Subject: RISKS DIGEST 13.14
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Sunday 16 February 1992  Volume 13 : Issue 14

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Police Foil Million Pound Hacking Plot (Ed Urbanowicz)
Phone May Trap Kidnapper (Antony Upward)
Australian Government Bungles Private Data (Les Earnest)
Third Chicago Airport Selection (William E. Mihalo)
Carpal Syndrome reports rise sharply (Jeff Helgesen)
Patent Foul-up (Laurence Leff)
Computer Virus Catalog: Jan.1992 edition (Klaus Brunnstein)
Re: Dutch police arrest hackers (Brinton Cooper, Martin Minow)
Automated Phone Systems (Michael J. Clark, via Allan Meers) [Humor]
International finance (David B. Benson)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP domain folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Sun, 16 Feb 92 14:47:09 PST
From: "Peter G. Neumann"
Subject: Police Foil Million Pound Hacking Plot

Ted Urbanowicz of Stow, Ohio, sent in an item from the 30 Jan 1992 issue of Computing (UK). I have abstracted.

Police have charged a woman under the Computer Misuse Act following a million pound hacking incident at a leading city finance company. Elaine Borg, a computer operator at fund managers Henderson Financial Investment Services, is accused of hacking into the company's computer system between 1 Oct 1991 and 19 Jan 1992 with intent to defraud it of a million pounds. Borg was charged in London's City Magistrates' Court under Section Two of the Act, which covers unauthorised access to systems with the aim of assisting a more serious crime, such as fraud or blackmail. Her activities were being monitored for several days before she was apprehended.

Oddly, the managing director of Henderson was quoted as saying that it would have been difficult to complete the fraud, because it would have required collusion at the other end. But the article noted that Borg faces a second charge of conspiracy with another person, Richard Hollands, while another man, Keith Cheeseman, was also arrested in connection with the fraud, but not charged because of extradition problems. Cheeseman is wanted by the FBI in connection with a multimillion pound bond theft in London two years ago.

The COMPUTING article closed with a note on a recent National Computing Centre report (Security Breaches Survey, NCC, Oxford Road, Manchester M1 7ED UK; contact David Lindsay, phone 44 6355524040), which estimates that security breaches cost UK industry 1.1 billion pounds a year.

------------------------------

Date: Fri, 7 Feb 92 15:14:51 -0800
From: Les Earnest
Subject: Australian Government Bungles Private Data

[Reposted with permission from the ClariNet Electronic Newspaper newsgroup. For more info on ClariNet, write to info@clarinet.com or phone 1-800-USE-NETS.]
SYDNEY, AUSTRALIA, 1992 FEB 6 (NB) -- Australian government officials are ducking for cover as yet another case of personal data misuse "hits the fan." More than 6,000 households received official letters containing personal and financial details about others. Recipients of what should have been a routine Department of Social Services letter about child allowances were shocked to see a list of information about others, sometimes neighbors. The data included name, address, bank account details, tax file number, and income.

One recipient said: "I was looking at the back of the letter, assuming the information I saw was meant as an example, when a neighbor rang to say she was reading all about me on the letter she had just received. I felt sick, knowing that my private affairs had been revealed like that. They say 'give us your details - you can trust us' but we can't, can we?"

Officials from the department have given two explanations so far, though it may be some time before the complete story surfaces. The letters had correct data on the front, but incorrect data on the reverse. The first explanation was that the laser print run had faltered, and when it was restarted, the letters were printing front and back, one step out of sync. The second (and expected) excuse was that there was a glitch in the computer program which had been imported.

Unfortunately for the Australian government, this was not the first incident of its type, and a large public storm is rising over the rapid increase in the amount of data held in a central computer in Australia's capital, Canberra.

