From: CSBVAX::MRGATE!NEUMANN@KL.SRI.COM@SMTP 19-AUG-1988 20:29 To: ARISIA::EVERHART Subj: RISKS DIGEST 7.37 Date: Fri, 19 Aug 88 13:54:58 PDT From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS DIGEST 7.37 Sender: NEUMANN@KL.SRI.COM To: RISKS-LIST@KL.SRI.COM Message-ID: <12423756907.15.NEUMANN@KL.SRI.COM> RISKS-LIST: RISKS-FORUM Digest Friday 19 August 1988 Volume 7 : Issue 37 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Virus insurance (Rodney Hoffman) Blind faith in overly electronic locks (Leonard N. Foner) Fewer Charges Now Require a Signature (Kian-Tat Lim) Re: Danger of Sensitive Car Electronics (Hugh Davies) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95). ---------------------------------------------------------------------- Date: 17 Aug 88 15:39:55 PDT (Wednesday) From: Rodney Hoffman Subject: Virus insurance A front-page article by James Daly in the August 15 `ComputerWorld' surveys availability of insurance against computer viruses. Excerpts: ... A recent survey of insurers providing computer security policies revealed an industry with not only a dearth of knowledge about viruses but an inability to determine whether policyholders are now or will ever be covered. And at least one underwriter has also begun to specifically reject virus protection.... Even where virus protection is not specifically excluded, an enormous gray area exists. "We're looking into it, but we're not sure it would be covered anyway," said [one insurer]. Others put it more bluntly. "I don't think you'll see coverage ever offered," said [a computer security lawyer].... At a recent American Bankers Association conference, a speaker from Lloyds of London said the number of outstanding computer crime-related claims would devastate the industry if they were all brought to fruition. And the virus outbreak has made a bad situation even worse.... Additionally, it has always been difficult to put a dollar value on information, and some assert that if everyone hit by a virus made a claim, the courts would be tied up for eons just figuring out how much the data was worth. ... The deductible on many [computer security] policies ... often begins at around $10,000, but may skyrocket to $3 million at large banks.... One underlying problem, most underwriters admit, is that they cannot keep pace with changes in the technology.... The Surety Association of America, a quilt of nearly 600 insurance underwriters, has formed a committee to begin reworking some of its policies, and computer viruses "will certainly be on the agenda," said [the assoc. V.P.].... "We're doing like everyone else: trying to understand the technical aspects of the virus," said [one insurance company senior V.P.]. "Maybe then we will be able to relate it to some coverage." ------------------------------ Date: Thu, 18 Aug 88 00:03:05 EDT From: foner@wheaties.ai.mit.edu (Leonard N. Foner) Subject: Blind faith in overly electronic locks I work at a rapidly-growing company in Cambridge (currently about 160 people) that just recently expanded to the third floor of our current building. Prior to the expansion, we had a keypad on the first-floor door that would be used to open the door from the outside. To open the door from the inside, you turned a mechanical latch that overrode the electric one (probably a spring-coupled system like many other standard electric latches). The second floor was locked with a completely nonelectronic lock, and is the main entrance for visitors and other such people. Well. Shortly after we expanded to the third floor, the main door to the space acquired a locking device which was essentially a metal plate bolted to the top of one door in a double door. (The other door just uses the up-and-down slides that lock it in place in the floor and ceiling unless you've got the first door open---you've probably seen the type). When the door with the metal plate is closed, it contacts a very strong electromagnet mounted at the top of the frame that holds the door shut with a theoretical strength of about a metric ton. This magnet is controlled by a motion sensor mounted on the inside of the space, on the wall to one side of the door. The motion sensor presumably is wired to the central alarm system (i.e., not in series with the actual electromagnet). Stop and think a moment about the implications of this. Think you've got them all? It gets better. It turns out that when the system was installed, *no one was told* that there was a motion sensor on the inside. The door automatically locked at 6pm. Immediately thereafter, somebody tried to get out on his way to the airport, stopped a moment just inside the door to check something on his person, and tried to open the door. Surprise. With the magnet on, turning the (unlocked) knob does nothing, because the door is physically held closed. Further, we had someone on the outside (coincidentally) who was trying to get in. What *they* didn't know (again, because the alarm company didn't tell anyone else what they were doing) was that they had to hit the # key on the keypad after entering the combination. So the keypad was essentially inoperable, too. It turned out that it took about fifteen minutes for us to open the door, from either direction. No one on the inside was moving enough for the motion sensor to notice them (they were pushing on the door, to no avail, or typing on an alarm control panel which seemed dead and was, in fact, not connected to anything). Eventually, someone happened to step back and scratch their head or something, at the same time someone was pulling on the outside of the door, and it magically and mysteriously opened with no effort at all. No one knew why the door had unlocked, so the person who was now late for the airport departed, while we opened the adjoining door so we could close the magnetically locked one to figure out what was going on without risking being locked in. It took us another fifteen minutes to finally notice the correlation between movement and the magnet. (Since the magnet turning off is not audible, unlike a latch retracting, we had to park one person leaning on the door to guarantee that we'd know when it opened. And the motion sensor, since it looks sideways across the door, and very high off the ground, is not very sensitive to short or medium people walking *toward* the