From: noam@neabbs.UUCP (NOAM KLOOS) 7-OCT-1989 2:51:08
To: hp4nl!misc-security
Subj: [1892] datacrime II

CATE'S CURE FOR DATA CRIME

On or after the 12th of October, an undetermined number of computer 'viruses' are scheduled to start erasing the data of their unsuspecting hosts. One virus in particular, known as 'DATACRIME II', is an especially nasty specimen, as it not only spreads very rapidly, but also formats the hard disk of any computer it infests, permanently destroying all of the contents.

DATACRIME was first detected in the Netherlands, and the leading computer publication of that country, PERSONAL COMPUTER MAGAZINE, commissioned computer expert Rikki Cate to write an 'antidote' program for its readers. Cate, an American who lives in the Netherlands, is a programmer specialized in this kind of work.

Cate's Cure was an overnight sensation. Featured on radio, television and in Holland's leading newspapers, thousands of copies were distributed within the first few days and it has already inspired a number of hastily composed imitations. Even the Dutch police have begun distributing a version of their own.

Cate's Cure, however, claims superiority to all of these. It is much faster, it actually removes the virus, it repairs damaged programs, it automatically searches all the directories on the hard disk, and it provides permanent protection against formatting of the hard disk or new infections by the virus. None of the other programs released have any of these features. This is believed to have been confirmed in an independent test carried out by the Dutch Railways.

In view of the huge demand and the clear anxiety indicated by that, Cate has decided, with the approval of PCM, to make the antidote more widely available on disk. Additional information can be obtained from her directly by calling 31-20-981963 in Amsterdam. Fax: 31-20-763706, telex 12969 neabs nl, Fido 2:280/2, electronic mail 31-20-717666, all marked to her attention.

From: Homer 10-OCT-1989 8:05:12
To: "Security List."
Subj: [480] Re: Home Security Systems

The Radio Shack motion sensors for windows are mercury switches. They depend on the sensor being thoroughly moved to another position to set the switch off. In this sense it is impossible to set them off with mild vibrations. You have to really destroy the glass where they are. They can be set to almost tripped. This would make them more likely to trip, but if they move the wrong way they won't go off. It's a circular tube with merc in it and a switch at one end.

From: Bob Dixon 10-OCT-1989 8:39:16
To: security@pyrite.rutgers.edu
Subj: [542] Re: AT&T_Alarms

Some things to think about concerning RF security systems. What frequency range do they use? Do they generate RFI? Are they susceptible to interference from other transmitters located nearby (such as 1kw in the house)? Can the remote units be tested automatically from the central unit? Are the remote units battery powered? If so, is battery failure detected? Can the receiver be rendered ineffective by a local transmitter on the same frequency?

Bob Dixon
Ohio State University

From: 10-OCT-1989 9:09:50
To: security@pyrite.rutgers.edu
Subj: [840] How to track people down?

This may or may not be an appropriate topic. If not, please excuse the posting...

I am about to make an attempt to find some 200 people. The only information I have to go on is their full name and an old (5-10 years) address. My question is basically, how? What types of information would be helpful and available? What types of information are public? Are there any on-line services which would be useful in locating people? If so, what types of information are readily available?

---------------------------------------------------------------------------
Brad Haynes                      | Internet: bhaynes@ducvax.auburn.edu
c/o U.P.E.                       | Bitnet: BHAYNES@AUDUCVAX
106 Dunstan Hall                 |
Auburn University, Alabama 36849 |
(205) 826-0479                   |

From: howard@hasse.ericsson.se (Howard Gayle) 10-OCT-1989 9:47:02
To: misc-security@sunic.sunet.se
Subj: [1025] Email addresses on business cards risky?

Several of my friends recently joined a medium-size Swedish firm. (Name withheld, but it is definitely *not* Ericsson.) They all wanted to have their electronic (email) addresses on their business cards, but the firm's security manager would not allow this. He claimed that the host names in the addresses would, collectively, reveal sensitive information.

I am very skeptical of this claim. By collecting a reasonably large sample of cards, one could probably estimate the number of file servers at the firm, but I don't see how that could help a cracker. The firm does not do classified or military work, and is not on the Internet (Nordunet).

Has anyone heard of similar policies at other firms? Does anyone see any real risks of email addresses on business cards? As usual, please email to me; I'll summarize if response warrants.

--
Howard Gayle
TN/ETX/T/BG
Ericsson Telecom AB
S-126 25 Stockholm
Sweden
howard@ericsson.se
uunet!ericsson.se!howard
Phone: +46 8 719 5565
FAX : +46 8 719 9598
Telex: 14910 ERIC S

From: Frank Tompkins 10-OCT-1989 10:17:09
To: security@ohstvma
Subj: [1575] site policies

Greetings:

As a new subscriber to this list, please redirect me if the following question(s) are better answered elsewhere.

We have a TCP/IP based campus network, growing rapidly for about a year and a half, that has primarily been used by academic types (faculty & students). There is growing pressure to allow administrative users access to MVS mainframe (via IBM's 5798-FAL product offering, dialing to VM VTAM). The physical implementation includes thick and thin ethernet cabling, a Proteon router, some fiber cable, IBM type 1?? cabling, a bridge here and there, and a 56kb link to the rest of the Internet.

My two part question, the results of which I will refer to my management to help them decide some policy issues, is as follows:

1) Other than the well known ease with which thick Ethernet cables can be tapped and passing data extracted, are there other weak spots (security wise) that we should be aware of regarding the physical links, and

2) What are the policies (briefly) that other campuses have regarding allowing confidential administrative data to flow over Internet links.

Please answer directly to me to avoid wasting network bandwidth with what is probably a thoroughly hacked over issue. If there is enough interest, I will post a summary. Also, if there are any archived documents or discussions regarding this issue, please direct me to them. Thank you all.

Frank Tompkins (TOMPKINS@AKROMVM) / (TOMPKINS@VM1.CC.UAKRON.EDU)
Systems Programmer
University of Akron
Akron, Ohio 44325-3501

From: Charlene Charette 10-OCT-1989 10:43:41
To: security@pyrite.rutgers.edu
Subj: [3622] Re: Home Security Systems

I used to work for a security company (residential and commercial) and one of my co-workers here at the University used to install residential and commercial systems (he still does installations on a part-time basis). The following answers are a combination of our knowledge:

>What's a good book on do-it-yourself home security systems?

Guy did not know of any good, current books available.

>What are the trade-offs of do-it-yourself vs. a professional security
>company?

The main advantage is that the professionals are knowledgeable and experienced (providing they are not one of the many fly-by-night alarm companies that are popping everywhere). The secondary advantage involves monitoring; alarm signals are sent to a central station who can then call the police, fire dept., your work number, etc. when your alarm goes off.

>How do I protect my home without overtly annoying the neighbors, police,
>etc. with false alarms.

Most of the newer alarms allow you to set a time limit on sirens with 15 mins being the usual time limit. Some cities have ordinances on siren time durations and I would suggest that you check for these. (Some cities require that alarm systems be registered. You should check this also.)

>Radio Shack sells "glass breakage detectors". These are ~1" diameter
>"pucks" that stick to the glass and are wired to an alarm.
>* What do these sense?

These sense high-pitched sounds such as glass breaking. Alarm technicians test them by rattling keys.

>* If they are in the corner of a picture window, and the
> other side of the window is broken but the glass under the puck remains
> intact will they trigger?

Yes, it should; but it is dependent on the range of the detector.

>* If they are impact-sensitive, will a truck or plane rumbling by set
> them off?

Yes, if they are too sensitive. Some can be adjusted, others not.

>How about area detectors, infra-red or sonic? We have no pets to set
>them off but:

You may not have any pets to set them off, but I have seen them set off by rats and roaches (yes, we have *BIG* roaches here). Guy says they are good, but stay away from cheap detectors or you will be plagued with false alarms.

>* Can IR detectors see movement through windows? Wouldn't want the
>paper boy setting them off by mistake.

No, the detectors don't sense "movement". They sense changes in heat. If you were to hold a large piece of cardboard in front of you and move it slowly in front of an IR detector, you could pass it undetected.

>* How about changes in ambient IR levels caused by the sun coming in
>through a window or the furnace going on or off?

Yes, temperature changes will trigger the detectors. Don't point them at windows, fireplaces, air ducts, furnaces, etc.

>* Are the sonic types sensitive to noises outside the house?

They should be.

>* Will, say, thunder shake the house enough to trigger a motion detector?

It shouldn't.

>I see both wired and wireless alarm systems for sale. Since I have good
>attic and basement access, I am tending toward the wired sort. The
>wireless types seem to need occasional battery replacement. Aside from
>this are there reliability concerns wrt. either style?

Guy advises staying away from wireless systems as they are not as reliable. Although he is not as familiar with the newer wireless systems available, he said the older systems had no low battery indicator. A low battery can cause false alarms; and of course, a dead battery is useless.

If you have any further questions, please feel free to ask.

PS: Guy said if you pay his expenses he'd gladly come up and give you a hand. :-)

From: (Marshall D. Abrams) 10-OCT-1989 11:14:56
To: security@pyrite.rutgers.edu
Subj: [4029] Fifth Annual Computer Security Applications Conference

Fifth Annual Computer Security Applications Conference
formerly the Aerospace Computer Security Applications Conference

December 4-8, 1989
Westward Look Hotel, Tucson, Arizona

Sponsored by
IEEE Technical Committee on Privacy and Security
American Society for Industrial Security
Aerospace Computer Security Associates

Conference Highlights

Keynote Speaker
-----------
Senator Dennis DeConcini (D - Arizona)

Luncheon Speakers
----------------
Mr. Charles. T. Force, NASA
Mr. Dave Fitzsimmons, Cartoonist, Arizona Daily Sun

Distinguished Lecture in Computer Security
---------------
"INFOSEC: Where Are We Going?"
Mr. Stephen T. Walker, Trusted Information Systems

Tutorial Program

Monday, 4 December 1989
"Secure System Design - An Introduction" Mr. Morrie Gasser, DEC
"Database Security" Ms. Teresa Lunt, SRI

Tuesday, 5 December 1989
"Secure System Design - Advanced" Dr. Virgil Gligor, University of Maryland
"A New Approach to Network Security" Mr. Jerome Lobel, Lobel Consulting
"Computer Crime" Ms. Gail Thackeray, Arizona Assistant Attorney General

Technical Program
Wednesday - Friday, 6-8 December 1989

Technical Paper Sessions
+ Architecture for Trusted Systems
+ Network Security
+ Cryptographic Applications
+ Architecture and Mechanisms
+ Security Policy and Models
+ Risk Management
+ Software Development for Security
+ Data Base Security I & II
+ Security for Command and Control
+ Audit Applications
+ Trusted Distribution

Panel Sessions
+ Computer Crime
+ Data Base Design for MLS
+ TCB Subset Issues
+ Human Issues
+ Gemini Users
+ International INFOSEC Standards
+ Integrity
+ Shoot Out at the OSI Security Corral
+ Civil Sector Security
+ Security Standards for Open Systems
+ Space Station Information Security
+ Data Integrity and Security for Computer Aided Acquisition and Logistics Support (CALS)

Special Events
Biosphere II: a prototype of the Earth for the future
Sonora Desert Museum: living animals and plants of the Sonoran Desert Region

Additional Information

For a copy of the advance program, which includes rates, schedule, registration form, and special activities, contact:

Diana Akers, Publicity Chair, (703) 883-5907 akers%smiley@gateway.mitre.org
Victoria Ashby, Co-Chair, (703) 883-6368 ashby%smiley@gateway.mitre.org
The MITRE Corporation, 7525 Colshire Dr., McLean, VA 22102

If your organization wishes to consider placing a related exhibit at the conference, a limited number of spaces are available on a first come - first serve basis. For information, contact:

Robert D. Kovach, Exhibits Chair, (202) 453-1182, rkovach%nasamail@ames.arc.nasa.gov

Advance Programs will be available early September. Please request one at that time. Conference proceedings and videotape of the Distinguished Lecture will be available.

Program Subject To Change

From: 10-OCT-1989 20:08:40
To: security@pyrite.rutgers.edu
Subj: [325] Request of DES implementation

Hello there,

I would much appreciate it if U could send me the DES Unix implementation.
I am a freshman in Ohio Wesleyan University and I have also implemented the DES in C, but I don't know how efficiently... I would like 2 check it with mine...

Thank U in advance,
John Haritos, 1989
Bitnet%"JAHARITO@OWUCOMCN"

From: nagle@well.sf.ca.us (John Nagle) 10-OCT-1989 20:52:43
To: misc-security@uunet.uu.net
Subj: [594] Re: Dongles are still alive

Dongles are dead. There are many ads for them in PC Tech Journal, but no mainstream package uses them. Market resistance to them is severe. The Software Publisher's Association dropped their scheme for an industry-standard unit some several years ago.

However, it's worth noting that the Nintendo Game System has a hardware protection device that makes it extremely difficult to make a third-party game cartridge. Attempts to reverse-engineer this system have been successfully made, but they require opening up chips and using a scanning electron microscope.

John Nagle

From: ddefend@urbana.mcd.mot.com (Dan Defend) 10-OCT-1989 21:38:12
To: misc-security@ncar.ucar.edu
Subj: [5686] Dialback modem summary

I previously posted a query regarding security modems with dialback capability. Thanks to all who responded. Listed below is a summary of responses that I received.

-----
Dan Defend
Motorola Microcomputer Division
ARPA: ddefend@urbana.mcd.mot.com
UUCP: uunet!uiucuxc!mcdurb!ddefend

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Dialback Modem Summary
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Check out Datagram DCE224. Datagram Corp. 11 Main St. E. Greenwich, R.I. 02818. They have been bought by Memotech, of Canada, I believe. My sales rep is Rick Wester, in San Ramon, CA. 415-831-4838. I have two of these units, they are cheap and work well.
--
...uw-beaver!pilchuck!phred!jeffp {Jeff Parke}
Genie : JEFFP | DELPHI : JEFFPARKE | CIS : 71511,1512

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From hughes@hughes.network.com Sun Jul 2 17:43:05 1989

Cermetek Security modem, Cermetek Microelectronics Inc, Sunnyvale, Ca, 800-862-6271

* Note: This modem provides a separate (secret) dialback line but max.
* speed is 1200 baud. Holds up to 25 passwords/callback numbers.

I have used this modem years ago. It was great until you had a large bank of phones. We then used the "Defender".

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From security@pyrite.rutgers.edu Tue Jul 4 14:01:55 1989

"FINAL CLOSEOUT/PRICE SLASHED! Lockheed-Getex modems now priced below our cost!
..300/1200-baud
..Choice of security levels including selective and nonselective callback
..Non-hayes compatible and any computer...that has industry standard RS-232C port " can use it "...
NOW $29 + $4 S/H Item # H-4206-7344-195
COMB 1-800-328-0609

I have got two of them. I am using one of them right now, with a Lear Siegler Terminal. The other one is for my PC.

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From: uiucuxc!uts.amdahl.com!kelly (Kelly Goen)

try NEC and Cermetek they both make callback models the NEC allows additionally modem administration from a remote site i.e. another NEC however... all phone line comm is essentially insecure BOA knows this but they still use the modems and my code for it!!grin!!

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

No modem which uses a simple dialin line for dialout is secure. There is no way for the modem to ensure that when it makes the phone line offhook that the dial tone it hears is from the phone company rather than from a spoofing intruder. There are special phone lines (ie, "ground-start"), but they require that the modem use circuitry which supports that ability.

The simplest way to handle the problem is to use one or several incoming lines for callback requests, then use separate modems on separate phone lines to place the outgoing calls. Some phone companies also allow phone lines which do not allow incoming calls, and these can be used for the callback lines. I think there may be security modems which do support exactly this, but they are so expensive it may be simpler to roll your own ct/login.

---
Scot E. Wilcoxon sewilco@DataPg.MN.ORG {amdahl|hpda}!bungia!datapg!sewilco
Data Progress UNIX masts & rigging +1 612-825-2607 uunet!datapg!sewilco
I'm just reversing entropy while waiting for the Big Crunch.

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From uiucuxc!uxc.cso.uiuc.edu!iuvax!ames!garp!/dev/null Tue Jun 20 09:33:04 1989

Why do you want a dial-back modem? Security? Or simply to avoid long distance charges?

I suggest that you implement this with host software. It's a lot cheaper.

-simson

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Two methods,

1) A product called "Defender", a modem or rack of modems where each person has an ID, and that ID relates to a telephone number. After you call in and give your phone number (from the terminal), the Defender calls you back. There is another option that instead of typing your number in with a terminal, you can put it in with a touch tone phone. That option eliminates hackers searching for a modem.

2) Another system involves an electronic card that puts out a 5 digit password that changes every minute. By having to put in your "PIN" number and this 5 digit code, it ensures that the caller (from wherever) 1) is you (because of the PIN) and is in possession of the electronic card (Because of the 5 digit password). I forgot the name of the 2nd system.

The Defender is available in single modem prices. (I don't know how much).

Jim Hughes
Hughes@network.com

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From: virchaux%CLSEPF51.BITNET@cunyvm.cuny.edu (Jacques Virchaux EPFL-SIC)

As we actually use this kind of modem without the dial-back capability, it seems to be interesting for you : OSI8224A. As there are a lot of possibilities and new series including speed up to 9600 bauds, I give you the address :

Octocom Systems, Inc.
255 Ballardvale Street
Wilmington, MA 01887

* Note: Octocom modem only calls back one number until you physically
* reset the modem to call another.

If you need more than this simple dial-back, maybe you want to know a complete security system, which can be used with simplest modems : DataLOCK 4000.

MicroFrame, Inc.
2551 Route 130
Cranbury, New Jersey 08512
(609) 395-7800

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

From: 12-OCT-1989 5:38:57
To: SECURITY@pyrite.rutgers.edu
Subj: [738] Unix crypt in Canada

> I seem to recall that Unix systems exported from the United States
>have a weaker form of crypt()

Weaker, yes, you could say that: SunOS shipped to Canada doesn't have crypt at all. The version is called "3.5EXPORT" (I haven't opened my 4.x boxes yet :-). Haven't noticed any other differences, but of course I don't work with the native version.

Must be that immense border we share with you-know-who, although it'd be a heck of a cold swim with a 1/4" cassette clenched in your teeth. And now that you mention it, the guy I work with did take a vacation in Cuba a year ago...

Chip Campbell
VAX System Manager, Physics Division
Ontario Cancer Institute, Toronto
Bitnet: syschip@utoroci
also bitnet: @ociphy.oci.utoronto.ca

From: jimkirk@outlaw.uwyo.edu (Jim Kirkpatrick) 12-OCT-1989 6:09:03
To: security@pyrite.rutgers.edu
Subj: [1228] Privacy vs on-line library

First, this may be more of a talk.politics item, but then there have been previous discussions here about privacy vs Social Security number etc.

Earlier this year I remember reading articles about the government wanting libraries to turn over records of who checked out what book, apparently so they could find out if anybody has been reading subversive material. Libraries (via whatever library associations exist) told the government to piss off, and they weren't going to hand over such records (or keep them) because it violated freedom of privacy and freedom of information. I applaud this.

Our University library recently joined a regional conglomerate to obtain on-line library catalog access (CARL - Colorado Area Regional Library, or something like that), which also includes things like an on-line encyclopedia. However, to use the encyclopedia, one must enter their bar code from their library card. I tend to object to this on the same grounds as stated above, that they have no business keeping records of who looks at which databases. I can walk into the library and read the bloody thing without presenting an ID, why should on-line use be made more restrictive?

Any comments on the privacy issues here?

From: Edward J. Rovera 13-OCT-1989 18:25:42
To: security@pyrite.rutgers.edu
Subj: [1755] User forms for RACF changes

We are just now getting into running RACF on our MVS system and one of the problems I (as the de facto Security Administrator) am encountering is that the folks making requests to me for access to protected resources invariably do not provide sufficient information. This necessitates my responding with 'what do you mean?' and the possibility of the requester doing the same thing means *really* dragging the process out.

What I'd like to find are some references to books or papers on how to design the paper (or electronic) forms used by people (usually resource owners or their agents) to submit requests to the RACF Security Administrator. I'd also like to know how other RACF sites using centralized administration deal with the entire process of granting and restricting access to protected resources.
References to papers or books on this topic would also be welcomed.

I would think that this might not be of general interest to list readers so if you could respond directly to me, those on the SECURITY list who are not RACF users would probably appreciate it. Anyone who *is* interested in whatever I learn is welcome to contact me for copies.

Thank you in advance for any assistance.

- Ed Rovera

+-------------------------------------+
| Ed Rovera                           |
| UUCP: ...!ucbvax!ucsfcgl!cca!er9006 |
| BITNET: EJR9006@UCSFVM              |
| Voice: (415) 476-3119               |
| US Mail:                            |
| University of California,           |
| San Francisco                       |
| Information Technology Services     |
| San Francisco, Ca. 94143-0704       |
| SHARE Installation Code: UCS        |
+-------------------------------------+

From: cc@sisl.co.uk (Chris Corbett) 13-OCT-1989 19:07:04
To: inset!ukc!misc-security
Subj: [2012] Unix security products, A survey

I am carrying out a survey of security products that are available for Unix machines. The idea is to collect together a review of the available products. It will be a "snapshot" of the various ways in which security can be added to unix, together with a brief description of the main features of each. This review would then be posted onto the net, and hopefully updated from time to time.

I am focussing on the following areas:

1. Single level security products for Unix machines. Products that give a C2 level of assurance or something like it.

2. Multilevel security for unix machines. Products that give higher levels of assurance (B1 and up).

3. Products that support either of these levels of security over networks of machines.

I am *not* collecting information on encryption devices/smart cards etc.

In order to jolt your memory I am already aware of the following in each of these categories.

1. BOKS

2. The Addamax and Secureware kits for system V and BSD.
(I would be interested to know of any manufacturer that has announced machines running either of these two); AT&T's MLS Unix; Unix System 5.4.2 which is said to be going to include B1 security as part of the standard product.

3. None (well it's a much trickier problem).

Any information or pointers that anyone can send me would be very welcome. Names of further people to talk to would also be useful. Thanks in advance.

I should also state for the record that I am not associated commercially with any company that makes any products of this type. I am an interested third party who would like to get an overview of the current situation.

-----------------------------------------------------------------------------
Chris Corbett cc@sisl.uucp +44 252 811818 Fax +44 252 811435
Secure Information Systems Ltd, Sentinel House, Harvest Crescent, Ancells Park, Fleet, Hampshire GU13 8UZ. UK.
-----------------------------------------------------------------------------

From: Jim.Thompson@central.sun.com (Jim Thompson Sun Dallas IR) 17-OCT-1989 23:57:40
To: hackers_guild@ucbvax.berkeley.edu
Subj: [1878] Another Virus (sigh)

FYI: it seems the NASA DECnet network SPAN is under attack from a DECnet virus. DCA, in its typical overreaction, has hit the explosive bolts on the ARPA-Milnet mailbridges, affecting TCP/IP traffic on the Internet.

It helps to keep in mind that the Internet is not the only place where worms/viruses are a major problem.

Date: Mon, 16 Oct 1989 17:54:34 PDT
From: Vince Fuller
To: barrnet-people@argus.stanford.edu, barrnet-alert@argus.stanford.edu

FYI. The mailbridges are apparently still up and advertising routes, but are refusing to forward any packets. What this means for us is that our default route through Ames is useless and that automatic fall-over to SRI is not possible (because BR8 is still generating default).
As a temporary measure, I have disabled EGP on BR8 so that we can follow the default through SRI (this will allow us to get to ARPANET-connected sites, which are few but better than nothing...)

--Vince

P.S. Sorry for the duplicates, but this seemed like it needed maximum distribution.

Subject: Re: Mailbridges closed.
Date: Mon, 16 Oct 89 16:22:51 -0700
From: "Milo S. Medin" [NASA ARC NSI Project Office]
cc: nsfnet-cert@merit.edu, vcerf@nri.reston.va.us

There is an active SPAN DECNET worm that is cracking poorly configured systems at this time. If this is why DCA closed the MailBridges, there is some serious bogosity going on! This virus ONLY propagates via DECNET.

Milo

Date: Mon, 16 Oct 89 18:19:12 EST
From: Hans-Werner Braun
To: nsfnet-cert@merit.edu
Subject: Mailbridges closed.
Cc: vcerf@nri.reston.va.us

We got a call from Vint Cerf that DCA has closed the Mailbridges because of some apparent attack of worms or martians or huns or something like that. We do not have further information at this time, as far as I know.

-- Hans-Werner

From: ecd@sei.cmu.edu (Edward DeHart) 18-OCT-1989 1:05:04
To: misc-security@rutgers.edu
Subj: [2357] Ultrix 3.0 breakins

CERT Advisory
October 17, 1989
DEC/Ultrix 3.0 Systems

Recently, the CERT/CC has been working with several Unix sites that have experienced breakins. Running tftpd, accounts with guessable passwords or no passwords, and known security holes not being patched have been the bulk of the problems.

The intruder, once in, gains root access and replaces key programs with ones that create log files which contain accounts and passwords in clear text. The intruder then returns and collects the file. By using accounts which are trusted on other systems the intruder then installs replacement programs which start logging.

There have been many postings about the problem from several other net users. In addition to looking for setuid root programs in users' home directories, hidden directories '..  ' (dot dot space space), and a modified telnet program, we have received two reports from Ultrix 3.0 sites that the intruders are replacing the /usr/bin/login program. The Ultrix security hole being used in these attacks is only found in Ultrix 3.0.

Suggested steps:

1) Check for a bogus /usr/bin/login. The sum program reports: 27379 67 for VAX/Ultrix 3.0

2) Check for a bogus /usr/etc/telnetd. The sum program reports: 23552 47 for VAX/Ultrix 3.0

3) Look for .savacct in either /usr/etc or in users' directories. This may be the file that the new login program creates. It could have a different name on your system.

4) Upgrade to Ultrix 3.1 ASAP.

5) Monitor accounts for users having passwords that can be found in the /usr/dict/words file or have simple passwords like a person's name or their account name.

6) Search through the file system for programs that are setuid root.

7) Disable or modify the tftpd program so that anonymous access to the file system is prevented.

If you find that a system has been broken into, changing the password on the compromised account is not sufficient. The intruders do remove copies of the /etc/passwd file in order to break the remaining passwords. It is best to change all of the passwords at one time. This will prevent the intruders from using another account.

Please alert CERT if you do find a problem.

Thank you,
Ed DeHart
Computer Emergency Response Team
Email: cert@sei.cmu.edu
Telephone: 412-268-7090 (answers 24 hours a day)

From: jordan@morgan.com (Jordan Hayes) 18-OCT-1989 10:45:28
To: misc-security@uunet.uu.net
Subj: [1090] security of FAXen

A funny thing happened to my office-mate Doug and I the other day. His phone rang, and he answered it ... after a few seconds, the following transpired:

Doug: "Hey, Jordan -- what calls you up and beeps at you?"
Jordan: "Huh?"
Doug: "C'mere ..."

I was too late. It had already hung up. 30 seconds later, his phone rang again.

Doug: "Here it is again! C'mere!"
Jordan: (listening for a second) "Hey, it's a FAX machine calling you ... let's forward it to our machine ..."

So we got an unintentional FAX. It was pretty interesting. It was from an Advertising Firm with some Very Large Clients. It was the monthly sales report. We're happy to report that they are doing quite well for themselves!

Needless to say, they were trying to send a FAX to somewhere in Virginia, Area Code 703, and they neglected to dial ``1'' first. In New York City, we have so many telephones that we have prefixes that are XnX where ``n'' is 0 or 1, so they look like area codes if you don't dial 1.

Is there any work being done in the area of security or authentication for FAXen?

/jordan

From: rogerc@sauron.columbia.ncr.com (Roger Collins) 18-OCT-1989 11:25:35
To: misc-security@backbone.usenix.org
Subj: [1463] USA Today: "Hackers can tap into free trip"

A relative sent me this recent clipping from USA Today (sorry, don't have the date).

----------------------------- snip-snip ------------------------------
Attention, hackers: Here's your chance to break into a computer system and walk away with a grand prize.

The "hacker challenge" dares any hacker to retrieve a secret message stored in a KPMG Peat Marwick computer in Atlanta.

[... stuff deleted ...]

This challenge is being sponsored by LeeMah DataCom Security Corp., a Hayward, Calif., consulting firm that helps companies boost computer security.

The winner gets an all-expense paid trip for two to either Tahiti or St. Moritz, Switzerland.

Hackers with modems - devices that connect PCs to phone lines - must dial 1-404-827-9584. Then they must type this password: 5336241.

From there, the hacker is on his own to figure out the various access codes and commands needed to retrieve the secret message.

The winner will be announced Oct. 24 at the Federal Computer Show in Washington.
----------------------------- snip-snip ------------------------------

I tried to dial the number and got a sound I had never heard before. My Hayes Smartmodem 2400 didn't recognize it either. Does anyone else have more info. about this contest? Got any ideas why I can't get connected? What operating system is it?

--
Roger Collins
NCR - Engineering & Manufacturing Columbia
Domain: rogerc@ncrcae.Columbia.NCR.COM
Uucp: (ncrsd | ncrlnk)!ncrcae!rogerc

From: Michael Van Norman 213_825_1206 19-OCT-1989 0:34:40
To: security@pyrite.rutgers.edu
Subj: [214] Re: REINIALISING PS/2 PASSWORDS

Next to the speaker on the earlier PS/2's is a pair of jumper pins. If you short these while the machine is being powered up, the password will be cleared from memory. This is the easiest way I know of to do it.

From: Jeffrey R Kell 19-OCT-1989 1:18:47
To: security@pyrite.rutgers.edu
Subj: [272] Re: Home Alarms

Are there any alarm systems that will interface with a PC? I've seen plenty of 'switch controllers' but don't recall seeing anything that resembled alarm sensors (though presumably if you can sense a switch open/closed, the same logic applies to alarm sensors).

From: Marc Cygnus 19-OCT-1989 2:08:04
To: misc-security@uunet.uu.net
Subj: [1109] IR sensors: can they be tripped w/ a lo pwr IR laser?

Glass usually absorbs a quantifiable amount of the IR energy passing through it... could, then, a fair- to high-quality IR sensor be made to trip by either focusing a 3'-4' spot of IR energy on an opposing wall or a finer spot directly on the device itself? The IR source I've in mind would be from a relatively low power IR laser (in the range of 10 - 100 mW).

This is a serious question. I've in mind risk assessment... in the case where a company or institution might be victims of harassment (albeit of a very technical nature). Any ideas?
If anyone could give me an idea of the (wavelength) sensitivity band of one or more detectors (if you _know_; please, no guesses or approximations based on the fact that the detector senses `infra-red'... I can do that, too :-), it would help.

-marcus-
--
-----------------------------------------------------------------------------
"Opinions expressed above are not necessarily those of anyone in particular."
`...but do YOU own a   | ARPA: cygnus@vax1.acs.udel.edu
 homemade 6ft Tesla?'  | UUCP: {yourpick}!cfg!udel!udccvax1!cygnus

From: CNSM CCR _ Rob Rothkopf 19-OCT-1989 2:47:16
To: security@pyrite.rutgers.edu
Subj: [3044] RE: Home Alarm Installations, R.S. Setups

I've installed burglar alarms using all Radio Shack equipment; The whole deal is fairly inexpensive ($120? for the main unit, $100 phone dialer, switches, etc) and wiring is straightforward (well, as straightforward as wiring a system can be :-). However, if you have any pets, motion/heat/pressure mat sensors are out of the picture.

A note of caution... be careful not to pinch wires when running them and stapling them to walls.. this can build resistance in the circuit and cause false alarms (a closed system trips when the total circuit resistance exceeds a certain level).

The vibration sensing switches are prone to strong winds, airplanes, truck horns triggering them; therefore, use on windows instead of foil tape (for cosmetic reasons) would have to be more than one for a big pane to be effective with all the switches having fairly low sensitivity.

Still, I encountered something interesting with these switches wired in series: the alarm is being triggered for no apparent reason, calm winds, everyone inside sitting around the house. When the resistance in the circuit was checked I found it to be over 500 ohms more than what it should have been.. troubleshooting the circuit I found the resistance in each switch to vary, one by over 100 ohms... seconds later the same switch read 7 ohms.?! Hmm...
So far this problem hasn't been fixed *but* resistance in the circuit still seems like something to look out for.. make sure not to staple through wires inadvertently!

RE: the mercury glass breakage switches - Usually for windows people have three options if they're using the closed circuits: either the mercury switch, vibration switch or foil tape. In a previous posting it was said that the mercury switch is impractical and it should be hidden so a burglar doesn't see it. I disagree. Part of the effectiveness of the system is its visibility (it even comes with window stickers). The foil tape most often used is ineffective on big windows (e.g. glass doors) if put around the perimeter. While the tape *is* sensitive to breakage, if the middle is cut carefully, entrance can be obtained without the alarm being triggered. The "glass breakage sensor" follows the same theory that the glass will be broken enough to cause a shift triggering the alarm. 5 of one, etc. It's more a matter of cosmetics at that point.

Also, as silly as it might seem to put a vibration sensor on a wall or room, there *have* been cases where burglars have broken in that way.. if you're running a wire already it might be worth an extra few dollars to drop a vibration sensor here and there on some wall areas..

Overall, the Radio Shack support staff was VERY helpful and cooperative when exchanging parts, etc. Prices are reasonable and there are enough accessories to build virtually any setup you would want... Many loops make debugging/altering the system much easier (as someone already pointed out [good suggestion!])...

Hope this info. is helpful to someone..

From: "W. K. (Bill) Gorman" <34AEJ7D@cmuvm.bitnet> 20-OCT-1989 23:32:48
To: Security Digest
Subj: [262] locks (again)

We are considering the purchase of a vault for secure storage of such items as tapes, etc. How secure are Sargent & Greenleaf combo locks?
What do we get for their "anti-manipulation" feature - just an extra key lock that immobilizes the combination dial?

From: (Stephen Tihor) 21-OCT-1989 0:06:26
To:
Subj: [453] Grumann Breakin

Kid with a Wargames dialer popped in to a small Grumman engineering system. Grumman seems to have been very sloppy since what the CBS newspeople who interviewed me ("Independent Computer Expert") said was that he got into a privileged maintenance account. Presumably FIELD. Of course Grumman does their own maintenance so it's probably their fault not DEC's if it's a guessable password. But they let the kid in, tracked him back, and had him arrested.

From: GREENY 21-OCT-1989 0:43:55
To:
Subj: [720] re: Home alarm distributors

> I haven't located any other distributors of alarm systems who sell to the
> general public...

most can't according to the sales agreements that they have, or can't according to some vague laws. There are companies out there though that do sell alarm equipment try the following company and ask for a catalog:

MCM Electronics
650 Congress Park Drive
Centerville, OH 45459-4072
(513) 434-0031
FAX: (513) 434-6959
1-800-543-4330

Hope this helps...

Bye for now but not for long...
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

Disclaimer: I just picked the catalog out at random from my book rack...I'm not endorsing anything....or anyone...

From: GREENY 21-OCT-1989 1:11:47
To:
Subj: [1397] re: wireless systems

> there is a version which is called supervised wireless, in which the central
> station constantly polls the remotes ...
Nope.....not the Central Monitoring Station, but rather the alarm CPU in your basement/utility closet....every 10-15 seconds the sensor puts out an "I'm here" signal to the CPU, and the CPU remembers it.....if it doesn't get a blip then it waits another 15 seconds or so and sees if it gets one again...if it doesn't, then it sends a signal to the Central Monitoring Station saying "Supervisory on Zone ##" where ## is the number of the zone that died...

of course if someone is sophisticated enough to jam your xmitters (319.5 MHZ for those of you wondering...) then they could also just cut your phone line and unless you have a cellular dialer, or high security connection then you are out of luck....

Also, the newer wireless systems (such as the ITI SX-V) have sensors that have the brains to send a "Hey CPU, my battery is dying" signal to the CPU so that the CPU can call the central monitoring station, and then they will call either you and your dealer, just your dealer, or just you....then your dealer can come out and replace the batteries for you -- or if you can find the proper equivalent then you can do it yourself...

l8r...

bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNEt: GREENY

From: Marcus 21-OCT-1989 1:53:47
To: misc-security@uunet.uu.net
Subj: [1640] home security

Radio Shark is pretty expensive considering the quality and options they sell. Try some place like Aritech. (1-800-432-3232 for a catalog and make up a security company name for your mailing address) They carry much more stuff, and have the advantage of *KNOWING* their merchandise. (Try going to your local Radio Shark and asking them about how the controller *works*) They have good technical support, too.

As far as the other poster's remark that a do it yourselfer might miss something the pros might not: That's true, but a do it yourselfer can do a lot of things the pros won't think of, or recommend.
Examples are: wireless units with magnets between the VCR and the TV (move them and the alarm goes off - I don't sit with my alarm on when I watch movies), wireless units in the jewelry box (a fun one), wireless (or wired, at that) units between stereo components and stereo cabinet, etc. When I worked for a burglar alarm company, we never did anything like that because we could not rely on our customers not setting the darn things off constantly.

Things that do it yourselfers *DO* forget:

Horns/sirens outside, but not wired into the loop so that they can be disabled safely.

Bells outside in cabinets where they can be reached (even if the bell cabinet is alarmed, a bell can be totally silenced with a can of polyurethane spray insulation)

Making perimeter alarm units hidden. If they can't see them, they can't be scared off by them.

We used to use a mix of perimeter alarms and then at least 1/3 as many interior alarms - stuff like between the doors to the master bedroom, computer room, etc.

--mjr();

From: GREENY 21-OCT-1989 2:23:37
To:
Subj: [1979] re: RF security systems WAS: AT&T Alarms

> what frequency range do they use?

340 MHz or 319.5 MHz are the ones that I have seen...

> Do they generate RFI?

Doesn't everything nowadays? :-U Seriously though, they don't generate anything too much...or believe me, we'd have heard about it from our clients...

> Are they susceptible to interference from other transmitters nearby...

Not really, the signals are coded with a "House Code" that each transmitter has to be individually programmed to use, and there are about 10,000 possibilities for these....'course anything is possible...

> Are the remote units battery powered? If so, is battery failure detected?

YES! Why else would you want to install a wireless system, if you had to run wires to the individual sensors for power? Just add two more wires, and presto! you have a hardwired alarm...
In reality, the sensors send a special signal to the CPU when their battery starts to die (3-5 years on the lithium ones in there now...), and the CPU calls the Central Station and tells them....then the Central station contacts your dealer....Your CPU also informs you that the battery is dying when you attempt to arm the alarm (you get a TROUBLE signal on Zone ##)....

Also, the zones are all supervised, and the sensors send a signal to the cpu every 60 seconds or so saying "YO! I'm Here!"....if not, then a SUPERVISORY signal shows up...

> Can a receiver be rendered ineffective by a transmitter on the same
> frequency?

Yes, but since all the xmitters are supervised, and since the transmissions are coded, all the bogus transmitter would do would be to jam the signal, and if the central station gets 47 Supervisory signals in 5 minutes from the same alarm panel, then they will call the police...

Oh yeah, all the above is referencing ITI products....

bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

Disclaimer: Nope, no way, it just couldn't be -- my fault..

From: hubcap@hubcap.clemson.edu (Mike Marshall) 25-OCT-1989 9:55:13
To: misc-security@gatech.edu
Subj: [294] Re: Privacy vs on-line library

* Any comments on the privacy issues here?

They gotta do it that way. Your organization is site licensed to have access to that database. If Joe Blow walks off the street into the campus library and uses the database, it would violate the license agreement.

-Mike
hubcap@clemson.edu

From: jonhaug@ifi.uio.no (Jon Haugsand) 25-OCT-1989 10:20:52
To: security@rutgers.edu
Subj: [1480] Re: Privacy vs on-line library

Ah, at last some interesting discussion... I am currently doing my master's thesis, and part of the work is definition and classification of security and security policies.
I have some problems with 'privacy'. In a book discussing the Norwegian privacy act [Dj\o nne 1987: "Personregisterloven, med kommentarer"], privacy is defined as:

'A person has personal interest in 1) discretion, 2) information correctness, 3) knowing what information processing that may cause consequences for him/her, and 4) sanctity of private life. And moreover: 5) the interface to the authorities should keep "a human face", 6) the vulnerability of databases should be minimized, and 7) people should be protected from unreasonable use of power by the authorities.' (Abstracted and translated by me.)

The central point in the act itself is to 1) enable individuals to determine data collected on him or her, to get incorrect information corrected and to get irrelevant information deleted, and 2) regulate who is allowed to collect, process and store what information in electronic computers. (There are more, but this is what I myself find 'central'.)

If security is defined as "a system's ability to maintain confidentiality, integrity and availability of information", where does privacy fit?

Another question: Do you agree with the above 'definition' of privacy? Does your country's privacy act (if you have one) agree?

--- --- ---
Jon Haugsand
Ifi, Univ. of Oslo, Norway
jonhaug@ifi.uio.no

From: "Michael J. Chinni, SMCAR_CCS_E" 25-OCT-1989 11:10:24
To: Jim Kirkpatrick
Subj: [2113] Re: Privacy vs on-line library
Cc: security@pyrite.rutgers.edu

Jim,

Question, does your library card identify you as Jim Kirkpatrick, or does it just identify you as being from your university?

> that they have no business keeping records of who looks at which databases.

What makes you think that this is required because they are keeping records of who looks at what?

> I can walk into the library and read the
> bloody thing without presenting an ID, why should on-line use be made
> more restrictive?
You can walk into the library and read the thing, because the library is supported by the university and assumes that nobody NOT from the university will use it (or at least the use will be minimal).

I can think of a very good reason that some form of ID is required. I assume (I may be wrong on this part) that your card identifies what library it is for. I also assume that your library pays a fee for access to this network (or at least for access to the encyclopedias). The network needs to prevent unauthorized access by people from non-member libraries. To do this it requires you to enter your library card bar code as a means to verify that you are indeed from a member library and are therefore authorized to use that system.

Another reason (variation on the above) is that the member libraries are billed based on the usage by their people. This requires that the network know what library you are from when using this system.

I agree with you that the keeping of a database of who looks at what is wrong, but I disagree with your assumption that this is the reason that the bar code is required.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Michael J. Chinni
Chief Scientist, Simulation Techniques and Workplace Automation Team
US Army Armament Research, Development, and Engineering Center
User to skeleton sitting at cobweb  ()  Picatinny Arsenal, New Jersey
 and dust covered workstation       ()  ARPA: mchinni@pica.army.mil
  "System been down long?"          ()  UUCP: ...!uunet!pica.army.mil!mchinni
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

From: jimkirk@outlaw.uwyo.edu (Jim Kirkpatrick) 25-OCT-1989 11:51:01
To: MCHINNI@pica.army.mil
Subj: [2471] Re: Privacy vs on-line library
Cc: SECURITY@pyrite.rutgers.edu

Responding to my recent query on library systems, Michael Chinni asks --

>Question, does your library card identify you as Jim Kirkpatrick, or
>does it just identify you as being from your university?
To clarify, the library card is actually just a bar-code sticker slapped on the back of my normal University ID card. Thus the card itself identifies ME, has my picture, and social security number (printed AND embossed!). Also, to clarify, to access either the on-line encyclopedia or a database of newspaper/magazine articles, I must enter my bar code number AND my last name (I found it only looks at the first 10 characters, but those 10 must be correct). So it has a table of bar codes and who they were assigned to (that's reasonable, when you check out a book and don't return it they need to know who to send the goons after :-).

>> they have no business keeping records of
>> who looks at which databases.
>What makes you think that this is required because they are keeping
>records of who looks at what?

I admit the above was an overstatement. I don't know that they are keeping records of who looks at what, or if they are simply authenticating and counting usage. But I don't know they AREN'T keeping track, either.

> assumes that nobody NOT from the university
>will use it (or at least the use will be minimal).

I would suggest that unauthorized use of the online encyclopedia is likely to be minimal as well.

> I agree with you that the keeping of a database of who looks at what is
>wrong, but I disagree with your assumption that this is the reason that the
>bar code is required.

It was a wrong assumption from the view that I don't KNOW they are keeping track, but I don't KNOW that they AREN'T. Any such system CAN be abused almost trivially and without notice to the users. One example is the repeated use over the past hundred years or so of gun registration lists to confiscate guns, despite a government's insistence such lists would never be used that way (WWII Germany was particularly brutal in this regard). I do not mention this to compare guns with books, but just to point out that governments will and do abuse their power to gain access to information they want.
I would rather it be impossible for the information to exist, than to be assured (by people who don't even understand the system) that such records aren't being kept. "The price of freedom is eternal vigilance" or something like that.

From: rlearn@relay.nswc.navy.mil 27-OCT-1989 0:09:51
To: security@pyrite.rutgers.edu
Subj: [361] RE: Privacy vs on-line li

I suspect the check is simply to verify that you are a legitimate member of the "conglomerate" and not just anyone with a desire to use the "encyclopedia" feature for which your library is paying. Who says they are going to keep score on all the users which would be a library unto itself and cost somebody some money? Who would pay for that service?

From: cme<%cloud9.Stratus.COM@rutgers.edu> (Carl Ellison) 27-OCT-1989 0:47:54
To: linus!misc-security<%encore.UUCP@rutgers.edu>
Subj: [1009] Re: Privacy vs on-line library

> . . . I can walk into the library and read the
> bloody thing without presenting an ID, why should on-line use be made
> more restrictive?

It sounds like an accounting measure to me. Is your department charged for database usage?

What I would push for is the same privacy which the census provides -- make sure no record is released (or, better, kept) of individual data, releasing info only when no specifics about individuals can be deduced from it.

You might do that here by having a group ID card to be scanned -- one giving just the department ID (or whatever the accounting entity is). If you can trust the local programmers, you could depend on them to accumulate no data about *what* you're accessing -- only about how long you use the service.

If you can't trust the programmers you need a pay-phone type of facility. That could be with a coin box or a time meter (like the little boxes you used to walk around with for Xerox machines -- the ones with your own odometer style copy counter).
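The accounting scheme proposed in the message above (authenticate the card, then keep only per-department session counts and connect time, and release figures only for groups large enough to hide an individual) can be sketched as follows. This is an added example, not code from the thread or from CARL's system; the card table, department codes and the minimum group size of 5 are assumptions made for illustration, and the first-10-characters name check follows the behaviour described earlier in the thread.

```python
import secrets
from collections import defaultdict

# Constructed sample card table: bar code -> (last name, department code).
# It is consulted to authenticate a card and is never copied into usage data.
CARD_TABLE = {
    "1001": ("KIRKPATRICK", "PHYS"), "1002": ("ABERNATHY", "PHYS"),
    "1003": ("BLACKWOOD", "PHYS"), "1004": ("CHAMBERLAIN", "PHYS"),
    "1005": ("DAVENPORT", "PHYS"),
    "2001": ("ELLINGTON", "CHEM"), "2002": ("FAIRBANKS", "CHEM"),
    "2003": ("GALLAGHER", "CHEM"),
    "3001": ("HARTSFIELD", "MATH"), "3002": ("IVERSON", "MATH"),
}
MIN_GROUP = 5  # assumed threshold: smallest group whose totals may be released


class UsageAccountant:
    """Counts sessions and connect time per department, nothing per person."""

    def __init__(self, cards, min_group=MIN_GROUP):
        self._cards = cards
        self._min_group = min_group
        self._members = defaultdict(int)          # department -> card holders
        for _name, dept in cards.values():
            self._members[dept] += 1
        self._totals = defaultdict(lambda: [0, 0])  # dept -> [sessions, seconds]
        self._open = {}                           # random token -> (dept, start)

    def authenticate(self, bar_code, last_name):
        """Return the card's department, or None if the card is not valid.

        Only the first 10 characters of the last name are compared.
        """
        entry = self._cards.get(bar_code)
        if entry is None:
            return None
        name, dept = entry
        if last_name.upper()[:10] != name[:10]:
            return None
        return dept

    def begin(self, bar_code, last_name, now):
        """Open a session; the bar code and name are dropped once checked."""
        dept = self.authenticate(bar_code, last_name)
        if dept is None:
            return None
        token = secrets.token_hex(8)   # unrelated to the card number
        self._open[token] = (dept, now)
        return token

    def end(self, token, now):
        """Close a session and add its duration to the department total."""
        dept, start = self._open.pop(token)
        totals = self._totals[dept]
        totals[0] += 1
        totals[1] += max(0, now - start)

    def stored_state(self):
        """Everything retained after sessions close: department totals only."""
        return {dept: tuple(t) for dept, t in self._totals.items()}

    def report(self):
        """Release totals census-style: small departments are pooled into
        OTHER, and OTHER is withheld while the pool is itself too small."""
        released = {}
        pool_members, pool_sessions, pool_seconds = 0, 0, 0
        for dept, (sessions, seconds) in self._totals.items():
            if self._members[dept] >= self._min_group:
                released[dept] = {"sessions": sessions, "seconds": seconds}
            else:
                pool_members += self._members[dept]
                pool_sessions += sessions
                pool_seconds += seconds
        if pool_members >= self._min_group:
            released["OTHER"] = {"sessions": pool_sessions,
                                 "seconds": pool_seconds}
        return released


if __name__ == "__main__":
    acct = UsageAccountant(CARD_TABLE)
    session = acct.begin("1001", "Kirkpatrick", now=0)
    acct.end(session, now=600)
    print(acct.stored_state())
    print(acct.report())
```
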
From: johnw@watnext.waterloo.edu (John Wieczorek) 27-OCT-1989 1:20:17
To: misc-security@watmath.waterloo.edu
Subj: [1017] Re: Privacy vs on-line library

IMHO the issue here is the management of a finite, money consuming resource in very much the same manner as your userid is on your system. The argument can then be made that anyone can walk off the street into your university's library and read the book manually. This is a valid point, but if a large group of non-students began to use the library resources to the point that it impeded legitimate users (students) the University would then have to do one of two things; increase their expenditures to support the activities of people unrelated to them, or cut them off.

Your membership in your University's library system is your ride ticket, though it may just as easily be used to monitor the materials you read. Life's a bitch, but it is unrealistic to expect that you can use shared computing resources without the possibility of footprints. Ultimately, your previous options are and will remain open, 1) go there physically have a seat and read or 2) buy a copy of the book.

John Wieczorek

From: "Bill Turner, Cornell University Library" 27-OCT-1989 1:48:59
To: Nick Gimbrone , security@pyrite.rutgers.edu
Subj: [2012] Re: Privacy vs on-line library
Cc: John Rudan , Tom Boggess

As the primary technical support person for a library system, I would like to point out that there are not necessarily any privacy issues involved here. The question is whether the system is storing the ID's when they are entered, and if so, what happens to them. A good example - any library staff member can certainly (and appropriately!) find out who has what books checked out, and what books any given individual has checked out. A few programmers can even construct the borrowing history of a given individual (a moment's thought about how a library works will tell you this). The fact that something CAN be done does not imply that it is being done.
A better question is whether your ID number can be, and is, correlated to your Social Security number. There's probably no good reason why it should be, although often systems are designed by people who are completely insensitive to privacy issues.

Finally, however, I find your attitude that somebody owes you free online use of whatever services are offered rather amusing. If you don't want to identify yourself, walk down to the library and use the books. Presumably there are billing issues involved, where somebody is subsidising your online use of an encyclopedia, and asking you to identify yourself for that reason. I'm sure that if you went to the source and offered to establish a fund to pay for completely open use, they'd be happy to set it up.

Remember that the provider of the service (the encyclopedia) has something to say about who uses it. I would guess that CARL has a site license that says they may make it available to their own community, but not the world at large. It may be that your ID is validated against a table and no information stored about your access, except possibly a counter indicating the total number of accesses for the encyclopedia. An encyclopedia company that did NOT have such a licensing strategy would quickly go broke, because of selling only one copy of each edition which somebody would put online.

From: royf%pwcs@uunet.uu.net (Roy Forsstrom) 27-OCT-1989 5:59:29
To: misc-security@uunet.uu.net
Subj: [1969] Re: Privacy vs on-line library

>Earlier this year I remember reading articles about the government wanting
>libraries to turn over records of who checked out what book

It was the FBI hoping to find out if Soviet/East Bloc embassy employees were requesting tech/engineering materials at Columbia University. I wrote to my congressman about it and got a letter back from the FBI in DC.

I helped install an on-line catalog/Library Information System called PALS at a small college here in Minnesota.
Our initial setup didn't require password or barcode numbers to access the system although the feature was available. The reason to use the access code is MONEY! It cost the college about 2.5 cents per transaction. At the time, we weren't implementing circulation on the system, so students and faculty didn't have barcodes. Since the town was allowed to use the library also, we didn't want to restrict their access right off the bat.

Keeping track of who requests what is possible, if you want to spend the time and money. Most libraries don't have either. [An interesting side note, Len Deighton's latest book "Spy Hook" tells of a database that logs attempts to retrieve restricted data.]

>Any comments on the privacy issues here?

Remember when Bork was a candidate for the Supreme Court? A video store released a list of movies his family had rented over the past year. I think some laws were passed rather quickly after that.

Sweden and England have very strict laws about who can do what with computer data. One English mailing list I'm on asked me to sign a release because they keep the list on a computer.

-----------------------------------+-------------------------------------------
Roy Forsstrom 612-298-5569         | Traveling makes one modest. You see
Public Works Computer Services     | what tiny place you occupy in the world.
pwcs!royf royf@pwcs.StPaul.GOV     | -Flaubert
-----------------------------------+-------------------------------------------

From: tkoppel@isis.cs.du.edu (Ted Koppel) 27-OCT-1989 6:29:44
To: misc-security@ncar.ucar.edu
Subj: [2079] Re: Privacy vs on-line library

First, Jim, I'm writing as a person who values and respects the privacy of user records. When I became a librarian I signed off on the idea that people's records are not to be shared, and so on. What I am writing is not necessarily the official policy of CARL. Still, I'll address your issues:

a.
In the case of the encyclopedia and other databases that are made available on Online Catalogs, we are required by the database supplier's contract to limit the use of certain databases to the primary user population of our members. What that means is that, for instance, a U Wyoming student/faculty/staff person has full access to that database (the encyclopedia, for instance), but a citizen of the state of Wyoming (not known to the University..) does not have access. If we don't restrict access to only the primary user population, then the database provider can accuse us of breach of contract, and ultimately has the right to yank the database from us.

Sadly, the 'limit access on your online system' strategy is being embraced more and more by the database suppliers (see the discussion on the Library PACS-L Bitnet mailing List). I don't see it getting better, either, because the database suppliers are scared that too much online use is going to translate into fewer print subscriptions, which is what really pays their bills.

By the way, the CARL privacy issue is not what you think. When you come into a password-controlled database, we set a switch to "1"; when you exit, we turn it back to "0". (You can't use a password controlled database on the same password at the same time). CARL doesn't log who used what database at what time - sure, we could, but no, we're not doing so.

Final note, Jim - if you're on one of the hardwired terminals at Wyoming, you're not asked for a password at all. (The hardwired terminals are all located in the various libraries there). Only the remote dialups need passwords.

--
Ted Koppel CARL - Colorado Alliance of Research Libraries =
BITNET: TKOPPEL@DUCAIR UUCP: uunet!isis!tkoppel or tkoppel@du.edu

From: kent@wsl.dec.com 24-OCT-1989 10:54:48
To: howard@hasse.ericsson.se (Howard Gayle)
Subj: [163] Re: Email addresses on business cards risky?
Cc: misc-security@sunic.sunet.se

DEC also won't let us put 'internal' hostnames on our business cards. We all think it's stupid, too, since everyone just writes the address on the back.

chris

From: Robert Allinson 24-OCT-1989 11:25:36
To:
Subj: [585] Personal Computer Viruses

I am puzzled by the statement made by certain individuals. The statement was made that a virus can be put on an un-formatted disk and it can "virusize" your personal computer!!! Is this true? Is it possible to put a virus on an un-formatted disk? If so, HOW? It does not make sense. In my view you have to format the disk in the first place to install data on it! Correct?

Please reply to : Robert Allinson XA3I@PURCCVM

[Moderator tack-on: Depends on the type of PC, of course. Replies to him only, please... _H*]

From: Andrew Klossner 24-OCT-1989 12:01:38
To: misc-security@tektronix.tek.com
Subj: [750] Re: datacrime II

"In view of the huge demand and the clear anxiety indicated by that, Cate has decided, with the approval of PCM, to make the antidote more widely available on disk. Additional information can be obtained from her directly ..."

I can't think of a better way to spread a virus than to launch a separate virus, publicize its dangers, then release an antidote containing the new virus. And who can make a better antidote to the first virus than its author?

This is all purely hypothetical, I know nothing of Rikki Cate and have no reason to suspect her ... but you've got to be paranoid in this field.

-=- Andrew Klossner (uunet!tektronix!frip.WV.TEK!andrew) [UUCP]
(andrew%frip.wv.tek.com@relay.cs.net) [ARPA]

From: "Anthony A. Datri" 24-OCT-1989 12:37:03
To: security@pyrite.rutgers.edu
Subj: [812] re: email addr on business card

I can't see this at all. For one, "file server" is kind of a loose thing.
The cards we fill out for free subscriptions to trade rags routinely ask for the numbers of machines at your site; I can't see how that could possibly be of any use.

I introduced the idea of email addresses on business cards at a previous employer, but then, they were more backwards than I want to think about. The form here at Convex that you fill out to get cards has a blank on it for your address.

If a company has a consistent namespace and nicely done mailers, everyone's card should say foo@company.com anyway, which wouldn't tell anyone more than the fact that you had one machine, which they could have figured out anyway. Even so, nothing's stopping them from scribbling their addresses on the back of the card anyway.

From: stodol@diku.dk (David Stodolsky) 24-OCT-1989 13:10:32
To: misc-security@dkuug.dk
Subj: [2142] Re: Personal Health Security System

> Person then deletes this AIDS info. from their card. VOILA! No more
> record of their AIDS infection.

Information is updated daily. If you can not show a current health certificate, encoded with a digital signature of a doctor, people give you plenty of room, unless they wish to take their chances.

I will send the complete proposal to those interested, or post it, if I get three or more requests. It is about ten pages.

--------------------------------------------
Secure Distributed Databases for Epidemiological Control

Abstract

The project's objective is to develop a personal computer-based system for control of infectious agents. The overall goal is a better understanding of effects of enhanced social facilitation and health education on disease transmission. A new theory for real-time epidemiological control, based on contact tracing, is used to design a cryptographically secure distributed-database system providing situationally specific risk assessments that are based upon personal histories. Personal computer systems negotiate exchanges of information that permit preselection of conversation partners.
The techniques used yield unprecedented protection for users' identities and data. The systems permit self-administration of questionnaires and distribution of health information, as well as communication with selected conversation partners. Information on changing health status and risk-related behaviors is routinely gathered during system operation. In addition to giving users situationally specific risk assessments, these data permit new types of epidemiological analysis. A pilot project devoted to design and development of a prototype system is specified in detail. The plan includes discussions with potential organizational participants in the proposed experiment and other interested parties.

--
David S. Stodolsky, PhD        Routing: <@uunet.uu.net:stodol@diku.dk>
Department of Psychology       Internet:
Copenhagen Univ., Njalsg. 88   Voice + 45 31 58 48 86
DK-2300 Copenhagen S, Denmark  Fax. + 45 31 54 32 11

From: Joe Meister 31-OCT-1989 2:43:23
To: security@pyrite.rutgers.edu
Subj: [489] RE: How to track people down?

You might want to try a credit bureau. You will not be able to get credit information, but they often offer services that can trace name and address changes. It might cost from $2-$4 per find. Avoid services that charge just for looking. Also, some services will look for you, and others provide on-line lookups. Finally, we are an institutional user, I am not completely sure that individuals can use the service. Also, it is incredibly easier to use social security numbers. Good luck.

From: conch!steve@uunet.uu.net (Steve Froeschke) 31-OCT-1989 3:11:11
To: misc-security@uunet.uu.net
Subj: [308] Re: locks (again)

We use several Sargent & Greenleaf locks where I work (U.S. Navy here in Key West FL), and I've found them to be one of the best. They are well built, (read HEAVY to hold :-) ), and easier than most to do combination changes on. I can highly recommend them from over 8 years of working with them.
Steve

From: Michael Stack 31-OCT-1989 3:36:37
To: SECURITY Digest
Subj: [495] Re: How to track people down?

I know this isn't exactly a "high-tech" answer, but our high school reunion committee made good use of city telephone directories they found at a local library. It means lots of phone calls, and it won't help with names changed through marriage, but the results were impressive. Only about five percent of our graduating class was not found twenty-five years later, and we'd be silly to believe that at least some of those didn't want to be found.

Michael Stack
Northern Illinois University

From: jimkirk@outlaw.uwyo.edu (Jim Kirkpatrick) 31-OCT-1989 4:04:21
To: SECURITY@pyrite.rutgers.edu
Subj: [709] Re: locks (again)

(Curiously, the original question's headers did not indicate the originator thus I must reply to the list)

The Sargent & Greenleaf lock is the subject of a small book on how to manipulate combination (safe & vault) locks. A friend actually bought one to play with, and it is in fact somewhat easy to open. I have an old Yale that's essentially impossible. The book describes anti-manipulation features as: tightened tolerances, added mechanical features to prevent reading contact points, and added features to create false sounds or feelings. In the S&G manipulation-resistant type, the design prevents reading contact points and would appear to be much more difficult to open than the vanilla type.

From: judice@kyoa.enet.dec.com (Louis J. Judice 18-Oct-1989 2147) 31-OCT-1989 4:29:51
To: "security@pyrite.rutgers.edu"@decwrl.dec.com
Subj: [876] RE: USA Today: "Hackers can tap into free trip"

I installed one of these in an installation about 2 years ago. It's a dial-back security device called a Traq-net (I believe), made by Lee-Mah Data Security. The tone is a prompt to enter a touch tone id-code.
With the id-code, the device calls back the telephone # associated with the id-code, which then auto-answers or manually answers the line, establishing a modem connection. I believe there is also a provision for having it dial you at other pre-determined numbers when you are travelling. The Traq-net also logs all calls, both invalid and valid.

It was a neat device, but there was significant user resistance to using it, so it eventually fell into disuse. Combined with a strong security program it would probably work well in some environments.

Lou Judice
DEC

Note: this posting is my opinion only and is not an endorsement of the product(s) mentioned.

From: Jeffrey Walsh 31-OCT-1989 4:58:11
To: security@ohstvma
Subj: [1323] Re: How to track people down...

As far as I know, and I'm not sure if this is a NY state law or a federal law, but most information held by a college/university registrar concerning name, address of record, phone number, etc., is not confidential, unless the student/alumnus specifies so. If these people have or have had a relationship with an institution of higher learning, this might be one avenue.

There's always the notion of posting something in the personals of a well-read paper (eg - Village Voice) where people look for that type of thing. If the group has something in common, focus in on that -- they might be peeved if last names are involved. The key here is, of course, where do you think they are geographically centered?

If anyone in the group has even a remote connection with the military, try using the locators (usually free) in the branch publications: Army Times, Air Force Times, Navy Times... Even if they've served in a unit five years ago and aren't in anymore, there's the chance that someone who served with them might still be and be able to relay you information on their whereabouts.

I'm not sure about the confidentiality laws that you queried about. Sorry.
If you want the address for the locator service of the service papers, write me at the address below.

Jeff Walsh "JEWALSH@FORDMURH"
Fordham University

From: Brian Kaplan 3-NOV-1989 1:04:23
To: SECURITY@UGA
Subj: [331] RE: Personal Computer Viruses

Doesn't make any sense. As soon as one formats a disk, all the tracks and sectors become available for data and if there was a virus written on the unformatted disk, it would be overwritten. One could always be safe and use one of the Norton Utilities and erase the disk to government specs. I would worry about it. Bye for now.

From: Trond Borgen Mork 3-NOV-1989 1:41:15
To:
Subj: [722] Earthquake

Hello everybody !

I'm interested in information (independent stories) about the California earthquake's impact on computer systems in different companies and organizations. Any stories about preparedness (good and bad) and consequences because of computer breakdown are highly welcome. It would be particularly interesting to hear about how consulting firms and research institutions dealing with computer security handled the disaster. However, other kinds of companies and organizations are interesting too.

I'm a project leader working on information security at Moere og Romsdal Teknologisenter (MRT). MRT is a research institute in Aalesund. Aalesund is a city on the western coast of Norway.

Greetings, Trond.

From: JohnH 3-NOV-1989 2:06:38
To: security@ohstvma
Subj: [494] A big excuse from somebody I don't even know...

Sorry for bothering the list, but it's the only thing I can do... Somebody whose name I forget wrote to me asking for my DES implementation. I replied to him and said I would send you something, which I didn't... The reason is that after I replied to your mail message, I deleted it and thus couldn't remember your username and address to send you the files... I apologize for that and ask you to send me your address again to send you the file. Again, really sorry, I apologize.

John Haritos.
From: *Hobbit* 3-NOV-1989 2:34:25
To: security
Subj: [701] addresses

It's been brought to my attention that Bitnet listservers fairly often mash From: addresses to show security@pyrite.rutgers.edu instead of the original sender of the message. Despite, of course, all my efforts to make Sendmail retain these lines. [Listserv leaves a lot to be desired.] If you're on a bitnet machine and wish to reply to a message, please read the incoming headers carefully to figure out who the message is from [and feel free to contact me if they've been muched beyond belief and you can't figure out who it's from]. Since different machines treat incoming mail differently, there's no way for me to experiment and come up with something that reliably works everywhere...

_H*

From: dasys1!eravin@cmcl2.nyu.edu (Ed Ravin) 3-NOV-1989 2:57:15
To: misc-security@cmcl2.nyu.edu
Subj: [1073] Re: Bike Locks

One thing the enlightened cyclists are doing in Manhattan is to always lock the bike up with two different kinds of locks. The average bike thief is only prepared to break one kind of locking system. The usual combination is a U-lock and a flexible cable with padlock. That means the thief would have to carry two different sets of tools to get the bike.

Most streetwise bikers also take some old chain links and rivet a little loop of chain between the bicycle seat and the frame, to discourage parts thieves from taking the seat.

Bike theft is disgusting in this city: even your 3-speed covered with rust isn't safe. The new unit of commerce is the crack vial: as long as your bike is worth at least one vial to someone, it is a potential theft target.

--
Ed Ravin                  | hombre!dasys1!eravin | "A mind is a terrible thing
(BigElectricCatPublicUNIX)| eravin@dasys1.UUCP   |  to waste-- boycott TV!"
--------------------------+----------------------+-----------------------------
Reader bears responsibility for all opinions expressed in this article.
From: JUTBAAA 5-NOV-1989 12:54:07
To:
Subj: [189] PASSWORD ON ZENITH Z-286 LP DESKTOP....

IS THERE A WAY TO ERASE THE PASSWORD FROM THE EEPROM? SOMETHING SHORT AND SWEET LIKE THE ONE FOR THE PS2 WILL BE APPRECIATED.

Abhik Biswas
Indiana University of Pennsylvania, Indiana, PA.

From: TENCATI@nssdca.gsfc.nasa.gov (SPAN SECURITY MGR. (301)286_5223) 5-NOV-1989 13:36:45
To: misc-security@uunet.uu.net
Subj: [445] Re: Privacy vs on-line library

On a related note - Did you know that the 976- , and 1-900 people also keep track of who calls, and sell your phone numbers to advertisers in the same manner that credit card companies sell your address? I'm not sure if this is also true for 1-800 calls, since they are AT&T or another carrier company, but apparently there are no rules against selling your number.

Ron Tencati
NASA/Goddard Space Flight Center
Tencati@Nssdca.Gsfc.Nasa.Gov

From: deh@mordor.eng.umd.edu (Douglas Humphrey) 5-NOV-1989 14:15:48
To: cygnus@vax1.acs.udel.edu
Subj: [615] Re: IR sensors: can they be tripped w/ a lo pwr IR laser?
Cc: security@pyrite.rutgers.edu

I used to do this all the time with "thermocons" which were IR sensors that a local (big) security firm placed in front of doorways to trip the drop bolt when people were walking OUT of the secured location. This was a big problem, since fooling the thermocon made the door unlatch.

Even if there is no way to do it with a laser (sometimes you could not get line of sight to the sensor) then you can get a can of lighter fluid, squirt it all under the door, and then light it, which I *assure* you will trip the sensor. Remember to put the fire out before you wander through the place and steal stuff....

Doug

From: gwyn@brl.mil 5-NOV-1989 14:57:28
To: security@rutgers.edu
Subj: [675] Re: locks (again)

>How secure are Sargent & Greenleaf combo locks?
>What do we get for their "anti-manipulation" feature - just an extra key
>lock that immobilizes the combination dial?
It depends on the model, but in general S&G makes pretty good combination locks. "Anti-manipulation" usually indicates just what it says, that the lock design includes features especially aimed at making manipulation (the art of opening a combination lock without knowing the combination a priori) difficult. One such feature would be additional (shallow) fake notches around the periphery of the wheels. The best feature is one that prevents using the actuator handle to apply drag to the wheel pack.

From: CNSM CCR _ Rob Rothkopf 5-NOV-1989 15:38:54
To: security@pyrite.rutgers.edu
Subj: [949] Alarm Tripping, Home Alarm Installation

I have a home wired with all Radio Shack parts; when the main unit is tested alone without ANY loops, all works fine (keypad, panic buttons, etc). When I add any loops to it, it periodically is tripping for "no apparent reason."

The loop is a straight loop consisting of only Vibration Sensors... due to the false tripping the adjusting screw has made the system useless for now as only a LARGE bang would trigger them.. but still, on a calm day, no winds, everyone still, the alarm (armed) is being set.

All I could figure is something building up resistance in the circuit.. all wires are stapled to wooden structural supports or studs, the system is grounded and there is a battery backup in place. ANY ideas as to what could be causing the problem??? At times it has been flawless for periods of 2 months and then it starts happening daily!! :(

--Rob Rothkopf
BITNET: MASROB@UBVMS
INTERNET: masrob@ubvms.cc.buffalo.edu

From: OPER014@umuc.bitnet 5-NOV-1989 16:26:40
To: SECURITY@UBVM
Subj: [942] ps/2

I know that shorting the 2 pins by the speaker will get you into a password protected ps/2, but I don't think it actually reinitializes the password... It's my understanding that that feature is for repair persons, and they would not necessarily want to erase it. Please, somebody tell me if I'm wrong...
Also a note to the more security conscious- As an occasional practical joke I gain entrance to people's PS/2s by shorting those 2 pins with a paper clip through vent holes in the case. (I have only tried this on Model 50s). So you may want to place some kind of shield inside the box... locked, of course.

Incidentally, this was 'fixed' on the 50z- you have to move a jumper from one pair to the other in a group of three pins... the jumper is large enough to cover the shorted pins completely.

---------------------------------------------------------------
oper014@umuc  @umuc.umd.edu  Jim
What's that red button do?

From: swn@stingray.rice.edu (Steve Nuchia) 5-NOV-1989 17:13:36
To: misc-security@uunet.uu.net
Subj: [965] Re: Email addresses on business cards risky?

> DEC also won't let us put 'internal' hostnames on our business cards.

The obvious solution is to have DEC-wide unique aliases recognized by the mail server on dec.com. Then put unique.id@dec.com on your cards. If you come across a CMU business card check it out -- excellent example.

Not putting internal names on published documents is a good idea for two reasons. First it prevents trouble when the machine you named goes away, permanently or temporarily. Secondarily it makes it harder for the bad guys to use "traffic analysis" and similar techniques to deduce things about what DEC might be up to. Personally I think if they care enough to do that there are other ways to figure it out, but since the technical considerations align with the political in this case it seems logical to do it right.

In the absence of a usable common address the "security" argument has to be fought. It is weak but not invalid, so it becomes a question of priorities.

From: NESCC@nervm.bitnet (Scott C. Crumpton) 5-NOV-1989 18:02:33
To: security@pyrite.rutgers.edu
Subj: [1136] RE: Home Alarm Installations, R.S. Setups

> I found the resistance in each switch to vary, one by over 100 ohms... secon
> later the same switch read 7 ohms.?!

Hmm...
I installed a RS system in my house and found this to be a major problem. It appears that RS sells the lowest quality magnetic switches possible. The only way I was able to solve the problem (short of replacing all the switches) was to wire each loop to control a 12v relay. The relay contacts were then wired to the alarm center in place of the loop. This had the effect of increasing the loop current from about .5ma to 50ma. The increased current and/or the inductive "kick" from the relay coils seems to have solved the problem.

Before adding the relays I was averaging one false alarm per week. Obviously an unacceptable situation that prevented connecting the noise makers. After adding the relays I continued testing the system for 3 months with zero false alarms before connecting the noise maker. It has now been connected for about 2 years with zero false alarms.

The moral of the story is that the RS stuff can be made to work reliably. But probably not by your average consumer.

---Scott.

From: deh@mordor.eng.umd.edu (Douglas Humphrey) 5-NOV-1989 18:36:12
To: 34AEJ7D@cmuvm.bitnet
Subj: [1737] Re: locks (again)
Cc: security@pyrite.rutgers.edu

To a large extent, S&Gs are the best ( or one of the best). We have them on a Mosler and an older Remington safe, both GSA certified storage containers for classified materials, the Remington at Secret and the Mosler higher than that. The Mosler is a double safe, with an S&G MP on the outside, and a special S&G on the inside (built to somebody's specifications).

Your local Mosler lock people will support the S&Gs with no problem, doing yearly maintenance, etc. and getting you out of a jamb (pun intended) when you need it...

I am not sure what you mean by "anti-manipulation" feature; ours are MP locks, Manipulation Proof, but that really has to do with the internals on the lock, not an external locking pawl or anything like that.
By the way, don't make the mistake that a lot of people do and fail to get yearly maintenance done on the lock(s). Sure, they most likely won't need it, and you will be throwing around $100/year to the wind, except for the day that the damned thing jams on you, and you discover the extreme cost of having your safe/vault drilled... Remember that these things are designed specifically to make it hard to do this. The estimate to have one of ours drilled by Mosler was many hundreds of dollars, plus materials costs (14 diamond tipped bits, 2 drills [they figure that they will burn out 2 doing this] and other assorted things) plus the cost for them to weld in a plug of hardened steel and then the possibility (if you are a cleared storage facility) that the Government folks are not going to like the plug job and require that you buy a new safe door and have it put on... Big Bucks...

Doug
Digital Express, Inc.

P.S. We didn't have to have it drilled, we were just asking...

From: virtech!jje@uunet.uu.net (Jeremy J. Epstein) 9-NOV-1989 1:01:47
To: misc-security@uunet.uu.net
Subj: [351] Trusted Mach, Ada & Mach

I'm working on a project involving implementing a B3-level Mach system (or portions thereof) in Ada on a DARPA grant. I'd be interested in hearing about other people/projects who are working on trusted Mach and/or using Ada on Mach.

Please email to uunet!prcrs!abqord!jje or uunet!virtech!jje

Thanks
Jeremy Epstein
TRW Systems Division
703-876-4202

From: Noel Del_More 9-NOV-1989 1:38:45
To: security@rutgers.edu
Subj: [760] System's Security

I am writing a term paper for one of my graduate courses on the subject of computer security and the effect that it, or should I say the lack of it, has had on our society.

In particular I'd like to focus on corporate strategies and responses to actual and/or potential breaches of systems security which have resulted or had the potential of resulting in the loss of assets, intellectual property or sensitive data.
I would appreciate receiving information concerning any bibliographic references, case studies or legal actions involving the subject of which you may be aware. In addition, I would very much like to hear about your companies' policies and strategies to prevent and/or deal with breaches of systems security.

Thank you,
Noel

From: "Jack L. Coffman" 9-NOV-1989 2:08:48
To: security-request@pyrite.rutgers.edu
Subj: [871] [869]

Return-path:
Date: Fri, 27 Oct 89 10:44:45 EDT
From: "Jack L. Coffman"
To: security-request@pyrite.rutgers.edu

We at the University of Kentucky run an IDMS data base at the central computing center. Most batch updating is performed at night by our central data control staff. We do have programmers distributed in user offices who now do some batch updating to the data base. Most user departments have people who execute reports using COBOL, MARKIV, OLQ, CULPRIT, and SAS against the data base and extract files.

We are at the point of deciding how to set up libraries to allow user departments to update or execute reports from the data base or extract files. Does anyone have any experience or words of wisdom on how to approach this decision? Are we unique in allowing user departments to update the data base?

Thanks

Jack L. Coffman - UKA051@UKCC
Security and Contingency Planning Officer
128 McVey Hall
University of Kentucky
Lexington, Ky 40506-0045
(606)257-2273

From: harald@kumquat.ucsb.edu (Ommang) 9-NOV-1989 2:38:01
To: misc-security@ucsd.edu
Subj: [982] Papers / books on UNIX security ?

Hi !

I'm writing a paper for a Graduate class in Computer Security here at UCSB. The paper will compare security features of two operating systems that are in use all over the commercial world : Hewlett-Packard's MPE and UNIX. I have worked with MPE security for several years, so I have that covered, but I am a fairly novice user of UNIX.

My question is : Can anyone out there recommend (and point to) articles and books on UNIX security.
I will mostly deal with issues like password and file security, and also ways of acquiring more capabilities (i.e. system manager / superuser) than one is supposed to.

Please reply by e-mail to : harald%cornu@hub.ucsb.edu

==================================================================
"Born in the ice-blue waters of the festooned Norwegian coast.."
  - Bertrand Meyer on object-oriented programming
Well, so was Harald Ommang. harald%cornu@hub.ucsb.edu

From: nagle@well.sf.ca.us (John Nagle) 9-NOV-1989 7:56:27
To: misc-security@uunet.uu.net
Subj: [253] Re: REINIALISING PS/2 PASSWORDS

>Next to the speaker on the earlier PS/2's is a pair of jumper pins.
>If you short these while the machine is being powered up, the password
>will be cleared from memory.

How convenient. Was this designed in, or is it a flaw?

John Nagle

From: GREENY 9-NOV-1989 8:20:05
To:
Subj: [738] re: FAXen security

> Is there any work being done in the area of security or authentication for
> FAXen?

Well, on the fax machine that we have where I work, it has a security code that can be set (actually an 8 bit binary number). If the code is set to all 1's, then no polling can occur. If the code is set to all 0's, then anyone can poll the machine for a fax, and if the code is set anywhere in between then the polling fax machine must have the same security code...

perhaps this Ad agency would do well to set their security codes for confidential documents? (at least I *assume* it was confidential...:-> )

Bye for now but not for long
Greeny

BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

From: CNSM CCR _ Rob Rothkopf 9-NOV-1989 8:47:18
To: security@pyrite.rutgers.edu
Subj: [1108] Universal Card System

The University of Buffalo is considering the feasibilities/possibilities of establishing a "universal" card-access system for all areas of University activity.
This single card would be used by all faculties including:

 -- University Libraries: could be used with copiers
 -- Records/Admissions: could be used as positive student ID
 -- Could be used as "meal card"
 -- Keyless card-entry system into student dormitories
 -- Miscellaneous applications including single-vote verification, purchasing, student accounts (perhaps mom and dad could "easily" add money for students to later have access to for food, etc.)

We've received some literature on the "Smart Card" and how it might fill our needs; since this is the beginning of this investigation we could use any input others may have from previous experiences with card systems.

If anyone has experience with/knowledge of the "Smart Card" or *any* other established card access system, I'd appreciate the advice and info. Either reply direct or through the net (some might find this info. useful)

Thanks in advance.

--Rob Rothkopf

From: "W. K. (Bill) Gorman" <34AEJ7D@cmuvm.bitnet> 9-NOV-1989 21:08:41
To: SECURITY Digest
Subj: [465] Re: Privacy vs on-line library

>It was a wrong assumption from the view that I don't KNOW they are keeping
>track, but I don't KNOW that they AREN'T. Any such system CAN be abused

The DEA regularly raids "indoor gardening" stores, many of which can and do serve a legitimate, law-abiding clientele, without ever filing formal charges against the owners, merely to gain the computerized customer lists therefrom. If this is not the sort of abuse you refer to, it is skating very close thereto.

From: davecb@nexus.yorku.ca (David Collier_Brown) 9-NOV-1989 21:28:40
To: misc-security%mnetor@uunet.uu.net
Subj: [746] Re: Privacy vs on-line library

> Any such system CAN be abused almost trivially and without notice
> to the users. [...] the information to exist, than to be assured (by
>people who don't even understand the system) that such records aren't being
>kept.
A specific, known example: a crossmatch between a library system and a pharmacy system running on the same timesharing service:

    from pharmacy, select females with prescriptions for birth control pills
    crossmatch with library for address and age
    print where age < 30 and city = this one.

--dave c-b
--
David Collier-Brown,  | davecb@yunexus, ...!yunexus!davecb or
72 Abitibi Ave.,      | {toronto area...}lethe!dave
Willowdale, Ontario,  | Joyce C-B:
CANADA. 416-223-8968  |    He's so smart he's dumb.

From: zeleznik@cs.utah.edu (Mike Zeleznik) 9-NOV-1989 21:45:00
To: security@pyrite.rutgers.edu
Subj: [805] Re: Privacy vs on-line library

Just wanted to point out that this issue of identification while maintaining privacy has been the subject of a number of research articles in the computer science community.

One that comes to mind is: "Security Without Identification: Transaction Systems to Make Big Brother Obsolete", David Chaum, Communications of the ACM, October 1985, p1030+.

Another one, less concerned with privacy, but with many references to things related to the concept of data surveillance, is: "Information Technology and Dataveillance", Roger Clarke, Communications of the ACM, May 1988, p498+.

--Mike

Michael Zeleznik
Computer Science Dept.
University of Utah
zeleznik@cs.utah.edu
Salt Lake City, UT 84112
(801) 581-5617

From: davecb@nexus.yorku.ca (David Collier_Brown) 9-NOV-1989 22:10:48
To: misc-security%mnetor@uunet.uu.net
Subj: [906] Re: Privacy vs on-line library

>Another reason (variation on the above) is that the member libraries
>are billed based on the usage by their people. This requires that the network
>know what library you are from when using this system.

The libraries are both charged by information providers and funded by supporting organizations based on use and/or membership.
When working for a supplier of some slight note, I was surprised at the conflicting needs to keep track of usage information for funding purposes (and for book-replacement estimates), and the need to **not** keep track of readership information for particular books. And yes, both are legally mandated and prohibited in differing jurisdictions (:-}).

--dave
--
David Collier-Brown,  | davecb@yunexus, ...!yunexus!davecb or
72 Abitibi Ave.,      | {toronto area...}lethe!dave
Willowdale, Ontario,  | Joyce C-B:
CANADA. 416-223-8968  |    He's so smart he's dumb.

From: *Hobbit* 9-NOV-1989 22:23:13
To: security-list-outbound@pyrite.rutgers.edu
Subj: [950] Secure Distributed Databases for Epidemiological Control

David Stodolsky has submitted the entire text of his paper on databases for epidemiological control. It is over 38Kb, so rather than post it I'm making it available via FTP for anyone interested. It's at pyrite.rutgers.edu in security/epidemic-control. I will also mail it to any non-internet recipients [who can't grab this directly] that ask for a copy...

_H*

--- head of David's message ---

Date: 29 Oct 89 20:27:52 GMT
From: stodol@diku.dk (David Stodolsky)
Subject: Secure Distributed Databases for Epidemiological Control
To: misc-security@dkuug.dk

English update of: Stodolsky, D. S. (1989, August). Brugerforvaltet datakommunikationssystem til bekaempelse af seksuelt overfoerbare infektionssygdomme [Secure Distributed Databases for Epidemiological Control]. Research proposal submitted to the AIDS-Fund Secretariat, Danish Health Department. (Available from the author at the Psychology Department, University of Copenhagen)

From: rjg@sialis.mn.org (Robert J. Granvin) 12-NOV-1989 23:41:28
To: misc-security@uunet.uu.net
Subj: [846] Re: Privacy vs on-line library

> You can walk into the library and read the thing, because the library
>is supported by the university and assumes that nobody NOT from the university
>will use it (or at least the use will be minimal).
Universities are supported by tuitions, grants and public and state funding. Universities are centers of knowledge and learning. The libraries of these universities are open and available to everyone. The information contained therein isn't restricted in any form to only students "And others as long as the use is minimal".

--
________Robert J. Granvin________   INTERNET: rjg@sialis.mn.org
____National Computer Systems____   BITNET: rjg%sialis.mn.org@cs.umn.edu
__National Information Services__   UUCP: ...amdahl!bungia!sialis!rjg
"Insured against Aircraft, including self-propelled missiles and spacecraft."

From: "Craig Finseth" 13-NOV-1989 0:03:06
To: jonhaug@ifi.uio.no
Subj: [905] Privacy vs on-line library
Cc: security@rutgers.edu

If security is defined as "a system's ability to maintain confidentiality, integrity and availability of information", where does privacy fit?

I would say that "security" is an amoral term. It refers to whether the system is performing its job properly. "Privacy," on the other hand, provides constraints on the system's goals. In particular, a system can be secure without being private.

Hypothetical example: a credit bureau may operate a secure system. However, the bureau may choose to sell its data to a third party. No security breach has occurred, but a privacy breach has (in this example, at least).

Another question: Do you agree with the above 'definition' of privacy? Does your country's privacy act (if you have one) agree?

(1) Yes. (2) Who knows, at least in the U.S.? (:-).

Craig A. Finseth  fin@msc.umn.edu [CAF13]
Minnesota Supercomputer Center, Inc.  (612) 624-3375

From: Jeff Suttor 14-NOV-1989 9:11:57
To: security@pyrite.rutgers.edu
Subj: [549] Re: Re: Privacy vs on-line library

> A few programmers can even construct the borrowing history of a given
> individual (a moment's thought about how a library works will tell you this)

This is not true for the Library I program for.
When a circulation transaction is resolved, checked back in, the circ trans is archived but any link to the user record is zeroed out. This allows the archives to be used for stat anal but protects the privacy of the user. Most Libraries are strong believers in information rights and do whatever they can to protect the rights of their users.

From: shz@packard.att.com (Seth Zirin) 14-NOV-1989 18:34:34
To: misc-security@att.att.com
Subj: [675] Re: locks (again)

Sargent & Greenleaf locks are very high in quality. Their manipulation resistant locks are still acceptable for use on GSA-rated classified information storage containers. LaGard and Mosler locks are no longer acceptable because they can be compromised with auto-dialers.

The manipulation resistance of S&G 8400 and 8500 series locks is not derived through the use of key-locking dials although locking dials are available as an option. The action of the locks is designed to deter manipulation by preventing convenient contact between the lever nose and drive cam.

S&G locks are among the best available.

Seth Zirin, CPL
Member Safe and Vault Technicians Association

From: "Robyn Robertson GSRLR@ALASKA" 14-NOV-1989 19:09:26
To: security@pyrite.rutgers.edu
Subj: [3769] How to track people down.

Finding people? I have spent considerable time and effort doing this sort of work. The only solid rule for tracking people down is that there are no solid rules. In general, finding people depends upon knowing enough about the target subject(i.e. the person you want to find) to gain direction for the search.

For instance, I was retained to search for a gentleman that had absconded from the Seattle area with substantial debts left behind. I knew very little about the guy other than his name, the fact that he had a trust fund administered from Los Angeles, and that he had been planning to wed a woman from Seattle when he was last heard from several weeks before.
In this case, I managed to locate a marriage license in the King county (Seattle) Courthouse which yielded the name and address of the woman he had, by the time of this search, married. Although the man had covered most of his tracks pretty well, the woman he had married took no effort to obscure her path. Consequently, I had the woman's name and last known residence (in Renton, Washington, a suburb of Seattle) when I left the courthouse.

Once I had this, the remaining follow up was reasonably simple. It turned out that her prior residence she had been living in was up for sale. A visit to the real estate agent acting as broker afforded a reasonably fast face-to-face meeting with the fugitive I sought. He, it developed, was handling all the business of his new wife. The real estate agent very thoughtfully arranged the meeting, and also provided me with the seller's new home address.

I tell this story as a means of illustrating an approach to finding people. While in general it is helpful to review information resources like the telephone book, Polk directory, etc., I believe that a general principle is the best advice. Find out all you can about your target, then determine what, if any, information resources this knowledge of your target implies. If you are uncertain what information your basic knowledge of your target does imply, take what you know to an expert (like the records clerk in the city/county building where the target I mention above had filed his marriage license) and ask the expert what intelligence is necessarily implicit in the information you have as a foundation. Once this is accomplished, the remaining task is to exploit this information.

As for expert assistance in developing the leads that you start with, there are as many sources for this intelligence as there are categories worth exploiting.
I know very little about tennis, for instance, but I know enough that if I found that a suspect I sought was a heavy tennis player, I could certainly locate a tennis expert to tell me what organizations associated with tennis might yield the suspect's location. Failing that, if the suspect is a serious tennis player, and I have a good idea what city he might be in, I might be able to develop leads by asking questions at athletic clubs in the area.

Although this approach seems like common sense, many people tend to forget what creatures of habit we humans are, and they consequently fail to exploit the obvious when searching for someone. Nonetheless, I have found this approach fairly useful. Just find out all you can about your target, then think! One must compile all available information on the target subject, then follow it up and exploit whatever leads this information develops.

===========================================================================
Robyn Robertson | The opinions expressed here are
BITNET: GSRLR@ALASKA | my own
Internet: GSRLS@acad3.fai.alaska.edu |
P.O.Box 81638 |
Fairbanks, AK 99708 |

From: Linda L. Julien 14-NOV-1989 22:23:44 To: MASROB@ubvmsc.cc.buffalo.edu Subj: [341] Universal Card System Cc: security@pyrite.rutgers.edu

I haven't had experience with these systems, but I don't like the idea. If a student loses this one card, they're out of luck until it's replaced. With everything separate, if you lose your keys, you can still eat, and if you lose your library card you can still get into your room.

Linda Julien
leira@eddie.mit.edu
leira@athena.mit.edu

From: gwyn@brl.mil 14-NOV-1989 22:54:44 To: security@rutgers.edu Subj: [486] Re: Privacy vs on-line library

>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.
If they're doing this without a warrant issued by a Federal judge, they're violating the law (as I understand it) and certainly are acting against the intentions of the fine folks who founded our system of government. Feel free to blow them away.

From: 14-NOV-1989 23:30:34 To: Subj: [631] Universal Card System

The first thing that comes to my mind after reading about this "Smart Card" is its potential for abuse. If it is lost or stolen, how easily can the 'old' card's access be removed from the system? Also if it is lost or stolen, will a 'backup' of its information be kept in a separate facility - imagine the concern if the student adds $500 to the card, only to have it lost or stolen moments later on the way to class.

Just some thoughts that came to mind...

Bill Berbenich wberbeni@gtri01.gatech.edu
Office of Computing Services @gtri01.bitnet
Georgia Institute of Technology

From: meister@gaak.lcs.mit.edu (phil servita) 15-NOV-1989 22:59:56 To: security@pyrite.rutgers.edu Subj: [199] bike locks

The kryptonite K4 bike lock now comes with a 1000 dollar guarantee against theft. this guarantee is valid everywhere but New York City. Funny that.

-meister

From: Nutsy Fagen 15-NOV-1989 23:19:15 To: security@pyrite.rutgers.edu Subj: [618] Sescoa hardware info

I'd like to get in touch with anyone out there who's had experience with a Sescoa 3000 alarm receiver. (This applies more toward large-scale security systems, so if anyone knows of a better list to ask this on, please let me know that also)

Specifically, we'll be adding a computer to it for monitoring, and would like to quiet the 'beep' while the computer is on-line. Any expensive or time-consuming mods wouldn't be too appropriate, since we plan on upgrading to a Radionics receiver within a year or two.

Thanks ahead of time for any help.

Mike Bunnell
MJB8949@ritvax (bitnet)

From: Robert Allinson 15-NOV-1989 23:35:40 To: Subj: [1101] Cellular Modems

Does anyone know about the security implication on Cellular Modems?
Since cellular transmissions are in the 800 frequency band, anyone with a receiver which can tune in to these high frequency bands could listen in. Therefore, I have 2 questions:

1. How is a Cellular modem different than regular modems? (What special features must this type of modem have?)
2. How about security? If anyone can basically "Tune" in, what implications will this lead to as far as the technological aspect of the hardware?

I'd appreciate any comments on this matter.

+---------------------------------------------------------------------+
: Robert C. Allinson Purdue University - Computer Technology :
: Bitnet: XA3I@PURCCVM :
: :
: Work Phone: (317) 494-1638 Administrative Data Processing Center:
: :
+---------------------------------------------------------------------+

From: Frank Tompkins 16-NOV-1989 0:16:38 To: tcp-ip@utdalvm1 Subj: [14208] Site Policies Cc: security@ohstvma, ibmtcp-l@cunyvm, ibm-nets@uga

Greetings,

Thanks to all of you who responded to my question last month regarding site policies about the use of Ethernet/Internet and possible integrity problems. Of the 21 responses I received, almost half (9) were requests for the results. This implied a lot of interest in the topic, so I was mildly surprised that I didn't get more responses. Anyway, here's what I got (first the question again):

. . .

> 1) Other than the well known ease with which thick Ethernet cables
> can be tapped and passing data extracted, are there other weak
> spots (security wise) that we should be aware of regarding the
> physical links,
> and
> 2) What are the policies (briefly) that other campuses have regarding
> allowing confidential administrative data (user id's, passwords,
> and transactions) to flow over Internet links.

. . .

I would be very interested in the content of your replies. We have just started Ethernet service on our academic 3081 using VM TCP/IP. There is already a good deal of pressure to allow administrative access to our 3090 running MVS.
I would greatly appreciate forwarded replies, and the final conclusion you reach and why you made that decision. Thanks.

. . .

********* has over 4000 (that's not a typo) VAXs, workstations, Suns, and a few large IBMs hooked via TCP/IP. The hardware is NSC hyperchannel for a backbone and their routers on local ethernets. We have lots of business data and engineering data going internally and internationally. Because of legal considerations, we have stated over and over that the network is not a secure network, and had better be treated as such. That probably has been forgotten along the way, but at least we're on record as trying to do the right thing. Hope this helps.

. . .

well I think the biggest issue is not to allow any non-secure machine to be directly attached to the backbone, since it then can be put in promiscuous mode and monitor the traffic. There is no way to secure a PC or other workstation type machine. If it is separated from the backbone by at least a router, then only information from that particular subnet will be potentially visible to it. folk kick about the extra cost, but i think it is essential.

. . .

We are currently in the process of setting up as you describe. We were also concerned about the lack of security of ethernet. As soon as it arrives I hope to switch our 8232 from VM to MVS. Since we were assured that there is little difference in most of the TCP/IP code used on the 2 operating systems we began developing an encryption technique for use over ethernet. The authors of the BW series of ethernet software are part of our networks & communications group, in fact they both read the TCP/IP lists. The BW software now supports access via the 8232 and they expect to have the encryption facility working shortly. This will consist of a new version of the BW software together with updates to the mainframe TCP/IP software. Other changes include full color support as well as handling the YTERM TPRINT command. Kermit is used for file transfers.
. . .

I would be interested in a posted summary of this information, and if you find any archived documents, I'd be interested in those too. I've only been on TCPIP-L since May, but I have not seen anything on this subject there or on another list.

. . .

I too am interested in responses to these questions. Some members on our campus are also contemplating allowing access to "sensitive" information via the campus TCP/IP network (using Telnet, FTP, etc.). Some of our local experts feel that we have little to be concerned about. However, I read an article in the April issue of "Computer Communication Review" titled "Security Problems in the TCP/IP Protocol Suite" by S.M. Bellovin (AT&T Bell Laboratories) that got me a bit concerned. A follow up article in the July issue by Stephen Kent (BBN Communications) "Comments on 'Security Problems in the TCP/IP Protocol Suite'" pointed out inaccuracies, etc. in the first article but still did not alleviate my apprehension. In short, Mr. Kent's article seemed to say that the TCP/IP Protocol Suite isn't secure unless end-to-end encryption is used at the network layer.

My questions: is the article correct? Am I interpreting the article correctly? If so, are such security mechanisms implemented on the Internet? If not, can we implement such a security mechanism on our local network even if the rest of the Internet doesn't?

. . .

Basically, TCP/IP is not secure, but that is more of a function of the underlying transport mechanism than it is of TCP/IP. TCP/IP typically runs in a LAN or WAN type environment. In this environment, generally all messages are physically broadcast to everybody, even if they are logically intended for one target. (There are also messages which are *supposed* to be broadcast, and *supposed* to be seen by everybody, but that is a different issue). There are numerous exceptions to this "everybody sees everything" rule, of course.
Bridges and gateways serve to limit the scope of the "broadcast" of messages intended for one destination, but within the "local" network, everybody sees everything.

The idea with "everybody sees everything" is that your system looks at and throws away stuff that it sees that is really for somebody else. Obviously, it is not hard to simply keep the stuff and not throw it away. In a token ring environment, it is generally the hardware itself that is making this determination, so it is a little hard for the casual user to peek at something he shouldn't. In an Ethernet environment, it is generally the software that is making the determination, so it is usually easy for the casual user to peek at every packet that comes by. UNIX systems often have such peeking programs built in.

Suppose you have an Ethernet in an engineering building for students, and another Ethernet in an administrative building for administrators. Further suppose that you want to link both of these nets into the computing center in yet a third building, using some sort of campus wide backbone. If you want to be somewhat secure, you will need to arrange bridges and gateways so that packets from the engineering building are not seen on the network in the administrative building and vice versa. However, I don't really know of any good way to keep the students from stealing each other's passwords by looking at all packets going by in the local engineering net. (This is assuming a bright and aggressive student who has access to a reasonable work station on the network, of course).

. . .

>[paraphrased] If you want to be somewhat secure, you will need to
>arrange bridges and gateways so that packets from the administrative network
>(secure) are not seen on the student network (insecure) and vice versa.
>However, I don't really know of any good way to keep the students
>from stealing each other's passwords by looking at all packets going
>by in the local [engineering] net.
End-to-end encryption, of course. The whole problem is, as you say, that anyone who wants to dump packets, can. This is not a limitation of IP networks, alone. In any network if you know, or can reverse engineer the packets, you can get at unencrypted data contained in them. The minute someone logs in over the network, their password is insecure. The "simple" solutions are to encrypt packet contents, provide security at a network (rather than host), level (a la Kerberos), or scramble packets so that someone cannot reassemble them in a meaningful order.

Even so, no network is secure from itself. The best that you can hope for is to make it impractical or extremely unlikely that someone will be able to violate your security in a meaningful time frame. Even THAT won't keep people from using their phone numbers, mother's name, or favorite team as a password, or even simpler, giving it to someone else to use or writing down and taping it to the underside of the keyboard.

The second part of the story, however, is why be secure and how secure? What I mean is, is your desire to be secure in order to thwart deliberate malice or is it to limit your liability for negligent disclosure of confidential records? In the case of liability, your requirements might be significantly less stringent than if you were transmitting launch codes for ICBMs.

. . .

We are also allowing TCPIP to proliferate on campus and will have some administrative access in several months using TCP/IP. As long as we have a router between public access labs and the main backbone, they will not be able to see passwords. Even for taps they would only see passwords on that segment. We assume that all of the problems of access control remain, but are no more serious than the ones already created by dialup access.

. . .

The most powerful weapon to avoid ethernet snooping is physical segmentation of the network. Snoopers cannot read data that does not flow thru their ethernet.
Break the network into many small pieces, and snoopers can at most see only what is on their small piece. Isolate sensitive users from others, on different segments. Never combine public PCs and administrative users on the same segment, for example. Multi-user computers are in general not a problem; it is the single-user systems where a user may install and use snooping capability without detection.

. . .

You might want to install MVS TCP/IP and have the admin users come in via that method. If they need access to VM, run VM/VTAM across a virtual CTCA. MVS TCP/IP has a much better interface to VTAM/CICS, and is much easier to keep unauthorized data secure by enforcing the CICS terminal transaction restrictions. If you do the DIAL method and your MVS applications do port-based security for sensitive functions, how do you ensure that J. Random Bozo doesn't DIAL MVS and end up facing a potentially highly privileged logon screen. (We got nailed with this one on our library system) DIAL is a simple rotor system and (without VMSECURE or RACF) just dumps you into the next free SPECIAL port.

Other than keeping the physical cable secure, we don't worry too much about it. Such traffic never leaves our site, and since MVS TCP associates a login name with a list of authorized "ports", it seems to have fixed most of the big gaping holes.

. . .

I remember reading (handwave: about 2 years ago, in RISKS-DIGEST) about a hospital which was putting in a network. They had pretty much decided on ethernet, when some suit found out about collisions: "You mean sometimes data is transmitted and network errors cause it to be lost!? We can't have any data get lost in a hospital!" And so they decided that they couldn't use ethernet.

. . .

For those of you wishing to see what other universities are/have done, please use the archives here. I maintain an 'ethics' collection here at UNM from the world's universities.
All entries have been submitted for posting by different universities and authors. You may email or postal mail me your submissions to the collection. And you may obtain any policy by 'anonymous' ftp to unma.unm.edu, the directory is ethics. The index is 00.INDEX. I hope this helps. And yes, I will have it LISTSERV available soon.

. . .

We are in much the same boat here at New Mexico State Univ. There is a tremendous amount of concern over opening up network access to student records, payroll/personnel, and financial data. Our solution was to encrypt all traffic coming in to the MVS system using some kind of VAXstation encryption gizmo. This sledgehammer approach is only feasible because 1) our MVS runs on a separate CPU (so only the *currently* smaller Administrative community has to get encryption units) and 2) there is no requirement for general-purpose interactive access to MVS (we only run batch and administrative CICS, no TSO). In other words, our primary requirement is TELNET and FTP access to a "secure" (as opposed to "secure + general purpose") system, so we can get away with requiring that all traffic be encrypted. This is obviously a short-term stop-gap, but we hope it will last until something like Kerberos becomes generally available.

. . .

My recommendation: When in doubt, encrypt.

. . .

A key point would be to keep the administrative traffic off of other segments of the Ethernet by using bridges. Otherwise, it is a simple matter for someone with a PC on the Ethernet to obtain some public domain software and trap all of the packets they want. Using routers and subnets can help even more. You could put all of the admin. users on a particular subnet and help prevent people on the main network from using their IP addresses. You could also use token-ring to connect your administrative users. That would go a long way to keep traffic out of the wrong hands.

. . .

I am at the University of ****** - Office of the President.
At this time I do not have anything to suggest, but I would like to get a summary of what you are getting and what you may do. The U* system has nine campuses, at least a couple of them are in a similar position (campus-wide TCP/IP net for academics and students, etc.). Thank you.

. . .

==============================================================================

At this point it appears that we will permit limited Administrative traffic on our campus net, with the following provisions:

* Bridges will be used to limit users to local subnets. No unsecure nodes will be allowed directly on the backbone.
* The backbone and as many other links as feasible will be optical fiber.
* We anticipate installing the MVS TCPIP product and to make it the primary Administrative link.
* Highly sensitive applications (payroll/grades update, etc) will NOT be permitted to be accessed through the campus internet link.
* Periodic reviews of the network topology with emphasis on network integrity and security will be performed.

Once again thank you all for your responses.

Frank Tompkins (TOMPKINS@AKRONVM) Bitnet
Systems Programmer (TOMPKINS@VM1.CC.UAKRON.EDU) Internet
University of Akron
Akron, Ohio 44325

From: doerschu@rex.cs.tulane.edu (David Doerschuk) 17-NOV-1989 4:06:56 To: misc-security@ames.arc.nasa.gov Subj: [337] Re: REINIALISING PS/2 PASSWORDS

>Next to the speaker on the earlier PS/2's is a pair of jumper pins.

PS/2 as in IBM PS/2? I didn't realize there was any password security in the PS/2. Would someone mind posting or emailing a brief explanation? Is this a DOS 4.1 thing? It sounds like it's in HARDWARE! Thanks for any information.

Dave
doerschu@rex.cs.tulane.edu

From: gdt@holmes.lcs.mit.edu (Greg Troxel) 17-NOV-1989 4:41:38 To: security@pyrite.rutgers.edu Subj: [418] tape recording of in-person converstations

Is it unlawful to tape record in-person conversations without the knowledge of everyone involved?
If so, is the restriction federal, or which states (particularly the People's Republic of Massachusetts) have such laws?

Thanks,
Greg Troxel

[Moderator tack-on: This topic could be a serious flamage magnet. Replies to him, pls. Greg, could you summarize when the flood dies down? Thanx.. _H*]

From: Lee Ratzan 17-NOV-1989 5:15:15 To: security@pyrite.rutgers.edu Subj: [477] controversy

A recent DoE computer security newsletter states that under certain conditions "merely inserting a disk can cause one to be [virally] infected". This statement is unclear: is it an infected disk into an uninfected system which becomes infected (even without initiating an application program)? Is it inserting a clean disk into an infected system (again, with no application open)? Or what? Can you clarify under what circumstances this infection event can occur?

Thanx, Lee

From: hedley@imagen.imagen.com (Hedley Rainnie) 17-NOV-1989 5:48:19 To: misc-security@uunet.uu.net Subj: [500] "The Cuckoo's Egg" by Clifford Stoll

The Wall Street Journal on Wed Nov 1st had a mini-book review of this book. Clifford Stoll was able to track down a hacker from W. Germany and his book relates how he did it. What's interesting about the article is that it said the hacker used Gnu-Emacs to tamper with atrun and get su privs in that way. The article said the Gnu-Emacs is a popular program for editing/electronic mail. The book sounds interesting. Doubleday 326 pages $19.95

Hedley
--
{decwrl!sun}!imagen!hedley
hedley@imagen.com

From: deh@mordor.eng.umd.edu (Douglas Humphrey) 17-NOV-1989 6:17:56 To: borgen%sunnvekst.uninett@norunix.eng.umd.edu Subj: [495] Re: Earthquake Cc: security@pyrite.rutgers.edu

A Tandem Computers VLX system, a fault-tolerant transaction processing system, fell over flat on its back (this is a big mainframe, maybe 6 cabs of 6 feet tall and 28 inches or so wide, and weighs a LOT). It was, of course, still operating just fine flat on its back.
The disks were still upright, due to their being shorter and having lower centers of gravity. From what I have been told, it was uprighted by Tandem CEs and never missed a beat. They had an UPS for power obviously...

Doug

From: DXB4769@ritvax.bitnet 17-NOV-1989 6:40:02 To: security@pyrite.rutgers.edu Subj: [628] RE: Universal Card System

We have a card-access system here at R.I.T. Not completely "universal", but our ID card is used for our meal plan, as well as a debit card. Cash canut be deposited on this card and used at most of the college stores. The card is also used in the Library for ID, the card and book are scanned, and the info is saved in their records. Unfortunately, they haven't applied this technology to locks yet... We've still got keys for rooms, buildings, mailboxes, and anything else you might want to lock up.

Dave Bafumo
Rochester Institute of Technology (Student)
Criminal Justice/Computer Science
BITNET: DXB4769@RITVAX
CIS: 73147,3026

From: night@pawl.rpi.edu (Trip Martin) 21-NOV-1989 23:15:00 To: security@pyrite.rutgers.edu Subj: [470] Re: Privacy vs on-line library

>Did you know that the 976- , and 1-900 people also keep track of who
>calls, and sells your phone numbers to advertisers

Mailing lists appear to be big business. I am aware of at least one hospital which sells names and addresses (and said we couldn't do a damn thing about it). I for one would like to know how widespread this practice is across all industries.

--
Trip Martin KA2LIV night@pawl.rpi.edu
Finite state machinist night@uruguay.acm.rpi.edu

From: wcs@cbnewsh.ATT.COM (Bill Stewart 201_949_0705 ho95c.att.com!wcs) 22-NOV-1989 0:12:37 To: misc-security@att.att.com Subj: [747] Re: locks (again)

An organization I used to work for once had to get an S&G lock drilled out from a secure room door. Took about 2 hours and $600 for our local specialist locksmith to do it. The problem wasn't with the lock itself - the bolt mechanism was attached to the door innards by four screws.
One of the screws had come loose and wedged itself in the bolt mechanism, so the bolt wouldn't turn. The door was fairly substantial, and met medium-security specs, but nothing we couldn't have ripped open with a Sawz-All if there had been an emergency.

--
# Bill Stewart, AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 ho95c.att.com!wcs
# also 201-271-4712 tarpon.att.com!wcs Somerset 4C423 Corp.Pk 3 FAX 469-1355
# .... counting stars by candlelight ....

From: wb8foz@mthvax.cs.miami.edu (David Lesher) 22-NOV-1989 0:45:23 To: security@rutgers.edu Subj: [1140] S&G locks, Mosler containers

I believe ONLY the S&G locks are GSA approved. Also, if I am not mistaken, only Mosler containers (presently class VI) are accepted. The S&G 8400 and 8500's are darn good locks. Uncle Sam uses a lot of them, not just on containers, but office doors (with a special extension & strike), and communication center vault doors.

But remember, anything can be gotten into if you have enough time. A Mosler can be drilled. It is not an easy task. We go to great lengths to try and get it open before we give up and drill. It takes from four to 8 hours, IF YOU KNOW WHAT YOU ARE DOING. We bring lots of bits, but typically use big enough drill motors that they give little trouble (except when you want to lift one ;-}) If you do it correctly, the container can be repaired and reused. If you screw up (or burn it open), you will need a new control drawer. ($$$$)

--
A host is a host & from coast to coast...wb8foz@mthvax.cs.miami.edu
no one will talk to a host that's close..............(305) 255-RTFM
Unless the host (that isn't close)......................pob 570-335
is busy, hung or dead....................................33257-0335

From: deh@mordor.eng.umd.edu (Douglas Humphrey) 22-NOV-1989 1:24:24 To: jac@paul.rutgers.edu Subj: [1759] Re: locks Cc: security@pyrite.rutgers.edu

There is a difference between a vault and a safe.
The mosler safe that we use could be picked up and carried off if you had a small crane and unbolted it from the floor I guess... It is not a vault, in that it is not a room, part of a building, with a large door on it.

In 'drilling a vault' and it causing the bars at the edges to be released, if the door is in the locked position already, the bars should already be released and in the jamb. I can't see where they could become 'more released'... As to the door being unusable, the only way to do that would be to have a vault door that had thermite bars and cause itself to weld shut if it thought it was being tampered with.

The doors being asbestos filled, some are and some use a foam ceramic that is pretty neat. Something like space shuttle tiles... Still, a torch (the right kind) would have no real problem cutting through, nor would a cut-away wheel of correct hardness. You just have to spend a lot of time and energy.

Our mosler is not fireproof, though the secure file is. The file is asbestos lined, which is most likely a problem for some government agency or another, though I don't spend any great amount of time in the safe ;-) so I guess it doesn't scare me too much.

If you have a vault, in most cases it makes more sense to go through the wall(s), floor, or ceiling. They take precautions, of course, but seldom to the level that they do with the door. Remember, the real reason for the door is psychological; it looks so mean and heavy that nobody would believe that they could get through it. Not believing they can do it, they never try, and thus never do! Otherwise, wouldn't it be much more plain, and hidden away where people couldn't see it?

Doug

From: ARTABAR@MTUS5 22-NOV-1989 18:20:57 To: SECURITY@OHSTVMA Subj: [376] Computer monitoring

What are the policies at your institution concerning monitoring of mail and other inbound files, as well as interactive chatting (TALK, TELL, IRC, etc)?
Would you consider it a violation of personal security if your mail and chatting was being monitored by your institution? Just a couple of questions as food for thought.

Andy

From: 22-NOV-1989 18:56:03 To: security@pyrite.rutgers.edu Subj: [751] Bibliographic references for system breaches

Noel asked about any bibliographic references concerning actual or potential breaches of computer security. Since s/he did not list an e-mail address I'll reply via this discussion group.

"The Cuckoo's Egg" by Cliff Stoll just came out and is an interesting case study of breaches of long duration of both academic and military systems (including companies doing business with the military such as BBN, TRW and MITRE). Stoll's efforts to alert various groups met with a fair number of responses that can be characterized only as denial.

Stoll, Clifford "The Cuckoo's Egg" Doubleday (c) 1989 ISBN 0-385-24946-2

---------------------------------------------------
Kevin Nordberg
Dept. of Philosophy
University of Scranton
BITNET: NORDBERG@SCRANTON

From: jad@dayton.dhdsc.mn.org (J. Deters) 22-NOV-1989 19:33:31 To: security@rutgers.edu Subj: [1123] Re: Alarm Tripping, Home Alarm Installation

A frequent culprit in false alarms is moisture somewhere in the loop. "Take this simple quiz!"

1. Do you notice a higher incidence of false alarms during rainy weather, or in high humidity situations?
2. Have you done (or had done) any plumbing recently?
3. Condensation buildup on windows can seep into the surrounding woodwork and play havoc with bare splices that touch that wood. Do your windows 'fog up' now more than they did two months ago?
4. The staples you used -- were they insulated (paper or plastic)? Piercing the wire or crushing the jacket can easily cause your wonderful hidden problems.
5. Damp wood may be swelling up and putting a strain on a poorly made joint.
To isolate your problem, you may consider connecting up each device on its own independent loop, or putting two or three on each loop until you can narrow it down to which device is failing. Then, test the individual wiring and device, and repair or replace as needed.

Hope this helps,
-j
--
J. Deters jad@dayton.DHDSC.MN.ORG .\ /. "Smile -- Cthulu loathes you!"
john@jaded.DHDSC.MN.ORG \_____/

From: dcdwest!sarge@ucsd.edu (Sergeant Bob Heddles) 27-NOV-1989 12:32:50 To: ??? Subj: [722] Shoulder Patches request...

I was wondering where I could get the unit patches (uniform) of the different police and other emergency departments of the U.S.A. and Canada? Is there a catalog company and /or store that carries them? If not would the people on the network with the affiliations of the above-mentioned departments be willing to send one to me? I am trying to build a collection of patches. Any and all help would be greatly appreciated....

Thanks, Bob
--
Bob Heddles | ITT Defense Communications Division
ucbvax!ucsd!dcdwest!sarge | 10060 Carroll Canyon Road
sarge@dcdwest%ucsd.edu | San Diego, CA 92131
Opinions expressed are mine alone. Since no-body else wants them.

From: joel achtenberg 27-NOV-1989 13:02:46 To: security@pyrite.rutgers.edu Subj: [803] RE: Universal Card System

At washington university (st louis) we have a number of different cards, not a universal card. Student ID's have recently switched to a mag-strip, used for validation in the cashier's office and for access to athletic facilities, special events, etc. The same card is used in the library. A different card is available for purchase and use in laser printers and photocopy machines; money can be added as necessary. A similar, but separate card is used by the food service for students on meal plans; money is deducted from the card with each meal purchased and additional credit can be purchased.
A Universal card would certainly be useful, from my point of view, but would have significant administrative problems since the various cards currently are controlled by several different departments.

From: Mike Garcia 27-NOV-1989 13:24:38
To: security@pyrite.rutgers.edu
Subj: [1758] Re: Privacy vs on-line library

>The DEA regularly raids "indoor gardening" stores, many of which can and
>do serve a legitimate, law-abiding clientele, without ever filing
>formal charges against the owners, merely to gain the computerized customer
>lists therefrom.

It does not even have to be computerized. The Chicago police department has a squad called the "gun squad" which confiscates unregistered handguns. It is enormously successful in terms of the number of handguns seized.

Reportedly one of the Chicago PD's techniques is to acquire lists of legally purchased handguns, which were purchased outside of Chicago. These lists include the name and address of the purchaser. The Chicago PD then checks the names on the lists against the names of store and restaurant owners whose places of business are located in Chicago. When a match is found, the place of business is searched. Since it is a public place, no search warrant is needed. If a handgun is found on the premises, it is seized.

These lists are acquired from the US Bureau of Alcohol, Tobacco and Firearms (BATF). BATF assembles these lists by inspecting the records of gun shops near, but outside of, Chicago. It is a federal requirement that all firearm purchases be recorded, and the gun shops can not refuse BATF access to the records.

In all probability, part of your library's budget is federal money. If a federal agency wants access to such information, it will have powerful tools for compelling compliance. Once the feds have the data, they can do whatever they want with it, including giving it to a third party.
If your library keeps track of what information you access, for whatever reason, you have no real guarantee that it will not be misused.

Mike Garcia