|
|
ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1989)
DOCUMENT: Rutgers 'Security List' for October 1989 (97 messages, 71072 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1989/10.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
-----------[000000][next][prev][last][first]---------------------------------------------------- Date: 2 Oct 89 06:06:00 GMT From: MISS026@ecncdc.BITNET (GREENY) To: misc.security Subject: re: Alarm systems
> IR Detectors...
What do these detect?
They detect infrared energy in the area....a fresnel lens directs any and
all infrared onto a pyrodetector, and some electronics determine whether or not
it should be classified as an alarm or not....usually this is done via "Pulse
counting" which is a method whereby the detector counts the number of pulses
of energy that it has detected within a certain period of time (usually a{
2-3 second period...)....At the security system which I consult for, we set
this to TWO...makes for a good trade off between preventing false alarms due to
air vents moving plants, and the ability to detect a person...NO they will
not detect through the glass....although a good shot of sunlight right
into the lens of the detector will trigger it....simple solution -- keep the
drapes drawn...
Glass breakage sensors -- what do these detect?
There are two types: Ones which "listen" for the frequencies of breaking
glass (audio discrimination) and the usual ones which sense low-level
vibrations such as would be caused by someone attempting to pry open the
windows...
The Radio Shack ones work via mercury type switches that when shaken enough
close a contact and trigger the alarm....they are not tooo reliable...The ones
at the security company I consult for use Terminus sensors, and run them into
a "processor" that makes heads or tails out of the signals comming from the
detectors on the windows....Otherwise thunder and rumbling trucks would set
them off all the time...
My personal favorite is a sensor known as the "ShatterBox" by Sentrol which
is an audio discriminator....of course if you have these armed at night and
then break a glass, you will set off the alarm...
My personal recommendation is to go with a system from a professional
company because there is a lot of grunt work involved in fishing all the
wires for a hardwired system (wireless systems are good, but another topic
altogether..) and in choosing the best protection for your home. Also, if
anything goes wrong, they get to fix it, and you wont have to listen to the
wife (if you're married) saying "I told you it should have been done by a
company! *whine*". Furthermore, they can and should be able to hook you up
to a central monitoring station for a nominal fee (we charge $21.50/month)
which will provide you with some neat features. 1) Assuming your phone lines
dont get cut, then when the alarm goes off, it will send a packet of data
via digital communicator to the central station over your phone line (it
seizes the line even if someone is on the phone or it is off the hook) and
tells them what zone got triggered....2) they call you back unless it's a
panic zone and ask for a password....3) if you provide the correct one they
dont send the police/fire dept/paramedics....4) if not, then they do...
5) if you arent there, they call a list of valid "keyholders" and tell them
the alarm went off, and call the cops/fire dept/ambulance....6) you can have
other sensors such as high/low temperature sensors, sump pump failure
(flood) sensors, etc...wireless panic buttons (even with a hard wired
system) and a variety of other goodies...
Also, if the company you choose is up on things, then they will use recessed
magnetic contacts that you will never see on the doors/windows...about the
only thing you will see is the smoke detectors if you have fire coverage,
and the shock sensors on the doors/windows (although these are practically
invisible...), the control keypad(s) in the designated area, and the alarm
CPU in the basement/closet of your home....
The CPU should have a battery backup, and recharge automatically. Stay
away from the Radio Shack system, it uses lots of C or D cells and they are
a pain...also, no digital communication is available, and they only offer
their tape dialer which many police stations hate...also the panel is not
zoned, which makes servicing a complete bear...
More questions? Drop me some E-mail...I'm experiencing hard drive problems
right now so I'm not on every day like I used to be, but I am here about
3 times a week...
Bye for now but not for long...
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
Macnet: GREENY
-----------[000001][next][prev][last][first]---------------------------------------------------- Date: 2 Oct 89 18:33:07 GMT From: CI60UCU@VM.TCS.TULANE.EDU (Charlene Charette) To: misc.security Subject: Re: Home Security Systems
I used to work for a security company (residental and commerical) and one of my
co-workers here at the University used to install residental and commerical
systems (he still does installations on a part-time basis). The following
answers are a combination of our knowledge:
>What's a good book on do-it-yourself home security systems?
Guy did not know of any good, current books available.
>What are the trade-offs of do-it-yourself vs. a professional security
>company?
The main advantage is that the professionals are knowledgeable and experienced
(providing they are not one of the many fly-by-night alarm company that are
popping everywhere). The secondary advantage involves monitoring; alarm
signals are sent to a central station who can then call the police, fire dept.,
your work number, etc. when your alarm goes off.
>How do I protect my home without overtly annoying the neighbors, police,
>etc. with false alarms.
Most of the newer alarms allow you to set a time limit on sirens with 15 mins
being the usual time limit. Some cities have ordinances on siren time
durations and I would suggest that you check for these. (Some cities require
that alarm systems be registered. You should check this also.)
>Radio Shack sells "glass breakage detectors". These are ~1" diameter
>"pucks" that stick to the glass and are wired to an alarm.
>* What do these sense?
These sense high-pitched sounds such as glass breaking. Alarm technicians test
them by rattling keys.
>* If they are in the corner of a picture window, and the
> other side of the window is broken but the glass under the puck remains
> intact will they trigger?
Yes, it should; but it is dependant on the range of the detector.
>* If they are impact-sensitive, will a truck or plane rumbling by set
> them off?
Yes, if they are too sensitive. Some can be adjusted, others not.
>How about area detectors, infra-red or sonic? We have no pets to set
>them off but:
You may not have any pets to set them off, but I have seen them set off by rats
and roaches (yes, we have *BIG* roaches here). Guy says they are good, but
stay away from cheap detectors or you will be plagued with false alarms.
>* Can IR detectors see movement through windows? Wouldn't want the
>paper boy setting them off by mistake.
No, the detectors don't sense "movement". They sense changes in heat. If you
were to hold a large piece of cardboard in front of you and move it slowly in
front of an IR detector, you could pass it undetected.
>* How about changes in ambient IR levels caused by the sun coming in
>through a window or the furnace going on or off?
Yes, temperature changes will trigger the detectors. Don't point them at
windows, fireplaces, air ducts, furnaces, etc.
>* Are the sonic types sensitive to noises outside the house?
They should be.
>* Will, say, thunder shake the house enough to trigger a motion detector?
It shouldn't.
>I see both wired and wireless alarm systems for sale. Since I have good
>attic and basement access, I am tending toward the wired sort. The
>wireless types seem to need occasional battery replacement. Aside from
>this are there reliability concerns wrt. either style?
Guy advises staying away from wireless systems as they are not as reliable.
Although he is not as familiar with the newer wireless sytems available, he
said the older systems had no low battery indicator. A low battery can cause
false alarms; and of course, a dead battery is useless.
If you have any further questions, please feel free to ask.
PS: Guy said if you pay his expenses he'd gladly come up and give you a hand.
:-)
-----------[000002][next][prev][last][first]---------------------------------------------------- From: Paul=Zonfrillo%SQA%Banyan@thing.banyan.com 4-OCT-1989 22:17:37 To: SECURITY@vm.tcs.tulane.edu
Yes indeed, Dongles are alive and well! My company, Banyan Systems Inc. makes PC-based WAN/LAN software and uses such a device for copy protection as well as and upgrade. Our "server key" is a straight-thru device that sits on the pralell port. Users can also purchase additional "option keys" to enable additional operating systems options such as TCIP routing, that can be loaded on/off the server via these option keys . As far as reliability goes, in six years, we have NEVER had one burn out. (this is according to tech support). Our software encodes to the key after it has been loaded on the server. The option is also attractive because it does not take up any slots in the server. In short: Dongles seem to be an effective but unobtrusive form of copy protection. Paul Zonfrillo SQA Engineer, Banyan Systems Inc. Paul=Zonfrillo%SQA%BANYAN@thing.banyan.com
-----------[000003][next][prev][last][first]---------------------------------------------------- From: barry@ads.com 4-OCT-1989 23:12:18 To: security@ucbvax.berkeley.edu
There is a cracker on the loose in the internet. This is the information I have so far. Traces of the cracker were found at the Institute for Advanced Studies in Princeton. He also left traces at one of the Super computer centers. Both CERT and the FBI have been called. The technique that is being used is as follows: 1) He has a modified telnet that tries a list passwords on accounts. Username forwards and backwards, username + pw, etc. 2) He seems to have a program call "ret", that is breaking into root. 3) He seems to be getting a list of victim machines via people's .rhosts files. 4) He copies password files to the machines that he is currently working from. 5) He is good about cleaning up after himself. He zeros out log files and other traces of himself. 6) The breakins are occurring bwtween 10pm Sunday night and 8am Monday morning. 7) He seems to bring along a text file of security holes to the machines he breaks into. 8) Backtracing the network connections seem to point to the Boston area as a base of operations. The sys admin at IAS found a directory with the name ".. " (dot dot space space). The files I mentioned above were found in this directory. Barry Lustig barry@ads.com Advanced Decision Systems (415) 960-7300
-----------[000004][next][prev][last][first]---------------------------------------------------- Date: 3 Oct 89 20:04:00 GMT From: cc@sisl.co.uk (Chris Corbett) To: misc.security Subject: Unix security products, A survey
I am carrying out a survey of security products that are
available for Unix machines. The idea is to collect together a review of
the available products. It will be a "snapshot" of the various ways in
which security can be added to unix, together with a brief description
of the main features of each.
This review would then be posted onto the net, and hopefully updated
from time to time.
I am focussing on the following areas:
1. Single level security products for Unix machines. Products that
give a C2 level of assurance or something like it.
2. Multilevel security for unix machines. Products that give
higher levels of assurance (B1 and up).
3. Products that support either of these levels of security over
networks of machines.
I am *not* collecting information on encryption devices/smart cards etc.
In order to jolt your memory I am already aware of the following in
each of these categories.
1. BOKS
2. The Addamax and Secureware kits for system V and BSD. (I would be
interested to know of any manufacturer that has announced machines
running either of these two); AT&T's MLS Unix; Unix System 5.4.2 which
is said to be going to include B1 security as part of the
standard product.
3. None (well its a much trickier problem).
Any information or pointers that anyone can send me would be very welcome.
Names of further people to talk to would also be useful. Thanks in advance.
I should also state for the record that I am not associated commercially
with any company that makes any products of this type. I am an interested third
party who would like to get an overview of the current situation.
-----------------------------------------------------------------------------
Chris Corbett cc@sisl.uucp +44 252 811818 Fax +44 252 811435
Secure Information Systems Ltd, Sentinel House, Harvest Crescent,
Ancells Park, Fleet, Hampshire GU13 8UZ. UK.
-----------------------------------------------------------------------------
-----------[000005][next][prev][last][first]---------------------------------------------------- Date: Wed, 23 Aug 89 17:13:11 BST From: ORG5NMC@cms1.ucs.leeds.ac.uk 5-OCT-1989 16:05:31, ORG5NMC@cms1.ucs.leeds.ac.uk To: SECURITY@pyrite.rutgers.edu, SECURITY@pyrite.rutgers.edu
> Why is there so little awareness of the way many third-party software
> packages open vulnerabilities in even the perfectly managed C2
> commercial systems?
I don't think its just a matter of third party software being poor
security-wise. The vendor of the machines I work on (not IBM) seems
to have a very poor record (security-wise) when it comes to their
own "add on" s/w let alone third party. I see time after time
new features introducing old bugs.
On another subject (slightly related) what do readers think
vendors should do to deter the writing of "home-grown" poorly
written privileged s/w that effectively opens up systems? Is
it just a matter of education or trying to make it difficult
for s/w to make mistakes?
Neill.