door.) Another few minutes of work yielded the procedure for the keypad, and we were all set---or were we? I had had bad misgivings about the magnet from the moment I had seen workmen installing it, and it turns out that they have been borne out. Consider, for example, that there is no switch, not anywhere, that is directly in series with the magnet's power supply. Any failure of the motion sensor, its wiring to the alarm, or the alarm itself could jam the magnet on, with no remedy except unscrewing the (obviously nonmagnetic and probably aluminum) casing of the magnet and cutting the leads. Given that the case has about ten phillips-head screws, I wouldn't like to try this in a fire---especially when you consider how long it generally takes to find a phillips-head screwdriver and a pair of diagonals... Incidentally, the alarm and the magnet are battery-backed. Even a fire that killed the 120V power would not unlock the door, and if it burned through or shorted, as appropriate, the correct wires, you can guess the outcome. So once I realized how insanely they had designed the system (what's wrong with an ordinary latch?), I went to our chief administrative officer, who's also in charge of things like alarms, and asked her to put a manual override on the magnet. I drew a schematic to indicate that the switch should be in series with the magnet itself, not connected to the alarm's logic. It only took *three days* to convince her of the necessity for the change... I also asked how the fire marshall could possibly approve such a dangerous fire exit. She gave the incomprehensible answer that the alarm people *were* firemen. Since I'm not aware that the fire department routinely double-dips by working as alarm installers in their off hours, I let it drop there. I'll probably ask the fire marshall to come take a look if things don't improve. So the alarm people, who were initially rather startled that we didn't trust their alarm to work perfectly in all cases, even in the event of a fire, said that asking for a switch wasn't totally a new concept, and installed one (no doubt anything they can charge us a bundle for makes good sense to them). This switch is the sort that is labelled "Pull in case of fire" and generally makes it look like it's a bad thing to pull the switch casually (it looks pretty non-resettable). This makes me hesitant to test it. However, the fact that the switch is on the wall under the motion sensor, rather than between the magnet and the alarm (which is in a room on the *opposite side* of the door from the motion sensor) makes me believe that the switch is simply in series (or parallel, if it's normally-open) with the motion sensor. This removes one point of failure (the motion sensor), but still leaves all of its wiring and the central alarm's logic circuits, which have already (in two weeks of operation) demonstrated themselves to be unreliable. (No one could get in on Saturday. The alarm company insisted that the logic had gotten wedged because someone had entered their combination "too quickly" on the keypad outside. I don't know whether to believe them---and assume that the engineer who designed the alarm is incompetent---or disbelieve them---and assume that the maintenance guys are incompetent. Neither is very reassuring in the face of this non-overrideable lock.) So we're left with a system that is difficult to test (sometime late at night I will almost certainly disassemble the various pieces to see where the wires go, and thus where the switch is in the circuit), unfriendly (the motion sensor is not very sensitive, requiring people to often walk back and forth, jump up and down, or wave things to get out), insecure (sticking a piece of paper on a coat hanger between the gap in the two doors and waving it vigorously enough should open them, if it's a sufficiently large piece of paper), and dangerous (multiple points of failure all leading to being locked in). Whatever became of good, old-fashioned mechanical locks? To top it off, the second floor just got an electronically controlled latch (not an electromagnet, but again with no obvious mechanical override), and it, too, is attached to a motion sensor... ------------------------------ Date: Fri, 19 Aug 88 00:29:09 PDT From: lim@csvax.caltech.edu (Kian-Tat Lim) Subject: Fewer Charges Now Require a Signature (L.A. Times) Fewer Charges Now Require a Signature By Albert B. Crenshaw, the Washington Post Los Angeles Times, August 18, 1988, page IV-3 WASHINGTON - A hotel in Richmond, Va., discovers some telephone charges after a guest has checked out. No problem. An employee telephones the guest and tells him the hotel will simply put the charges on his credit card. A restaurant in Washington demands a credit card number when taking reservations. If the guests fail to show, a $15 charge is placed on the credit card. A busy professional spots an appealing item in a catalogue, dials an 800 number and says, "Ship it and put it on my credit card." These transactions, like millions of others in today's charge-it world, have one thing in common. A charge was recorded on a credit card but no signed document changed hands. Signatures Not Required The signature, in fact, is rapidly becoming obsolete in credit card transactions. Having a customer sign a slip when he or she buys something is already "less significant than it was" in the past, said Dan Brigham of Visa International. Credit cards today are evolving into "a national payment system," said Spencer Nilson, publisher of the Nilson Report, a California-based newsletter that tracks the credit card industry. "It allows you to do things you cannot do with cash," such as make long-distance transactions, Nilson said. "That is what people pay interest for, what they pay fees for," and as the system becomes increasingly electronic "the trend is for more transactions to be without signatures," he added. "Nothing in the law specifically requires a signature" in a credit card transaction, said Elgie Holstein of Bankcard Holders of America, a Virginia-based consumer group. "The issue is positive identification of the card member," said Philip Riese of American Express. This can be done several ways -- by comparing the signature on the card to the one on the charge slip, by using a personal identification number similar to those for