------------------------------

Date: Sat, 08 Feb 1992 09:28:21 cst
From: "William E. Mihalo"
Subject: Third Chicago Airport Selection

The selection process for the third Chicago airport continues to generate controversy (see a previous issue of Risks Digest). In this particular case, it's an excellent example of PC-based computerized mapping programs and spreadsheets being abused.
A revised configuration for the Lake Calumet site (which is strongly favored by Mayor Daley) has modified the footprint for the airport. The Ford assembly plant in Hegewisch, Illinois is now spared (this plant is used for the assembly of the Ford Taurus and Mercury Sable). However, the revised footprint for the airport has it crossing the state line into Northwest Indiana. One of the runways ends within less than a mile of the Amoco Oil Refinery in Whiting. An estimated 25,000 homes, half a dozen schools and 15 churches would need to be razed to make room for the airport. The revised plan doesn't anticipate the relocation of any industrial sites. However, it also calls for the draining of several hundred acres of wetlands. The fate of several lakes that are adjacent to the airport site is also in question. An estimated 50,000 people would be dislocated by the project.

The second risk is one of computer spreadsheets. The original cost of the airport was $5 billion. A revised cost from Mayor Daley is $10.8 billion. However, this assumes the razing of only 10,000 homes. An estimated $18 to 30 billion would be needed to raze the 25,000 homes that are within a 7 mile radius of the proposed site. Assuming a $10.8 billion cost, a ticket surtax of $12-15 per ticket would be levied for any flight originating or terminating from Midway and O'Hare. With the $30 billion estimate the ticket tax would be in the range of $36 - $50. The entire justification for the third airport is based on FAA data from the late 1970s which was gathered just before the deregulation of the airline industry in the United States.

One question for the Risks community. Has anyone ever estimated the area of destruction that would result if a jumbo jet were to make a direct hit upon an oil refinery? Whenever the issue of safety is mentioned, it is dismissed with the statement that commercial aviation is safer than driving. O'Hare was the site of a DC-10 crash in 1979 which killed several hundred people. Indiana within the past 4 years has had two crashes (one in Indianapolis, and a more recent one in Evansville) with planes going down near airports with a significant loss of life from people on the ground.

William E. Mihalo   wem@calumet.uucp

------------------------------

Date: Thu, 13 Feb 92 14:43:47 -0600
From: Jeff Helgesen
Subject: Carpal Syndrome reports rise sharply

[The following article appeared in the Chicago Tribune, 11 Feb 1990. All typos are mine; bracketed inserts are those of the original editor.]

CARPAL SYNDROME REPORTS RISE SHARPLY (Jon Van, Chicago Tribune)

Reports of repetitive-motion disorders have risen sixfold in recent years and now account for more than half of all occupational illnesses in the United States, a report in Wednesday's Journal of the American Medical Association noted.

Physicians must work with employers, industrial designers, labor representatives and others to modify work sites so that these injuries, sometimes known as cumulative trauma disorders and sometimes as carpal tunnel syndrome, can be avoided, the report said.

The U.S. Bureau of Labor Statistics found that there were 24 cases of cumulative trauma disorder for every 10,000 U.S. workers in 1990, up from 4 cases per 10,000 in 1982.

Dr. David M. Rempel, director of the ergonomics laboratory at the University of California at San Francisco, said in his Journal report that several factors account for the increase. They include increased awareness of the problem, advances in medical diagnosis and an ever-accelerating pace of work.

Even though the problem is growing, most physicians are ill-prepared to deal with it, Rempel and his colleagues said.
``Because of the scarcity of medical research on [the disorders],'' they wrote, ``many physicians are unable to identify patients working in high-risk environments and are inadequately prepared to treat patients with symptomatic disorders.''

When someone applies force over and over to the same group of muscles, the same joint or the tendon, the result may be tissue tears and trauma. Other factors causing damage are awkward joint posture and prolonged constrained posture.

Workers should be encouraged to watch for symptoms, especially pain, and seek medical attention early, Rempel and the co-authors said. They shouldn't be told to work through pain, the report said.

``Medical intervention for the patient with [a disorder] requires not only accurate diagnosis and appropriate therapy, but also direct involvement in changing the patient's work environment,'' the report concluded.

