Subject: RISKS DIGEST 13.42 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Sunday 19 April 1992 Volume 13 : Issue 42 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Chicago has a single point of failure (Bryan MacKinnon) Re: FAA crash (Howard Israel) More delays at East Bay air traffic control center (PGN) Drugs by EMail (PGN) Potentially disastrous bug in MacInTax (Edgar Knapp) Automagically generated phone books (PGN) Re: Risks of editors -- Mass Pike (Carl Ellison) Re: Long call wait for London Ambulances (Brian Tompsett) Re: FBI wiretaps (Eric S. Raymond) Re: Intercept legislation (Bob Weiner, Donn Parker) Credit-card fraud (Bruce Bigelow and Dwight Daniels) Harper's article on Personal Data for Sale SURVEY: Is Big Brother Watching You? (Lorrayne Schaefer) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Thu, 16 Apr 1992 09:36:26 -0500 From: Bryan MacKinnon Subject: Chicago has a single point of failure On April 13, 1992, Chicago experienced the closest thing to the "Chicago Fire" this century. It is not news to most people now that the forty to sixty miles of century old freight tunnels underneath the "Loop", or main downtown area, were flooded on that fateful day. It appears to be caused by a recently installed bridge piling that breached the tunnel where is passes under the Chicago River. When built, these tunnels were used for transporting coal, newsprint, and many other items on an electric railway. The risks to computing were/are significant. Although no longer used to transport freight, they are now used as conduits for communication cables (fiber, etc) that connect together the city's main business district. Furthermore and more damaging, the tunnels connect the basements of numerous buildings which are now flooded. These flooded basements are home to telephone and electrical equipment, most of which were disabled for days. The loss so far to the city is easily over $500M and expected to exceed $1B. But the main reason that I submit this message to risks is more to do with a classic design flaw of any complex system, in this case, a city: Chicago has a single point of failure. Bryan MacKinnon, Fermi National Accelerator Lab Batavia, IL 60510 (within spectating distance of Chicago). ------------------------------ Date: Wed, 15 Apr 92 15:04 EDT From: hmi@neptune.att.com (Howard Israel) Subject: Re: FAA crash (RISKS-13.37) A software bug in a crucial FAA computer, one that programmers had identified and had planned to fix Friday, acted up Wednesday morning before they could get to it, shutting down the computer and disrupting Northern California air traffic for about 2 1/2 hours. A spokesman for the Federal Aviation Administration said a back-up computer system immediately kicked in and that while departing flights were held back at many airports, no planes in the air during the shutdown were ever endangered. [San Jose Mercury News, 9 Apr 1992] ---Howard Israel, AT&T Bell Labs, 201 386 4678 ------------------------------ Date: Sun, 19 Apr 92 13:06:58 PDT From: "Peter G. Neumann" Subject: More delays at East Bay air traffic control center The Oakland Air Route Traffic Control Center in Fremont CA had receivers for 12 of its 50 radio frequencies go dead on 17 April 1992. The partial outage lasted for about 1.5 hours and delayed 36 outgoing flights from San Francisco (up to 27 minutes), 7 from Oakland, and one from San Jose. The reason was undetermined. [Source: San Francisco Chronicle, 18 Apr 1992, p.A13] ------------------------------ Date: Sun, 19 Apr 92 12:59:54 PDT From: "Peter G. Neumann" Subject: Drugs by EMail Two men have been arrested for selling cocaine via the Charles Schwab company EMail, where they had been employed in the back-room of the San Francisco office. The company has a vigilant policy against drugs in the workplace, although the National Institute of Drug Abuse estimates that 10 percent of the country's workforce regularly uses drugs while at work. [Source: San Francisco Chronicle, 18 Apr 1992, p.A13] ------------------------------ Date: 15 Apr 92 08:32:31 GMT From: knapp@cs.utexas.edu (Edgar Knapp) Newsgroups: comp.sys.mac.announce Subject: Potentially disastrous bug in MacInTax Summary: MacInTax miscalculates tax data [Forwarded to RISKS by nick@dcs.edinburgh.ac.uk] [NOTE from the moderator: I have no way to confirm this bug report but given the critical date and the fact that the IRS isn't going to care whose fault it was, and the standard software warranty doesn't promise anything to the purchaser anyway, I hope you will agree with me that approving this article is the right thing to do at this time. ---Werner ] There is a recalculation bug in MacInTax which can lead to income not being reported. The problem occurs when opening a previously saved tax data file. MacInTax often and reproducibly fails to correctly incorporate certain types of income (1099-Misc, for instance). This can lead to IRS audits and penalties, since income reported on the return and income reported directly to the IRS don't match. The work-around for the problem is to force a recalculation of the income entered into MacInTax, by unchecking and rechecking the Routing Information box of at least one of the affected 1099s in "FORM 1099: Miscellaneous Income Statement". ChipSoft is aware of the bug, but