-----------[000006][next][prev][last][first]---------------------------------------------------- Date: Wed, 23 Aug 89 16:27:45 EDT From: Gary Buhrmaster <TJF@CORNELLC> 5-OCT-1989 16:35:00, Gary Buhrmaster <TJF@CORNELLC> To: security@ubvm, security@ubvm
In the IBM world, a promise to run 15% faster than the competition usually makes the sale to the DP manager. That manager is rarely concerned that the package happens to run faster because it runs the users in privleged mode, and the saleman is unlikely to volunteer that information. His competitor might, but he probably has his own hooks for some other function that he would prefer you not notice. It is getting better. While still a rare occurance, DP managers are learning to ask what special facilities or privleged functions that packages require, and then require that the package support the underlying security facilities. In the MVS world, that often means some sort of statement of integrity, and interface to RACF or ACF2. The driving force is often the EDP Auditor. While they may not understand computers (it is not their job,) they do exchange information between themselves as to what packages are the biggest abusers, and they do know the right questions to ask. After all, their interest is in understanding the risk of losing their companies assets, and programs that allow access to those assets without authorization are dangerous.
-----------[000007][next][prev][last][first]---------------------------------------------------- From: Chess Ferrier <chess@ibmpcug.co.uk> 5-OCT-1989 16:50:03 To: misc-security@ukc.ac.uk
HOW CAN A PS/2 PASSWORD BE REINITIALISED ?
You use the REFERENCE DISK to set a PS/2 PASSWORD for the first time.
You use OLDPW/NEWPW to change the current PASSWORD.
But how do you re-invoke the password facility for the following situation:
1 The password had been set.
2 The password was removed by entering a blank value as a new password.
(OLDPW/ <Enter>)
You can no longer set the password via the REFERENCE DISK as it reports that
the password is already set.
You can not change the password from 'blank' to something else via the normal
'CHANGE PASSWORD' process as you are no longer required to enter a password
when the system is turned on.
The only way I know to over come this situation is to remove the PS/2's battery
for about 20 minutes, and then rerun the system automatic configuration, and
the REFERENCE DISK's SET PASSWORD facility.
The above method is a real pain. I'm hoping that there is another way.
Is there another way ?
P.S. - Is there a way to find out the current power-on password value.
Thanks in advance for any help.
----------------------------------------------------------------------------
Mr Chess Ferrier
ESSO ENGINEERING (EUROPE) LIMITED.
Apex Tower, High Street, New Malden, Surrey, KT3 4DJ.
01-949-8459
-----------------------------------------------------------------------------
--
Automatic Disclaimer:
The views expressed above are those of the author alone and may not
represent the views of the IBM PC User Group.
-----------[000008][next][prev][last][first]---------------------------------------------------- From: feo@cbnewsl.ATT.COM (francis.e.o brien) 5-OCT-1989 22:20:16 To: misc-security@att.att.com
I'm interested in installing my own home security system. My house is mostly pre-wired, which makes the installation of a wired system relatively simple. The only problem is finding systems. So far the choice is Radio Shack. I haven't located any other distributors of alarm systems who sell to the general public. Most places insist on installaing and of course providing a monitoring service. Can anyone provide me with the name of some dealers that I can deal with directly? Thanks.
-----------[000009][next][prev][last][first]---------------------------------------------------- From: jearly@lehi3b15.csee.lehigh.edu (John Early) 5-OCT-1989 22:52:42 To: misc-security@rutgers.edu
>What's a good book on do-it-yourself home security systems? If you find one, let me know, too. If you do-it-yourself, it is cheaper and more secure(only you know the details of your system) but you might not think of everthing the pro's might. Personally, I don't let ANYBODY know the details of the systems I install, and I would not trust ANY company that doesn't have a good rep. >How do I protect my home without overtly annoying the neighbors, police, >etc. with false alarms. Don't have false alarms--seriously, they ARE annoying, and unless the only function an alarm system does is call YOUR phone, you will annoy someone. Some police dept. don't mind having auto-dialers call them, some do...check with the local and/or state police. >Radio Shack sells "glass breakage detectors". These are ~1" diameter >"pucks" that stick to the glass and are wired to an alarm. >* What do these sense? They are mercury switches (can be set to be normal open or closed) and change state when tilted more than a certain (preset) degree. If someone can break (or cut) just part of a window, they won't sense it. They are most sensitive to rotational motion around the center axis, so I did one installation where the window loop is always active, but the windows can be opened or closed without triggering the sensor...and trucks won't set them off. Do your best to hide them so that a potential intruder won't notice them and take precationary steps. >How about area detectors, infra-red or sonic? We have no pets to set >them off but: Some IR detectors are sensitive enough to measure through glass...most aren't. Sunlight WILL set them off...seen that happen more than once. Ultrasonic motion detectors shouldn't detect noise, per se, but if the thuder knocks a book off a shelf (had that happen to me once) it will. >I see both wired and wireless alarm systems for sale. I always use closed loop wired systems. And redundant systems in special areas. Don't forget to check back-up batteries at least 1/month! I think that any DIY can manage a good security system, if s/he thinks it out ahead of time, and tries to think like an intruder. Pay attention to small details--e.g. don't install an auto-dialer then forget to protet your phone wire entrance. Radio shack has good stuff...probably enough for the average home security needs. Hope this helps. John Early jearly@lehi3b15.csee.lehigh.edu JPE1@Lehigh.Bitnet
-----------[000010][next][prev][last][first]---------------------------------------------------- From: letni!doug@texbell.swbt.com (Doug Davis) 5-OCT-1989 23:21:14 To: misc-security@attctc.dallas.tx.us
>* What do these sense?
These are mercury filled switches which you can set the "sensitivity"
by providing the inital tilt of the switch. I use them in my car
for things like tee-tops. (substatute velcro for the double stick tape)
and they work reall well. For glass breakage they are only moderate
I would suggest them only if tape is to obnoxious and you can't affored
the "real ones" based off of piezo elements.
>* Can IR detectors see movement through windows?
No, not unless they were paper thin, Ultra sonics can't even see thru
that.
>* How about changes in ambient IR levels caused by the sun coming in
>through a window or the furnace going on or off?
Usually two slow in both cases, I once walked across a room that was
protected via IR detectors, it took half an hour to cross 20 feet, but
I won the bet. I suspect sonics are foolable in a similer fashion,
but *I* can't do it.
>* Are the sonic types sensitive to noises outside the house?
Not unless its very very loud and in their detection range.
>* Will, say, thunder shake the house enough to trigger a motion detector?
I use both and we have lots and lots of thunder storms, the shaking of
the house has never set them off.. Books falling from the shelf across
the room will though.
IR detectors love heating element furnaces, and steam radiators,
generally anything that changes temperature quickly will set them
off.
Ultrasonic detectors love ceiling fans, and air vents (if they are
set too sensitive)
>I see both wired and wireless alarm systems for sale.
Yeas, most wireless "broadcast" somehow, and like any RF signal it
is subject to distortion caused by outside interference. Also
someone else my have an alarm system using the same codes and/or
frequencys that could cause yours to appear to false alarm. While
wired alarms are subject to "rodent abuse." Like when the squirrel
that has made your attic its home desides to "borrow" a chunk of alarm
wire for its nest.
Wired is by far more reliable, and more work ;-)
Think closed loop, that *IS* the way to go, also the more loops the
better, that way you can still have a partial alarm system when
a loop goes out.. Thats not good, but it's thousands of times better
than not having an alarm.
Look real carefully at off the shelf "base units" most of them are
low grade trash, generally in this area you get what you pay for.
doug
--
Doug Davis/1030 Pleasant Valley Lane/Arlington/Texas/76015/817-467-3740
{sys1.tandy.com, motown!sys1, uiucuxc!sys1 lawnet, attctc, texbell} letni!doug
"Everything in this article is a Jolt Cola hallucination and in no way
exhibits any signs of being remotely connection to any reality."
-----------[000011][next][prev][last][first]---------------------------------------------------- From: simsong@prose.cambridge.ma.us (Simson L. Garfinkel) 5-OCT-1989 23:48:32 To: security@rutgers.edu
I am in the process of installing a rather sophisticated security and access
control system in my home. Deadbolts and strike reinforcement are a good first
step, but the reality is that if somebody kicks hard enough, they will
probably just take the frame out of the wall, unless you have a steel frame
around a steel door.
It's really not worthwhile to go to that trouble, though, because people will
just come through the windows unless you have bars or security screens on
them. If your goal is to keep somebody out physically, you will probably
have to turn your house into a fortress.
What's a good book on do-it-yourself home security systems?
_The_Truth_About_Self_Defence_, available from the Police bookshelf,
603-224-6814, 800-624-9049.
What are the trade-offs of do-it-yourself vs. a professional security
company?
Assuming you want central office monitoring, it is generally easier to get
hooked up with a professional system. Most systems cost in the $1K-$2K price
range, and they do a very good job, so unless you have done this stuff a lot,
you are probably better off with something professional.
It's also a question of how much you value your time, how close what you want
is to what is available off-the-shelf, and wether or not you want to use a
radio-controlled system.
How do I protect my home without overtly annoying the neighbors, police,
etc. with false alarms.
Don't have false alarms. They are typically caused by friends setting the
system off, wind blowing doors open, auto-headlights setting off IR detectors,
and things like that.
Radio Shack sells "glass breakage detectors". These are ~1" diameter
"pucks" that stick to the glass and are wired to an alarm.
* What do these sense?
Vibration. Other units can actually detect the sound of breaking glass.
* If the other side of the window is broken but the glass under
the puck remains intact will they trigger?
Yes.
* If they are impact-sensitive, will a truck or plane rumbling by set
them off?
Only if it breaks the glass.
* Can IR detectors see movement through windows? Wouldn't want the
paper boy setting them off by mistake.
Not unless you have windows made out of NaCl. Salt windows are typically
only found in laboratories, in circles of 1", for IR spectroscopy.
* How about changes in ambient IR levels caused by the sun coming in
through a window or the furnace going on or off?
Depends on the detector. Some of the newer detectors will only trigger if
two or three beams are broken in succession, and these tend not to go off
with slow changes in temperature.
* Are the sonic types sensitive to noises outside the house?
Ultrasonic detectors are generally not used anymore, since they are
very susceptable to background things that make ultrasonics (like pipes).
* Will, say, thunder shake the house enough to trigger a motion detector?
Not of you have an IR detector, since they detect moving heat sources,
rather than just movement.
I see both wired and wireless alarm systems for sale.
Wireless systems scare me, because of the potential for jamming. With
wireless systems, there is a version which is called supervised wireless,
in which the central station constantly polls the remotes and asks them if
they are still working, and gives you an alarm when they fail. The more
expensive ones will even send out messages when their batteries start
to go.
On the other hand, you can move a wireless system if you do. And they
are much cheaper to install.
-----------[000012][next][prev][last][first]---------------------------------------------------- From: GREENY <MISS026@ecncdc.bitnet> 6-OCT-1989 0:20:11 To: <security@pyrite.rutgers.edu>
> IR Detectors...
What do these detect?
They detect infrared energy in the area....a fresnel lens directs any and
all infrared onto a pyrodetector, and some electronics determine whether or not
it should be classified as an alarm or not....usually this is done via "Pulse
counting" which is a method whereby the detector counts the number of pulses
of energy that it has detected within a certain period of time (usually a{
2-3 second period...)....At the security system which I consult for, we set
this to TWO...makes for a good trade off between preventing false alarms due to
air vents moving plants, and the ability to detect a person...NO they will
not detect through the glass....although a good shot of sunlight right
into the lens of the detector will trigger it....simple solution -- keep the
drapes drawn...
Glass breakage sensors -- what do these detect?
