List' for March 1988 (27 messages, 23375 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1988/03.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
-----------[000000]----------------------------------------------------
From: NET%"dasys1!rodd@rutgers.edu" 2-MAR-1988 23:00
To: misc-security@RUTGERS.edu
>Tie the operation of the software to a piece of hardware. i.e.,
>send a piece of HW that can be read by the PC. Perhaps it has to
>be inserted in the joystick loop, perhaps it has to be plugged on
>to an RS-232 port, etc.
Not very convenient if your PC is in a cabinet. Also if you're running in
a multitasking environment you will either run into dongle conflicts if
they don't allow passthru or will wind up with your machine in the middle
of the room to be able to plug in three feet worth of dongles :-)
-- Rod --
Rod Dorman {allegra,philabs,cmcl2}!phri\
Big Electric Cat Public Unix {bellcore,cmcl2}!cucard!dasys1!rodd
New York, NY, USA {sun}!hoptoad/
[Moderator note: *What* is a "dongle"?? _H*]
-----------[000001]----------------------------------------------------
From: STGEORGE%unmb.bitnet@rutgers.edu 3-MAR-1988 17:29
To: security@rutgers.edu
Do any of you know any court cases, completed or pending, which involve enforcement of the Electronic Communications Privacy Act of 1986? Thanks in advance.
-----------[000002]----------------------------------------------------
From: Larry Hunter <hunter_larry@YALE.ARPA> 3-MAR-1988 22:54
To: "Robert W. Baldwin" <BALDWIN@xx.lcs.mit.edu>
Cc: security@aim.rutgers.edu
Does anyone have information about the capabilities and limitations
of police radars for speed checking. I'm looking for both technical
limitations of the devices and for procedural limitations that are
necessary to make a ticket stand up in court....
Although I've never looked for it in print, I've heard that some states
require a radar gun to be calibrated periodically (like hourly). If
you challenge a radar ticket in court by asserting that the gun was out
of calibration, the prosecutor should have to produce evidence that the
gun had been appropriately calibrated. If the ticketing officer didn't
bring his calibration records with him to court that day, you'd probably
win.
Larry
-----------[000003]----------------------------------------------------
From: williams@nrl_css.arpa 4-MAR-1988 10:05
To: Clement Taylor <CGTAYLO%erenj.bitnet@rutgers.edu>
Cc: security@ARAMIS.rutgers.edu
There has been some discussion of these issues on the RISKS ARPAnet
mailing list. I don't know how or if this list can be forwarded into
BITNET, but the person to ask is the moderator, Peter Neumann. From the
current issue:

The RISKS Forum is moderated. Contributions should be relevant, sound, in
good taste, objective, coherent, concise, nonrepetitious. Diversity is
welcome. Contributions to RISKS@CSL.SRI.COM, Requests to
RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

Good Luck!
Jim Williams
-----------[000004]----------------------------------------------------
From: Clive Dawson <AI.CLIVE@MCC.COM> 4-MAR-1988 14:40
To: goldstein%star.DEC@SRC.DEC.COM
Cc: SECURITY@aim.rutgers.edu
Andy--

Many thanks for providing that legal analysis regarding export of
cryptographic software. It was all most interesting and informative.
There's one point at the end which could use some further clarification,
however:

    If there is any reason to believe or suspect that a non-U.S. or
    non-Canadian national will gain access to that bulletin board, an
    export to a third country should be assumed and a license is
    required..

Let's say that a given bulletin board could somehow be confined within
the U.S. borders. It is still the case that a LOT of non-U.S. or
non-Canadian nationals will have access to it, be they permanent
residents, foreign students, etc. Is it really true that export to a
third country must be assumed in this case? I'm guessing that Digital
itself has a lot of employees in this category. Surely they are not
barred from looking at cryptographic software, or are they? Even if they
sign confidentiality agreements with Digital, I would be surprised if the
State department would consider this sufficient for export control
purposes in general.

I guess what we need here is a clear definition of what "export" means
for the purpose of these statutes.

Clive Dawson
-----------[000005]----------------------------------------------------
From: Will Martin __ AMXAL_RI <wmartin@almsa_1.arpa> 4-MAR-1988 18:47
To: Clement Taylor <CGTAYLO%erenj.bitnet@rutgers.edu>
[Moderator note: part 1 of 2. _H*]
Here is a compilation of data on the CHRISTMA EXEC virus which I collected
from postings in the RISKS Digest:
Regards, Will Martin
***Begin Included Messages***
From: minow%thundr.DEC@decwrl.dec.com (Martin Minow ML3-5/U26 223-9922)
Date: 11 Dec 87 11:55
Subject: Yet another virus program announcement fyi
From CRTNET, number 115. From T3B%PSUVM.BITNET.
Subject: Christmas Virus Warning
If you are at a CMS site and receive a program called CHRISTMA EXEC, please
(a) warn your postmaster and (b) discard the exec (or keep a copy for the
postmaster to look at, but DO NOT RUN IT). This exec paints a Christmas
tree on your screen and then sends itself to everyone named in either your
NAMES or NETLOG files. The result is potentially serious stress on Bitnet
and on your local spool system, and possibly a few system crashes here and
there as the number of reader files soars and exceeds the maximum. The
Christmas tree isn't all that pretty, and the joke is pretty mean.
A word to the wise. Your postmaster will thank you. Michael Sperberg-McQueen
------------------------------
From: davy@intrepid.ecn.purdue.edu (Dave Curry)
Subject: IBM invaded by a Christmas virus
Date: Sat, 12 Dec 87 10:02:24 EST
(From the Lafayette (Indiana) Journal & Courier, December 12, 1987. Quoted
without permission.)
IBM Woes -- Computerized grinch jams the mail
BINGHAMTON, N.Y.- A computerized Grinch invaded IBM's electronic
mail Friday.
An illegal software-style so-called Christmas card sent through
IBM's electronic mail jammed desk-top computer terminals, spokesman
Joseph E. Dahm said.
The so-called virus program forced plant officials to turn off
internal links between computer terminals and mainframe systems to
purge the message, Dahm said.
IBM sources say the link was off from 45 minutes to 90 minutes
depending on the location.
The program is known as a virus because it enters computer programs
and replicates itself automatically.
Curious employees who read the message titles "Christmas" in the
morning electronic mail discovered an illustration of a Christmas tree
with "Holiday Greetings" superimposed on it. A caption advised "Don't
browse it, it's more fun to run it."
"That was the hook," an IBM source said. "A lot of people thought
they could take a peek and then kill the message, but once opened, it
was too late."
The program automatically entered a security log listing contacts
made from the individual computer terminal, duplicated and mailed
itself to new victims.
Like a Pandora's Box, once opened, the program rarely accepted
commands to stop, sources said. Operators who turned off their
terminals to stop the Christmas message lost electronic mail or
unfinished reports not filed in the computer.
This article seems to have a lot of things in it that the reporter didn't
understand. I assume that the "terminals" in question are really PC's
connected to the mainframes; for one thing. Plus, I presume the "Don't
browse it" refers to the VM/CMS "BROWSE" command used for looking through
files, and not just to the regular English word.
Does anyone have any more info from a source which understands all the
big words?
--Dave Curry, Purdue University
------------------------------
Date: Mon, 14 Dec 87 09:38:55 est
From: Franklin Davis <fad@Think.COM>
Subject: IBM invaded by a Christmas virus
This article seems to have a lot of things in it that the reporter didn't
understand. I assume that the "terminals" in question are really PC's
connected to the mainframes; for one thing.
Probably the users were connected by 3270 type terminals (or
emulations on a PC) which use a half-duplex block mode protocol. If
you turn off such a terminal your session is aborted, and you lose
current edits. It is also very difficult to interrupt an executing
program, since it "owns" the line. There is a "system-attention" key,
but a busy system may take literally minutes to respond. (I'm glad I
don't have to use an IBM mainframe any more!! :-)
--Franklin Davis Thinking Machines Corp. fad@think.com
------------------------------
Subject: IBM Xmas Prank
Date: Fri, 18 Dec 87 10:03:57 -0500
From: Fred Baube <fbaube@note.nsf.gov>
From Friday's Washington Post, excerpted without permission.
"The message popped onto desktop screens in IBM offices around
the country and even crossed the Atlantic and Pacific oceans,
showing up in IBM outposts in West Germany, Italy and Japan."
[as pictured              X
 in the article]         X X
                        X X X
                       X X X X
                      X X X X X
                     X X X X X X
                    X X X X X X X
                          X
                          X
                          X
A very happy Christmas and my best wishes for the next year.
Let this run and enjoy yourself.
Browsing this file is no fun at all. Just type Christmas.
________
"The message that bedeviled IBM was a comparatively benevolent
one and did not, as computer tricksters' creations sometimes do,
destroy other material in the system .. [although] rapidly
producing electronic gridlock."
"The culprit is unknown .. but preliminary investigation suggests
that the message originated outside the company. IBM's mail
system is attached to those of several other institutions."
"From start to finish, the message survived only hours .."
"Does the world's biggest and most advanced computer company feel
embarrassed about its Christmas chain ? 'We didn't want it to
happen, but we anticipated something like this might be attempted
and we were prepared to deal with it.'"
Questions:
(1) An incoming message can contain an executable program,
that can easily be run ?
(2) Such a message can be remailed under its contained program's
control, presumably with the name of the last victim in the
"From:" field ?
(3) Can IBM trace it to an originator, or was anonymity possible ?
(4) How/where can readers of RISKS submit something similar ?
(strictly for professional testing purposes)
(5) Is the Internet similarly vulnerable ?
The prank seems to be benign, and therefore beneficial.
IBM seems to have dealt with it effectively (or have they ?).
Browsing this message is no fun at all. Just type Christmas ..
[Bay Area folks can read a long front-page article by John
Markoff on viruses in today's SF Chronicle-Examiner. PGN]
------------------------------
Date: Mon, 21 Dec 87 15:22:26 EST
From: Ross Patterson <A024012%RUTVM1.BITNET@CUNYVM.CUNY.EDU>
Subject: Re: IBM Christmas Virus
There have been several messages to RISKS lately about the
CHRISTMAs EXEC virus on IBM's network. This was an extension of the
same problem on BITNET and its European counterpart, EARN. Since I
raised the general alarm about it, I'd like to answer a few questions.
The virus used two standard CMS files, called NAMES and NETLOG, to
help it infect other users. The NAMES file contains a list of userids
and system names that you correspond with frequently, allowing you to
abbreviate them to a mnemonic nickname when sending mail, files, or
interactive messages. I composed this mail by sending to "RISKS",
which my NAMES file lists as user RISKS on system KL.SRI.COM. You can
also list phone numbers, paper addresses, etc. There is a commonly
available program that will print off a personal phonebook from your
NAMES file ("Traveling Sidekick" from the days BB - Before Borland).
The NETLOG file lists all users you've sent mail or files to, or
received them from. It's a very nice audit trail when you're trying
to remember where you got that copy of Space Wars.
After typing the Christmas Tree on your terminal, the virus
proceeded to read both the NAMES and NETLOG files to get a set of
target addresses. It then sent a copy of itself to each of them, and
finally deleted itself.
>I assume that the "terminals" in question are really PC's
>connected to the mainframes; for one thing.
The terminals mentioned are generally IBM 3270's, and PC's with
IRMA-type cards. The virus ran on the host system, not on the PC.
>Plus, I presume the "Don't
>browse it" refers to the VM/CMS "BROWSE" command used for looking through
>files, and not just to the regular English word.
Both, actually. The intent was obviously to stop the reader from
going further down into the file, where the real purpose of the
program was quite obvious. The language used (IBM's REXX) is usually
interpreted, so the program was sent in source form. Anyone who
bothered to read below the second screen-full (like all of us paranoid
Systems Programmers) began to see the trouble. It was slightly
cloudy, as all the variable names were in German, but seeing was fair
to good.
>The culprit is unknown
That is no longer the case. The culprit has been tracked down,
and barred from access to his/her system. A note to that effect was
broadcast to a number of mailing lists by the General Secretary of
EARN. The source system had recently been attached to the West German
section of EARN, and the user who started it all only intended to send
a greeting to a few friends. To quote a TV commercial, "... and
they'll tell two friends, and so on, and so on, ...".
> .. but preliminary investigation suggests
>that the message originated outside the company. IBM's mail
>system is attached to those of several other institutions."
Quite so. No one seems quite sure which of the gateways between
BITNET/EARN and IBM's internal network, VNET, passed the first copy of
the virus. It matters very little, since it found the VNET
environment even more conducive to reproduction than BITNET/EARN.
VNET'ers apparently keep much larger NAMES files than BITNET'ers. It
wasn't long before the links were carrying more CHRISTMA EXEC's than
anything else.
>"From start to finish, the message survived only hours .."
Per copy, perhaps. The first known instance of infection was at
about 1300 GMT on Wednesday, December 9. Within BITNET, it was
generally stamped out by the following Monday, December 14. On VNET,
it didn't show up until a day later, and was mostly killed in a
massive network shutdown on Friday.
>(1) An incoming message can contain an executable program,
> that can easily be run ?
Yes. Please remember that the Internet is not the only network
style in the world. In BITNET and VNET, mail is just another case of
file transfer. File transfer is performed by the sender, not the
receiver. These are store-and-forward networks, so the path from
system A to system B need not be intact for the duration of the
transfer. The viral program was transferred as a normal file, not as
mail.
>(2) Such a message can be remailed under its contained program's
> control, presumably with the name of the last victim in the
> "From:" field ?
It wasn't mailed. Thus, there wasn't any From: field, etc. It
did carry the system name and userid of the most recent victim, but
not any trace-back information.
>(3) Can IBM trace it to an originator, or was anonymity possible ?
A task force of BITNET and EARN systems programmers traced it back
to its source, by the usual disease-control procedures:
Doctor: "Miss X, you've got a nasty case of viral <Y>. Who have
you had contact with recently?".
Miss X: "Just a moment, I'll check my notebook."
A byproduct of the tool used to transmit the virus is an entry in
the NETLOG file listing the userid and system name of anyone it was
sent to, making it easier than usual for Miss X to remember. In some
cases, the user had suppressed the NETLOG facility, but that is the
exception, not the rule.
>(4) How/where can readers of RISKS submit something similar ?
> (strictly for professional testing purposes)
Noplace safely. Please don't try it on anything but an isolated
network, and then coldstart your spool afterwards.
>(5) Is the Internet similarly vulnerable ?
Not to this one. It plays on several things that the Internet
doesn't have:
1) A large number of IBM VM/CMS systems. The program would only
run in a CMS environment. There is no reason one couldn't write
something similar in any other language, though.
2) A suitable file transfer system. FTP doesn't apply. It must
provide a way for a user to receive an unsolicited file, in a
runnable form.
3) A good method of determining targets. The CMS NAMES and NETLOG
files provided an excellent source of information. I suppose in
a Unix environment, ".alias" and "/etc/aliases" would be ok, but
.alias is comparatively rare, while NAMES files are almost
universal in CMS.
>The prank seems to be benign, and therefore beneficial.
That is being debated in several circles. I, for one, agree with
you.
>IBM seems to have dealt with it effectively (or have they ?).
Yes, they have.
>Browsing this message is no fun at all. Just type Christmas ..
The lesson of this one is the same as for PC viruses: Never run
something you don't recognize. When the virus first appeared, several
people suggested that it was the work of students, and that it might
be used negatively in an ongoing argument over whether students belong
on BITNET. When we heard that "professionals" inside IBM were also
running programs they didn't recognize, that particular suggestion
vanished.
This virus was quite sly, in that by sending itself to people
listed in your NAMES and NETLOG files, those people would recognize
the source (you) as a friend, and be generally less inquisitive, until
things got nasty. Lesson #2: Even your friends sometimes make
mistakes.
Ross Patterson, Rutgers University
[RISKS received an unusually large number of messages on this subject --
from Fred Baube, John Owens (2), Allan Pratt, Anne Louise Gockel, and
Bruce O'Neel. I started trying to edit them down, but rapidly gave
up that strategy -- inordinate overlap. So, I will take a new tack,
which is to put out Ross' message -- which was the most comprehensive --
and then give Fred, John, Allan, Anne and Bruce first priority if THEY
wish to comment marginally or additionally thereupon. Please be terse
-- and avoid replicating ALL of the foregoing text in your messages,
as some of you have been doing. (One of the joys of mailers?) PGN]
------------------------------
Organization: The MITRE Corp., Washington, D.C.
Subject: The Christmas Card Caper, (hopefully) concluded
Date: Mon, 21 Dec 87 11:45:03 EST
From: Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.arpa>
The following item was posted on the VMSHARE bulletin board. It describes
the origin of the CHRISTMAS EXEC file, and makes valid points about the
inability of computer systems to automatically recognize some types of
ill-behaved programs quickly enough to prevent damage to a network.
(VMSHARE is a closed bulletin board operated for the use of VM installations
who are members of SHARE, the large IBM mainframe user group. Shadow copies
of the VMSHARE traffic are distributed to many other nets, including VNET
and BITNET.)
Joe Morris (jcmorris@mitre)
Append on 12/19/87 at 20:10 by Melinda Varian <BITNET: MAINT@PUCC>:
The following statement, from a member of the EARN Board, answers the
queries about the origin of the CHRISTMA EXEC. Clausthal-Zellerfeld
is quite a new VM installation. When Heinz Haunhorst, of their staff,
was notified that the first appearances of the virus on the networks
originated at his node, he pursued the matter vigorously and skillfully.
Helmut Woehlbier, of the Technical University of Braunschweig, also did
an excellent job in helping to determine the originating node.
<> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Date: Wed, 16 Dec 87 18:33:58 GMT
Sender: EARN Technical Group <EARNTECH@EB0UB011>
From: Michael Hebgen <$02@DHDURZ1>
Comments: To: EARN Executive <EARNEXEC@IRLEARN>,
EARN Board of Directors <EARN-BOD@IRLEARN>
Comments: cc: German EARN Executive <DEARNEX@DHDURZ1>,
German EARN node administrators <DEARNADM@DEARN>,
Heinz Haunhorst <HENRY@DCZTU1>,
"Dr. Gerald Lange" <LANGE@DCZTU1>,
Otto Bernd Kirchner <KIRCHNER@DS0IBM1>
To: Melinda Varian <MAINT@PUCC>
Subject: CHRISTMAS EXEC
Dear colleagues,
after some very sophisticated detective work it is clear that the origin
of the CHRISTMAS EXEC is the EARN node DCZTU1. A student there has written
this EXEC to send christmas greetings to his colleagues and another
student has used it without knowing what he is doing (as many of our
network users) and started the explosion.
The node DCZTU1 has already blocked the Userid of the author and done
all necessary steps. Every node in the network can be the next starting
point of a similar explosion and distribute virus programs or other
bad things.
As far as I know the EDP-systems there is no way to prevent users from
their own mistakes. The only solution I can think of for this type of
behaviour is to observe "EDP-hygiene":
If you receive an executable file (EXEC, CLIST, program) from another
might be unknown user do NOT execute without control because it
can result in gross misdemeanour and serious damage.
Check all EXECs/CLISTs, what they are doing, before you execute them
and check all executable programs, where they come from and what
they do.
As in normal life uncontrolled behaviour may result in serious
consequences (I am not going to mention AIDS). You as a user are
responsible for all what you are doing.
I propose to include such statements (in better english formulation) into
the CODE OF CONDUCT and to start an "enlightenment" process for the
end-users
Best regards, merry christmas (without tree) and a happy new year
Michael Hebgen
EARN director of Germany and
General secretary of EARN
*** APPENDED 12/19/87 20:10:47 BY PU/MELINDA ***
ADDED NOTE FROM JOE MORRIS:
Did any contributor suggest how the message jumped from EARN (or BITNET) into
VNET? Supposedly the gateways (one at Yorktown, I believe) are monitored
closely so that the ability of a message to cross without supervision
is quite limited. I'm told that a few years ago there was something of a
major flap when a meeting of relatively high IBM brass was shown a message
Melinda Varian (the BITNET source of the EARN message I forwarded) had sent
to an IBM'er via VNET (WITH the permission of IBM...upper management in IBM
just hadn't been aware of the arrangement). My guess would be that it came
through an account on a customer machine but assigned to an IBM'er who could
pass mail into the IBM network.
Thought for the week: was this supposed to be a demonstration of a computerized
Christmas distribution TREE?
Second thought on the word "tree" (swiped from an undergraduate thesis at
MIT from the 60's):
Problems are posed by fools like me,
but only heuristics can search a tree.
Joe Morris
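
The trace-back Ross Patterson describes in the message above (asking each victim who sent them the file, with NETLOG as the notebook) can be sketched as follows. This is an added example, not part of the original messages: the record layout, user names and node names are constructed, and a single timestamp stands in for both send and arrival time.

```python
from datetime import datetime

# Constructed sample evidence. The (time, sender, recipient) tuple is a
# simplification for this example, NOT the real CMS NETLOG record layout,
# and one timestamp stands in for both send and arrival time.
# Sender-side evidence: entries the transfer tool left in each sender's NETLOG.
NETLOG_SENDS = [
    ("1987-12-09 13:00", "USER1@NODEA", "ANNA@NODEB"),
    ("1987-12-09 13:00", "USER1@NODEA", "BERT@NODEC"),
    ("1987-12-09 13:40", "ANNA@NODEB", "CARL@NODED"),
    ("1987-12-09 13:40", "ANNA@NODEB", "USER1@NODEA"),  # echoed back to a friend
    ("1987-12-09 15:10", "CARL@NODED", "DORA@NODEE"),
    ("1987-12-09 15:10", "CARL@NODED", "ANNA@NODEB"),
]
# Recipient-side evidence: the userid and system name of the most recent
# victim carried by each received copy. BERT suppressed NETLOG, so the copy
# he passed on to ERIK is visible only here.
FILE_ORIGIN_TAGS = [
    ("1987-12-09 14:05", "BERT@NODEC", "ERIK@NODEF"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def build_inbound(*sources):
    """Merge evidence into {recipient: sorted [(time, sender), ...]}."""
    inbound = {}
    for source in sources:
        for ts, sender, recipient in source:
            inbound.setdefault(recipient, set()).add((parse(ts), sender))
    return {user: sorted(events) for user, events in inbound.items()}


def trace_back(victim, inbound):
    """Walk from a victim toward the source, one 'who sent it to you?' at a time.

    At each hop take the earliest copy the current user received *before* the
    moment they passed it on; later copies are echoes, not the infection.
    The chain ends at a user with no earlier inbound copy: either the origin
    or a gap in the evidence.
    """
    chain = [victim]
    cutoff = None  # time at which the current user is known to have sent a copy
    current = victim
    while True:
        earlier = [(t, s) for t, s in inbound.get(current, [])
                   if cutoff is None or t < cutoff]
        if not earlier:
            return chain
        cutoff, current = earlier[0]
        chain.append(current)


def candidate_origins(victims, inbound):
    """Roots of every trace; a single shared root is the likely source."""
    return {trace_back(v, inbound)[-1] for v in victims}


if __name__ == "__main__":
    full = build_inbound(NETLOG_SENDS, FILE_ORIGIN_TAGS)
    for v in ("DORA@NODEE", "ERIK@NODEF"):
        print(" <- ".join(trace_back(v, full)))
    # With NETLOG alone, ERIK's trace dead-ends at ERIK (BERT logged nothing).
    print(candidate_origins(["DORA@NODEE", "ERIK@NODEF"],
                            build_inbound(NETLOG_SENDS)))
```

A trace that stops at different roots for different victims points to missing evidence (a suppressed NETLOG) rather than to several independent sources.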
-----------[000006]----------------------------------------------------
From: mgrant@cos.com 4-MAR-1988 21:08
To: security@rutgers.edu, BALDWIN@xx.lcs.mit.edu
The police radars that I've played with have had an audio feedback. With
the audio feedback, you hear an obnoxious buzzing and whistling which
represents the doppler shift coming back from the object you are
clocking. I found that by listening and watching, I could very accurately
determine exactly who I was aiming at, even with 2 or more cars coming at
me. I would point the gun at an approaching car and I'd hear a high
pitched whine, point it away and the whine would go away. Point it at two
cars and I'd hear 2 whines at different pitches. Moving the gun towards
one car made one whine louder and the other softer.

Of course, I've very rarely seen police officers actually holding the
radar guns. Most of them I've seen were aimed forward or backwards
attached to the window in the left rear. I can't imagine that it would be
too easy to figure out who exactly you were aiming at with the gun in
this position.

-Mike Grant
-----------[000007]----------------------------------------------------
From: Wes Williams <GZT.EWW@oz.ai.mit.edu> 5-MAR-1988 10:17
To: BALDWIN@xx.lcs.mit.edu
Cc: security@rutgers.edu, GZT.EWW@oz.ai.mit.edu
The procedures vary widely from state to state as well as from the local
municipality and counties. The research you need to do starts on the
local level and will be interesting. I have found that the following can
be true:

1. Local police departments may require periodic testing of the units by
   an in/outside tech type that will validate the Radar unit for safety
   (rads) as well as the degree of accuracy for the unit.
   1a. This may be out of date as well as never done.
   1b. State requirements may be downgraded and be illegal.
   1c. There may be no requirements (state or local).
   1d. The testing (when performed inside) may be done by someone that
       does not have the qualifications nor the capabilities.
2. Find out if the locality is a constantly watched spot. A police eye
   (ie: trained observer) that is on the scene and is familiar with the
   traffic patterns as well as the time involved for a car to pass point
   A and get to B is as good (in some cases) as the Radar gun. This is
   also subject to state and local laws.
3. Final note..... READ THE TICKET! In general, a typo or misprint
   anywhere on the ticket is the real loophole. You can be away clean.

Luck...
-------
-----------[000008]----------------------------------------------------
From: Douglas Allen Luce <dl2p+%sdcsvax@andrew.cmu.edu> 5-MAR-1988 13:54
To: sdcsvax!misc-security@rutgers.edu
Shipping a piece of hardware that must be plugged into the computer
before the software will run has been tried, with only moderate success.
There are a couple ways to circumvent this scheme, both fairly
straightforward: copy the piece of hardware or remove or rewrite the
piece of code in the program that checks to see if the hardware is where
it should be.

I've only seen this implemented for very small computers; Atari 8 bit
machines and commodore 64 computers. Basically, a small jumpered plug was
inserted into the joystick port. The program then matched out signals
through the joystick port to see if the plug was there.

Finding the code in the programs wasn't a complex job; one could pull up
a machine language debugger and monitor the joystick port for accesses.
From there, the code could be broken down and the part that controlled
access replaced with an "ok" code. One would no longer need a piece of
hardware to run the program.

Also, these plugs were fairly simple to copy. All one had to do was to
crack open the device (I think they called them "dongles," a name I hate
for some reason), look at the way the inside worked (usually simple, a
jumper or two) and then make a new one out of a $.75 joystick plug and a
few pieces of wire. A company would generally have a single "dongle" to
run all their programs; pirates had only to make one "dongle" to run a
whole family of programs.

I haven't seen it implemented for the PC's or anything above, but I would
think that the same measures could be taken to circumvent copy
protection.

Douglas Luce
Carnegie Mellon
-----------[000009]----------------------------------------------------
From: Russ_Housley.XOSMAR@xerox.com 7-MAR-1988 14:27
To: security@rutgers.edu
Cc: Housley.XOSMAR@xerox.com
In the 4-Mar-88 edition of Security Digest, hp-sdd!dag@hp-lsd.hp.com
suggests that "operation of the software to a piece of hardware."

Some vendors of equipment for use on Ethernets (or IEEE 802.3 networks)
do just as he suggests. The software checks the 48-bit source address of
the host it is running on. If the address is different than expected, the
software fails to work.

This scheme has failed (i.e., not permitted legal software to function
correctly) when the equipment had a second Ethernet port installed. In
this case, the equipment had two 48-bit source addresses, and the
software checked the "wrong" one.

Russ Housley <Housley.XOSMAR@XEROX.COM>
Xerox Special Information Systems
Vista Laboratory
-----------[000010]----------------------------------------------------
From: "David M. Balenson" <balenson@mimsy.umd.edu> 9-MAR-1988 14:26
To: misc-security@seismo.css.gov
Can anyone provide any information concerning the use of the AMD DES chip
within the SUN workstations (e.g., 3/50, 3/140, 3/160, 3/180)?

I understand that the CPU boards have an empty socket which will
accommodate the AMD chip (AmZ8068) and that the kernel has to be
reconfigured to make use of the chip. Is that all there is to it? Will
this permit the 'des' command to use the AMD chip, rather than use
software?

I have also heard that two additional chips may or may not be necessary
-- one is a TTL support chip, the other a PAL. What exactly are these
chips for? Are they necessary, or not?

Is anyone out there, in particular anyone at SUN, currently using the AMD
chip?

Thanks.

David M. Balenson (balenson@icst-ssi.arpa)
National Bureau of Standards
(301) 975-2910
-----------[000011]----------------------------------------------------
From: tjfs@otter.hple.hp.com 9-MAR-1988 15:25
To: misc-security@ucbvax.berkeley.edu
Dan Keizer writes:
> security by non-disclosure is no security at all.

I *totally* agree. If more people believed this, we wouldn't have the
problems we have now with exporting crypt, ...

It seems to me it's a philosophical battle between those who say "we
won't tell you anything about it to make it more secure" and those who
say "if we can't study it, we can't tell if it is secure (and it probably
isn't)".

With the advent of decent public key encryption, one-way encryption of
passwords etc it seems to me a *good thing* that security systems become
more understood so that the state of the art continues to advance.

Tim
-----------[000012]----------------------------------------------------
From: Will Martin __ AMXAL_RI <wmartin@ALMSA_1.ARPA> 10-MAR-1988 21:16
To: security@aim.rutgers.edu
Back on 25 Feb., I posted a note about a local (St. Louis) newspaper
advice column which stated baldly that the SSA would give people info
about an individual if you gave them their SSN. Here are the relevant
paragraphs from that original posting:

>If they cannot answer your questions directly, they may be willing to
>give you her Social Security number. You can then trace her whereabouts
>through the Social Security Administration.
>
>At 63, she may have retired, and if she is receiving Social Security
>payments, you might be able to get her current address. If she is
>deceased, the SSA should be able to tell you that, also.

I promised that, when I had time, I would check with the SSA office here
and let the list know what they said about this -- was it true or not?
Well, I finally had a chance to check today. The word from them is that
the SSA will NOT give an inquirer info about a person just because that
inquirer provides the subject's SSN.

What they will do, though, is to take information from the inquirer, and
then write the subject of the inquiry a letter, saying something like,
"John Smith, who claims to be your cousin, is trying to get in touch with
you. His name, address, and phone are: xxxxxx. You may contact him there
if you wish to." In other words, they will act as a conduit to the party
whose SSN is provided, but will not give out information about that
person to another. (I didn't think to go into detail about just what the
SSA would do if the person was listed as deceased, unfortunately.)

This actually strikes me as being very helpful, and more likely to be
something that the SSA would do theoretically than that they are likely
to do in real life! I was asking this as an hypothetical question,
showing the SSA representative the newspaper column, and wasn't actually
asking them to DO anything. I wouldn't be surprised if this was something
so out-of-the-ordinary, so unlike standard procedure, that it would be
next to impossible to get the SSA to do this in reality. After all, to do
the search and write the letter would take some hours of time, and,
considering SSA employees are rated on how many cases they can process in
a day, it would be a rare find indeed to locate one who would be willing
to delay normal processing, buck the system, and do an inquiring stranger
this favor!

Nonetheless, from a privacy issue standpoint, the info I got was
reassuring. At least the SSA claims it will not wantonly distribute data
about you to anyone who happens to know your SSN.

Regards,
Will Martin
-----------[000013][next][prev][last][first]---------------------------------------------------- From: eachus@mitre_bedford.arpa 11-MAR-1988 22:42 To: iconsys!bryan@uunet.uu.net
The communications on exporting the DES algorithm which have
appeared on the net recently are ALL correct. Huh? What did you just
say? Read on.
If something not subject to ITAR regulations is in the public
domain, or "widely published" in the US, any citizen has a general
license to export that information. In fact you may go overseas and
speak publicly about what you know, and that will create information
subject to license requirements, qualify it for general license, and
export it. In other words, as an American citizen, your freedom of
speech does not end at the water's edge. (The country where you give
the speech might not like what you say, but that is a different
issue.)
However, if you have information subject to ITAR regulations (no
matter how you got it), you (or your company) can be prosecuted if you
export it without State Department approval. See the "aid and
comfort" clause in the constitution. Since some crypto information is
clearly protected this way, most company lawyers "take the easy way
out" and advise the company not to export any crypto software, without
checking to see if it falls under the ITAR rules.
(Apply standard disclaimers to what follows at least twice.) Last
time I checked the "opinion" of State was that the DES algorithm was
not subject to ITAR rules, although certain implementations (usually
in the form of chips) were protected. Note that any government
employee must be vague here, either he knows all the (classified) uses
of crypto (and where is YOUR need to know) but can't tell you, or he
doesn't know and can't be more specific. Therefore the standard
procedure is to request an opinion before exporting crypto
implementations, and if you don't get something on the order of "your
application does not currently appear to fall under ITAR rules..." you
talked to the wrong person (or you really are trying to export a 300
MIP DES chip 8^> ).
If you do ACCIDENTALLY export something subject to ITAR rules, you
probably won't go to jail. In any violation, your rights to free
speech must be shown to conflict with other constitutional powers, and
the balance must tilt strongly against you before the ITAR regulations
have any standing. If you intentionally violate the ITAR regs,
however, you might not have any constitutional protection.
Let me give you a realistic example. You buy a Zowie 1000
portable computer and take it with you to England. Unbeknownst to
you, the Zowie 1000 is used in a test system for Stealth Bomber ECM
equipment. You violated the ITAR regulations, but in the normal
course of events, you won't even know it, because the DoD is unlikely
to tell the Customs people which COTS (commercial off the shelf)
equipment is used on black projects. In any case your violation was
innocent and is probably protected.
Second case, an ATE specialist on the Stealth project buys a
Zowie 1000 for personal use because he uses it at work and likes it.
He takes it (and some of his software) to England on his vacation.
Dumb, and the security folk at the plant may have a long talk with
him, but if it was innocent probably no long term repercussions. The
third case of course, is he takes it with him and sells it to a
foreign agent for $100,000 -- and twenty years hard labor. What did
you think the ITAR regulations were for anyway?
So now you know why all the weasel words. If you take my
(knowingly incorrect) advice (or someone else's) and innocently violate
the ITAR regs, I'm guilty and you are not... "So you're going to
Berlin on your vacation? Could you do me a favor? I have this
package for my sister, but the mail takes weeks. I'll give you ten
bucks for your trouble." You are only guilty if you think he's a spy
and do it anyway... Each case is different, and an awful lot depends
on intent.
It would be nice if someone who has requested and received (from
the government, not from a company lawyer) a recent opinion on the DES
algorithm, would post the opinion here. If no one out in net land has
a recent opinion, someone should go ahead and request one. The most
recent opinion I have seen was two companies back, and things can
change in either direction.
Robert I. Eachus
Disclaimer: Oh boy, do I need one here. If you have any intention of
exporting anything which might be subject to ITAR rules, have your
lawyer check with the State Department and get a written opinion. If
you decide to create a test case and take it to the Supreme Court,
I'll be glad to come cheer, but if you expect me to get up and say it
was all my idea, you didn't read carefully.
Second Disclaimer: I didn't ask MITRE, MITRE's lawyers, or anyone
else's lawyers for their opinion of this message, but if I did, I'm
sure that they would waffle at least as well as I did.
-----------[000014][next][prev][last][first]---------------------------------------------------- From: Wes Williams <GZT.EWW%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU> 12-MAR-1988 19:19 To: GZT.EWW%OZ.AI.MIT.EDU@MC.LCS.MIT.EDU
Just by chance, the other day, I tipped over the box that the bookcase type holder for DbaseIII+ was in, and found a warning from the manufacturer that this product may be covered by the State Dept. Regs. for exporting. Thinking about an upcoming trip to a neighboring country, I was aghast that I may have run afoul of customs (forgetting that I had a copy in the trunk). Is this type of program really covered under these laws?
-----------[000015][next][prev][last][first]---------------------------------------------------- From: che@pbhyf.UUCP (Mitch Che) 13-MAR-1988 19:58 To: misc-security
>[Moderator note: *What* is a "dongle"?? _H*]
Every so often I feel like I've just passed through a time-warp. Unfortunately, it's always backwards.
ADAPSO supported this idea which died a timely death about a year or so ago. A "dongle" refers to the little device which plugged into the back of the PC into the RS-232 port. A fair amount of research apparently went into these and some software actually shipped with this protection scheme. ADAPSO pulled its support of any kind of standard for use.
Copy protection seems to be a non-issue. With the crash of the PC software industry, copy protection is just what a small company needs to go under. If your software is still copy-protected, rest assured your software is not available in my shop.
--
Mitch Che
Pacific Bell
"Fine Corinthian leather? Of course. From fine Corinthian cows..."
-----------[000016][next][prev][last][first]---------------------------------------------------- From: Jim Duncan <jim@amon_re.cs.odu.edu> 14-MAR-1988 04:41 To: security@rutgers.edu
Years ago, when I was an avid C-64 user, my favorite word processor was
PaperClip from Batteries Included (in Toronto, I think). They allowed
(encouraged) copying their software for backup purposes; to use the program,
you had to have an electronic key, called a `dongle', plugged into one of the
joystick ports. I have seen that word used in other documentation to mean the
same thing.
Of course, versions of PaperClip which didn't need a dongle to operate
proliferated as crackers everywhere found the code which checked for the
dongle and detoured around it. I didn't care; PaperClip was so good, and the
manual was so well written, that, like Turbo Pascal, it was worth it to me to
have a legitimate version and the support that went with it. Batteries
Included used the same system with other software they published, like
Delphi's Oracle.
Great word, huh? I'm surprised that it didn't find its way into a book of
Sniglets. I'd like to see an etymology.
Jim Duncan, Computer Science Dept, Old Dominion Univ, Norfolk VA 23529-0162
(804)440-3915 INET: jim@cs.odu.edu UUCP: ...!sun!xanth!jim
---------- Time flies like the wind, but fruit flies like bananas. ---------
-----------[000017][next][prev][last][first]---------------------------------------------------- From: gianni stifano <STIFANO@IBACSATA> 18-MAR-1988 03:05 To: SECURITY@aim.rutgers.edu
I've just graduated and I'm very interested in security aspects in MHS. Could anyone give me some information about research on document concealing or document signing in an X.400 environment? Thanks in advance.
-----------[000018][next][prev][last][first]---------------------------------------------------- From: GREENY <MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU> 21-MAR-1988 10:12 To: security@aim.rutgers.edu
What with all the viruses running about these days, I was wondering what sort of protection ATM machines have against such beasties. Specifically, I'm concerned about my $$$ in these machines.
It has occurred to me that the machines which accept charge cards (such as Visa and MC), could not really verify that the PIN you key in is indeed your PIN. It takes up to 5 minutes for an authorization request to come back from a dept. store card reader when you make a purchase, yet the ATM is instantaneous.....this is weird, either the PIN is stored on the card (read: very stupid) or the machine just ignores the PIN of credit cards.....
What's the deal? Does anyone know about what actually goes on with these machines?
bye for now but not for long
Greeny
[Moderator note: There was a discussion about these things a while back; however, I think the relevant messages have long since been rolled off to some dusty tape that I'd be hard put to locate... _H*]
-----------[000019][next][prev][last][first]---------------------------------------------------- From: NMIEP%NOBERGEN.BITNET@CUNYVM.CUNY.EDU 21-MAR-1988 15:38 To: security@aim.rutgers.edu
Maybe the latest incident on computer embezzlement? Two employees of the largest Norwegian clearing house, Bankenes Betalingsentral BBS, are charged with attempted fraud. The scheme was apparently in accordance with the old dream of redirecting transactions to other accounts. The particular day of the attempt, there were to be a large number of social security benefit transfers. The possible outcome is said to be app. ! 250 million. One of the two had an operator type job, with access to tapes. However, the whole thing was set up in such a way that it was easily detected by regular security checks. This hopefully shows that security does work, and that the notion that no cases have ever been spotted due to security routines, is not true.
Eirik Kim Pedersen
-----------[000020][next][prev][last][first]---------------------------------------------------- From: gianni stifano <STIFANO@IBACSATA> 24-MAR-1988 09:49 To: SECURITY@aim.rutgers.edu
Does anyone know TeleTrusT International? It's an international working group about the security of telematic transactions, with particular respect to digital signature obtained by RSA Public Key Cryptosystem. I'd be interested in more deep information about the opportunity to introduce TeleTrusT concepts in X.400 based MHS. Thanks in advance and sorry for my bad English.
-----------[000021][next][prev][last][first]---------------------------------------------------- From: Steve Bui <KHAAM%ASUACAD.BITNET@CUNYVM.CUNY.EDU> 24-MAR-1988 13:04 To: security@aim.rutgers.edu
Dear members:
Arizona State University is in the process of getting a new security package for our systems, and would like to have your opinion, as well as any inputs on the security software topic. We would like to know:
1. Do you run both VM and MVS?
2. Which security package do you have on your VM system (RACF, VmSecure...)?
3. Which security package do you have on your MVS system (RACF, ACF2...)?
4. Does the security package(s) perform to your satisfaction?
5. Any comments on your security hits and misses?
I appreciate your response to my userid, and many thanks for responding.
-----------[000022][next][prev][last][first]---------------------------------------------------- From: shafferj%BKNLVMS.BITNET@CUNYVM.CUNY.EDU 24-MAR-1988 14:51 To: security@aim.rutgers.edu
The following three messages should be of interest to this discussion.
I'm posting them with the assumption that no one else has posted the
information contained within them while the Bitnet distribution of Security
was down.
The last message of the group is particularly scary, because I'm on VMS v4.4
here and I've never heard of the bug. It would appear that our system managers
here haven't heard of it either, because there have apparently been some
break-ins lately. {See disclaimer at end!}
****************
Forwarded messages begin:
****************
From: "XMRP20000[khw]-g.c.mccoury" <pacbell!att-ih!att-cb!clyde!whuts!
mtunx!mtune!mtgzz!gcm@AMES.ARC.NASA.GOV>
Subject: Hacker hits VMS
From The Star-Ledger(Newark NJ) 3/17/88
TEEN HACKER 'INVADES' NEW SECURE COMPUTER
PARIS(Reuters)- A 19-year-old West German hacker has succeeded
in breaking into one of the world's top-selling computers,
Digital Equipment Corp.'s VAX system, in what experts say is a
new blow to confidence in computer security.
Computer specialists broke the news yesterday at a computer
conference already shocked by the arrest on Sunday of West
German hacker Steffen Wernery, 26, as he arrived to take part
in a panel debate on system security.
Wernery is a member of the Hamburg-based Chaos Computer
Club which caused a storm last year when it revealed it had
penetrated more than 100 computers around the world, including
the network of the U.S. space agency NASA.
French police announced later that Wernery had been charged
with "theft, destruction and damaging computer goods" and had
been jailed pending trial.
West German journalist and computer expert Hans Gliss, who
was also held briefly by French police when he arrived in Paris
on Sunday, said the unidentified 19-year-old from Munich had
worked out how to enter VAX computers made by Digital.
Gliss said the Munich hacker had breached the VAX system by
using material openly available from Digital, which is based in
Maynard, Mass.
Digital executives were in a meeting and not available for
comment, a spokeswoman said.
Rudiger Dierstein, of West Germany's national space foundation
DFVLR, said the consequences of the Munich hacker's achievement
were "terrifying."
"This person has given a full description of how to gain access
to the system and gain full control. Imagine combining the
intelligence of this hacker with a definite criminal intention,"
he said.
"Someone could take control of a satellite as they are all
computer-controlled. That is why I tremble when I hear the initials
SDI."
SDI stands for President Reagan's proposed Strategic Defense
Initiative, a space-based computer-guided defense system against
nuclear missile attack.
Dierstein said the 19-year-old had privately published his work
in a pamphlet entitled "Hints on the Use of the VMS Operating System"
but police had confiscated all the documents.
The VMS(Virtual Memory System) is the main language used in
Digital's VAX computers.
Experts said other major computer manufacturers like IBM could
not afford to be complacent as it was being shown their systems
were equally vulnerable.
Companies targeted by Chaos Computer Club "hackers" were unaware
their systems had been tampered with until the club informed West
German authorities.
Experts at the Paris conference said Wernery had fixed a meeting
with the French subsidiary of the Phillips electronic group - one
of the companies penetrated by the hackers - before leaving for France.
* Grover McCoury *
* ATT IS/Communications Laboratories *
* Middletown NJ *
****************
From: Steve Ward <cfa!ward@husc6.harvard.edu>
Subject: Re: Hacker hits VMS
Does anyone know if this is a REAL security hole in VMS or just the
usual
1) failure to change default password(s) on sys, maint, user, userp
accounts as shipped from DEC.
or
2) autologins left activated by local sys manager.
or
3) other equivalent act of stupidity.
Often these sensational stories are due to vulnerability caused by
stupidity. I have never had much trouble in "hacking" a login to a
multiuser system when testing for security, usually by just trying
the time-honored guess-the-password approach. Of course, hacking to
TEST for security on your own computers is quite different from the
vandalism and criminalism of attacking someone else's machines, whether
one is hacking through cleverness or taking advantage of the lax
management of computer systems on all os's that is out there. I know of
large numbers of machines that are accessible to the world where the
local users object strongly to being forced to periodically change
passwords or insist on using any password, including very short
passwords, last names, etc. The ability to "hack" a login is inversely
proportional to the number of login accounts on the system :-)
Of course, all os's exhibit true security hole bugs from time to time.
Is this one?
****************
From: Tony Li <sargas.usc.edu!tli@oberon.usc.edu>
Subject: Re: Hacker hits VMS
Yes, this is the result of a real hole. Do you recall the V4.4
SECURESHR bug?
Tony Li - USC University Computing Services "Fene mele kiki bobo"
Uucp: oberon!tli -- Joe Isuzu
****************
End of forwarded messages
****************
If anything further on this subject should be posted to the VAX discussion,
I'll forward it to the Security discussion.
Jim Shaffer, Jr.
ShafferJ%Bknlvms.Bitnet@cunyvm.cuny.edu
-----------[000023][next][prev][last][first]---------------------------------------------------- From: robert@pvab.pvab.se 24-MAR-1988 15:23 To: misc-security@enea.se
> The AT&T UNIX Operating System Release 2.2 and Release 3 license
> agreements state that the "crypt" program, library, and associated
> documentation are not to be distributed with international versions
UNIX can't live without them, so they are not provided as library functions or user commands in export versions, but the complete source for all those functions is (of course) included if you buy a source license. Imagine that.
-----------[000024][next][prev][last][first]---------------------------------------------------- From: ORG5NMC@CMS1.UCS.LEEDS.AC.UK 29-MAR-1988 10:14 To: security@aim.rutgers.edu
Hello all,
glad to see this list is alive again. Thanks to all who
answered my previous query on master keys. The response was great!
I want to ask a question about computer security. Are there
any legal obligations (British or American) on a computer user
who finds a major flaw within a popular OS? How could a private
individual bring a bug to the attention of a computer manufacturer
given that site computing personnel take a dim view of anybody who
finds these bugs?
*NOTE*
These questions are for my own interest and are not meant to
represent any actual situations or occurrences.
-----------[000025][next][prev][last][first]---------------------------------------------------- From: latzko@aramis.rutgers.edu 29-MAR-1988 13:45 To: security@aim.rutgers.edu
Were yea verily used on PC class machines. Autodesk used one on their 2.6 release of AutoCad. Their response when I called them about it was
1> if it breaks within a year fed ex it back and they will fed ex a replacement.
2> after a year as 1> but with a small charge
3> if it gets stolen or misplaced you are up the creek. They suggested insuring it.
After many people complained and enough people didn't buy the upgrade they tossed the idea. Other software which use dongles are Novell Netware and Banyan Vines. There is breaker software for Novell. I am not sure for Vines.
/S*
PS The person I talked to at AutoDesk told me someone had broken the dongle code within 24 hours and was distributing the fix within 48.
-----------[000026][next][prev][last][first]---------------------------------------------------- From: jbn@glacier.stanford.edu 1-APR-1988 06:20 To: misc-security@decwrl.dec.com
Technically dongles can be made to work, and a number of vendors
sell them. See any issue of PC Tech Journal for ads for such gadgets.
But they are very unpopular with users, and you get nasty reviews in Byte
if you put one on your product.
The most successful dongles do something useful that the program
needs to function. Some dongles have a CPU in them, typically an 8-bit
microcontroller. If some obscure but crucial part of the processing is
performed in the dongle itself, it can be very difficult to operate the
program without it.
An excellent example is Cubicomp, which sells an animation package
that requires a special graphics board only available through Cubicomp.
There's actually nothing exciting about their graphics board; it's just
a marketing ploy, and one clever enough that few people have figured it
out yet.
These strategies are generally for high-end software. At the low
end, games, the future probably lies with compact disk technology.
But that's another story.
John Nagle
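Added example, not part of any message in this archive: a small Python model of the two dongle designs discussed above, the presence check that Jim Duncan's message says was detoured around, and John Nagle's design where a crucial step runs inside the device. The classes, function names, secret and host formula are all constructed for illustration, and HMAC-SHA256 stands in for whatever an 8-bit microcontroller would actually compute.

```python
import hashlib
import hmac


class Dongle:
    """Constructed stand-in for a hardware key with its own microcontroller."""

    def __init__(self, secret: bytes):
        self._secret = secret  # stays inside the device

    def present(self) -> bool:
        return True

    def transform(self, value: int) -> int:
        # The crucial processing step, performed inside the device.
        msg = value.to_bytes(4, "big")
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[0]


class NoDongle:
    """A machine without the genuine device, where the presence test
    succeeds anyway (the detoured check described in the thread)."""

    def present(self) -> bool:
        return True

    def transform(self, value: int) -> int:
        return 0  # no secret available, so no meaningful answer


def run_check_only(device, values):
    """Design A: the device only answers yes/no; all logic is in the host."""
    if not device.present():
        raise PermissionError("hardware key not found")
    return [(v * 7 + 3) % 256 for v in values]  # constructed host-side step


def run_compute_in_device(device, values):
    """Design B: the host depends on the device for part of the result."""
    return [device.transform(v) for v in values]


def compare():
    """Run both designs with and without the genuine device and report
    whether each run reproduces the genuine output."""
    real = Dongle(b"constructed-device-secret")
    values = list(range(16))  # constructed input
    good_a = run_check_only(real, values)
    good_b = run_compute_in_device(real, values)
    return {
        "A_real": run_check_only(real, values) == good_a,
        "A_none": run_check_only(NoDongle(), values) == good_a,
        "B_real": run_compute_in_device(real, values) == good_b,
        "B_none": run_compute_in_device(NoDongle(), values) == good_b,
    }


if __name__ == "__main__":
    for design, correct in compare().items():
        print(design, "correct output" if correct else "wrong output")
```

In design A the program's output never depended on the device, so a forced check changes nothing; in design B the output is wrong without the device's secret.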
END OF DOCUMENT
| ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved. |