prefers to call it an inadvertent inaccurate recalculation problem. Also, even though this is not 100% reproducible, make sure you save you return before selecting "Open Notes..." from the Windows menu, or La Bomba may make tax time even more taxing. Edgar (knapp@cs.utexas.edu) ------------------------------ Date: Fri, 17 Apr 92 17:07:55 PDT From: "Peter G. Neumann" Subject: Automagically generated phone books SRI just issued an errata sheet on the new telephone directory. * The parking lot and road overlay on the building graphic was printed upside down, with North and South reversed. It sure looked strange. * The Office of Corporate Compliance was erroneously listed as the Office of Corporate Complaints in the list of FREQUENTLY USED PHONE NUMBERS. Perhaps they know something I didn't. I didn't think the correct listing would be frequently used, although the erroneous one might. ------------------------------ Date: Thu, 16 Apr 92 11:47 EDT From: Carl_Ellison@vos.stratus.com Subject: Re: Risks of editors -- Mass Pike The Massachusetts Turnpike handed out a nicely printed flier the other day, advertizing their maintenance plans (and trying to get some PR, no doubt). This flier included the sentence "Since the initial turnpike was opened to traffic in 1957, billions of vehicles have traveled over the 135-mile road and its 260 brides [sic], and these facilities are showing the ravages of time and traffic." This example is just cute -- but representative. In the inefficient old days, so many different humans were involved in the process ending with typesetting that typos like this almost never made it into print. We have made editors, spelling checkers, grammar checkers (all of which allow that typo to happen). How are we going to get back the level of checking we had when it took 5 different people to get something printed? [The opera The Bartered Bride is often cited in print as The Battered Bride. But don't forget that some typos are inserted rather intentionally by frustrated typesetters. I have one dandy that cannot be repeated here. PGN] ------------------------------ Date: Thu, 16 Apr 92 11:12:13 GMT From: Brian Tompsett Subject: Re: Long call wait for London Ambulances (RISKS-13.38) From the BBC Radio 4 programme "Punters" broadcast this morning 16th April 92. An item was about the long time callers have to wait for the London Ambulance Service to answer the phone after an emergency call (999). The programme mentioned several cases where callers waited up to 15 minutes for the central Ambulance control room to answer the phone. During that time the BT (Phone Company) operators are handling the call. The operators tell of hearing people die on the other end of the phone while the ambulance station plays a recorded message "please hold all lines are busy and we will get to you as soon as possible". A spokesman for the Ambulance workers union (NUPE) claimed that the cause was due to a combination of undermanning and the implementation of a new computerised call handling system. He accused the computerised system of "just losing calls in the system". He also claimed the number of deaths in north London became so acute that the computer system was withdrawn. A spokesman for the Ambulance service indicated that they are going through the normal number of "teething troubles" that one gets when introducing any new system or techology, and no one had anything to worry about. When the system was working properly in about 6 months all calls will be handled within 30 seconds. At that point we can rely on a computer system that is 100% reliable and safe. [Moving off of computers here] When Challenged about the long waits for calls to be answered, he agreed that they were occurring. He said that the Ambulance service must run like any other business and compared it to the Bus and Rail services. He pointed out that he could no more be expected to answer all the calls at peak times than those other services could. The phrase "businesses operating economically and efficiently" was mentioned more than once. He also blamed the public for calling them too much and clogging the lines. In the light of my recent comments on the media let me note that this program was probably prepared in the wind up to the recent General Election and held in the can as being too "political". My worries: there is a chance that some computerised systems will not be seen as safety critical, but rather as mundane and ordinary. This might be particularly the case (where in the UK) there is a movement to stop some public services being seen as "special" and to run them like "any other commercial entity". No special care will then be taken in their commission. Others may make other interpretations. I found it hard to document this in a politically neutral way. Brian Tompsett, Computer Science, University of Hull ------------------------------ Date: 17 Apr 92 05:06:16 GMT From: eric@snark.thyrsus.com (Eric S. Raymond) Subject: Re: FBI wiretaps (Karn, RISKS-13.41) In the middle of a long, thoughtful post on the proposed FBI wiretap bill, Phil Karn made a point which I think can stand some elaboration. In social as well as physical systems, there is no action without equal and opposite reaction. In considering the cost/benefit of *any* law which trades off a loss