[mod.risks] RISKS-3.38

RISKS@CSL.SRI.COM.UUCP (08/17/86)

RISKS-LIST: RISKS-FORUM Digest,  Sunday, 17 August 1986  Volume 3 : Issue 38

           FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computer gives away California state funds (Rodney Hoffman)
  High-Tech Sex Ring: Beware of Whose Database You Are In! (Peter G. Neumann)
  Computer Viruses (Chris McDonald, Paul Garnet, Matt Bishop)
  Computer Viruses and Air Traffic Control (Dan Melson)
  Re: Traffic lights in Austin (Bill Davidsen)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
  (Back issues Vol i Issue j available in CSL.SRI.COM:<RISKS>RISKS-i.j.
  Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

Date: 15 Aug 86 13:51:39 PDT (Friday)
From: Hoffman.es@Xerox.COM
Subject: Computer gives away California state funds
To: RISKS@CSL.SRI.COM

From the Los Angeles Times, August 15 1986, page 2:

  A computer error caused California's check-writing system to 
  issue $4 million in interest-payment checks to bondholders
  who hold a type of bond on which no such payments were due.
  Deputy state Treasurer Liz Whitney explained that those bonds
  are of the "zero coupon" type, which are held for a period of
  years and redeemed with accumulated interest at maturity
  rather than bearing interest on a monthly or yearly basis.
  The treasurer's office learned of the error last Friday, she
  said, when a recipient inquired about the check's validity,
  and stop-payment orders were issued.  By Wednesday, all but
  a few checks totaling $33,000 had been recovered.

No further details  are given about the nature of the computer error.

	-- Rodney Hoffman

------------------------------

Date: Fri 15 Aug 86 19:37:38-PDT
From: Peter G. Neumann <Neumann@CSL.SRI.COM>
Subject: High-Tech Sex Ring: Beware of Whose Database You Are In! 
To: RISKS@CSL.SRI.COM

From the San Francisco Chronicle, Friday 15 August 1986:

  POLICE SAY ARRESTS IN MARIN SMASHED HIGH-TECH SEX RING
  by Torri Minton and Katy Butler
  
  A sophisticated prostitution ring that kept computerized records on more
  than 12,000 patrons has been broken after a three-month investigation,
  authorities in San Jose said yesterday.  The ring, known as EE&L
  Enterprises, collected $3.5 million a year dispatching at least 117
  prostitutes by electronic beeper to cities all over Northern California from
  a computerized command center in San Rafael, according to San Jose vice
  Lieutenant Joe Brockman.  ``It's a top-class operation -- the largest
  prostitution ring, to our knowledge, in Northern California," Brockman said.
  He said that the business took in more than $25 million during the eight
  years it was in business...
  
  Records seized by police ... included customers' names, telephone numbers,
  credit card numbers, sexual preferences and comments by the prostitutes...
  The office was equipped with four desks, several IBM computers, a
  photocopier, a paper shredder and a wall poster announcing that ``Reality is
  nothing but a collective hunch.''
  
On-line SuperCalifornication?

------------------------------

Date: Fri, 15 Aug 86  7:47:01 MDT
From: Chris McDonald  SD <cmcdonal@wsmr06.arpa>
Subject: Computer Viruses
To: RISKS FORUM    (Peter G. Neumann -- Coordinator) <RISKS@CSL.SRI.COM>

                   [This is included because so many of you do 
                    not seem to know the Cohen reference.  PGN

Robert Stroud references a paper by Fred Cohen on "Computer Viruses."  The full
text of the paper can be found in several public souces.  The most available
for US readers is the minutes of the 7th DoD/NBS Computer Security Conference,
Sept 24-26, 1984, pages 240-263.  The paper is not exclusively concerned with
any one particular operating system.  It defines a "virus" as "a program that
can infect other programs by modifying them to include a possibly evolved copy
of itself."  The paper references Ken Thompson's acceptance speech on the
Turing Award, "Reflections on Trusting Trust," which was published in the
August 1984 "Communications of the ACM."  The reference, however, is only for
purposes of illustrating what Fred proposes is a "limited" virus. 

