Subject: RISKS DIGEST 15.37
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 3 January 1994  Volume 15 : Issue 37

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Hacker nurse makes unauthorised changes to prescriptions (John Jones)
Customs Data Diddling (Mich Kabay)
Credit cards again (Mich Kabay)
Tax Frauds (Mich Kabay)
Re: Can SETI signals bear viruses? (Robert Ayers, Dave Weingart,
    James Abendschan)
"When H.A.R.L.I.E. Was One" by Gerrold (Rob Slade)
Request for help with RISKy situation (Alan Wexelblat)

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.
Contributions should be relevant, sound, in good taste, objective, cogent,
coherent, concise, and nonrepetitious.  Diversity is welcome, but not personal
attacks.  CONTRIBUTIONS to risks@csl.sri.com, with appropriate, substantive
"Subject:" line; others may be ignored!  Contributions will not be ACKed; the
load is too great.  **PLEASE** include your name & legitimate Internet FROM:
address, especially .UUCP folks.  If you cannot read RISKS locally as a
newsgroup (e.g., comp.risks), or you need help, send requests to
risks-request@csl.sri.com (not automated).  BITNET users may subscribe via your
favorite LISTSERV: "SUBSCRIBE RISKS".

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>YourName<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 15, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.  The COLON
in "CD RISKS:" is vital.  CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn;
FTPs may differ; UNIX prompts for username, password.  WAIS and
bitftp@pucc.Princeton.EDU are alternative repositories.

IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax;
phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax
delivery.  PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS;
as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot
E-mail risks-request@CSL.SRI.COM .

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM
SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 3 Jan 94 10:09:41 GMT
From: John Jones
Subject: Hacker nurse makes unauthorised changes to prescriptions

The Guardian (21st December, 1993) reports the conviction of a male nurse who
hacked into a hospital's computer system and modified entries, including
prescriptions.  The hacker:

 - prescribed drugs normally used to treat heart disease and high blood
   pressure to a 9-year-old with meningitis.  This change was spotted by a
   ward sister;
 - prescribed antibiotics to a patient in a geriatric ward.  These drugs were
   administered to the patient, with no apparent adverse reaction;
 - "scheduled" an unnecessary X-ray for a patient;
 - "recommended" a discharge for another patient.

The hacker gained access to the computer system after learning the password
through observing a locum doctor having trouble logging in.

He qualified as a nurse in 1989.  He is reported to have undergone a
considerable personality change as the result of a road accident in 1984.  As
well as developing a fascination for computers and other hi-tec equipment, he
had apparently developed a "lack of sensitivity to the consequences of his
actions".  He had been sacked for unprofessional behaviour in 1990, but was
re-employed in 1992 at the same hospital.

He pleaded guilty to unauthorised modification of computer records.  He
offered no explanation for his actions, but denied any malicious intent.  He
was jailed for 12 months.
John Jones (jgj@dcs.hull.ac.uk)

------------------------------

Date: 02 Jan 94 21:12:25 EST
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: Customs Data Diddling

From the Associated Press newswire via Executive News Service (GO ENS) on
CompuServe:

  Customs-Whistleblower, By Michael White, Associated Press Writer

  SAN DIEGO (AP, 30 Dec 1993) -- Some of what Mike Horner regards as his best
  work ultimately destroyed his career as a U.S. Customs Service inspector on
  the Mexican border.  Horner left the service after alleging that
  intelligence reports he filed identifying suspected drug smugglers and their
  vehicles were deleted from Customs' computer network."

This article and another by the same author detail the apparent data diddling
that resulted in first deleting, then re-introducing, Mr Horner's records of
smuggling across the US/Mexican border.  Horner's allegations of malfeasance
were ignored by his superiors.  No one can explain how his deleted entries
could have re-appeared after he left the U.S. Customs Service.

White's next story is

  Customs Smuggling, By Michael White, Associated Press Writer

  LOS ANGELES (AP, 30 Dec 1993) -- Weaknesses in U.S. Customs' cargo tracking
  system may have opened a door for smugglers of drugs and other contraband
  and cost taxpayers millions of tariff dollars, according to sources and
  Customs records.  Among the problems: False inspectors' names are showing up
  on cargo entry records, passing containers without inspection; and seals
  placed on containers bound for distant destinations are breached in transit,
  allowing contraband to be removed or contents stolen between the dock and
  inspection points."

This article deals with irregularities in the computer system used to monitor
the Port of Los Angeles.  Key points of the article:

o some bonded cargos appear to be opened illegally, allowing contraband to be
  removed.
o some inspection records online include names of nonexistent officials;
o records of suspicious shipments which should have initiated followups have
  been overridden with false names.
o 200-400 records of in-bond cargo containers are purged each month because
  the Customs Service cannot trace the containers; an independent study by the
  Treasury Department estimated data destruction in the thousands per month.
o Some employees say that the computer system fools inspectors into relying on
  electronic records instead of their own initiatives when deciding which
  shipments to inspect.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 02 Jan 94 21:11:50 EST
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: Credit cards again

From the Reuter newswire via Executive News Service (GO ENS) on CompuServe:

  Britons Charged with Europe-Wide Credit Card Fraud

  LONDON (Reuter, 30 Dec 1993) - Three Britons have been charged with
  conspiracy in a 2.5 million pound ($3.7 million) Europe-wide credit card
  fraud, police said on Thursday."

The article says that the Birmingham men are accused of having used fake credit
cards and stolen expensive products in France, Britain, Belgium and the
Netherlands.  Apparently other arrests are promised.

Once again we see that one of the world's most frequently used network access
control tokens, the common credit card, is wholly inadequate to protect the
public and the banking industry against fraud.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 02 Jan 94 17:40:16 EST
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: Tax Frauds

From the Washington Post newswire via Executive News Service (GO ENS) on
CompuServe:

  IRS Charges Tax Preparer With $1.1 Million Fraud, By Christopher B. Daly
  Special to The Washington Post

  BOSTON, Dec. 16 - The president of a nationwide tax-preparation service was
  indicted today on charges that he used computers to cheat the Internal
  Revenue Service out of more than $1 million in one of the biggest electronic
  tax fraud cases on record, officials said.  Richard M. Hersch, 56, of
  Ardmore, Pa., was accused of using his company, Quik Tax Dollars Inc. of
  Bryn Mawr, Pa., to file 431 false tax claims and launder $1.1 million..."

The article provides details of the case.  Key points:

o 12 million returns were filed electronically in the 1992 tax year.
o Hersch is accused of making up "145 false tax returns using fictitious names
  and Social Security numbers."
o He then allegedly used an intermediary company, Drake Enterprises, which is
  not accused of wrong-doing, to forward the tax returns to the IRS.
o Hersch received cheques from a local bank which assumed that the bogus
  returns were OK, based on preliminary info from the IRS which simply
  certified that there were no obvious errors.  Since there were no real
  filers, Hersch appears to have kept all the money himself.
o Incidentally, Hersch has been indicted in Philadelphia on charges of stealing
  $262,865 from Provident Bank by passing bad cheques.  He has also been
  indicted on charges of using other people's AmEx cards for more than $1000
  in unauthorized purchases.
o Mr Hersch is currently under house arrest.

Comment: how did this man get to run a tax-preparation service at all?  Aren't
there any background checks for people in this kind of position?  And how
about some kind of verification of the fake Social Security Numbers?  Is it
not possible to check that the SSN is assigned to the person for whom the fake
return was made?

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: Mon, 3 Jan 94 09:17:33 PST
From: ayers@mv.us.adobe.com (Robert Ayers)
Subject: Can SETI signals bear viruses?
  (Cantillo, RISKS-15.36)

The sci-fi classic "A is for Andromeda" by Fred Hoyle is the story of a SETI
signal which is exactly the plans for, and a program for, a very large
computer.  The excitement begins, of course, when (against the advice of one
scientist) the computer is built ...

------------------------------

Date: Mon, 3 Jan 1994 09:12:52 -0500
From: phydeaux@med.cornell.edu (the person your mother warned you about)
Subject: Can SETI signals bear viruses? (Cantillo, RISKS-15.36)

Not sure if this has been treated seriously by industry or academia, but in
Vernor Vinge's (marvelous and Hugo-winning) _A_Fire_Upon_The_Deep_, this very
method was used by a malicious intelligence to take over remote systems.  (In
the book, one main method of communication is by a cosmic equivalent of Usenet
(called either the Known Net or (frequently, and accurately) the Net of a
Million Lies).  The Blight (abovementioned intelligence) transmitted
intelligent packets to take over the remote system).

Personally, I don't think that this is going to be much of a problem right
now.  In order for the information to wreak any real damage (unless you
overload the front end with a powerful signal), the virii would need to run,
and unless the evil LGMs at the other end somehow know the architecture of the
system doing the decoding, I can't see that this is a serious problem.

73 de Dave Weingart KB2CWF   phydeaux@cumc.cornell.edu   (212) 746-3638

------------------------------

Date: Sun, 2 Jan 1994 21:04:28 +0000 (GMT)
From: unkadath!shamus@naucse.cse.nau.edu (James Abendschan)
Subject: Can SETI signals bear viruses? (Cantillo, RISKS-15.36)

I can't help but think you've been reading "Snow Crash" :-)  The relevance is
that, in the course of the narrative, it is discovered the antagonist can
cause a biological "crash" of the minds of programmers who have "firmwired the
binary code in the deep structures of their brain."  He picked this data
stream from stellar emissions recorded via a SETI-like antenna network.  A bit
esoteric, but it made an amusing read.  (The antagonist also vaguely reminded
me of H. Ross Perot; odd.)

For those of you interested, the author is Neal Stephenson and the publisher
is Bantam Spectra.

James

------------------------------

Date: 30 Dec 93 15:28 -0600
From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep"
Subject: "When H.A.R.L.I.E. Was One" by Gerrold

BKHARLIE.RVW   931222

Ballantine Books
101 Fifth Avenue
New York, NY  10003
or
Bantam Doubleday Dell
666 Fifth Avenue
New York, NY  10103

"When H.A.R.L.I.E. Was One", Gerrold, 1972/1988

HARLIE is not a virus.  He/it is an experiment in artificial intelligence.
For the purposes of the book the experiment is a success and HARLIE is alive:
is a person.  The plot revolves (slowly) around the efforts of corporate
management to kill the project (and HARLIE) and the efforts of the computer
(program) and its creators to stave this off.  As in most of Gerrold's books,
the plot is primarily there to set up dialogues in which he can expound his
philosophies.  (The most blatant example of this is in "A Rage for Revenge",
most of which takes place in a seminar, the largest chunk of which is devoted
to an illustration of the standard five-stage model of grieving.)

In both versions, the "virus" is a mere diversion.  It has nothing to do with
the story at all, and is a discussion point between two characters, never
referred to again.  Indeed, in the first version it is introduced as a science
fiction story, "but the thing had been around a long time before that."  Make
of this latter statement what you will.  My resident science fiction expert
can't think of what the prior story might be and ventures that this might be
Asimovian self-citation.

Statements have been made that the virus aspect was downplayed in the second
version.  This is rather ironic.
The virus story gets roughly the same amount of ink in both versions, but the
early one is definitely superior.  HARLIE72 gives a fairly simple and
straightforward account of a self-propagating program.  In fact, aside from
the dependence upon dial-up links, the parallels between the HARLIE72 virus
and the actual CHRISTMA infestation fifteen years later are uncanny.
Specifics include the use of an information source for valid contacts, and a
mutation which loses the self-deletion characteristic.  The HARLIE88
discussion is much more convoluted, bringing in malaria, spores, phages and
parasites.  There are even two separate invocations of the worm, one lower
case and one capitalized, both with different definitions.  (One refers to a
logic bomb, and the other to a virus directed at a specific target.  Neither
definition is so used by anyone else.)  The end result is a completely
iconoclastic set of terminology bearing almost no relation to anything seen in
real life.

To further the irony, HARLIE88 could have been viral.  HARLIE72 could not:
part of the system was advanced hardware which did not exist in other
computers.  Therefore, while HARLIE72 had the ability to program other
computers, such programming could never have resulted in a reproduction
without the additional hardware.  HARLIE88, however, was software only.  To be
sure, the environment included "2k channel, multi-gated, soft-lased,
hyper-state" processors, roughly a million times more powerful than the home
user's "Mac-9000", but still, as one character has it, just chips.  HARLIE88
*could* survive, albeit running more slowly, on other computers.  However,
while one character realizes that HARLIE could be "infectious", the discussion
dies out without realizing that the primary tension of the story has just been
eliminated.

copyright Robert M. Slade, 1993   BKHARLIE.RVW   931222

Vancouver Institute for Research into User Security   Canada V7K 2G6
604-984-4067   ROBERTS@decus.ca   Robert_Slade@sfu.ca   rslade@cue.bc.ca
p1@CyberStore.ca

------------------------------

Date: Thu, 30 Dec 93 15:10:10 -0500
From: "Alan (Miburi-san) Wexelblat"
Subject: Request for help with RISKy situation

My bank has installed one of those bank-by-phone services.  You call up, give
your 10-digit account number, password is the last 4 digits of your SSN, and
off you go.  At the moment the transactions available are purely informational
(get balance, get last 5 checks that cleared, etc.), but they say they plan to
allow operational transactions (e.g. pay bills, transfer money) soon.

The problems of this kind of system have been well-covered here in the past;
what I need help with is also a known problem, but in this case it appears to
be particularly severe.  To wit:

In this system, if you time out too often or enter incorrect information
twice, you are transferred to a human being who is supposed to help you figure
out the system.  In my case I encountered this human twice.  The first time I
had misunderstood which subset of the account digits they wanted.  When I got
to the human, he could apparently see the digits I had typed and he told me
the correct digits to use for my account (how helpful, I thought).

I then called back and tried the new digit set, and it still failed twice.  I
talked to another human being who revealed that not only did he have on his
screen my account #, but also he had the 4-digit password I had typed *and*
the correct password.  It turns out that there was a data transcription error
in my account and they had a wrong SSN for me; thus the password was different
than I expected.  The helpful gentleman -- with NO confirmation of who I was
-- provided the correct four digits to me!!  ARGH!  And I wasn't even *trying*
to do social engineering.

Now, what I would like help from RISKS readers on is how I should draft my
letter of protest/alarm.  To whom within the bank/government/BBB/SEC/etc should
it be sent?  How do I explain to them that (a) they have to guard this
information at least as closely as bank-card PINs; (b) they should provide
some way for me to change my password; (c) they have to train their people a
whole lot better!

At the moment I'm tempted to rant and rave at them, but I know a calm,
well-thought-out, detailed response is more likely to get the results I want.
Should I start off with a phone call?  Has anyone on this list dealt
successfully with similar problems?  Please send suggestions directly to me; I
will summarize back to RISKS and let y'all know if there is any change in the
future.

--Alan Wexelblat, Reality Hacker, Author, and Cyberspace Bard
Media Lab - Advanced Human Interface Group   wex@media.mit.edu   617-258-9168

------------------------------

End of RISKS-FORUM Digest 15.37
************************
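The bank-by-phone flow in Alan Wexelblat's request (10-digit account number plus a 4-digit PIN, two failures hand the caller to a human, and an operator screen that shows both the typed PIN and the correct one) is exactly the design that point (a) of his letter objects to. What follows is an added example, not code from the post or from any bank, showing the same flow built so that the PIN is stored only as a salted hash: the operator's screen can show lock state and an event history but has nothing to read back to a caller, the customer can change the PIN themselves (point b), and recovery means issuing a fresh random temporary PIN after an identity check rather than disclosing the old one. The account numbers, PINs, PBKDF2 iteration count and all function names are constructed for the example.

```python
"""Phone-banking PIN handling where the help desk cannot see the PIN.

Added example, not code from the original RISKS post or from any bank.
Account data, PINs and the PBKDF2 parameters are constructed for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 2             # as in the post: two wrong entries -> a human
PBKDF2_ITERATIONS = 100_000  # assumption for the example, not a bank policy


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # A 4-digit PIN has only 10,000 values, so hashing does not make it strong;
    # it only keeps the stored value unreadable by anyone who can see the record.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    number: str
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    must_change_pin: bool = False
    audit: list = field(default_factory=list)   # events only, never digits


class PhoneBank:
    def __init__(self):
        self._accounts: dict[str, Account] = {}

    def enroll(self, number: str, pin: str) -> None:
        if not (len(number) == 10 and number.isdigit() and len(pin) == 4 and pin.isdigit()):
            raise ValueError("account number must be 10 digits, PIN 4 digits")
        salt = secrets.token_bytes(16)
        self._accounts[number] = Account(number, salt, _hash_pin(pin, salt))

    def login(self, number: str, pin: str) -> str:
        """Return 'ok', 'retry' or 'handoff'. The typed PIN is never stored."""
        acct = self._accounts.get(number)
        if acct is None:
            return "retry"           # unknown account answers like a wrong PIN
        if acct.failures >= MAX_FAILURES:
            return "handoff"         # locked until a help-desk reset
        if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        acct.audit.append("bad PIN")
        return "handoff" if acct.failures >= MAX_FAILURES else "retry"

    def change_pin(self, number: str, old_pin: str, new_pin: str) -> bool:
        """Customer-driven change: proves knowledge of the old PIN, stores the new
        hash under a fresh salt; no operator is involved and none sees either PIN."""
        acct = self._accounts[number]
        if self.login(number, old_pin) != "ok" or not (len(new_pin) == 4 and new_pin.isdigit()):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pin_hash = _hash_pin(new_pin, acct.salt)
        acct.must_change_pin = False
        acct.audit.append("PIN changed by customer")
        return True

    def helpdesk_view(self, number: str) -> dict:
        """What an operator's screen shows: enough to help, no secret to leak."""
        acct = self._accounts[number]
        return {"account": number[-4:].rjust(10, "*"),
                "failures": acct.failures,
                "locked": acct.failures >= MAX_FAILURES,
                "must_change_pin": acct.must_change_pin,
                "audit": list(acct.audit)}

    def helpdesk_reset(self, number: str, identity_verified: bool) -> str:
        """Issue a random temporary PIN for out-of-band delivery (e.g. by post
        to the address of record). Refuses without an identity check, and even
        then the old PIN is not recoverable: only a new one is created."""
        if not identity_verified:
            raise PermissionError("verify caller identity before any reset")
        acct = self._accounts[number]
        temp = f"{secrets.randbelow(10_000):04d}"
        acct.salt = secrets.token_bytes(16)
        acct.pin_hash = _hash_pin(temp, acct.salt)
        acct.failures = 0
        acct.must_change_pin = True
        acct.audit.append("temporary PIN issued after identity check")
        return temp


def demo() -> dict:
    """Replay the sequence from the post against a constructed account."""
    bank = PhoneBank()
    bank.enroll("1234567890", "6789")        # constructed sample account
    results = [bank.login("1234567890", "0000"), bank.login("1234567890", "1111")]
    return {"results": results, "screen": bank.helpdesk_view("1234567890")}
```

Two design points carry the argument: the lockout and the help-desk handoff survive unchanged, so the bank loses nothing in usability, but `helpdesk_view` is the only thing an operator can call and it has no field that could contain a PIN. The transcription error in the post (a wrong SSN on file) becomes a reset after identity verification rather than a disclosure, which is also why a PIN derived from the SSN is a poor choice in the first place: the secret should be something the bank generates or the customer sets, not a value already known to many third parties.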