Vol summaries in risks-i.00 (j=0); "dir risks-*.*<CR>" gives directory; bye logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Fri, 07 Dec 90 10:02:00 EDT From: Marjory Blumenthal <MBLUMENT@NAS.BITNET> Subject: COMPUTERS AT RISK: Safe Computing in the Information Age COMPUTERS AT RISK: Safe Computing in the Information Age National Research Council, System Security Study Committee Computers play a crucial role in virtually every facet of modern life in the United States, from transportation safety to business and banking transactions to health care. Yet as computer systems become more prevalent, sophisticated and interconnected, society becomes more vulnerable to poor system design, accidents that disable systems, and computer viruses and other attacks on computer systems. The result may be economic disaster, threats to human life, and compromise of confidential information held in computer databases. Increased use of computer networks, as well as a general rise in computer literacy, make it likely that the nation's computer security problems are just beginning. Computers at Risk, a new report from the Computer Science and Telecommunications Board of the National Research Council, presents a comprehensive agenda for developing nationwide policies and practices for computer security. Specific recommendations are provided for industry and for government agencies engaged in computer security activities. The recommendations are fully developed and wide ranging, addressing the roles of specific agencies, expansion of current programs, cooperation between government and industry, and more. The volume outlines problems and opportunities in computer security research, recommends ways to improve the research infrastructure, and suggests topics for investigators. Computer system vulnerabilities are analyzed, and government security efforts are evaluated. Business executives, government security specialists, hardware and software developers, system managers, researchers, educators, and computer users will find this book vital to their understanding of computer security issues. CONTENTS: Executive Summary Overview and Recommendations: Computer System Security Concerns, Trends, The Need to Respond, Toward a Planned Approach, Nature of Security, Putting the Need for Secrecy into Perspective, Building on Existing Foundations, Recommendations Concepts of Information Security: Security Policies, Management Controls, Risks and Vulnerabilities, Securing the Whole System Technology to Achieve Secure Computer Systems: Specification vs. Implementation, Models, Services, Trusted Computing Base, Communications Programming Methodology: Programming Languages, Specifications, Formal Specification and Verification, Hazard Analysis, Development Process, Procurement, Scheduling, Education and Training, Management Concerns, What Makes Secure Software Different, Recommended Approaches Criteria to Evaluate Computer and Network Security: Security Evaluation Criteria, Assurance Evaluation, Trade-offs in Grouping of Criteria, Comparing National Criteria Sets, Reciprocity, System Certification vs. Product Evaluation Why the Security Market Has Not Worked Well: The Market for Trustworthy Systems, Concerns of Vendors, Federal Government Influence, Export Controls, Consumer Awareness, Regulation The Need to Establish an Information Security Foundation: Attributes and Functions, Other Organizations, Charter and Startup Considerations, History of Government Involvement, Security Practitioners Research Topics and Funding: A Proposed Agenda, Directions for Funding Security Research Bibliography, Appendixes, Glossary ISBN 0-309-04388-3; 1990, 320 pages, 6 x 9, paperbound, $19.95 [I have received so many requests for this information yesterday and today that it seemed useful to include it in RISKS forthwith. PGN] PGN] ------------------------------ Date: Thu, 6 Dec 90 15:00:32 PST From: Peter Denning <pjd@riacs.edu> Subject: Computers Under Attack COMPUTERS UNDER ATTACK Intruders, Worms, and Viruses Edited by Peter J. Denning ACM Press and Addison-Wesley, 1990, 554pp $18.50 ACM members, $20.50 others On behalf of ACM Press and the authors of the 38 articles brought together in this edition, I am proud to announce that our book on the subject of attacks on computers is now available. This subject continues to receive ongoing attention in the national press -- for example, the recent discovery of $12M of toll fraud at the NASA Johnson Space Center, Operation Sun Devil, an Esquire article about computer pirates breaking in to the Bell System, and the recent splashy appearance of the NRC report, "Computers at Risk". The purpose of this book is to tell the