Subject: RISKS DIGEST 13.74
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 20 August 1992  Volume 13 : Issue 74

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
California Woman Convicted in Computerized Income Tax Refund Scheme (Nigel Allen)
High-tech, discriminatory bathrooms... (Gary Friedman)
Secret Service -- the TV show (Stephen Tihor)
Novell Netware protection? (Fred Cohen)
Risks of Relying on Computerized Records in Court (Mark Rasch)
Barclays Voice-Mail system reveals card numbers (Adrian Howard)
Voting machine failure reveals lack of backup plan (John Long)
Macs becoming popular in Bulgaria (Klaus Brunnstein)
Gold Card with wrong name, odd riders (Jane Beckman)
PRIVACY Forum reminder (Lauren Weinstein)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others may be ignored!  Contributions will not be ACKed.  The load is too great.
**PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks.
REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).
Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
For information regarding delivery of RISKS by FAX, phone 310-455-9300
(or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Tue, 18 Aug 92 23:34:25 EDT
From: Nigel.Allen@lambada.oit.unc.edu
Subject: California Woman Convicted in Computerized Income Tax Refund Scheme

Here is a press release from the U.S. Justice Department.

California Woman Convicted in Income Tax Refund Scheme
To: National Desk, California Correspondent
Contact: U.S. Department of Justice, 202-514-2007

FRESNO, Calif., Aug. 18 /U.S. Newswire/ -- Acting Assistant Attorney General James A. Bruton and the United States Attorney for the Eastern District of California, George L. O'Connell, announced Monday, Aug. 17, that Enedina Ochoa of Turlock, Calif., 26, was convicted by a federal jury on Friday, Aug. 14, of one count of conspiracy to defraud the government and 20 counts of assisting others in filing false income tax refund claims with the Internal Revenue Service. The jury trial lasted four days before United States District Judge Oliver W. Wanger. Wanger ordered Ochoa held in custody pending sentencing.

Ochoa's scheme exploited the Internal Revenue Service's newly implemented electronic filing system, which allows filers of refund claims to receive their refund checks in one or two days. By causing large numbers of false refund claims to be electronically filed, Ochoa and her co-conspirator, Karleena Pulido, fraudulently obtained approximately $100,000 from the Internal Revenue Service. Most of the criminal activity involved 1991 federal income tax returns filed earlier this year.

Ochoa and Pulido, a Turlock income tax preparer who pled guilty two weeks ago to conspiracy to defraud the government and 29 counts of assisting others in filing false claims for income tax refunds, engaged in a scheme to electronically file false refund claims with the I.R.S. by recruiting individuals to provide their real names and social security numbers for use by Pulido on false Forms W-2 which Pulido fabricated.
Ochoa then assisted the recruited individuals in electronically filing these false refund claims with the I.R.S. from electronic return transmitters such as Cash-N-Dash, an income tax transmittal and check cashing service headquartered in Fresno. Ochoa and Pulido then divided the refund proceeds among themselves and the individuals they recruited. The long-standing I.R.S. system of filing paper returns requires a taxpayer to wait several weeks before receiving a refund check.

Ochoa and Pulido face a maximum sentence of ten years imprisonment and a fine of $250,000 for the conspiracy convictions and five years imprisonment for each conviction of assisting in the filing of a false claim. Sentencing is set for Oct. 19, and Oct. 26, for Pulido and Ochoa, respectively, before Wanger.

The case is the result of an extensive and ongoing investigation of electronic filing fraud by special agents of the Internal Revenue Service's Criminal Investigation Division, and was prosecuted by Department of Justice Tax Division Trial Attorneys Eric C. Lisann and Floyd J. Miller. It is the first prosecution of this type of crime in this judicial district, and is one of only a very few such cases that have gone to trial anywhere in the United States since the inception of the Internal Revenue Service's electronic filing system.

Acting Assistant Attorney General James Bruton stated, "This conviction serves as notice that the federal government is committed to early detection and prosecution of electronic filing schemes. Blatant abuse of the Internal Revenue Service's computerized refund program will not be tolerated."

According to Rick Speier, chief of the Internal Revenue Service's Criminal Investigation Division in San Jose and Fresno, "as the use of electronic filing increases, the Internal Revenue Service will continue to be vigilant in identifying electronic filing schemes organized by unscrupulous individuals who seek to exploit the system for criminal purposes."
------------------------------

Date: Mon, 17 Aug 92 15:24:12 PDT
From: garyf@puente.Jpl.Nasa.Gov (Gary Friedman)
Subject: High-tech, discriminatory bathrooms...

The Santa Monica, CA Municipal Pier has recently added new "high-tech" public restrooms that are discriminatory about to whom they will dispense water. Like many of the new breed of restrooms increasingly found in airports, both the urinals and the washbasins have an infrared proximity sensor which turns the water on and off for you; there's no need to ever touch a control.