There are two types: Ones which "listen" for the frequencies of breaking
glass (audio discrimination) and the usual ones which sense low-level
vibrations such as would be caused by someone attempting to pry open the
windows...
The Radio Shack ones work via mercury type switches that when shaken enough
close a contact and trigger the alarm....they are not tooo reliable...The ones
at the security company I consult for use Terminus sensors, and run them into
a "processor" that makes heads or tails out of the signals comming from the
detectors on the windows....Otherwise thunder and rumbling trucks would set
them off all the time...
My personal favorite is a sensor known as the "ShatterBox" by Sentrol which
is an audio discriminator....of course if you have these armed at night and
then break a glass, you will set off the alarm...
My personal recommendation is to go with a system from a professional
company because there is a lot of grunt work involved in fishing all the
wires for a hardwired system (wireless systems are good, but another topic
altogether..) and in choosing the best protection for your home. Also, if
anything goes wrong, they get to fix it, and you wont have to listen to the
wife (if you're married) saying "I told you it should have been done by a
company! *whine*". Furthermore, they can and should be able to hook you up
to a central monitoring station for a nominal fee (we charge $21.50/month)
which will provide you with some neat features. 1) Assuming your phone lines
dont get cut, then when the alarm goes off, it will send a packet of data
via digital communicator to the central station over your phone line (it
seizes the line even if someone is on the phone or it is off the hook) and
tells them what zone got triggered....2) they call you back unless it's a
panic zone and ask for a password....3) if you provide the correct one they
dont send the police/fire dept/paramedics....4) if not, then they do...
5) if you arent there, they call a list of valid "keyholders" and tell them
the alarm went off, and call the cops/fire dept/ambulance....6) you can have
other sensors such as high/low temperature sensors, sump pump failure
(flood) sensors, etc...wireless panic buttons (even with a hard wired
system) and a variety of other goodies...
Also, if the company you choose is up on things, then they will use recessed
magnetic contacts that you will never see on the doors/windows...about the
only thing you will see is the smoke detectors if you have fire coverage,
and the shock sensors on the doors/windows (although these are practically
invisible...), the control keypad(s) in the designated area, and the alarm
CPU in the basement/closet of your home....
The CPU should have a battery backup, and recharge automatically. Stay
away from the Radio Shack system, it uses lots of C or D cells and they are
a pain...also, no digital communication is available, and they only offer
their tape dialer which many police stations hate...also the panel is not
zoned, which makes servicing a complete bear...
More questions? Drop me some E-mail...I'm experiencing hard drive problems
right now so I'm not on every day like I used to be, but I am here about
3 times a week...
Bye for now but not for long...
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
Macnet: GREENY
-----------[000013][next][prev][last][first]---------------------------------------------------- Date: 4 Oct 89 16:58:50 GMT From: CTM@cornellc.BITNET (Homer) To: misc.security Subject: Re: Home Security Systems
The radio shack motion sensors for windows are mercury
switchs. They depend on the sensor being thorougly moved to
another postion to set the switch off. In this sense it is
impossible to set them off with mild vibrations. You have
to really destroy the glass where they are. They can be
set to almost tripped. This would make them more likely to trip,
but if they move the wrong way they wont go off.
Its a circular tube with merc in it and a switch at one end.
-----------[000014][next][prev][last][first]---------------------------------------------------- From: noam@neabbs.UUCP (NOAM KLOOS) 7-OCT-1989 2:51:08 To: hp4nl!misc-security
CATE'S CURE FOR DATA CRIME
On or after the 12th of October, an undetermined number of computer
'viruses' are scheduled to start erasing the data of their unsuspecting
hosts. One virus in particular, known as 'DATACRIME II', is an
especially nasty specimen, as it not only spreads very rapidly, but also
formats the hard disk of any computer it infests, permanently destroying
all of the contents.
DATACRIME was first detected in the Netherlands, and the leading
computer publication of that country, PERSONAL COMPUTER MAGAZINE,
commissioned computer expert Rikki Cate to write an 'antidote' program
for its readers. Cate, an American who lives in the Netherlands, is a
programmer specialized in this kind of work.
Cate's Cure was an overnight sensation. Featured on radio, television
and in Holland's leading newspapers, thousands of copies were
distributed within the first few days and it has already inspired a
number of hastily composed imitations. Even the Dutch police have begun
distributing a version of their own. Cate's Cure, however, claims
superiority to all of these. It is much faster, it actually removes the
virus, it repairs damaged programs, it automatically searches all the
directories on the hard disk, and it provides permanent protection
against formating of the hard disk or new infections by the virus. None
of the other programs released have any of these features. This is
believed to have been confirmed in an independent test carried out by
the Dutch Railways.
In view of the huge demand and the clear anxiety indicated by that, Cate
has decided, with the approval of PCM, to make the antidote more widely
available on disk. Additional information can be
obtained from her directly by calling 31-20-981963 in Amsterdam. Fax:
31-20-763706, telex 12969 neabs nl, Fido 2:280/2, electronic mail
31-20-717666, all marked to her attention.
-----------[000015][next][prev][last][first]---------------------------------------------------- Date: 6 Oct 89 03:56:00 GMT From: MASROB@UBVMSC.CC.BUFFALO.EDU (CNSM CCR - Rob Rothkopf) To: misc.security Subject: RE: Home Alarm Installations, R.S. Setups
I've installed a burglar alarms using all Radio Shack equipment; The whole deal is fairly inexpensive ($120? for the main unit, $100 phone dialer, switches, etc) and wiring is straightforward (well, as straightforward as wiring a system can be :-). However, if you have any pets, motion/heat/pressure mat sensors are out of the picture. A note of caution... be careful not to pinch wires when running them and stapling them to walls.. this can build resistance in the circuit and cause false alarms (a closed system trips when the total circuit resistance exceeds a certain level). The vibration sensing switches are prone to strong winds, airplanes, truck horns triggering them; therefore, use on windows instead of foil tape (for cosmetic reasons) would have to be more than one for a big pane to be effective with all the switches having fairly low sensitivity. Still, I encountered something interesting with these switches wired in series: the alarm is being triggered for no apparent reason, calm winds, everyone inside sitting around the house. When the resistance in the circuit was checked I found it to be over 500 ohms more than what it should have been.. troubleshooting the circuit I found the resistance in each switch to vary, one by over 100 ohms... seconds later the same switch read 7 ohms.?! Hmm... So far this problem hasn't been fixed *but* resistance in the circuit still seems like something to look out for.. make sure not to staple through wires inadvertently! RE: the mercury glass breakage switches - Usually for windows people have three options if they're using the closed circuits: either the mercury switch, vibration switch or foil tape. In a previous posting it was said that the mercury switch is impractical and it should be hidden so a burglar doesn't see it. I disagree. Part of the effectiveness of the system is its visibility (it even comes with window stickers). The foil tape most often used is ineffective on big windows (e.g. glass doors) if put around the perimeter. While the tape *is* sensitive to breakage, if the middle is cut carefully, entrance can be obtained without the alarm being triggered. The "glass breakage sensor" follows the same theory that the glass will be broken enough to cause a shift triggering the alarm. 5 of one, etc. It's more a matter of cosmetics at that point. Also, as silly as it might seem to put a vibration sensor on a wall or room, there *have* been cases where burglars have broken in that way.. if you're running a wire already it might be worth an extra few dollars to drop a vibration sensor here and there on some wall areas.. Overall, the Radio Shack support staff was VERY helpful and cooperative when exchanging parts, etc. Prices are reasonable and there are enough accessories to build virtually any setup you would want... Many loops make debugging/altering the system much easier (as someone already pointed out [good suggestion!])... Hope this info. is helpful to someone..
-----------[000016][next][prev][last][first]---------------------------------------------------- Date: 6 Oct 89 16:54:00 GMT From: TIHOR@ACF6.NYU.EDU (Stephen Tihor) To: misc.security Subject: Grumann Breakin
Kid with a Wargames dialer popped in to a small Gruman engineering system.
Grumann seems to have been very sloppy since what the CBS newspeople who
interviewed me ("Indpendant Computer Expert") said was that he go into a
privileged maintenance account. Presumably FIELD. Of course Grumann does
their own maintenance so its propbably their fault not DEC's if its a guessable
password. But they let the kid in, tracked him back, and had him arrested.
-----------[000017][next][prev][last][first]---------------------------------------------------- Date: 6 Oct 89 19:59:50 GMT From: JEFF@utcvm.BITNET (Jeffrey R Kell) To: misc.security Subject: Re: Home Alarms
Are their any alarm systems that will interface with a PC? I've seen plenty of 'switch controllers' but don't recall seeing anything that resembled alarm sensors (though presumably if you can sense a switch open/closed, the same logic applies to alarm sensors). <Jeff>
-----------[000018][next][prev][last][first]---------------------------------------------------- Date: 8 Oct 89 07:46:00 GMT From: MISS026@ecncdc.BITNET (GREENY) To: misc.security Subject: re: wireless systems
> there is a version which is called supervised wireless, in which the central > station constantly polls the remotes ... Nope.....not the Central Monitoring Station, but rather the alarm CPU in your basement/utility closet....every 10-15 seconds the sensor puts out an "I'm here " signal to the CPU, and the CPU remembers it.....if it doesn't get a blip then it waits another 15 seconds or so and sees if it gets one again...if it doesnt, then it sends a signal to the Central Monitoring Station saying "Supervisory on Zone ##" where ## is the number of the zone that died... of course if someone is sophisticated to jam your xmitters (319.5 MHZ for those of you wondering...) then they could also just cut your phone line and unless you have a cellular dialer, or high security connection then you are out of luck.... Also, the newer wireless systems (such as the ITI SX-V) has sensors that have the brains to send a "Hey CPU, my battery is dying" signal to the CPU so that the CPU can call the central monitoring station, and then they will call either you and your dealer, just your dealer, or just you....then your dealer can come out and replace the batteries for you -- or if you can find the proper equivilent then you can do it yourself... l8r... bye for now but not for long Greeny BITNET: MISS026@ECNCDC Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU GEnie: GREENY MacNEt: GREENY
-----------[000019][next][prev][last][first]---------------------------------------------------- Date: 8 Oct 89 23:36:00 GMT From: XA3I@purccvm.BITNET (Robert Allinson) To: misc.security Subject: Personal Computer Viruses
I am puzzled by the statement made by certain individuals. The statement was made that a virus can be put on an un-formatted disk and it can "virusize" your personal computer!!! Is this true? Is it possible to put a virus on an un-formatted disk? s this tru even transfer a virus If so, HOW? It does not make sense. In my view you have to format the disk in the first place to install data on it! correct? Please reply to : Robert Allinson XA3I@PURCCVM [Moderator tack-on: Depends on the type of PC, of course. Replies to him only, please... _H*]
-----------[000020][next][prev][last][first]---------------------------------------------------- From: Homer <CTM@cornellc.bitnet> 10-OCT-1989 8:05:12 To: "Security List." <security@pyrite.rutgers.edu>
The radio shack motion sensors for windows are mercury
switchs. They depend on the sensor being thorougly moved to
another postion to set the switch off. In this sense it is
impossible to set them off with mild vibrations. You have
to really destroy the glass where they are. They can be
set to almost tripped. This would make them more likely to trip,
but if they move the wrong way they wont go off.
Its a circular tube with merc in it and a switch at one end.
-----------[000021][next][prev][last][first]---------------------------------------------------- From: Bob Dixon <DIXON@ohstvma.bitnet> 10-OCT-1989 8:39:16 To: security@pyrite.rutgers.edu
Some things to think about concerning RF security systems.