------------------------------

Date: Sun, 9 Feb 1992 22:49:17 GMT
From: mflll@uxa.ecn.bgu.edu (Dr. Laurence Leff)
Subject: Patent Foul-up

This RISKS submission concerns a computer problem with a patent application.

When the patent examiner issues a final rejection of a patent, the patent office can give you a shortened time to respond. This response is an appeal to the board of patent appeals. The statutory time to respond is six months; however, the patent office has the authority to shorten this time. You can extend the time given by the patent office by paying a late fee--however, late fees won't extend your total time more than the six months specified in the statute.

On 08/13/91, the patent examiner issued me a final rejection of my patent. The problem concerns the date on the letter informing me of this. That letter was issued on a standardized form, PTOL-326. That form included the statement: "A shortened statutory period for response to this action is set to expire 3(three) month(s) 0 days from the DATE OF THIS LETTER." (Emphasis mine). The 3 for three months and the zero for 0 days were entered in handwriting. The date was supposed to be printed on the preprinted form under or next to the preprinted text that said "Date mailed". Unfortunately, the dot matrix printout of the date was obscured by the preprinted "Date mailed." The date printed on the letter of "08/??/91" was eighty percent obscured. It was obvious that the form was not correctly aligned in the printer. The name of the examiner was not under the heading "examiner." And the number 231 was not under "art unit." Thus, I couldn't read it properly and read the date as 09/10/91. The slash overlapped one of the letters which appeared to be a nine.

Section 1.134 of 37 of the Code of Federal Regulations states in pertinent part, "An office action will notify the applicant of any non-statutory or shortened statutory time period set for response to an Office action." The office action failed to notify me of the indicated time. Thus, "unless the applicant is notified in writing that response is required in less than six months, a maximum period of six months is allowed." (37CFR 1.134). Thus, I am arguing my response was not due for six months from the indicated date as the Patent office did not fulfill its regulatory requirement of notifying me as specified by this section. Therefore, I requested that no fee be assessed at all.

This points out the obvious risks of not aligning forms when put into printers. However, this likely human error was compounded by:

1) Using a cheap nine-pin dot matrix printer with this form. If the numbers were printed with a daisy wheel printer or 24-pin printer, they would have been more readable even if printed on top of other information.

2) Using a numerical date format "08/13/91" instead of August 13, 91. One is less likely to confuse August and September than 08 and 09, although "November" and "December" have most of their letters in common.

3) However, the patent office had the correct date in a computer system. They should have printed everything out using a laser printer including the shortened statutory time, the date of final reject and the date the response was due. All the information on the preprinted form would be printed out at the same time. This would be a simple WordPerfect merge application.

------------------------------

Date: 14 Feb 92 16:54 +0100
From: Klaus Brunnstein
Subject: Computer Virus Catalog: Jan.1992 edition

At the end of our winter semester, the following new entries of Computer Virus Catalog are available:

INDEX.192:    survey of all entries published so far (214 viruses/trojans)
AMIGAVIR.192: 14 new viruses (total: 29 viruses/time bombs)
MACVIR.192:   9 new viruses (all known 29 viruses/clones classified)
MSDOSVIR.192: 15 new viruses (total: 99 viruses, 4 trojans) including: Amilia (Murphy Strain), AntiCAD (Jerusalem/AntiCAD strain), FEXE & FICHV2.0 & FICHV2.1 (all: FICHV strain), Hafenstrasse (no strain), Michelangelo (Stoned strain), PLOVDIV 1.3 (PLOVDIV strain), SEMTEX, Sverdlov=Hymn of USSR, Violetta, ZeroHunt-411, -415 = Minnow/1 (ZeroHunt strain), VDV-853 (maybe VCS 1.0 predecessor).

Moreover, the first polymorphic virus using Dark Avenger "Mutating Engine 0.9" is classified, named "Dedicated".

