Subject: RISKS DIGEST 15.54
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 14 February 1994  Volume 15 : Issue 54

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

**** This time, see FIRST item for information on RISKS (comp.risks) ****

Contents:
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. [UPDATED]
Voice-mail phreaking (Mich Kabay)
Electronic Food Stamps (Mich Kabay)
Another ATM "front end" fraud - this time caught (Jonathan Haruni)
[Lighter Side] Risks of computer-literate babies (Robert J Woodhead)
New Novel/Thought experiment... (Peter Wayner)
Recent Articles of Interest (Bob Frankston)
Re: Celebrity Risks -- Bill Gates (John Bush)
Card Fraud and Computer Evidence (Ross Anderson)

----------------------------------------------------------------------

Date: ongoing
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA) with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and Government machines should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, send requests to (not automated). IF YOU ARE ON COMPUSERVE, MCIMAIL, ETC., scream at THEM for a RISKS BBoard/redistr.

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious.
Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "FTP CRVAX.SRI.COM<CR>login anonymous<CR>YourName<CR>CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is vital. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. WAIS and bitftp@pucc.Princeton.EDU are alternative repositories.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

Date: 14 Feb 94 03:20:52 EST
From: "Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
Subject: Voice-mail phreaking

Hacker attempts to chase cupid away

"SAN FRANCISCO (UPI, 10 Feb 1994) -- Two bachelors who rented a billboard to find the perfect mate said Thursday they had fallen victim to a computer hacker who sabotaged their voice mail message and made it X-rated. Steeg Anderson said the original recording that informed callers how they may get hold of the men was changed to a "perverted" sexually suggestive message. He said the tampering occurred sometime Wednesday."
[United Press newswire via Executive News Service (GO ENS) on CompuServe]

The article states that Pacific Bell has been investigating other voice-mail tampering recently as well.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 14 Feb 94 03:21:03 EST
From: "Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
Subject: Electronic Food Stamps

Welfare Cards (By Michael Holmes, Associated Press Writer)

AUSTIN, Texas (AP, 10 Feb 1994) -- Texas plans to begin providing welfare benefits electronically this year with bank-style cards that take the place of paper coupons. The new system is designed to reduce administrative expenses, fraud and theft.

[From the Associated Press newswire via Executive News Service (GO ENS) on CompuServe]

The author continues with the following key points:

o "Electronic benefits transfer" will begin in two counties in autumn 1994 and should be statewide by 1996.
o The Lone Star Card will function like a debit card, allowing holders to purchase food only in cooperating grocery stores.
o Cardholders will use a 4-digit PIN.
o Officials hope the cards will reduce fraud by eliminating all cash from food-stamp transactions (sometimes stores returned change).

It will be interesting to watch this program to see how security aspects are handled.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 14 Feb 1994 10:23:30 GMT
From: jharuni@london.micrognosis.com (Jonathan Haruni)
Subject: Another ATM "front end" fraud - this time caught

An article in London's Evening Standard of February 11 says that "in one of the most ingenious and innovative high-tech crimes of recent years", culprits planted a fake ATM card reader at a London branch of the Midland bank. In a variation on the theme, the reader was not planted over top of the ATM, but was installed to emulate the door opening devices which most banks use.
Users were asked to swipe their cards through the device, and then type in their PINs, to gain admission to the ATM hall. A suspicious customer informed the bank. Some customers had used the device unsuspectingly, but no money was stolen.

I see the following developments:

- As we know, thieves are well able to reproduce magnetic swipe cards. They no longer need to steal people's cards to gain access to their accounts. Any scheme which gives the card number and PIN will do. If this plan really qualified as "ingenious" it would have transmitted the data by radio directly to the thieves' card making machine, and the resulting cards would have been used without delay.

- The article was on the front page of a popular newspaper. Although it did contain some excess verbiage (such as the quote above) it also contained all the salient technical details, it described the extent of success and the outcome of the scheme. There is a quote from a bank spokesman and a quote from the police. I've never seen such a complete description of a RISK-worthy story in such a prominent position. Is this a sign that the non-technical public are becoming more aware of the risks of technology, or at least more interested in it?

Jonathan Haruni

------------------------------

Date: Tue, 15 Feb 1994 09:07:29 +0900
From: Robert J Woodhead
Subject: [Lighter Side] Risks of computer-literate babies

My wife and I are blessed with an extremely literate 14-month-old boy. James is extremely enamoured of technology in general, with special attention being given to remote controls and our family Powerbook laptop.