story of attacks on computers in the words of those who are making the story and who see the broad perspective in which it is taking place. We have painstakingly selected the articles and have provided connective material to bring out the global context and show that the problem is not purely technology, not purely people, but a product of the interaction between people and computers in a growing worldwide network. After and introduction and preface by me, the articles are arranged in six parts. Most of these have been previously published, but there are a few new pieces specifically commissioned for this volume. PART I: THE WORLDWIDE NETWORK OF COMPUTERS Worldnet and ARPANET by Denning, overview of networks by Quarterman, reflections by Thompson, survey of computer insecurities by Witten. PART II: INTRUDERS Reflections by Reid, Wily hacker story by Stoll, a followup commentary by Mandel, and a business perspective by Wilkes. PART III: WORMS Internet worm overview by Denning, perspectives on the Morris worm by MIT's Rochlis et al, Purdue's Spafford, and Utah's Seeley, executive summary of Cornell Report, Morris indictment and trial summary by Montz, original worm paper by Shoch and Hupp. PART IV: VIRUSES Virus overview by Denning, BRAIN and other virus operation by Highland, virus primer by Spafford et al, viral protection in MS/DOS by Brothers, and a perspective on viruses by Cohen. PART V: COUNTERCULTURES Computer property rights by Stallman, cyberspace literature by Paul Saffo, a dialog on hacking and security by Dorothy Denning and Frank Drake. To order the book, run to your local bookstore or call ACM Press Order Department. For credit card orders only call 800-342-6626 or in Maryland and outside the continental US call 301-528-4261 and for mail orders ACM Order Department, P. O. Box 64145, Baltimore, MD 21264. The price for ACM members is $18.50 and for nonmembers $20.50. BE SURE TO INCLUDE YOUR ACM MEMBER NUMBER AND THE BOOK ORDER NUMBER (706900). ----------------------------- Date: 7 Dec 90 17:23:55 GMT From: hollombe@ttidca.tti.com (The Polymath) Subject: ``Hackers Accessed NASA's Phones'' (Re: RISKS-10.65) According to yesterday's news NASA has flatly denied the theft ever took place. Their spokesperson said their normal annual phone bill is about $3 million and it wasn't possible for someone to steal $12 million worth of phone services from them (i.e.: They'd be detected long before things got that far out of hand). Jerry Hollombe, M.A., CDP, Citicorp(+), 3100 Ocean Park Blvd., Santa Monica, CA 90405 (213) 450-9111, x2483 {csun | philabs | psivax}!ttidca!hollombe ------------------------------ Date: Fri, 7 Dec 90 10:42:30 est From: Gary_Cattarin@dg_support.ceo Subject: Response to article on "Legion of Doom" sentencing (RISKS-10.65) CEO document contents<: The article that appeared in risks 10.65 from Emmanuel Goldstein of "2600" Magazine displays a callous immaturity to the realities of the business world. I'm not going to quibble over the exact nature of the sentences handed out. The clear point, and yes, the "message" that the authorities tried to get across (but was clearly lost on the author of that article) is that unauthorized access to someone else's computer is just plain wrong, no matter what was or was not done during that access. We've heard that point reiterated numerous times in this journal, and I'm sure the hackers of the world have heard it and usually discounted it, but let me put it in the vein of the realities of modern business. Mr. Goldstein, I don't know a thing about your magazine. I don't know your organization's finances, staffing, etcetera, or if you even have any of them. I don't know what you do for a living. I do know that in my business, we are faced with an intensely competetive global marketplace in which we fight to survive. We are faced with the realities of staff shortages compounded by further cuts. We are faced with shortages of resources, yet we still must get the job, or it will mean the end of our jobs, and probably the end of the company as well. We would LOVE to have enough time to do everything perfect. We'd LOVE to devise security systems that could foil you and your clan. And we could probably come pretty damn near doing it; we've got some pretty good heads here - most likely some heads who have done their share of hacking as well. But we can't dedicate that kind of time to staving off a bunch of obnoxious intruders, just as Bell South didn't. Bell South dedicated their personel to doing the business they were involved in, as rightly they should. So what happens when you invade Bell South's, or my company's computer? If you get in, just to prove you can, then