What frequency range do they use? Do they generate RFI? Are they susceptible
to interference from other transmitters located nearby (such as 1kw in the
house? Can the remote units be tested automatically from the central unit?
Are the remote units battery powered? If so, is battery failure detected?
Can the receiver be rendered ineffective by a local transmitter on the same
frequency?
Bob Dixon
Ohio State University
-----------[000022][next][prev][last][first]---------------------------------------------------- From: <BHAYNES@auducvax.bitnet> 10-OCT-1989 9:09:50 To: security@pyrite.rutgers.edu
This may or may not be an appropriate topic. If not, please
excuse the posting...
I am about to make an attempt to find some 200 people. The only
information I have to go on is their full name and an old (5-10 years)
address.
My question is basically, how? What types of information would be
helpful and available? What types of information is public? Are there any
on-line services which would be useful in locating people? If so, what types
of information is readily available?
---------------------------------------------------------------------------
Brad Haynes | Internet: bhaynes@ducvax.auburn.edu
c/o U.P.E. | Bitnet: BHAYNES@AUDUCVAX
106 Dunstan Hall |
Auburn University, Alabama 36849 |
(205) 826-0479 |
-----------[000023][next][prev][last][first]---------------------------------------------------- From: howard@hasse.ericsson.se (Howard Gayle) 10-OCT-1989 9:47:02 To: misc-security@sunic.sunet.se
Several of my friends recently joined a medium-size Swedish firm. (Name withheld, but it is definitely *not* Ericsson.) They all wanted to have their electronic (email) addresses on their business cards, but the firm's security manager would not allow this. He claimed that the host names in the addresses would, collectively, reveal sensitive information. I am very skeptical of this claim. By collecting a reasonably large sample of cards, one could probably estimate the number of file servers at the firm, but I don't see how that could help a cracker. The firm does not do classified or military work, and is not on the Internet (Nordunet). Has anyone heard of similar policies at other firms? Does anyone see any real risks of email addresses on business cards? As usual, please email to me; I'll summarize if response warrants. -- Howard Gayle TN/ETX/T/BG Ericsson Telecom AB S-126 25 Stockholm Sweden howard@ericsson.se uunet!ericsson.se!howard Phone: +46 8 719 5565 FAX : +46 8 719 9598 Telex: 14910 ERIC S
-----------[000024][next][prev][last][first]---------------------------------------------------- From: Frank Tompkins <TOMPKINS@AKRONVM> 10-OCT-1989 10:17:09 To: security@ohstvma
Greetings:
As a new subscriber to this list, please redirect me if the following
question(s) are better answered elsewhere.
We have a TCP/IP based campus network, growing rapidly for about a year
and a half, that has primarily been used by academic types (faculty &
students). There is growing pressure to allow administrative users access
to MVS mainframe (via IBM's 5798-FAL product offering, dialing to VM VTAM).
The physical implementation includes thick and thin ethernet cabling,
a Proteon router, some fiber cable, IBM type 1?? cabling, a bridge here
and there, and a 56kb link to the rest of the Internet.
My two part question, the results of which I will refer to my management
to help them decide some policy issues, is as follows:
1) Other than the well known ease with which thick Ethernet cables
can be tapped and passing data extracted, are there other weak
spots (security wise) that we should be aware of regarding the
physical links,
and
2) What are the policies (briefly) that other campuses have regarding
allowing confidential administrative data to flow over Internet
links.
Please answer directly to me to avoid wasting network bandwidth with what
is probabily a thoroughly hacked over issue. If there is enough interest,
I will post a summary. Also, if there are any archived documents or
discussions regarding this issue, please direct me to them.
Thank you all.
Frank Tompkins (TOMPKINS@AKROMVM) / (TOMPKINS@VM1.CC.UAKRON.EDU)
Systems Programmer
University of Akron
Akron, Ohio 44325-3501
-----------[000025][next][prev][last][first]---------------------------------------------------- From: Charlene Charette <CI60UCU@vm.tcs.tulane.edu> 10-OCT-1989 10:43:41 To: security@pyrite.rutgers.edu
I used to work for a security company (residental and commerical) and one of my
co-workers here at the University used to install residental and commerical
systems (he still does installations on a part-time basis). The following
answers are a combination of our knowledge:
>What's a good book on do-it-yourself home security systems?
Guy did not know of any good, current books available.
>What are the trade-offs of do-it-yourself vs. a professional security
>company?
The main advantage is that the professionals are knowledgeable and experienced
(providing they are not one of the many fly-by-night alarm company that are
popping everywhere). The secondary advantage involves monitoring; alarm
signals are sent to a central station who can then call the police, fire dept.,
your work number, etc. when your alarm goes off.
>How do I protect my home without overtly annoying the neighbors, police,
>etc. with false alarms.
Most of the newer alarms allow you to set a time limit on sirens with 15 mins
being the usual time limit. Some cities have ordinances on siren time
durations and I would suggest that you check for these. (Some cities require
that alarm systems be registered. You should check this also.)
>Radio Shack sells "glass breakage detectors". These are ~1" diameter
>"pucks" that stick to the glass and are wired to an alarm.
>* What do these sense?
These sense high-pitched sounds such as glass breaking. Alarm technicians test
them by rattling keys.
>* If they are in the corner of a picture window, and the
> other side of the window is broken but the glass under the puck remains
> intact will they trigger?
Yes, it should; but it is dependant on the range of the detector.
>* If they are impact-sensitive, will a truck or plane rumbling by set
> them off?
Yes, if they are too sensitive. Some can be adjusted, others not.
>How about area detectors, infra-red or sonic? We have no pets to set
>them off but:
You may not have any pets to set them off, but I have seen them set off by rats
and roaches (yes, we have *BIG* roaches here). Guy says they are good, but
stay away from cheap detectors or you will be plagued with false alarms.
>* Can IR detectors see movement through windows? Wouldn't want the
>paper boy setting them off by mistake.
No, the detectors don't sense "movement". They sense changes in heat. If you
were to hold a large piece of cardboard in front of you and move it slowly in
front of an IR detector, you could pass it undetected.
>* How about changes in ambient IR levels caused by the sun coming in
>through a window or the furnace going on or off?
Yes, temperature changes will trigger the detectors. Don't point them at
windows, fireplaces, air ducts, furnaces, etc.
>* Are the sonic types sensitive to noises outside the house?
They should be.
>* Will, say, thunder shake the house enough to trigger a motion detector?
It shouldn't.
>I see both wired and wireless alarm systems for sale. Since I have good
>attic and basement access, I am tending toward the wired sort. The
>wireless types seem to need occasional battery replacement. Aside from
>this are there reliability concerns wrt. either style?
Guy advises staying away from wireless systems as they are not as reliable.
Although he is not as familiar with the newer wireless sytems available, he
said the older systems had no low battery indicator. A low battery can cause
false alarms; and of course, a dead battery is useless.
If you have any further questions, please feel free to ask.
PS: Guy said if you pay his expenses he'd gladly come up and give you a hand.
:-)
-----------[000026][next][prev][last][first]---------------------------------------------------- From: (Marshall D. Abrams) <abrams%vlad@gateway.mitre.org> 10-OCT-1989 11:14:56 To: security@pyrite.rutgers.edu
Fifth Annual Computer Security Applications Conference
formerly the
Aerospace Computer Security Applications Conference
December 4-8, 1989
Westward Look Hotel, Tucson, Arizona
Sponsored by
IEEE Technical Committee on Privacy and Security
American Society for Industrial Security
Aerospace Computer Security Associates
Conference Highlights
Keynote Speaker Luncheon Speakers
----------- ----------------
Senator Dennis DeConcini Mr. Charles. T. Force
(D - Arizona) NASA
Mr. Dave Fitzsimmons
Cartoonist, Arizona Daily Sun
Distinguished Lecture
in Computer Security
"INFOSEC: Where Are We Going?"
---------------
Mr. Stephen T. Walker
Trusted Information Systems
Tutorial Program
Monday, 4 December 1989
"Secure System Design - An Introduction"
Mr. Morrie Gasser, DEC
"Database Security"
Ms.Teresa Lunt, SRI
Tuesday, 5 December 1989
"Secure System Design - Advanced"
Dr. Virgil Gligor, University of Maryland
"A New Approach to Network Security"
Mr. Jerome Lobel, Lobel Consulting
"Computer Crime"
Ms. Gail Thackeray, Arizona Assistant Attorney General
Technical Program
Wednesday - Friday, 6-8 December 1989
Technical Paper Sessions
+ Architecture for Trusted Systems
+ Network Security
+ Cryptographic Applications
+ Architecture and Mechanisms
+ Security Policy and Models
+ Risk Management
+ Software Development for Security
+ Data Base Security I & II
+ Security for Command and Control
+ Audit Applications
+ Trusted Distribution
Panel Sessions
+ Computer Crime
+ Data Base Design for MLS
+ TCB Subset Issues
+ Human Issues
+ Gemini Users
+ International INFOSEC Standards
+ Integrity
+ Shoot Out at the OSI Security Corral
+ Civil Sector Security
+ Security Standards for Open Systems
+ Space Station Information Security
+ Data Integrity and Security for Computer Aided
Acquisition and Logistics Support (CALS)
Special Events
Biosphere II: a prototype of the Earth for the future
Sonora Desert Museum: living animals and plants of the Sonoran
Desert Region
Additional Information
For a copy of the advance program, which includes rates,
schedule, registration form, and special activities, contact:
Diana Akers, Publicity Chair, (703) 883-5907
akers%smiley@gateway.mitre.org
Victoria Ashby, Co-Chair, (703) 883-6368
ashby%smiley@gateway.mitre.org
The MITRE Corporation, 7525 Colshire Dr., McLean, VA 22102
If your organization wishes to consider placing a related
exhibit at the conference, a limited number of spaces are
available on a first come - first serve basis. For
information, contact:
Robert D. Kovach, Exhibits Chair, (202) 453-1182,
rkovach%nasamail@ames.arc.nasa.gov
Advance Programs will be available early September. Please
request one at that time.
Conference proceedings and videotape of the Distinguished
Lecture will be available.
Program Subject To Change
-----------[000027][next][prev][last][first]---------------------------------------------------- From: <JAHARITO@owucomcn.bitnet> 10-OCT-1989 20:08:40 To: security@pyrite.rutgers.edu
Hello there,
I would much appreciate it if U could send me the DES Unix
implementation. I am a freshman in Ohio Wesleyan University and I
have also implemented the DES in C, but I don't know how efficiently...
I would like 2 check it with mine...
Thank U in advance,
John Haritos, 1989
Bitnet%"JAHARITO@OWUCOMCN"
-----------[000028][next][prev][last][first]---------------------------------------------------- From: nagle@well.sf.ca.us (John Nagle) 10-OCT-1989 20:52:43 To: misc-security@uunet.uu.net
Dongles are dead. There are many ads for them in PC Tech Journal,
but no mainstream package uses them. Market resistance to them is
severe. The Software Publisher's Association dropped their scheme for
an industry-standard unit some several years ago.
However, it's worth noting that the Nitendo Game System has a
hardware protection device that makes it extremely difficult to make
a third-party game cartridge. Attempts to reverse-engineer this
system have been successfully made, but they require opening up chips
and using a scanning electron microscope.
John Nagle
-----------[000029][next][prev][last][first]---------------------------------------------------- From: ddefend@urbana.mcd.mot.com (Dan Defend) 10-OCT-1989 21:38:12 To: misc-security@ncar.ucar.edu
I previously posted a query regarding security modems with dialback
capability. Thanks to all who responded. Listed below is a summary of
responses that I received.