of privacy and personal freedom against the suppression of criminal activity, we need to evaluate the countermeasures available to criminals. Often, these countermeasures render the law ineffective --- so that honest people are left to suffer only the costs and never see the anticipated benefits. The proposed wiretap bill clearly has this defect. The facilities the FBI wants to mandate can be defeated with inexpensive end-to-end encryption devices. Thus, supporters of the bill can only maintain their position and the FBI's advantage by intending to ban such encryption devices. I don't propose to address the damage to our civil liberties that would entail just now, nor the dangerous precedent it would in turn set, except to opine that I would *far* rather live with whatever percentage of criminal activity wiretaps could theoretically suppress than with the potential for systematic governmental mischief implied by wiretaps and encryption bans. The argument I prefer to make here is that a ban on encryption devices would itself have the same *pragmatic* defects as the wiretap bill. Prohibition does not work; criminals would still use and sell encryption devices, and only the honest would be exposed to government error and malice. It is all too easy to imagine the wiretap bill as the beginning of an action/reaction spiral in which each further encroachment upon the liberties of honest people is `justified' by criminal adaptations to the last one. If you consider this implausible, take a moment to consider the disastrous histories and perverse effects of gun control and the "war on drugs". We have seen this cycle before. Let's not start another one. Eric S. Raymond = eric@snark.thyrsus.com (mad mastermind of TMN-Netnews) ------------------------------ Date: Fri, 17 Apr 92 12:53:07 -0400 From: rsw@cs.brown.edu (Bob Weiner) Subject: Re: Intercept legislation (Parker, RISKS-13.41) Your article to RISKS suggests that the FBI's proposed legislation to provide unsecure hooks in telecommunications equipment is necessary to prevent serious crime. Could you explain to the readers how such legislation will help the FBI intercept calls that are encrypted at the transmitting phone and decrypted at the receiving end, which one would assume serious criminals could easily equip themselves with? If it can, then I buy your point. If it can't, then one has the clear possibility of abuse without the clear possibility of utility in the most serious cases. Bob ------------------------------ Date: 17 Apr 1992 13:59:53 U From: "Donn Parker" Subject: Re: Intercept legislation [response to Bob Weiner] Thanks for your inquiry. Criminals' use of crypto is a separate problem from the intercept issue. It was addressed by the ill-fated DOJ-sponsored Senate bill S266. Easily obtained crypto products will provide a new absolute right of privacy of communication that will obviously be used by some criminals--probably the worst ones. However, the court-ordered intercept will still be of great use for clear text criminal communications. I have interviewed over 150 computer criminals and find many of them to be pretty dumb, lazy, and not very careful some of the time. For example, consider how dumb Gotti and his pals were to have their conversations compromised even when they knew the Feds were intensely investigating them. Therefore, I conclude that there will still be many communications among and from suspected criminals in the clear for which the intercept capability will be valuable. Donn ------------------------------ Date: Fri, 17 Apr 92 14:40:05 PDT From: [anonymous] Subject: Credit-card fraud Computer hackers slick at credit card fraud, say police (by Bruce V. Bigelow and Dwight C. Daniels, Copley News Service) SAN DIEGO An electronic web of young computer hackers who use high-tech methods to make fraudulent credit card charges and carry out other illegal activities nationwide has been uncovered by San Diego police. The informal underground network has been trading information "to further their criminal careers," said Detective Dennis Sadler. The hackers know how to break computer security codes, create credit card accounts and make fraudulent credit card purchases, among other things, he said. "These kids can get any information they want on you. Period," said Sadler, who works in the San Diego Police Department's Northern Division. "We didn't believe it until it was demonstrated to us." As many as 1,000 "hard-core" hackers across the United States have shared such data, Sadler said, although it's unclear how many have actually used the information to commit crimes. "It's been going on for at least four years," he said. He estimated that illegal charges to credit cards could total "millions of dollars." Computer criminals "don't go out and charge a thousand dollars every day," Sadler said. "But they have the access and the means to do it any time they want." A crucial break in the case occurred late March, said Sadler, when an out-of-state hacker was picked up in San Diego and agreed to cooperate with police and the FBI. Detectives brought the hacker to a San Diego computer store that has provided equipment and technical assistance to authorities, according to a source familiar with the investigation. Sadler refused to discuss details, however, saying