As you might expect, we suffered through the usual baby-instigated data processing disasters (leave the Mac unattended for a moment and he'll go and click the mouse or hit keys in such a way as to maximize the damage), but we have since adjusted to these dangers. Yesterday, however, he got us but good.
In a display of hitherto unsuspected manual dexterity, he managed to introduce into the floppy disc drive a used popsicle stick, a fact not discovered until some time later when an attempt was made to insert a floppy into the drive. 15 minutes and a spirited display of vocabulary on the part of this author later, the errant splinter was removed with the help of a bent paperclip. In a tribute to modern floppy disc design, the drive has apparently survived the introduction of wood pulp and traces of raspberry juice.

The risks are of course obvious. As our children become more and more computer literate at an earlier age, we need to develop a new BABYSPEC specification (similar to MILSPEC but tougher), which should include (but not be limited to)

* Diskette drive flaps that only flap for real diskettes.
* Hardened keyboards capable of withstanding two-fisted infant impacts (our "f" key will never be quite the same, though we did manage to get it working again with a paperclip).
* Smudge-resistant screens.
* Washable.
* And, of course, a baby-proof paperclip storage area.

Robert J. Woodhead, Biar Games / AnimEigo, Incs.  trebor@forEtune.co.jp

------------------------------

Date: 12 Feb 1994 18:46:50 -0500
From: pcw@access.digex.net (Peter Wayner)
Subject: New Novel/Thought experiment...

If you're interested in a thought experiment about how to abuse the Intelligence system and products like Clipper, then read Joe Finder's new novel, _Extraordinary Powers_ (Ballantine). It's a great spy novel/technothriller that kept me up long past my bedtime. Saying any more would spoil the story. (I should say that he is a friend...)

Peter

------------------------------

Date: Mon, 14 Feb 1994 00:26 -0400
From: Bob_Frankston@frankston.com
Subject: Recent Articles of Interest

I won't attempt to do more than a very brief comment on each one. As I've noted in the past, some of us (would like to) assume that simply placing a reference (link) should be sufficient.
In the world of the Web it's actually starting to happen.

Discover Magazine (March 1994) has an article entitled "Counting on Dyscalculia" (which I've called innumeracy). It discusses various problems familiar to Risks readers such as the fact that a false positive rate on a rare disease produces results which are not very good indicators of whether you have the disease. It mentions the impact on public policy such as banning substances at levels that are a fraction of what we ingest anyway.

A recent issue of Science News (which I put aside to mention here and have yet to find again) summarizes research on the difference between logical reasoning and human reasoning. In many cases humans reason correctly. These are the cases that make sense to the person doing the reasoning. Otherwise they can be very far off. It covers some of the open issues such as how much people use correlation and coincidence because of its evolutionary advantages in the absence of complex reasoning. Again, not a surprising article for Risks readers. It does jibe with my observation that phrases like "Couldn't care less" and "could care less" mean the same thing because the sentence is analyzed against one's own semantic biases as opposed to logical analysis.

The Feb. 13th Sunday New York Times had two articles. One is by Peter Lewis based on the CERT alert. It has a sidebar illustrating how a Kerberos challenge/response key system works. Lawrence Fisher has an article on the changes in Telecommuting since the San Francisco earthquake. It says that security is a serious concern and has some discussion on approaches.

------------------------------

Date: Mon, 14 Feb 1994 18:48:48 -0500 (EST)
From: John Bush
Subject: Re: Celebrity Risks -- Bill Gates

In RISKS-15.53, Jack B. Rochester writes:

> The Jan. 10, 1994 issue of The New Yorker has a long, juicy article entitled
> "E-Mail From Bill,"

And NOW, from the 21 Feb 1994 issue of BusinessWeek:

BILL GATES INUNDATED IN BOX

A personality profile in _The New Yorker_ magazine's Jan. 10 issue revealed Bill Gates's electronic-mail address -- and his electronic in box hasn't been the same since. "I've got 5,000 messages stacked up," says Gates, CEO of the Redmond (Wash.) giant, Microsoft. That's up from no more than 10 e-mail messages daily before from the outside (although he may receive as many as 250 per day internally).

Until the article ran, the software billionaire was never too busy to read -- and often respond to -- messages sent from around the world via the Internet data highway. Gates chats with outsiders on items that include technology and business opportunities. In his email -ure of the Information Superhighway and his analysis of F. Scott Fitzgerald's _The Great Gatsby_.