After analysis of an accident with a UNIX shellscript virus in a European university, based on several publications of an AT&T author who described all details of the virus' code and sufficient details of his "attacks" on several UNIX systems in his enterprise, we have classified this virus under the provisional name "AT&T ATTACK virus". This information is available from the author, on specific demand; despite the fact that this classification does not contain any information helpful in programming this virus, we wish to avoid as far as possible a similar virus wave as we observe so regretfully in the PC world. This is the reason for some restrictions in distribution of the Catalog entry.
All information including all other Virus Catalog entries may be received either by demand from the author or may be downloaded from our FTP site:

   address:   ftp.informatik.uni-hamburg.de  134.100.4.42
   login:     anonymous
   password:  your-email-address
   directory: pub/virus/texts/catalog

Moreover, those interested in Chaos Congress material (e.g. CCC91): these are available on the same ftp site with the same procedures in directory: pub/virus/texts/hackers

Finally, we are updating the Index of Malicious MsDos Code; to avoid those inaccuracies which unfortunately were built into the first edition (IMSDOS.791) due to misleading information from several alternate sources, Vesselin Bontchev and I decided that we *only publish information on those viruses/trojans etc which are in our Secure Malware Database*. In the next edition, it will describe about 1,150 viruses/trojans with those names/aliases which are used by major antivirus software. This edition will be available on the ftp-site early in March.

All comments and critical remarks which help us in enhancing the quality of our work and information are strongly welcomed.

Klaus Brunnstein, Virus Test Center, University of Hamburg, Germany

------------------------------

Date: Tue, 11 Feb 92 9:20:16 EST
From: Brinton Cooper
Subject: Re: Dutch police arrest hackers (Minow, RISKS-13.13)

In discussing system restoration following illegal hacker activity, Martin Minow takes issue with the assertion, "...Every system manager that uses a legal copy of the operating system has a distribution version within easy reach." He says, in part, "Rebuilding the operating system for a small workstation takes at least a half-day. Re-editing all site-specific files, such as password files, network host tables, aliases..."

It seems to be RISK-y behavior not to keep an image of your operating system, including the site-specific files, on tape back-up...off-line, not available via automatic de-archiving, mountable only manually, etc. What happens when disks are corrupted by more benign influences such as power surges or head crashes?

_Brint

   [Also commented on by David Rose, dave@phoenix.pub.uu.oz.au.  PGN]

------------------------------

Date: Tue, 11 Feb 92 15:47:12 PST
From: Martin Minow
Subject: re: Brinton Cooper's comments on system recovery

Brinton Cooper notes that it is "RISK-y behavior" not to keep a fully-configured system image on tape backup, especially in order to recover from hardware errors. He is absolutely correct. However, if your system was intentionally attacked, this might be insufficient. I know of one case where the system manager not only rebuilt the system from distribution tapes, but he even went so far as to order new tapes from the manufacturer in order to avoid the minuscule risk that the attacker had physical access to the on-site tape library.

Of course, only the system owner can evaluate the tradeoff between acceptable risk and the cost of protecting against that risk.

Martin Minow

------------------------------

Date: Tue, 11 Feb 92 13:37:11 PST
From: Allan.Meers@ebay.sun.com (Allan Meers - Sun Education/Professional Services)
Subject: Automated Phone Systems

From rec.humor, a commentary on those over-optioned automated phone answering/messaging systems.

AUTOMATION IN THE 20th CENTURY
By Michael J. Clark

The setting is a typical bedroom, a woman is in the bed asleep, next to her bed is a night stand with an alarm clock and a telephone. Suddenly the woman awakens to the sound of a strange noise in the house, she looks around, starts to panic and then picks up her phone to call the police.