A nine-year-old who was with me stood in front of a washbasin I had just used, and got mad when the faucet wouldn't turn on for him. Nothing he tried, including covering the sensor with his hand, would work. Only after I suggested jumping up and down and waving his hands above his head did the faucet finally acknowledge that a human was there and grant the public resource, and then promptly quit a few seconds later when his hands moved down to be washed.

I know the problem of people leaving conventional faucets running unattended is ancient, and that many solutions have been tried in the past to combat it; such as the mechanical push button which will let the water run for anywhere from 1 to 15 seconds, depending on the maintenance history. I see in this new electronic twist to an old problem two new RISKS, one of which is rather serious:

1) Discrimination against short people. This being a public area, it is reasonable to expect children. (It's doubtful that any health epidemic might result from this; after all most kids don't wash their hands and don't prepare food in eating establishments.)

2) I saw no manual overrides for the controls; I assume that if a power failure were to occur (as a result of a natural disaster; not difficult to imagine in California) it would also cut off the water delivery, a crucial resource during such times.
Often during a disaster the electricity is the first thing to go out, while the water flow is much more reliable. This new solution unnecessarily couples the two while providing no perceivable advantages over the older mechanical methods, exacerbating worst-case scenarios. (This gets added to my ever-expanding list encompassing electronic tire pressure gages, electronic carpenter's level, computerized office building directories, microprocessor-based wire strippers, etc. for having no advantages over the prior art but catastrophically fail when the batteries die.)

-Gary Friedman

Gary Friedman, Jet Propulsion Laboratory - NASA, 4800 Oak Grove Drive, Pasadena, CA 91109 (818) 306-6193 {cit-vax,elroy,psivax}!devvax!garyf

------------------------------

Date: 17 Aug 1992 12:24:24 -0400 (EDT)
From: Stephen Tihor 212 998 3052
Subject: Secret Service -- the TV show

Last night NBC broadcast an episode of "Secret Service" in NY at least that featured a straightforward nut-who-wants-to-kill-the-President plot and then a rather confusing account of their high technology defense of a fuzzy city power system against sabotage by a fired employee. I hope someone taped it and caught the exact wording of the disclaimer at the end because it was hard to follow the logic and determine what was the original incident and what was Hollywoodisms.

The piece was prefaced with a brief discussion of some of the risks of power outages. The expert quickly diagnosed the problem as a VIRUS. Persistent references to virus in the context of an electric power control system seemed odd. Since they appeared to be running pre-existing VIRUS checking software on the system one might suspect the "main frame" was an IBM PC or Apple Macintosh running standard software rather than a real time control system or perhaps something larger and safer. Interesting references were made to viruses lurking WITHIN modems.
Then they identified the source of the attacking codes as the local font storage in what appeared to be an old DECwriter dot matrix printer. With some external clues the agents attempt to confront the criminal in his house, which is wired with many falling metal screens, sound effects, and gas but which lacks reinforced walls. The culprit is a classic middle-aged computer geek who appears uncaring about possible loss of life although the agents do not mention to him the risk of a life sentence or the death penalty if others die as a result of his sabotage. He refuses to help them disarm the problem.

The expert has announced that this is a logic bomb and eventually realizes that since the bug code is not in the copy of the system on disk, as long as they shut down without writing memory to disk they can reboot bug free. So a brief deliberate blackout is used to save the city.

I am obviously very curious about the TRUE FACTS of this case and if the show plans to show such other SS triumphs in the war on electronic crime as almost destroying Steve Jackson Games.

   [Program also noted by johana!tsw@apple.com (Tom Watson)]

------------------------------

Date: Wed, 19 Aug 92 8:28:12 EST
From: cohen@fitmail.fit.qut.edu.au (Mr Fred Cohen)
Subject: Novell Netware protection?

I have been doing exhaustive tests on Novell Netware protection, and I cannot believe these people can sell their product on the basis that it is the most secure. If it is, we are in big trouble!!

"Read Only" files are successfully infected by DOS viruses!

"Directory protection" works exactly the opposite of how the manual claims! IN 3 DIFFERENT PLACES!!!

Several protection bits work from a Macintosh, but not from DOS machines!! What kind of network protection doesn't work when the user uses a different machine to login?!? Protection based in the user's machine and not on the server!!!

A shareware product successfully gathers passwords from the net as they are entered by the users!
For $35 I can get every password on your network (if I choose to pay the shareware licensing fees to be honest about it).

Passwords can be ANYTHING - including nothing at all! The supervisor password on our network is empty, so anyone on the net can login with no password (we are physically isolated - but how about some password controls!)