    [That paper includes the wonderful C compiler Trojan horse lurking
     in wait for the next recompilation of the UNIX LOGIN procedure.  PGN]

A close reading of the paper would reveal that very specific factors have to
exist for a "virus" to become "virulent."  The most interesting facet of the
paper is really the question it raises as to whether the Bell-LaPadula and the
Biba models on mathematically defining "secure systems" even addresses the
potential of a "virus" attack.

------------------------------

Date: Fri, 15 Aug 86 12:14:22 edt
From: pgarnet@nswc-wo.ARPA
To: RISKS@CSL.SRI.COM
Subject: Computer Viruses

Another paper by Fred Cohen is "Recent Results in Computer Viruses", written
while at Lehigh University.  The copy I have does not have a date on it, but
I believe it was written sometime around the spring of 1985.

Anybody else know of any good, technical papers on the subject?

					Paul

------------------------------

From: Matt Bishop <mab@riacs.ARPA>
To: RISKS FORUM (Peter G. Neumann -- Coordinator) <RISKS@CSL.SRI.COM>
Subject: Re: Computer Viruses
Date: Fri, 15 Aug 86 07:28:27 -0700

If anyone wants to read an interesting science fiction book about computer
viruses (and things of that ilk) try reading John Brunner's "Shockwave
Rider."  Briefly, it's about a man who puts computer viruses into the
worldwide data banks, enabling him to do all sorts of illegal things such as
change identities.  Quite interesting, at least from the viewpoint of
computer security!
                                        Matt Bishop

       [I think we included mention of "Shockwave Rider" in RISK long ago.
        However, with the interest in viruses and our large number of new
        readers, I am not trying to avoid all duplication -- especially with
        the distant past.  PGN]

------------------------------

Date: Sat, 16 Aug 86 01:13:47 PDT
From: crash!pnet01!dm@nosc.ARPA (Dan Melson)
To: crash!noscvax!RISKS@CSL.SRI.COM
Subject: Computer Viruses and Air Traffic Control

Those who fly regularly will be somewhat relieved to note that all terminals
of the ARTS and NAS systems, except master consoles (and a few others hardwired
straight into the machine and on site) are limited in what they can input,
nor can they escape the ATC program.  Furthermore, I am not aware of any
means whereby employees can access any of the FAA's computers from other than
known sites.  This also explains why there are so few ATC's on any net, despite
the large amount of computer work associated with the job today.

                                                DM
      [Beware of Trojan horses bearing gifts that look like sound programs,
       officially installed through proper channels.  There is also the
       problem of accidental viruses such as the ARPANET collapse of 27 
       October 1980.  (See Eric Rosen's fine article in the ACM Software
       Engineering Notes 6 1 Jan 81, for those of you who have not seen
       it before.)  PGN]
     
------------------------------

Date: 15 Aug 86 10:57 EST
From: davidsen%kbsvax.tcpip@ge-crd.arpa
Subject: Re: Traffic lights in Austin
To: RISKS@CSL.SRI.COM
   [From: Davidsen <davidsen%kbsvax@kbsvax.tcp-ip>]

I would call a 2% clean failure rate a success. If the two intersections had
failed in an unsafe mode, such as green in both directions, it would not
have been acceptable. If the lights had "stuck" showing green one way and
red the other, it could have caused severe delays. For the light to cleanly
go out is probably acceptable.  Most drivers seeing a light with no signal
showing will use adequate caution to prevent accidents.
                                                            -bill davidsen

  ihnp4!seismo!rochester!steinmetz!--\
                                       \
                    unirot ------------->---> crdos1!davidsen
                          chinet ------/
         sixhub ---------------------/        (davidsen@ge-crd.ARPA)

"Stupidity, like virtue, is its own reward"

------------------------------

End of RISKS-FORUM Digest
************************
-------