Woman: (Startled and panicked, talking out loud to herself in a low tone) "I-I-I-I've got to call the police, there's someone here, oh God I know there is, let's see...what's the number," (she nervously punches the numbers into the phone.)
After a few rings the phone is answered, there is a delay, then we hear:

"Welcome to our emergency phone mate 911, the automated emergency answering system, the latest in emergency response technology! If you are calling from a touch tone phone, please enter a 1 at the tone, enter now"......(the woman looks both shocked and puzzled as she nervously punches in a "1")

"Thank you, our emergency phone mate 911 recognizes that you are calling from a touch tone phone......To serve you better your police and emergency services have set up this system to route your call to the appropriate emergency service personnel......If you are in need of police assistance enter a 5, if you require information in Spanish, enter 7, in Chinese enter 4, in Greek enter 9, in French enter 6 or Italian enter an 8, if you wish fire or medical service enter a 3 and the corresponding numerical code for the language in which you will be speaking or in need of translation......to repeat the previous information please enter 0.......Enter your code now please"......(the woman, who has now gone from fear and panic to being irritated and confused, enters a 5 and waits.....)

"Emergency phone mate 911 recognizes that you have requested police assistance in English....In order to better serve you, please enter the appropriate number at the tone....a 1 if your call is not an emergency, a 2 if you need information, a 3 if you are returning a call from a police official, a 4 if you are inquiring about a parking ticket, or a 5 if this is an emergency, enter your code now"........(she shakes her head and rolls her eyes and enters a 5 quite forcefully)

"Emergency phone mate 911 recognizes that you have a police emergency, please enter a 1 if it is a life threatening emergency, a 2 if it is a non life threatening emergency, a 3 if there are weapons involved, a 4 if there are multiple perpetrators, a 5 if the perpetrators are non English speaking and will require a Miranda warning in any other language....Please be sure to enter the appropriate language code if you enter a 5....if the police emergency is a non life threatening rape or physical assault please enter a 7....... (the woman now has lost her temper, she punches in a 2 saying out loud "How the hell do I know if it's life threatening or not you imbecile!")

"Emergency phone mate 911 recognizes that you have a police emergency that is non life threatening, emergency phone mate will now direct your call to the appropriate department for response.....please hold while your call is transferred.....(we hear ringing......, the phone is answered)

"Dunkin' Donuts, may I help you?" ........

------------------------------

Date: Wed, 12 Feb 92 14:09:10 -0800
From: dbenson@yoda.eecs.wsu.edu (David B. Benson)
Subject: International finance

From: dbenson@yoda.eecs.wsu.edu (David B. Benson)
To: djb@vax.ox.ac.uk (Dave Benson)
Subject: Bank statement

Dear Dave,

Forwarded to me from Yale is a bank statement from Den Danske Bank originally addressed to

   MATHEMATIKER, DAVID BENSON, DEPT. OF MATHEMATICS, YALE UNIVERSITY,
   BOX 2155, YALE ST., NEW HAVEN, CONN. 06520 USA

I suspect this is yours. However, I did open it (apologies, but there was no other way to determine the original addressee) and it appears that the account is inactive. Would you like me to send this to you anyway? (Alternatively, with your authorization, I could send you the account number and the balance via this not very secure medium of email.)

Sincerely,
David B. Benson

- - - -

Date: Tue, 11 Feb 92 9:04 GMT
From: DAVE BENSON
To: DBENSON <@nsfnet-relay.ac.uk:DBENSON@YODA.EECS.WSU.edu>
Subject: Bank statement

Dear David,

I seem to be plagued in life by encountering other David Bensons. There's one living just a few miles from here who shares also my middle name and exact date of birth. I have no desire to meet this doppelgänger in case he turns out to look just like me.

As far as the bank account is concerned, I tried several times in 1982 to close it, and in the end decided just to ignore it. So please do what you like with the statement of balance of zero Kroner og zero øre.

Zoodle wurgle,
Dave Benson.

- - - -

From: dbenson@yoda.eecs.wsu.edu (David B. Benson)
To: DAVE BENSON
Subject: Re: Bank statement

I know the feeling all too well. So far, though, none with the same middle initial nor looking like me. I'll not send along the bank statement, but I fear that now Yale will, every year, forward the statement to me -- for the rest of my life.

Cheers,
David

   [Reproduced with permission of both Dave Bensons. But what if they start charging interest?  PGN]

------------------------------

End of RISKS-FORUM Digest 13.14
************************