So-called Execute Only protection does not prevent companion viruses from working, and prevents the sys admin from verifying program integrity, prevents backup and restore of execute-only files, and thus is a great hindrance to protection!

These were the results of the first 2 DAYS of experiments! If we can find this many problems in 2 days (while not explicitly trying to look for these kinds of holes), I can't imagine anyone claiming this system to be the best available security. But who knows? In the next few days we will be looking at Unix based servers!

FC

------------------------------

Date: Wed, 19 Aug 92 11:46 EDT
From: Rasch@DOCKMASTER.NCSC.MIL
Subject: Risks of Relying on Computerized Records in Court

Joe Konstan reports that CALL TRACE would pick up the identity of the individual responsible for making the harassing telephone calls even if RETURN CALL did not. He notes that "the switch does know who placed the call..." However, this assumes that the switch itself (which is computer software, after all) is operating properly, and isn't the cause of the problem. Even assuming no "bug" in the switch, there is always the (very real) danger that the switch can be compromised by unauthorized users (insiders or "hackers"). What this teaches us is that, as computerized systems become more vulnerable to attack and compromise, their reliability is compromised.

As a lawyer and former (computer crime) prosecutor, I can assure you that computerized information is *routinely* accepted as reliable and frequently forms the basis for criminal prosecutions and convictions.
Telephone toll records, credit card records, bank statements and the like are admitted into evidence as "business records" without even a fleeting inquiry into the manner in which they were created. For the most part, Courts "assume" that these records are reliable. While computerized summaries and computer generated reports (created for litigation) are subject to greater scrutiny, they all suffer from the MEGO effect (My Eyes Glaze Over). If I can't understand it, it must be right.

Generally, there is little harm to this. For the most part, computer generated records are reliable, and are relied upon in the ordinary course of business transactions. Indeed, they are frequently more reliable than the "paper" records they replaced and which were routinely accepted. However, the public must be ever vigilant against the possibility of alterations, misinterpretations, and simple errors in these records -- they are not always what they seem.

Mark D. Rasch, Arent Fox Kinter Plotkin & Kahn, Washington, D.C. (202) 857-6154 Rasch@ncsc.dockmaster.mil

------------------------------

Date: Wed, 19 Aug 92 09:48:34 +0100
From: Adrian Howard
Subject: Barclays Voice-Mail system reveals card numbers

From the 18/08/1992 issue of the "Independent" (a "quality" English newspaper.) All transcription mistooks are, of course, my own.

Hackers pinpoint card weaknesses (John Eisenhammer --- Bonn)

Barclays Bank executives in Germany were forced to admit yesterday that young hackers had made a fool of their credit card computer system. According to Hans-Hermann Schräder, the official responsible for the Protection of Information regulations in the state of Hamburg, where the "crime" took place, the bank's computer security was "totally unsatisfactory".

For the past few months, a group of youths in Hamburg have been drawing out information about individual Visa and Eurocard owners, including their credit ratings, in order to show how easily such allegedly confidential information can be used.
Even worse for the bank, which has been running a massive advertising campaign in Germany for its offer of both main credit cards for the price of one, officials still cannot tell from the voice-mail computer records that anything was amiss. It was only after hearing tapes on television, with client voices on them, that Barclays officials conceded that all was not as it should be.

The special voice-mail computer was used by clients confirming that they had received their cards, at which point they provided their personal numbers, and by those requesting a credit limit increase. The information was recorded, not on normal tape but digitally by a computer, and the information was later decoded by bank staff.

According to Rolf Wördemann, a member of Germany's main hacker organisation, the Hamburg Chaos Computer Club, voice-mail computers such as the one at Barclays are as "easy to break as a bicycle lock".

Rather than prosecute, Barclays officials are hoping that the hackers will be willing to co-operate, so that the bank can find out just how bad things are, and who needs new credit cards. The fact that the enterprising youths also managed, once they had accessed Barclays' computer system, to make lengthy international telephone calls at the bank's expense, will be quietly forgotten.

I found this especially amusing since Barclays officials have recently appeared on national news in the UK expounding the infallibility of cash-card machines. I find the automatic assumption that the computer cannot be fouling up exceptionally irritating. The thought of having to give personal numbers over the phone is also a bit of a worry (to me anyway --- but then I'm paranoid :-)

I also dislike the idea that the bank is having to ask the hackers how they did it. Shouldn't they have the expertise to find holes as apparently large as exist in the system? (Then again, if they had the expertise, the holes wouldn't be there.)
The "hackers" in the article, while not exactly represented as heroes, are definitely not painted as villains either. I'm not so sure.