tell us about it in light of your supposed "spirit of pointing out flaws that should be fixed", what has that gained you? Giddy joy, I suppose, but not much else (picture the job interview: "So, what are our technical qualifications?" "Well, sir, I'm good. I broke into 43 systems last year!"). What has it gained us? OK, we know about a flaw. You know what? We probably already did. Perhaps you don't realize it, but in the resource-short business world, we know about a LOT of flaws. We'd LOVE to fix them all. We're trying. We just don't have the resources to get it done immediately. So that leaves the door that you found. Now you'll spread word of your door via your hacker hotlines. And though you may have meant no harm, others may follow, invading our system as if it were another town on the interstate to be driven through. But can you or we be sure that all who enter mean no harm? Can you be sure that no bit was left untouched? That's all it takes: one bit, somewhere, modified, which, as readers of RISKS well know, can have monumental consequences. The downing of an airliner. A fatal safety flaw in a new car. An accounting system rendered worthless. These are major cases, but the minor ones are just as important, because once you've been invaded, you just don't know what the invader did. If you came home at night and found your front door unlocked, what do you know? Sure, you may have left it unlocked. But did anyone take advantage of that? Did they take anything? Damage anything? Leave anything unwanted inside? Steal the extra key? Are they perhaps even in your home? Didn't you check to be sure that door was locked? Maybe you did, but they came in through the window. Didn't damage anything, but still, you don't know that? OK, you checked the windows, but they came in through the skylight. You checked those? They found another way... You see, you can take care of all the obvious points of entry, but a intruder will find another point of entry. The hacker's view is that since that other point of entry wasn't blocked off, the hacker is welcome in. I don't think you'd agree if it were your home. So Bell South detected an intruder. And they chose to pursue the intrusion. How much did it cost them? Was it simply the "value" of the document? (How does one place a value on a document?) Was it simply the cost of the personel who investigated? Was it perhaps the business lost because they spent their time looking for the intruder instead of pursuing Bell South's normal business? (Remember, Bell South is in business to make money, like it or not. Your nation is build on that principle, that's why you can get food in your grocery store, unlike in Moscow.) Was it the cost of implementing modified procedures company-wide to protect against the likes of you? The cost of business lost because people company-wide spent time on these new procedures rather than pursuing their intended business? How about the cost (real and lost opportunity) of the personnel involved in the legal case, not to mention the lawyers' fees? You see, "cost" has a much more far reaching meaning than you attribute to it. And nobody can really even tell how high the final figure is, but I'll assure you, it's astronomical. In business, we've got to spend our time and resources pursuing our business. We just don't have the time, money, or resources to post guards to keep the likes of you out of every possible entry point. Until you understand that, the government is going to continue to try to send you this message. Perhaps my treatise here will save you and your colleagues a few prison terms (pity the fact that I, as a taxpayer, have to support those folks in prison!). More importantly, perhaps it will spare a few other companies the trouble that Bell South has experienced. ------------------------------ Date: Fri, 7 Dec 90 10:28:22 CST From: ables@mcc.com (King Ables) Subject: Response to article on "Legion of Doom" sentencing (RISKS-10.65) I read your article on the sentencing of some "Legion of Doom" members that was posted to comp.risks and feel compelled to make a couple of remarks. I agree that this situation is one about which we, as a community of programmers, should be concerned. But the tone of panic seems meant to persuade us emotionally rather than intellectually. > This kind of a sentence sends a message all right. The message is that the > legal system has no idea how to handle computer hacking. This, unfortunately, is very true. It is also the main reason we have the problems you describe. If the laws were written better (i.e. the issues involved were better understood by those who write the laws) many of these problems wouldn't exist. > shared