-----
Dan Defend
Motorola Microcomputer Division
ARPA: ddefend@urbana.mcd.mot.com
UUCP: uunet!uiucuxc!mcdurb!ddefend
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Dialback Modem Summary
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Check out Datagram DCE224. Datagram Corp. 11 Main St. E. Greewich, R.I.
02818. They have been bought by Memotech, of Canada, I believe. My sales
rep is Rick Wester, in San Ramon, CA. 415-831-4838.
I have two of these units, they are cheap and work well.
--
...uw-beaver!pilchuck!phred!jeffp {Jeff Parke}
Genie : JEFFP | DELPHI : JEFFPARKE | CIS : 71511,1512
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From hughes@hughes.network.com Sun Jul 2 17:43:05 1989
Cermetek Security modem, Cermetek Microelectronics Inc,
Sunnyvale, Ca, 800-862-6271
* Note: This modem provides a separate (secret) dialback line but max.
* speed is 1200 baud. Holds up to 25 passwords/callback numbers.
I have used this modem years ago. It was great until you had a large
bank of phones. We then used the "Defender".
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From security@pyrite.rutgers.edu Tue Jul 4 14:01:55 1989
"FINAL CLOSEOUT/SRICE SLASHED!
Lockheed-Getex modems now priced below our cost!
..300/1200-baud
..Choice of security levels including selective and nonselective
callback
..Non-hayes compatible and any computer...that has industry
standard RS-232C port " can use it
"... NOW $29 + $4 S/H
Item # H-4206-7344-195
COMB
1-800-328-0609
I have got two of them. I am using one of them right now, with a
Lear Siegler Terminal. The other one is for my PC.
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From: uiucuxc!uts.amdahl.com!kelly (Kelly Goen)
try NEC and Cermetek they both make callback models the NEC allows
additionally modem adminstration from a remote site i.e. another
NEC however... all phone line comm is essentially insecure BOA
knows this but they still use the modems and my code for it!!grin!!
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
No modem which uses a simple dialin line for dialout is secure. There
is no way for the modem to ensure that when it makes the phone line
offhook that the dial tone it hears is from the phone company rather
than from a spoofing intruder.
There are special phone lines (ie, "ground-start"), but they require
that the modem use circuitry which supports that ability.
The simplest way to handle the problem is to use one or several incoming
lines for callback requests, then use separate modems on separate phone
lines to place the outgoing calls. Some phone companies also allow
phone lines which do not allow incoming calls, and these can be used
for the callback lines.
I think there may be security modems which do support exactly this,
but they are so expensive it may be simpler to roll your own ct/login.
---
Scot E. Wilcoxon sewilco@DataPg.MN.ORG {amdahl|hpda}!bungia!datapg!sewilco
Data Progress UNIX masts & rigging +1 612-825-2607 uunet!datapg!sewilco
I'm just reversing entropy while waiting for the Big Crunch.
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From uiucuxc!uxc.cso.uiuc.edu!iuvax!ames!garp!/dev/null
Tue Jun 20 09:33:04 1989
Why do you want a dial-back modem? Security? Or simply to avoid
long distance charges?
I suggest that you implement this with host software. It's a lot
cheaper.
-simson
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Two methods,
1) A product called "Defender", a modem or rack or modems where each
person has an ID, and that ID relates to a telephone number. After you
call in and give your phone number (fron the terminal), the Defender
calls you back.
There is another option that instead of typing your number in with a
terminal, you can put it in with a touch tone phone. That option
eliminates hackers searching for a modem.
2) Another system involves an electronic card that puts out a 5 digit
password that changes every minute. By having to put in your "PIN"
number and this 5 digit code, it ensures that the caller (from
wherever) 1) is you (because of the PIN) and is in possetion of the
electronic card (Because of the 5 digit password).
I forgot the name of the 2nd system.
The Defender is available in single modem prices. (I don't know
how much).
Jim Hughes
Hughes@network.com
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From: virchaux%CLSEPF51.BITNET@cunyvm.cuny.edu (Jacques Virchaux EPFL-SIC)
As we actually use this kind of modem without the dial-back capability,
it seems to be interesting for you : OSI8224A.
As there are a lot of possibilities and new series including speed up to
9600 bauds, I give you the address :
Octocom Systems, Inc.
255 Ballardvale Street
Wilmington, MA 01887
* Note: Octocom modem only calls back one number until you physically
* reset the modem to call another.
If you need more than this simple dial-back, maybe you want to know a
complete security system, which can be used with simplest modems :
DataLOCK 4000.
MicroFrame, Inc.
2551 Route 130
Cranbury, New Jersey 08512
(609) 395-7800
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-----------[000030][next][prev][last][first]----------------------------------------------------
Date: 10 Oct 89 09:55:19 GMT
From: datri@convex.UUCP ("Anthony A. Datri")
To: misc.security
Subject: re: email addr on business cardI can't see this at all. For one, "file server" is kind of a loose thing. The cards we fill out for free subscriptions to trade rags routinely ask for the numbers of machines at your site; I can't see how that could possibly be of any use. I introduced the idea of email addresses on business cards at a previous employer, but then, they were more backwards than I want to think about. The form here at Convex that you fill out to get cards has a blank on it for your address. If a company has a consistent namespace and nicely done mailers, everyone's card should say foo@company.com anyway, which wouldn't tell anyone more than the fact that you had one machine, which they could have figured out anyway. Even so, nothing's stopping them from scribbling their addresses on the back of the card anyway.
-----------[000031][next][prev][last][first]---------------------------------------------------- Date: 10 Oct 89 18:05:00 GMT From: JWM%JHUDEV@jhuvms.BITNET (Joe Meister) To: misc.security Subject: RE: How to track people down?
You might want to try a credit bureau. You will not be able to get credit information, but they often offer services that can trace name and address changes. It might cost from $2-$4 per find. Avoid services that charge just for looking. Also, some services will look for you, and others provide on-line lookups. Finally, we are an institutional user, I am not completely sure that individuals can use the service. Also, it is incredibly easier to use social security numbers. Good luck.
-----------[000032][next][prev][last][first]---------------------------------------------------- Date: 10 Oct 89 18:11:00 GMT From: A01MES1@niu.BITNET (Michael Stack) To: misc.security Subject: Re: How to track people down?
I know this isn't exactly a "high-tech" answer, but our high school reunion committee made good use of city telephone directories they found at a local library. It means lots of phone calls, and it won't help with names changed through marriage, but the results were impressive. Only about five percent of our graduating class was not found twenty-five years later, and we'd be silly to believe that at least some of those didn't want to be found. Michael Stack Northern Illinois University
-----------[000033][next][prev][last][first]---------------------------------------------------- Date: 10 Oct 89 21:07:00 GMT From: JEWALSH@fordmurh.BITNET (Jeffrey Walsh) To: misc.security Subject: Re: How to track people down...
As far as I know, and I'm not sure if this is a NY state law or a federal law, but most information held by a college/university registrar concerning name, address of record, phone number, etc., is not confidential, unless the student/alumnus specifies so. If these people have or have had a relationship with an institution of higher learning, this might be one avenue. There's always the notion of posting something in the personals of a well-read paper (eg - Village Voice) where people look for that type of thing. If the group has something in common, focus in on that -- they might be peeved if last names are involved. The key here is, of course, where do you think they are geographically centered? If anyone in the group has even a remote connection with the military, try using the locators (usually free) in the branch publications: Army Times, Air Force Times, Navy Times... Even if they've served in a unit five years ago and aren't in anymore, there's the chance that someone who served with them might still be and be able to relay you information on their whereabouts. I'm not sure about the confidentiality laws that you queried about. Sorry. If you want the address for the locator service of the service papers, write me at the address below. Jeff Walsh "JEWALSH@FORDMURH" Fordham University
-----------[000034][next][prev][last][first]---------------------------------------------------- From: <SYSCHIP@utoroci.bitnet> 12-OCT-1989 5:38:57 To: SECURITY@pyrite.rutgers.edu
> I seem to recall that Unix systems exported from the United States >have a weaker form of crypt() Weaker, yes, you could say that: SunOS shipped to Canada doesn't have crypt at all. The version is called "3.5EXPORT" (I haven't opened my 4.x boxes yet :-). Haven't noticed any other differences, but of course I don't work with the native version. Must be that immense border we share with you-know-who, although it'd be a heck of a cold swim with a 1/4" cassette clenched in your teeth. And now that you mention it, the guy I work with did take a vacation in Cuba a year ago... Chip Campbell VAX System Manager, Physics Division Ontario Cancer Institute, Toronto Bitnet: syschip@utoroci also bitnet: @ociphy.oci.utoronto.ca
-----------[000035][next][prev][last][first]---------------------------------------------------- From: jimkirk@outlaw.uwyo.edu (Jim Kirkpatrick) 12-OCT-1989 6:09:03 To: security@pyrite.rutgers.edu
First, this may be more of a talk.politics item, but then there have been previous discussions here about privacy vs Social Security number etc. Earlier this year I remember reading articles about the government wanting libraries to turn over records of who checked out what book, apparently so they could find out if anybody has been reading subversive material. Libraries (via whatever library associations exist) told the government to piss off, and they weren't going to hand over such records (or keep them) because it violated freedom of privacy and freedom of information. I applaud this. Our University library recently joined a regional conglomerate to obtain on-line library catalog access (CARL - Colorado Area Regional Library, or something like that), which also includes things like an on-line encyclopedia. However, to use the encyclopedia, one must enter their bar code from their library card. I tend to object to this on the same grounds as stated above, that they have no business keeping records of who looks at which databases. I can walk into the library and read the bloody thing without presenting an ID, why should on-line use be made more restrictive? Any comments on the privacy issues here?
-----------[000036][next][prev][last][first]---------------------------------------------------- From: Edward J. Rovera <EJR9006@UCSFVM.BITNET> 13-OCT-1989 18:25:42 To: security@pyrite.rutgers.edu
We are just now getting into running RACF on our MVS system and one
of the problems I (as the de facto Security Administrator) am
encountering is that the folks making requests to me for access to
protected resources invariably do not provide sufficient information.
This necessitates my responding with 'what do you mean?' and the
possibility of the requester doing the same thing means *really*
dragging the process out.
What I'd like to find are some references to books or papers on how
to design the paper (or electronic) forms used by people (usually
resource owners or their agents) to submit requests to the RACF
Security Administrator. I'd also like to know how other RACF sites
using centralized administration deal with the entire process of
granting and restricting access to protected resources. References to
papers or books on this topic would also be welcomed.
I would think that this might not be of general interest to list
readers so if you could respond directly to me, those on the SECURITY
list who are not RACF users would probably appreciate it. Anyone who
*is* interested in whatever I learn is welcome to contact me for
copies.
Thank you in advance for any assistance.
- Ed Rovera
+-------------------------------------+
| Ed Rovera <ejr9006@ucsfvm.ucsf.edu> |
| UUCP: ...!ucbvax!ucsfcgl!cca!er9006 |
| BITNET: EJR9006@UCSFVM |
| Voice: (415) 476-3119 |
| US Mail: |
| University of California, |
| San Francisco |
| Information Technology Services |
| San Francisco, Ca. 94143-0704 |
| SHARE Installation Code: UCS |
+-------------------------------------+
-----------[000037][next][prev][last][first]---------------------------------------------------- From: cc@sisl.co.uk (Chris Corbett) 13-OCT-1989 19:07:04 To: inset!ukc!misc-security
I am carrying out a survey of security products that are
available for Unix machines. The idea is to collect together a review of
the available products. It will be a "snapshot" of the various ways in
which security can be added to unix, together with a brief description
of the main features of each.
This review would then be posted onto the net, and hopefully updated
from time to time.
I am focussing on the following areas:
1. Single level security products for Unix machines. Products that
give a C2 level of assurance or something like it.