Oh well, another Infallible-Banking-Computer-System (tm) bites the dust!

aids (email: adrianh@cogs.susx.ac.uk)

------------------------------

Date: 17 Aug 92 14:46:00 EDT
From: John (J.O.F.) Long
Subject: Voting machine failure reveals lack of backup plan

This year, I started serving as a registrar for my precinct. Our county started using computerized tallying machines this year, and everyone had to go through required training to learn how to use them. During the training meeting, I asked what would happen if a machine should completely fail. I was assured that this "probably" would never happen. I could swear that some of the sample tallying machines in the back were snickering after this remark.

If there is a blackout to the machines, then voters are supposed to put their ballots into a special slot just for such emergencies. It is assumed that the electricity will come on again later during the day. (What if the power goes out 10 minutes before closing?) After the polls close, the registrar and judges are then supposed to open the special slot and send the ballots through the reader. Ballots cannot be read twice because the machine marks them as they go through.

The machines worked fine during the primary, but during the runoff, in which very few people voted, my machine had a memory error just a few minutes before closing. There was nothing that could be done except send another machine out to me. We only had 21 people vote the entire day (!), so we could have counted it by hand, but the elections board wouldn't allow it! What if there had been several memory failures during the day? Would there be enough backup machines to handle it? What a mess! And why are we so reliant on machines that we cannot allow humans to do something that we can do just as quickly?
John Long, Raleigh, NC, jlong@bnr.ca

------------------------------

Date: 18 Aug 92 18:59 +0100
From:
Subject: Macs becoming popular in Bulgaria

According to a report from Vesselin Bontchev who just returned from his summer vacation in Bulgaria, Macintoshes are becoming quite popular in Bulgaria. Recently, an Apple distributor began to distribute Macs which many Bulgarians found superior to their PC clones and began to like. We strongly hope that this may not attract the interest of the well-known virus authors in Bulgaria and subsequently in other Eastern European countries.

Klaus Brunnstein, University of Hamburg, Germany (August 18, 1992)

------------------------------

Date: Mon, 17 Aug 92 15:46:49 PDT
From: jane@stratus.swdc.stratus.com (Jane Beckman)
Subject: Gold Card with wrong name, odd riders

Everyone gets credit card "pre-approval" offers in the mail, but this last one started me wondering. First off, it was addressed to "Jeffery L. Beckmann," with my correct address, down to a zip +4 code. My name is Beckman, not Beckmann (two n's), and my name is Jane G., not Jeffery L. And we won't even go into the way that my gender has gotten switched. So, how did Mr. Beckmann get associated with MY address in whoever's database?

Just for grins, to see what sort of gold Mastercard he was being offered, I read the thing. It had a $10,000 credit line, and NO ONE, repeat, no one, has *ever* offered Beckman, Jane G. a card with that kind of credit line. Weirder still, to get the card, you were *required* to take out a cash advance of a minimum of $2000, up to the $10,000 limit of the card. After much searching through fine print, I found the card was offered by an institution called "First Deposit." Then I found the weirdest part---the terms would only be sent to you when you sent for your pre-approved cash advance and activated the Gold Card.
In short, it could be 50% annual interest, starting to accrue from the time they send you your "advance," and you wouldn't even know it until you had taken the plunge. Even the form was strange---just a signature line and a phone number are to be provided. Normally, these forms ask for independent confirmation of credit---the usual questions about your obligations, etc., even if they are theoretically "pre-approved" (which is actually a misnomer).

Several things occur to me. I could sign Jeffery Beckmann up, collect his cash advance, and skip town, if I were that sort. Who would be responsible? The mysterious Mr. Beckmann, who may not exist? For that matter, what if Jeffery Beckmann's obligations and credit history get mixed up with mine, since his address is obviously already mixed up? And speaking of, HOW did this mystery person get HIS name associated with MY address, aside from a totally superficial resemblance between last names, his not even being spelled the same as mine? What if Mr. Beckmann is an international representative of a drug cartel, and now has his address linked to mine? Will my house suddenly be of interest to some unknown authorities, who are doing computer traces of his activities? What database generated this so generous invitation, and how did it determine that Mr. Beckmann was able to qualify for such a hefty cash advance/credit limit without even knowing his real address?

The RISKS here seem to cover several different aspects of our overly-databased society.

-Jane G. Beckman [jane@swdc.stratus.com]

------------------------------

Date: Tue, 18 Aug 92 11:06 PDT
From: lauren@cv.vortex.com (Lauren Weinstein)
Subject: PRIVACY Forum reminder

   [Lauren Weinstein is urging people to submit their PRIVACY related stories, questions, comments, etc. to his PRIVACY Forum. Apparently not many people know of its existence, or else consider privacy only in the more general context of RISKS.
   PGN]

You can get info about the digest by sending a message to:

   privacy-request@cv.vortex.com

with the words:

   information privacy

in the BODY of the message.

Submissions are explicitly solicited!

--Lauren--

------------------------------

End of RISKS-FORUM Digest 13.74
************************