that the investigation is continuing. Scores of arrests are pending nationwide, he said. In recent months, the investigation has led to two arrests in Ohio and the seizure of computers and related material in New York City, the Philadelphia area and Seattle. Yet, Sadler said, those cases represent only an "offshoot" of the main investigation. A San Diego hacker who was questioned by authorities says the case appears to be as big as "Operation Sun Devil," a continuing federal investigation into computer crimes that prompted raids in San Diego and 11 other cities almost two years ago. Typically, fraudulent credit card charges are racked up by computer criminals who illegally gather detailed information from computerized accounts on file at credit reporting agencies, banks and other businesses. Electronic trespassers can use a credit card holder's name, address and other personal information gleaned from account files to fraudulently verify purchases, a crime known in hacker vernacular as "carding." Such methods make catalog purchases by telephone a cinch. Smooth-talking hackers have even acquired haircuts and meals by verifying their credit card purchases with personal information, Sadler said. "There's one kid who bragged about using the same credit card number for eight months," Sadler said. The hackers have learned how to break personal security codes for automatic teller machines, Sadler said. Further, using computers, hackers can employ a variety of techniques to obtain long-distance telephone access codes and illegally make telephone calls without paying. "People don't realize what's going on out there," Sadler said. "If you did, you'd shred your credit cards." MasterCard International reported total losses of $381 million from credit card fraud of all types worldwide in 1991, according to Warner Brown, MasterCard's director of security and fraud control in Los Angeles. Losses at Visa International amounted to $259 million in 1989, about one-tenth of a percent of Visa's worldwide sales volumes, said Gregory Holmes, a Visa spokesman in San Francisco. American Express has a policy against revealing the extent of its fraud losses, a spokeswoman said. No figures are available on how much credit card fraud is committed by hackers. "I wouldn't even hazard a guess," said Spencer Nilson, who publishes a bimonthly newsletter in Santa Monica, Calif., about the credit card industry. Customers don't learn about a fraudulent purchase until they get billed, and any overcharges are disputed for three to six months, Nilson said. At least part of the investigation is focused on credit information gathered illegally by computer from Equifax Credit Information Services, a credit reporting agency based in Atlanta. "We're still in the process of investigating, and we're working very closely with San Diego police," said Tina Black, an Equifax spokeswoman. The company, which provides credit information to lenders, is notifying consumers whose accounts were compromised, Black said. Equifax suffered no financial losses itself, and Black could provide no information about possible losses to consumers. "Right now, it looks like only a few," probably fewer than 25, she said. Equifax disclosed in February, however, that a different group of hackers, including two teen-agers from Kettering, Ohio, had infiltrated its computer, using an Equifax customer number and password code to obtain credit information and bill-paying histories of Midwestern consumers. The two juveniles, who were not identified, face federal and state charges stemming from the computer break-in, said Kettering police spokesman Jeff Caldwell. Equifax computer experts are checking to determine if computer trespassers created phony consumer files in the agency's mainframe computer. Equifax, one of the nation's three largest credit bureaus, had revenues of $1.1 billion in 1991 and possesses a database of about 170 million credit files. [An AP version of this story appeared on the front page of the San Francisco Chronicle, 18 Apr 1992] ------------------------------ Date: Wed, 18 Mar 92 12:49 EST From: [anonymous] Subject: Harper's article on Personal Data for Sale Harper's Magazine, March 1992, p.21 [Brochure] FOR SALE: DATA ABOUT YOU (From a sales brochure distributed in 1990 by Nationwide Electronic Tracking (NET), an information-brokering company located in Tampa, Florida. Last December the FBI identified NET as the center of a nationwide organization that illegally obtained and sold information, stored in government computers, about private individuals. According to the FBI, NET paid employees of federal agencies, including the Social Security Administration and the Secret Service, to procure records from various computer networks that are easily accessible to thousands of government workers. The accessed networks included the FBI's National Criminal Information Center, private credit-reporting systems, and the Social Security Administration's computer database, which holds personal data, employment histories, and salary information on about 200 million Americans.) In our complex, fast-moving society, information is a constantly changing resource. Every day billions of records and documents, containing information on millions of people, must be revised and updated. Sorting