2. Multilevel security for unix machines. Products that give
higher levels of assurance (B1 and up).
3. Products that support either of these levels of security over
networks of machines.
I am *not* collecting information on encryption devices/smart cards etc.
In order to jolt your memory I am already aware of the following in
each of these categories.
1. BOKS
2. The Addamax and Secureware kits for system V and BSD. (I would be
interested to know of any manufacturer that has announced machines
running either of these two); AT&T's MLS Unix; Unix System 5.4.2 which
is said to be going to include B1 security as part of the
standard product.
3. None (well its a much trickier problem).
Any information or pointers that anyone can send me would be very welcome.
Names of further people to talk to would also be useful. Thanks in advance.
I should also state for the record that I am not associated commercially
with any company that makes any products of this type. I am an interested third
party who would like to get an overview of the current situation.
-----------------------------------------------------------------------------
Chris Corbett cc@sisl.uucp +44 252 811818 Fax +44 252 811435
Secure Information Systems Ltd, Sentinel House, Harvest Crescent,
Ancells Park, Fleet, Hampshire GU13 8UZ. UK.
-----------------------------------------------------------------------------
-----------[000038][next][prev][last][first]---------------------------------------------------- Date: 12 Oct 89 14:38:10 GMT From: @cloud9.Stratus.COM (cme, Carl Ellison) To: misc.security Subject: Re: Privacy vs on-line library
> . . . I can walk into the library and read the > bloody thing without presenting an ID, why should on-line use be made > more restrictive? It sounds like an accounting measure to me. Is your department charged for database usage? What I would push for is the same privacy which the census provides -- make sure no record is released (or, better, kept) of individual data, releasing info only when no specifics about individuals can be deduced from it. You might do that here by having a group ID card to be scanned -- one giving just the department ID (or whatever the accounting entity is). If you can trust the local programmers, you could depend on them to accumulate no data about *what* you're accessing -- only about how long you use the service. If you can't trust the programmers you need a pay-phone type of facility. That could be with a coin box or a time meter (like the little boxes you used to walk around with for Xerox machines -- the ones with your own odometer style copy counter).
-----------[000039][next][prev][last][first]----------------------------------------------------
Date: 12 Oct 89 15:38:03 GMT
From: WRT@cornellc.BITNET ("Bill Turner, Cornell University Library")
To: misc.security
Subject: Re: Privacy vs on-line libraryAs the primary technical support person for a library system, I would like to point out that there are not necessarily any privacy issues involved here. The question is whether the system is storing the ID's when they are entered, and if so, what happens to them. A good example - any library staff member can certainly (and appropriately!) find out who has what books checked out, and what books any given individual has checked out. A few programmers can even construct the borrowing history of a given individual (a moment's thought about how a library works will tell you this). The fact that something CAN be done does not imply that it is being done. A better question is whether your ID number can be, and is, correlated to your Social Security number. There's probably no good reason why it should be, although often systems are designed by people who are completely insensitive to privacy issues. Finally, however, I find your attitude that somebody owes you free online use of whatever services are offered rather amusing. If you don't want to identify yourself, walk down to the library and use the books. Presumably there are billing issues involved, where somebody is subsidising your online use of an encyclopedia, and asking you to identify yourself for that reason. I'm sure that if you went to the source and offered to establish a fund to pay for completely open use, they'd be happy to set it up. Remember that the provider of the service (the encyclopedia) has something to say about who uses it. I would guess that CARL has a site license that says they may make it available to their own community, but not the world at large. It may be that your ID is validated against a table and no information stored about your access, except possibly a counter indicating the total number of accesses for the encyclopedia. An encyclopedia company that did NOT have such a licensing strategy would quickly go broke, because of selling only one copy of each edition which somebody would put online.
-----------[000040][next][prev][last][first]---------------------------------------------------- Date: 12 Oct 89 16:37:39 GMT From: jonhaug@IFI.UIO.NO (Jon Haugsand) To: misc.security Subject: Re: Privacy vs on-line library
Ah, at last some interesting discussion... I am currently doing my master thesis, and part of the work is definition and classification of security and security policies. I have some problems with 'privacy' In a book discussing the Norwegian privacy act [Dj\o nne 1987: "Personregisterloven, med kommentarer"], privacy is defined as: 'A person has personal interest in 1) discretion, 2) information correctness, 3) knowing what information processing that may cause consequences for him/her, and 4) sanctity of private life. And moreover: 5) the interface to the authorities should keep "a human face", 6) the vulnerability of databases should be minimized, and 7) people should be protected from unreasonable use of power by the authorities.' (Abstracted and translated by me.) The central point in the act itself is to 1) enable individuals to determine data collected on him or her, to get incorrect information corrected and to get irrelevant information deleted, and 2) regulate who is allowed to collect, process and store what information in electronic computers. (There are more, but this is what I myself find 'central'.) If security is defined as "a system's ability to maintain confidiality, integrety and availability of information", where does privacy fit? Another question: Do you agree with the above 'definition' of privacy? Does your contry's privacy act (if you have one) agree? --- --- --- Jon Haugsand Ifi, Univ. of Oslo, Norway jonhaug@ifi.uio.no
-----------[000041][next][prev][last][first]---------------------------------------------------- Date: 12 Oct 89 16:40:46 GMT From: jimkirk@OUTLAW.UWYO.EDU (Jim Kirkpatrick) To: misc.security Subject: Re: Privacy vs on-line library
Responding to my recent query on library systems, Michael Chinni asks -- >Question, does your library card identify you as Jim Kirkpatrick, or >does it just identify you as being from your university? To clarify, the library card is actually just a bar-code sticker slapped on the back of my normal University ID card. Thus the card itself identifies ME, has my picture, and social security number (printed AND embossed!). Also, to clarify, to access either the on-line encyclopedia or a database of newspaper/magazine articles, I must enter my bar code number AND my last name (I found it only looks at the first 10 characters, but those 10 must be correct). So it has a table of bar codes and who they were assigned to (that's reasonable, when you check out a book and don't return it they need to know who to send the goons after :-). >> they have no business keeping records of >> who looks at which databases. >What makes you think that this is required because they are keeping >records of who looks at what? I admit the above was an overstatement. I don't know that they are keeping records of who looks at what, or if they are simply authenticating and counting usage. But I don't know they AREN'T keeping track, either. > assumes that nobody NOT from the university >will use it (or at least the use will be minimal). I would suggest that unauthorized use of the online encyclopedia is likely to be minimal as well. > I agree with you that the keeping of a database of who looks at what is >wrong, but I disagree with your assumption that this is the reason that the >bar code is required. It was a wrong assumption from the view that I don't KNOW they are keeping track, but I don't KNOW that they AREN'T. Any such system CAN be abused almost trivially and without notice to the users. One example is the repeated use over the past hundred years or so of gun registration lists to confiscate guns, despite a government's insistence such lists would never be used that way (WWII Germany was particularly brutal in this regard). I do not mention this to compare guns with books, but just to point out that governments will and do abuse their power to gain access to information they want. I would rather it be impossible for the information to exist, than to be assured (by people who don't even understand the system) that such records aren't being kept. "The price of freedom is eternal vigilance" or something like that.
-----------[000042][next][prev][last][first]---------------------------------------------------- Date: 14 Oct 89 06:12:00 GMT From: MISS026@ecncdc.BITNET (GREENY) To: misc.security Subject: re: RF security systems WAS: AT&T Alarms
> what frequency range do they use? 340 MHz or 319.5 MHz are the ones that I have seen... > Do they generate RFI? Doesn't everything nowdays? :-U Seriously though, they don't generate anything too much...or believe me, we'd have heard about it from our clients... > Are they suceptable to interferrence from other transmitters nearby... Not really, the signals are coded with a "House Code" that each transmitter has to be individually programmed to use, and there are about 10,000 possibilities for these....'course anything is possible... > Are the remote units battery powered? If so, is battery failure detected? YES! Why else would you want to install a wireless system, if you had to run wires to the individual sensors for power? Just add two more wires, and presto! you have a hardwired alarm... In reality, the sensors send a special signal to the CPU when their battery starts to die (3-5 years on the lithium ones in there now...), and the CPU calls the Central Station and tells them....then the Central station contacts your dealer....Your CPU also informs you that the battery is dying when you attempt to arm the alarm (you get a TROUBLE signal on Zone ##).... Also, the zones are all supervised, and the sensors send a signal to the cpu every 60 seconds or so saying "YO! I'm Here!"....if not, then a SUPERVISORY signal shows up... > Can a receiver be rendered inneffective by a transmitter on the same > frequency? Yes, but since all the xmitters are supervised, and since the transmissions are coded, all the bogus transmitter would do would be to jam the signal, and if the central station gets 47 Supervisory signals in 5 minutes from the same alarm panel, then they will call the police... Oh yeah, all the above is referencing ITI products.... bye for now but not for long Greeny BITNET: MISS026@ECNCDC Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU GEnie: GREENY MacNet: GREENY Disclaimer: Nope, no way, it just couldn't be -- my fault..
-----------[000043][next][prev][last][first]---------------------------------------------------- Date: 14 Oct 89 23:23:31 GMT From: rogerc@sauron.columbia.ncr.com (Roger Collins) To: misc.security Subject: USA Today: "Hackers can tap into free trip"
A relative sent me this recent clipping from USA Today (sorry, don't have the date). ----------------------------- snip-snip ------------------------------ Attention, hackers: Here's your chance to break into a computer system and walk away with a grand prize. The "hacker challenge" dares any hacker to retrieve a secret message stored in a KPMG Peat Marwick computer in Atlanta. [... stuff deleted ...] This challenge is being sponsored by LeeMah DataCom Security Corp., a Hayward, Calif., consulting firm that helps companies boost computer security. The winner gets an all-expense paid trip for two to either Tahiti or St. Moritz, Switzerland. Hackers with modems - devices that connect PCs to phone lines - must dial 1-404-827-9584. Then they must type this password: 5336241. >From there, the hacker is on his own to figure out the various access codes and commands needed to retrieve the secret message. The winner will be announced Oct. 24 at the Federal Computer Show in Washington. ----------------------------- snip-snip ------------------------------ I tried to dial the number and got a sound I had never heard before. My Hayes Smartmodem 2400 didn't recognize it either. Does anyone else have more info. about this contest? Got any ideas why I can't get connected? What operating system is it? -- Roger Collins NCR - Engineering & Manufacturing Columbia Domain: rogerc@ncrcae.Columbia.NCR.COM Uucp: (ncrsd | ncrlnk)!ncrcae!rogerc
-----------[000044][next][prev][last][first]---------------------------------------------------- Date: 15 Oct 89 16:45:20 GMT From: tkoppel@ISIS.CS.DU.EDU (Ted Koppel) To: misc.security Subject: Re: Privacy vs on-line library
First, Jim, I'm writing as a person who values and respects the privacy of user records. When I became a librarian I signed off on the idea that people's records are not to be shared, and so on. What I am writing is not necessarily the official policy of CARL. Still, I'll address your issues: a. In the case of the encyclopedia and other databases that are made available on Online Catalogs, we are required by the database supplier's contract to limit the use of certain databases to the primary user population of our members. What that means is that, for instance, a U Wyoming student/faculty/staff person has full access to that database (the encyclopedia, for instance), but a citizen of the state of Wyoming (not known to the University..) does not have access. If we don't restrict access to only the primary user population, then the database provider can accuse us of breach of contract, and ultimately has the right to yank the database from us. Sadly, the 'limit access on your online system' strategy is being em- braced more and more by the database suppliers (see the discussion on the Library PACS-L Bitnet mailing List). I don't see it getting better, either, because the databse suppliers are scared that too much online use is going to transalate into fewer print subscriptions, which is what really pays their bills. By the way, the CARL privacy issue is not what you think. When you come into a password-controlled database, we set a switch to "1"; when you exit, we turn it back to "0". (You can't use a password controlled database on the same password at the same time). CARL doesn't log who used what database at what time - sure, we could, but no, we're not doing so. Final note, Jim - if you're on one of the hardwired terminals at Wyoming, you're not asked for a password at all. (The hardwired terminals are all located in the various libraries there). Only the remote dialups need passwords. -- Ted Koppel CARL - Colorado Alliance of Research Libraries = BITNET: TKOPPEL@DUCAIR UUCP: uunet!isis!tkoppel or tkoppel@du.edu
-----------[000045][next][prev][last][first]---------------------------------------------------- From: Jim.Thompson@central.sun.com (Jim Thompson Sun Dallas IR) 17-OCT-1989 23:57:40 To: hackers_guild@ucbvax.berkeley.edu
FYI: it seems the NASA DECnet network SPAN is under attack from a
DECnet virus. DCA, in its typical overreaction, has hit the explosive
bolts on the ARPA-Milnet mailbridges, effecting TCP/IP traffic on the
Internet. It helps to keep in mind that the Internet is not the only
place where worms/viruses are a major problem.