information which we now know was practically worthless. And they > never profited in any way, except to gain knowledge. Yet they are being > treated as if they were guilty of rape or manslaughter. Why is this? Whether or not you profit from something has nothing to do with whether or not it was a crime. You don't profit from beating the hell out of some homeless person in an alley, but it's still illegal. They are being treated like criminals because they participated in a criminal act. If you don't believe the activity should be considered illegal, then work to get the laws changed. Right now-- today-- at this moment-- the acts are illegal. Whether or not they SHOULD be illegal is a completely separate question. > We think it's time concerned people sent a message of their own. Three young > people are going to prison because a large company left its doors wide open > and doesn't want to take any responsibility. That in itself is a criminal act. Nope. Three young people are going to prison because they broke the law. If I walk into an unlocked jewelry store and take something, it is no less a crime. To say that the establishment deserved it because they left themselves wide open for it is hardly a justification for the action. > By blowing things way out of proportion because > computers were involved, the government is telling us they really don't know > what's going on or how to handle it. And that is a scary situation. This is absolutely true. And again, by participating and contributing our knowledge to the process, we can help to modify the process so that it makes more sense. To simply sit back and scream "foul" isn't going to make it any better. This is not to say I believe the accused received appropriate punishment, I don't. But to claim they are innocent victims of the big, bad government is not correct either. King Ables, Micro Electronics and Computer Technology Corp., 3500 W. Balcones Center Drive Austin, TX 78759 +1 512 338 3749 ------------------------------ Date: Fri, 7 Dec 90 13:39:23 EST From: Brinton Cooper <abc@BRL.MIL> Subject: Response to article on "Legion of Doom" sentencing (RISKS-10.65) Emmanuel Goldstein, Editor, 2600 Magazine, quotes from his pub: "...We consider this to be a very major and very frightening issue... Since we began publishing in 1984 we've pointed out cases of hackers being unfairly prosecuted and victimized...just a desire to learn and share information... Here we have a case where some curious people logged into a phone company's computer system...No cases of damage to the system were ever attributed to them...We think it's time concerned people sent a message of their own. Three young people are going to prison because a large company left its doors wide open and doesn't want to take any responsibility. That in itself is a criminal act..." 1. Leaving one's doors open is not a criminal act. When was was anyone ever prosecuted for failing to lock the garage door? 2. Breaking and entering is a crime in most jurisdictions. Sentences of 14 to 21 months don't sound uncommon for breaking and entering. 3. The general public has no inherent right to "information" owned by a phone company, any other company, or private individuals, except as prescribed by law...and even then, not always. Breaking and entering someone's home in order to listen to their stereo, read from their library, or peruse their family's financial files is no one's right. _BRINT ------------------------------ Date: Fri, 7 Dec 90 15:43:54 CST From: levy%fndcd.dnet@fngate (Mark E. Levy) Subject: Response to article on "Legion of Doom" sentencing (RISKS-10.65) Emmanuel Goldstein, Editor, 2600 Magazine writes: >... We think it's time concerned people sent a message of their own. Three young >people are going to prison because a large company left its doors wide open and >doesn't want to take any responsibility. That in itself is a criminal act. ... Sorry. I don't buy it. If I leave my keys in my car with the windows open, and you get in and drive off, you're still just as guilty of stealing the car as if you had to break in and "hot wire" it. I may have asked for it by leaving the keys, but that's no excuse. By the same token, you have no implied right to come into my house and "look around" just because I left the door open. It's no different with computers. Irrespective of whether of not BellSouth "left the door open," if the three you mentioned entered the system without permission, they're guilty. That in itself is enought to convict, any materials taken nonwithstanding. Case closed. I have NO sympathy for them. ------------------------------ End of RISKS-FORUM Digest 10.66 ************************