automated teller machines, and by "what is known generically as 'signature on file,' " Riese said. In the third case, which arises mostly in telephone transactions, the burden is on the merchant to ascertain the cardholder's identity, though American Express helps by providing an address-verification system that matches the cardholder's address against the one to which merchandise is to be sent. In some cases signatures are being dropped for in-person transactions, especially where signing a slip may be viewed as an impediment to a speedy sale. For example, Visa and Arby's, the roast beef chain, are experimenting with putting fast food on plastic. In an effort to keep the fast food fast, they require no signature for purchases under $25. The clerk merely "swipes" the customer's Visa card through a magnetic stripe reader, which checks a "hot sheet" to see if the card is OK. If it is, then the customer is on his way. The experiment promises to put fast food where mail order and other forms of remote marketing have been for years. The appeal to these marketers is obvious. Customers enjoy the convenience and merchants find they are able to capture more impulse business -- sales that would be lost if the buyer had to write out a check and mail it in. While acknowledging the convenience, hover, many customers feel just a bit nervous at this "loosey goosey" system, as Holstein termed it, of telephone and other signatureless transactions. But lawyers and others who follow the industry agree that it is the merchant and the card issuer that bear the bulk of the risk. Under the Truth in Lending Act, consumers are generally protected from losses of more then $50 due to unauthorized use of their credit card. And in practice, said Holstein, the customer's chance of successfully disputing a charge "is in fact enhanced when they don't have your signature." The law specifically states that if a card issuer seeks to collect a disputed charge, "the burden of proof is upon the card issuer to show that the use (of the card) was authorized" by the cardholder, he added. Visa's Brigham said that, if a cardholder swears in an affidavit that he did not authorize a disputed transaction, "that's generally the end of it." This does not mean, however, that there is no risk for the cardholder. Nilson noted that fraud by "telemarketing" is increasing rapidly and that these thieves prey particularly on those who are not aware of their rights or who may for some reason be unwilling to assert them. Many of these scams are aimed at merchants by crooks who collect card numbers, run up a lot of charges and quickly skip before the cardholders begin to complain. But other are aimed at the cardholders themselves. Nilson said purchasers of pornography offer a fertile field for such scams. Some thieves even make deals with pornography sellers to buy the right to collect their credit card accounts. They then run up phony charges with the numbers. Often, he said, cardholders pay up for fear that any dispute would reveal what they had been involved with. In other cases, cardholders may find the issuer willing to go to court with even marginal cases if the amount involved is large enough. In addition to being a payment system, credit cards are on their way to becoming a national identity card system, as anyone who has tried to check in to a hotel recently can attest. Businesses that use credit cards as identification are "trying to confirm who you are, that you're not a phony," Nilson said. They regard the credit card "as sort of a monitor. If you don't have one it doesn't mean you're rejected but it triggers something else," such as requirement for further identification. ------------------------------ Date: 19 Aug 88 06:52:54 PDT (Friday) From: "hugh_davies.WGC1RX"@Xerox.COM Subject: Re: Danger of Sensitive Car Electronics 1) In the UK, there is a an area where two large motorways (freeways) converge (the M1 and M6) near Rugby. This area also contains 2 large radio transmitting stations - the BBC transmitter at Daventry and the Home Office transmitter at Rugby (which transmits the MSF time standard, among other things). This area is renowned for the failure rate of electronic engine management systems, which upon the cars involved being towed from the area prove to be perfectly functional. As a result, local car dealers have named the area 'the Black Triangle'. 2) The radio literature is full of instances of interference with car control systems by radio transmitters mounted in the vehicle. My last car would quite happily sound its 'seat belt warning' upon every tranmission on certain frequencies. I have also set off at least one shop (store) burglar alarm whilst transmitting when outside the shop. The phenomenon of EMC problems (Electromagnetic Compatibility) is well known in the radio, computer and communications industries. There is a large short-fall in the numbers of EMC engineers available in the industry, and in the case of the UK, there are no egress regulations anyway, which leads to a total lack of interest among manufacturers of electronic equipment. The fact that poor egress specifications also lead to poor ingress specifications also seems not to bother the manufacturers of cars, computers, radios, TVs, VCRs, etc. The EEC, through the CEPT, is about to enact an ingress specification, but it is to a very low standard, mainly aimed at preventing interference by CB. The FCC standard appears to be much better, and, by European standards, reasonably well enforced. Many digital electronics engineers are poorly trained in analogue electronics, and may not realise the magnitude of the problem. It is quite possible for the amounts of RF induced by proximity to radio transmitters to reach the Volt level, at significant currents. There are well documented problems with systems adjacent to multi-megawatt radio transmitters, such as those ecperienced in the national stadium in Jeddah. Most microcomputers are poorly, if at all screened in this respect - they are usually housed in plastic enclosures. Whilst the car is probably one of the most hostile environments known to engineers, it is quite possible for it to become more hostile yet in the prescence of large amounts of RF. Hugh Davies. ------------------------------ End of RISKS-FORUM Digest 7.37 ************************ -------