Date: Mon, 16 Oct 1989 17:54:34 PDT
From: Vince Fuller <vaf@valinor.stanford.edu>
To: barrnet-people@argus.stanford.edu, barrnet-alert@argus.stanford.edu
FYI. The mailbridges are apparently still up and advertising routes, but are
refusing to forward any packets. What this means for us is that our default
route through Ames is useless and that automatic fall-over to SRI is not
possible (because BR8 is still generating default). As a temporary measure, I
have disabled EGP on BR8 so that we can follow the default through SRI (this
will allow us to get to ARPANET-connected sites, which are few but better
than nothing...)
--Vince
P.S. Sorry for the duplicates, but this seemed like it needed maximum
distribution.
Subject: Re: Mailbridges closed.
Date: Mon, 16 Oct 89 16:22:51 -0700
From: "Milo S. Medin" [NASA ARC NSI Project Office] <medin@nsipo.nasa.gov>
cc: nsfnet-cert@merit.edu, vcerf@nri.reston.va.us
There is an active SPAN DECNET worm that is cracking poorly
configured systems at this time. If this is why DCA closed the
MailBridges, there is some serious bogosity going on! This virus
ONLY propagates via DECNET.
Milo
Date: Mon, 16 Oct 89 18:19:12 EST
From: Hans-Werner Braun <hwb@merit.edu>
To: nsfnet-cert@merit.edu
Subject: Mailbridges closed.
Cc: vcerf@nri.reston.va.us
We got a call from Vint Cerf that DCA has closed the Mailbridges because of
some apparent attack of worms or martians or huns or something like that.
We do not have further information at this time, as far as I know.
-- Hans-Werner
-----------[000046][next][prev][last][first]---------------------------------------------------- From: ecd@sei.cmu.edu (Edward DeHart) 18-OCT-1989 1:05:04 To: misc-security@rutgers.edu
CERT Advisory October 17, 1989 DEC/Ultrix 3.0 Systems Recently, the CERT/CC has been working with several Unix sites that have experienced breakins. Running tftpd, accounts with guessable passwords or no passwords, and known security holes not being patched have been the bulk of the problems. The intruder, once in, gains root access and replaces key programs with ones that create log files which contain accounts and passwords in clear text. The intruder then returns and collects the file. By using accounts which are trusted on other systems the intruder then installs replacement programs which start logging. There have been many postings about the problem from several other net users. In addition to looking for setuid root programs in users' home directories, hidden directories '.. ' (dot dot space space), and a modified telnet program, we have received two reports from Ultrix 3.0 sites that the intruders are replacing the /usr/bin/login program. The Ultrix security hole being used in these attacks is only found in Ultrix 3.0. Suggested steps: 1) Check for a bogus /usr/bin/login. The sum program reports: 27379 67 for VAX/Ultrix 3.0 2) Check for a bogus /usr/etc/telnetd. The sum program reports: 23552 47 for VAX/Ultrix 3.0 3) Look for .savacct in either /usr/etc or in users' directories. This may be the file that the new login program creates. It could have a different name on your system. 4) Upgrade to Ultrix 3.1 ASAP. 5) Monitor accounts for users having passwords that can be found in the /usr/dict/words file or have simple passwords like a persons name or their account name. 6) Search through the file system for programs that are setuid root. 7) Disable or modify the tftpd program so that anonymous access to the file system is prevented. If you find that a system that has been broken into, changing the password on the compromised account is not sufficient. The intruders do remove copies of the /etc/passwd file in order to break the remaining passwords. It is best to change all of the passwords at one time. This will prevent the intruders from using another account. Please alert CERT if you do find a problem. Thank you, Ed DeHart Computer Emergency Response Team Email: cert@sei.cmu.edu Telephone: 412-268-7090 (answers 24 hours a day)
-----------[000047][next][prev][last][first]---------------------------------------------------- From: jordan@morgan.com (Jordan Hayes) 18-OCT-1989 10:45:28 To: misc-security@uunet.uu.net
A funny thing happened to my office-mate Doug and I the other day. His phone rang, and he answered it ... after a few seconds, the following transpired: Doug: "Hey, Jordan -- what calls you up and beeps at you?" Jordan: "Huh?" Doug: "C'mere ..." I was too late. It had already hung up. 30 seconds later, his phone rang again. Doug: "Here it is again! C'mere!" Jordan: (listening for a second) "Hey, it's a FAX machine calling you ... let's forward it to our machine ..." So we got an unintentional FAX. It was pretty interesting. It was from an Advertising Firm with some Very Large Clients. It was the monthly sales report. We're happy to report that they are doing quite well for themselves! Needless to say, they were trying to send a FAX to somewhere in Virginia, Area Code 703, and they neglected to dial ``1'' first. In New York City, we have so many telephones that we have prefixes that are XnX where ``n'' is 0 or 1, so they look like area codes if you don't dial 1. Is there any work being done in the area of security or authentication for FAXen? /jordan
-----------[000048][next][prev][last][first]---------------------------------------------------- From: rogerc@sauron.columbia.ncr.com (Roger Collins) 18-OCT-1989 11:25:35 To: misc-security@backbone.usenix.org
A relative sent me this recent clipping from USA Today (sorry, don't have the date). ----------------------------- snip-snip ------------------------------ Attention, hackers: Here's your chance to break into a computer system and walk away with a grand prize. The "hacker challenge" dares any hacker to retrieve a secret message stored in a KPMG Peat Marwick computer in Atlanta. [... stuff deleted ...] This challenge is being sponsored by LeeMah DataCom Security Corp., a Hayward, Calif., consulting firm that helps companies boost computer security. The winner gets an all-expense paid trip for two to either Tahiti or St. Moritz, Switzerland. Hackers with modems - devices that connect PCs to phone lines - must dial 1-404-827-9584. Then they must type this password: 5336241. >From there, the hacker is on his own to figure out the various access codes and commands needed to retrieve the secret message. The winner will be announced Oct. 24 at the Federal Computer Show in Washington. ----------------------------- snip-snip ------------------------------ I tried to dial the number and got a sound I had never heard before. My Hayes Smartmodem 2400 didn't recognize it either. Does anyone else have more info. about this contest? Got any ideas why I can't get connected? What operating system is it? -- Roger Collins NCR - Engineering & Manufacturing Columbia Domain: rogerc@ncrcae.Columbia.NCR.COM Uucp: (ncrsd | ncrlnk)!ncrcae!rogerc
-----------[000049][next][prev][last][first]---------------------------------------------------- From: Michael Van Norman 213_825_1206 <EGC4MV2@oac.ucla.edu> 19-OCT-1989 0:34:40 To: security@pyrite.rutgers.edu
Next to the speaker on the earlier PS/2's is a pair of jumper pins. If you short these while the machine is being powered up, the password will be cleared from memory. This is the easiest way I know of to do it.
-----------[000050][next][prev][last][first]---------------------------------------------------- From: Jeffrey R Kell <JEFF@utcvm.bitnet> 19-OCT-1989 1:18:47 To: security@pyrite.rutgers.edu
Are their any alarm systems that will interface with a PC? I've seen plenty of 'switch controllers' but don't recall seeing anything that resembled alarm sensors (though presumably if you can sense a switch open/closed, the same logic applies to alarm sensors). <Jeff>
-----------[000051][next][prev][last][first]---------------------------------------------------- From: Marc Cygnus <cygnus@vax1.acs.udel.edu> 19-OCT-1989 2:08:04 To: misc-security@uunet.uu.net
Glass usually absorbs a quantifiable amount of the IR energy passing through
it... could, then, a fair- to high-quality IR sensor be made to trip by
either focusing a 3'-4' spot of IR energy on an opposing wall or a finer
spot directly on the device itself? The IR source I've in mind would be from
a relatively low power IR laser (in the range of 10 - 100 mW).
This is a serious question. I've in mind risk assessment... in the case where
a company or institution might be victims of harassment (albeit of a very
technical nature).
Any ideas? If anyone could give me an idea of the (wavelength) sensitivity
band of one or more detectors (if you _know_; please, no guesses or
approximations based on the fact that the detector senses `infra-red'... I
can do that, too :-), it would help.
-marcus-
--
-----------------------------------------------------------------------------
"Opinions expressed above are not necessarily those of anyone in particular."
`...but do YOU own a | ARPA: cygnus@vax1.acs.udel.edu
homemade 6ft Tesla?' | UUCP: {yourpick}!cfg!udel!udccvax1!cygnus
-----------[000052][next][prev][last][first]---------------------------------------------------- From: CNSM CCR _ Rob Rothkopf <MASROB@ubvmsc.cc.buffalo.edu> 19-OCT-1989 2:47:16 To: security@pyrite.rutgers.edu
I've installed a burglar alarms using all Radio Shack equipment; The whole deal is fairly inexpensive ($120? for the main unit, $100 phone dialer, switches, etc) and wiring is straightforward (well, as straightforward as wiring a system can be :-). However, if you have any pets, motion/heat/pressure mat sensors are out of the picture. A note of caution... be careful not to pinch wires when running them and stapling them to walls.. this can build resistance in the circuit and cause false alarms (a closed system trips when the total circuit resistance exceeds a certain level). The vibration sensing switches are prone to strong winds, airplanes, truck horns triggering them; therefore, use on windows instead of foil tape (for cosmetic reasons) would have to be more than one for a big pane to be effective with all the switches having fairly low sensitivity. Still, I encountered something interesting with these switches wired in series: the alarm is being triggered for no apparent reason, calm winds, everyone inside sitting around the house. When the resistance in the circuit was checked I found it to be over 500 ohms more than what it should have been.. troubleshooting the circuit I found the resistance in each switch to vary, one by over 100 ohms... seconds later the same switch read 7 ohms.?! Hmm... So far this problem hasn't been fixed *but* resistance in the circuit still seems like something to look out for.. make sure not to staple through wires inadvertently! RE: the mercury glass breakage switches - Usually for windows people have three options if they're using the closed circuits: either the mercury switch, vibration switch or foil tape. In a previous posting it was said that the mercury switch is impractical and it should be hidden so a burglar doesn't see it. I disagree. Part of the effectiveness of the system is its visibility (it even comes with window stickers). The foil tape most often used is ineffective on big windows (e.g. glass doors) if put around the perimeter. While the tape *is* sensitive to breakage, if the middle is cut carefully, entrance can be obtained without the alarm being triggered. The "glass breakage sensor" follows the same theory that the glass will be broken enough to cause a shift triggering the alarm. 5 of one, etc. It's more a matter of cosmetics at that point. Also, as silly as it might seem to put a vibration sensor on a wall or room, there *have* been cases where burglars have broken in that way.. if you're running a wire already it might be worth an extra few dollars to drop a vibration sensor here and there on some wall areas.. Overall, the Radio Shack support staff was VERY helpful and cooperative when exchanging parts, etc. Prices are reasonable and there are enough accessories to build virtually any setup you would want... Many loops make debugging/altering the system much easier (as someone already pointed out [good suggestion!])... Hope this info. is helpful to someone..