through it all for the one particular bit of information you need can be time-consuming and expensive--a frustrating series of false starts, dead ends, and legal barriers. Unfortunately, getting reliable information, and getting it quickly, can often mean the difference between success and failure. Nationwide Electronic Tracking (NET) can get the information you need--when you need it. NET is a high-speed, computer-based telecommunications network, designed to gain instant access to difficult-to-obtain "confidential" information from more than 1000 sources nationwide. Credit-bureau reports, Social Security searches, electronic cross-directories, and criminal, motor-vehicle, and driving records are just a few of the kinds of information NET can obtain faster than the competition. GUIDE TO SERVICES HOME ADDRESS PROVIDES SOCIAL SECURITY NUMBER With name and address, will conduct nationwide search for Social Security number. 2 hours, $10 SOCIAL SECURITY NUMBER PROVIDES HOME ADDRESS With Social Security number, will obtain name and home address. 1-2 hours, $7.50 RESIDENT IDENTIFIER Gives names of current residents at a given address. 1 hour, $10 STREET ADDRESS OF POST OFFICE-BOX RENTER With subject's name, box number, city, state, and zip code, will obtain renter's street address. 1-2 weeks, $50 NATIONAL NEIGHBOR UPDATE With subject's name and address, will obtain names, phone numbers, and addresses of up to nine current neighbors. 1-2 hours, $10 EMPLOYMENT SEARCH With name and Social Security number, will obtain current place of employment. 1 week, $75 EMPLOYMENT HISTORIES With name and Social Security number, will obtain recent places of employment and subject's earnings. last three years: 3-5 days, $100 last five years: 3-5 days, $120 last ten years: 3-5 days, $175 WORKMEN'S COMPENSATION CHECK (FLORIDA ONLY) With subject's Social Security number and last known address, will obtain any claims filed. 24 hours, $75 CREDIT REPORT Subject's credit history. 1-2 hours, $10 MOTOR VEHICLE INFORMATION With title number, vehicle number, or license plate number, will obtain name and address of owner, make of vehicle, and license plate number. Florida, Texas, or New York: 1 hour, $10 all other states: 2-4 days, $20 DRIVER'S LICENSE RECORD With driver's license number, will obtain home address, traffic violations, and DUI [Driving Under the Influence] charges. We can also obtain information with only individual's name and date of birth; add three days and $30 for this service. 24-48 hours, $15 CRIMINAL HISTORY With name, date of birth, sex, and race, will obtain criminal history. 1 week, $100 ------------------------------ Date: Fri, 17 Apr 92 07:51:03 EDT From: lorrayne@smiley.mitre.org (Lorrayne Schaefer) Subject: SURVEY: Is Big Brother Watching You? SURVEY: MONITORING IN THE WORKPLACE The purpose of this survey is to collect data for a presentation that I will give at this year's National Computer Security Conference in October. I would like to thank you for taking the time to fill out this survey. If you have any questions, you can call me at 703-883-5301 or send me email at lorrayne@smiley.mitre.org. Expand white space as needed [squeezed for RISKS to save paper], and please send your completed survey to: Lorrayne Schaefer The MITRE Corporation M/S Z213 7525 Colshire Drive McLean, VA 22102 lorrayne@smiley.mitre.org (Lorrayne Schaefer) 1. What is your title? 2. What type of work does your organization do? 3. Does your organization currently monitor computer activity? (Yes/No) a. If yes, what type of monitoring does your company do (e.g., electronic mail, bulletin boards, telephone, system activity, network activity)? b. Why does your company choose to monitor these things and how is it done? 4. If you are considering (or are currently) using a monitoring tool, what exactly would you monitor? How would you protect this information? 5. Are you for or against monitoring? Why/why not? Think in terms of whether it is ethical or unethical ("ethical" meaning that it is right and "unethical" meaning it is wrong) for an employer to monitor an employee's computer usage. In your response, consider that the employee is allowed by the company to use the computer and the company currently monitors computer activity. 6. If your company monitors employees, is it clearly defined in your company policy? 7. In your opinion, does the employee have rights in terms of being monitored? 8. In your opinion, does the company have rights to protect its assets by using a form of monitoring tool? 9. If you are being monitored, do you take offense? Managers: How do you handle situations in which the employee takes offense at being monitored? 10. What measures does your company use to prevent misuse of monitoring in the workplace? 11. If an employee is caught abusing the monitoring tool, what would happen to that individual? If your company is not using any form of monitoring, what do you think should happen to an individual who abused the tool? 12. Is it unethical to monitor electronic mail to determine if the employee is not abusing this company resource (e.g., suppose the employee sends personal notes via a network to others that are not work related)? Why or why not? ------------------------------ End of RISKS-FORUM Digest 13.42 ************************