-----------[000053][next][prev][last][first]---------------------------------------------------- Date: 17 Oct 89 19:33:16 GMT From: ecd@SEI.CMU.EDU (Edward DeHart) To: misc.security Subject: Ultrix 3.0 breakins
CERT Advisory October 17, 1989 DEC/Ultrix 3.0 Systems Recently, the CERT/CC has been working with several Unix sites that have experienced breakins. Running tftpd, accounts with guessable passwords or no passwords, and known security holes not being patched have been the bulk of the problems. The intruder, once in, gains root access and replaces key programs with ones that create log files which contain accounts and passwords in clear text. The intruder then returns and collects the file. By using accounts which are trusted on other systems the intruder then installs replacement programs which start logging. There have been many postings about the problem from several other net users. In addition to looking for setuid root programs in users' home directories, hidden directories '.. ' (dot dot space space), and a modified telnet program, we have received two reports from Ultrix 3.0 sites that the intruders are replacing the /usr/bin/login program. The Ultrix security hole being used in these attacks is only found in Ultrix 3.0. Suggested steps: 1) Check for a bogus /usr/bin/login. The sum program reports: 27379 67 for VAX/Ultrix 3.0 2) Check for a bogus /usr/etc/telnetd. The sum program reports: 23552 47 for VAX/Ultrix 3.0 3) Look for .savacct in either /usr/etc or in users' directories. This may be the file that the new login program creates. It could have a different name on your system. 4) Upgrade to Ultrix 3.1 ASAP. 5) Monitor accounts for users having passwords that can be found in the /usr/dict/words file or have simple passwords like a persons name or their account name. 6) Search through the file system for programs that are setuid root. 7) Disable or modify the tftpd program so that anonymous access to the file system is prevented. If you find that a system that has been broken into, changing the password on the compromised account is not sufficient. The intruders do remove copies of the /etc/passwd file in order to break the remaining passwords. It is best to change all of the passwords at one time. This will prevent the intruders from using another account. Please alert CERT if you do find a problem. Thank you, Ed DeHart Computer Emergency Response Team Email: cert@sei.cmu.edu Telephone: 412-268-7090 (answers 24 hours a day)
-----------[000054][next][prev][last][first]---------------------------------------------------- From: "W. K. (Bill) Gorman" <34AEJ7D@cmuvm.bitnet> 20-OCT-1989 23:32:48 To: Security Digest <SECURITY@OHSTVMA>
We are considering the purchase of a vault for secure storage of such
items as tapes, etc. How secure are Sargent & Greenleaf combo locks?
What do we get for their "anti-manipulation" feature - just an extra key
lock that immobilizes the combination dial?
-----------[000055][next][prev][last][first]---------------------------------------------------- From: (Stephen Tihor) <TIHOR@acf6.nyu.edu> 21-OCT-1989 0:06:26 To: <SECURITY@pyrite.rutgers.edu>
Kid with a Wargames dialer popped in to a small Gruman engineering system.
Grumann seems to have been very sloppy since what the CBS newspeople who
interviewed me ("Indpendant Computer Expert") said was that he go into a
privileged maintenance account. Presumably FIELD. Of course Grumann does
their own maintenance so its propbably their fault not DEC's if its a guessable
password. But they let the kid in, tracked him back, and had him arrested.
-----------[000056][next][prev][last][first]---------------------------------------------------- From: GREENY <MISS026@ecncdc.bitnet> 21-OCT-1989 0:43:55 To: <security@pyrite.rutgers.edu>
> I haven't located any other distributors of alarm systems who sell to the
> general public...
most can't according to the sales agreements that they have, or cant
according to some vague laws. There are companies out there though that
do sell alarm equipment try the following company and ask for a catalog:
MCM Electronics
650 Congress Park Drive
Centerville, OH 45459-4072
(513) 434-0031
FAX: (513) 434-6959
1-800-543-4330
Hope this helps...
Bye for now but not for long...
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY
Disclaimer: I just picked the catalog out at random from my book rack...I'm
not endorsing anything....or anyone...
-----------[000057][next][prev][last][first]---------------------------------------------------- From: GREENY <MISS026@ecncdc.bitnet> 21-OCT-1989 1:11:47 To: <security@pyrite.rutgers.edu>
> there is a version which is called supervised wireless, in which the central > station constantly polls the remotes ... Nope.....not the Central Monitoring Station, but rather the alarm CPU in your basement/utility closet....every 10-15 seconds the sensor puts out an "I'm here " signal to the CPU, and the CPU remembers it.....if it doesn't get a blip then it waits another 15 seconds or so and sees if it gets one again...if it doesnt, then it sends a signal to the Central Monitoring Station saying "Supervisory on Zone ##" where ## is the number of the zone that died... of course if someone is sophisticated to jam your xmitters (319.5 MHZ for those of you wondering...) then they could also just cut your phone line and unless you have a cellular dialer, or high security connection then you are out of luck.... Also, the newer wireless systems (such as the ITI SX-V) has sensors that have the brains to send a "Hey CPU, my battery is dying" signal to the CPU so that the CPU can call the central monitoring station, and then they will call either you and your dealer, just your dealer, or just you....then your dealer can come out and replace the batteries for you -- or if you can find the proper equivilent then you can do it yourself... l8r... bye for now but not for long Greeny BITNET: MISS026@ECNCDC Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU GEnie: GREENY MacNEt: GREENY
-----------[000058][next][prev][last][first]---------------------------------------------------- From: Marcus <mjr@boingo.med.jhu.edu> 21-OCT-1989 1:53:47 To: misc-security@uunet.uu.net
Radio Shark is pretty expensive considering the quality and options they sell. Try some place like Aritech. (1-800-432-3232 for a catalog and make up a security company name for your mailing address) They carry much more stuff, and have the advantage of *KNOWING* their merchandise. (Try going to your local Radio Shark and asking them about how the controller *works*) They have good technical support, too. As far as the other poster's remark that a do it yourselfer might miss something the pros might not: That's true, but a do it yourselfer can do a lot of things the pros won't think of, or recommend. Examples are: wireless units with magnets between the VCR and the TV (move them and the alarm goes off - I don't sit with my alarm on when I watch movies), wireless units in the jewelry box (a fun one), wireless (or wired, at that) units between stereo components and stereo cabinet, etc. When I worked for a burgular alarm company, we never did anything like that because we could not rely on our customers not setting the darn things off constantly. Things that do it yourselfers *DO* forget: Horns/sirens outside, but not wired into the loop so that they can be disabled safely. Bells outside in cabinets where they can be reached (even if the bell cabinet is alarmed,a bell can be totally silenced with a can of polyurethane spray insulation) Making perimeter alarm units hidden. If they can't see them, they can't be scared off by them. We used to use a mix of perimeter alarms and then at least 1/3 as many interior alarms - stuff like between the doors to the master bedroom, computer room, etc. --mjr();
-----------[000059][next][prev][last][first]---------------------------------------------------- From: GREENY <MISS026@ecncdc.bitnet> 21-OCT-1989 2:23:37 To: <security@pyrite.rutgers.edu>
> what frequency range do they use? 340 MHz or 319.5 MHz are the ones that I have seen... > Do they generate RFI? Doesn't everything nowdays? :-U Seriously though, they don't generate anything too much...or believe me, we'd have heard about it from our clients... > Are they suceptable to interferrence from other transmitters nearby... Not really, the signals are coded with a "House Code" that each transmitter has to be individually programmed to use, and there are about 10,000 possibilities for these....'course anything is possible... > Are the remote units battery powered? If so, is battery failure detected? YES! Why else would you want to install a wireless system, if you had to run wires to the individual sensors for power? Just add two more wires, and presto! you have a hardwired alarm... In reality, the sensors send a special signal to the CPU when their battery starts to die (3-5 years on the lithium ones in there now...), and the CPU calls the Central Station and tells them....then the Central station contacts your dealer....Your CPU also informs you that the battery is dying when you attempt to arm the alarm (you get a TROUBLE signal on Zone ##).... Also, the zones are all supervised, and the sensors send a signal to the cpu every 60 seconds or so saying "YO! I'm Here!"....if not, then a SUPERVISORY signal shows up... > Can a receiver be rendered inneffective by a transmitter on the same > frequency? Yes, but since all the xmitters are supervised, and since the transmissions are coded, all the bogus transmitter would do would be to jam the signal, and if the central station gets 47 Supervisory signals in 5 minutes from the same alarm panel, then they will call the police... Oh yeah, all the above is referencing ITI products.... bye for now but not for long Greeny BITNET: MISS026@ECNCDC Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU GEnie: GREENY MacNet: GREENY Disclaimer: Nope, no way, it just couldn't be -- my fault..
-----------[000060][next][prev][last][first]---------------------------------------------------- Date: 19 Oct 89 20:19:22 GMT From: OPER014@umuc.BITNET To: misc.security Subject: ps/2
I know that shorting the 2 pins by the speaker will
get you into a password protected ps/2, but I dont think
it actually reinitializes the password... Its my understanding
that that feature is for repair persons, and they would not
necessarily be want to erase it. Please, somebody tell me if im
wrong...
Also a note to the more security conscious- As an occasional
practical joke I gain entrance to peoples PS/2s by shorting
those 2 pins with a paper clip through vent holes in the case.
(I have only tried this on Model 50s). So you may want to
place some kind of shield inside the box... locked, of course.
incidentally, this was 'fixed' on the 50z- you have to move a
jumper from one pair to the other in a group of three pins...
the jumper is large enough to cover the shorted pins completely.
---------------------------------------------------------------
oper014@umuc
@umuc.umd.edu Jim
Whats that red button do?
-----------[000061][next][prev][last][first]---------------------------------------------------- Date: 21 Oct 89 20:06:42 GMT From: deh@MORDOR.ENG.UMD.EDU (Douglas Humphrey) To: misc.security Subject: Re: locks (again)
To a large extent, S&Gs are the best ( or one of the best). We have them on a Mosler and and older Remington safe, both GSA certified storage containers for classified materials, the Remington at Secret and the Mosler higher than that. The Mosler is a double safe, with an S&G MP on the outside, and a special S&G on the inside (built to somebodies specifications). Your local Mosler lock people will support the S&Gs with no problem, doing yearly maintenance, etc. and getting you out of a jamb (pun intended) when you need it... I am not sure what you mean by "anti-manipulation" feature; ours are MP locks, Manipulation Proof, but that really has to do with the internals on the lock, not an external locking pawl or anything like that. By the way, don't make the mistake that a lot of people do and fail to get yearly maintenance done on the lock(s). Sure, they most likely won't need it, and you will be throwing around $100/year to the wind, except for the day that the damned thing jams on you, and you discover the extreme cost of having your safe/vault drilled... Remember that these things are designed specifically to make it hard to do this. The estimate to have one of our drilled by Mosler was many hundreds of dollars, plus materials costs (14 diamond tipped bits, 2 drills [they figure that they will burn out 2 doing this] and other assorted things) plus the cost for them to weld in a plug of hardened steel and then the possibility (if you are a cleared storage facility) that the Government folks ar