[This article has been taken verbatim from the magazine. I assume that last sentence is a misprint?]

Now, though, he has been forced to use a software program that sifts through the deluge to identify items from important people such as Intel CEO Andrew Grove. But what about the thousands of notes from who-knows-who that continue to stream in and sit in computer memory, ungraced by Bill's attention? Gates has never had anyone else read his electronic mail for him, "but I'm seriously considering it now."

..End of article.

If I remember correctly, that address is "billg@microsoft.com"...

------------------------------

Date: Mon, 14 Feb 1994 13:15:28 GMT
From: Ross.Anderson@cl.cam.ac.uk
Subject: CARD FRAUD AND COMPUTER EVIDENCE

A case has just concluded in England which may be significant for computer and cryptographic evidence in general, and for electronic banking in particular. It also gives some interesting insights into the quality assurance and fraud investigation practices of one of Britain's largest financial institutions.
I will be talking about this case to the BCS Computer Law Special Interest Group on Thursday 17th February at 6pm. The meeting will be held at the offices of Bristows Cooke Carpmael, which can be found at 10 Lincoln's Inn Fields. To get there, take the tube to Holborn, exit southwards and turn second left into Remnant Street.

For the sake of those who cannot make it, there follows a report of the case from the notes I made during the hearing.

* * *

1. Background.

On February 8th, 10th and 11th, I attended the trial at Mildenhall Magistrates' Court, Suffolk, England, of a man who was charged with attempting to obtain money by deception after he complained that he had not made six of the automatic teller machine transactions which appeared on his statement.

The essence of the case was that John Munden, a police constable, had complained to the manager of the Halifax Building Society in Newmarket about these transactions, which appeared in September 1992. He had also stated that his card had been in his possession at all times. Since the society was satisfied about the security of its computer systems, it was alleged to follow that Munden must have made these transactions, or suffered them to be made; and thus that his complaint was dishonest.

This trial had resumed after being adjourned in late 1993. According to the clerk, evidence was given for the Crown at the initial hearing by Mr Beresford of the Halifax Building Society that the society was satisfied that its systems were secure, and so the transaction must have been made with the card and PIN issued to the customer. Beresford had no expert knowledge of computer systems, and had not done the investigation himself, but had left it to a member of his department. He said that fraudulent transactions were rarely if ever made from lobby ATMs because of the visible cameras.

The Newmarket branch manager, Mr Morgan, testified that one of the transactions at issue had indeed been made from a machine inside the branch.
He also said that in his opinion the defendant had been convinced that he had not made the transaction; and that he would not be aware of all the possible malfunctions of the ATM.

The defence had objected that the evidence about the reliability of the computer systems was inadmissible as Beresford was not an expert. The court allowed the prosecution an adjournment to go and look for some evidence; and at the last minute, on the 20th January, I was instructed by Mr Munden's solicitor to act as an expert witness for the defence.

2. The Prosecution Case.

On 8th February, Beresford's evidence resumed. He admitted that the Halifax had some 150-200 `unresolved' transactions over the previous 3-4 years, and that it would be possible for a villain to observe someone's PIN at the ATM and then make up a card to use on the account. He confirmed that the person who investigated the incident had no technical qualifications, had acted under his authority rather than under his direct supervision, and had involved the police without consulting him.

Evidence was next given by Mr Dawson, the Halifax's technical support manager. He had originally written the bank's online system in 1971, and was now responsible for its development and maintenance. The ATM system had been written in 1978 for IBM 3600 series machines, and altered in 1981 when the Diebold machines currently in use were purchased. All software was written internally, and in the case of the mainframe element, this had accreted to the nucleus originally written in 1971. Amendments to the online system are made at the rate of 2-3 per week.

The PIN encryption scheme used was nonstandard. The PIN was encrypted twice at the ATM and then once more in the branch minicomputer which controls it.
At the mainframe, the outer two of these encryptions were stripped off and the now singly encrypted PIN was encrypted once more with another key; the 16 digit result was compared with a value stored on the main file record and on the online enquiry file.

When asked whether system programmers could get access to the mainframe encryption software, he categorically denied that this was possible as the software could only be called by an authorised program. When asked whether someone with access to the branch minicomputer could view the encrypted PIN, he denied that this was possible as there were no routines to view this particular record (even although the mini received this field and had PCs attached to it). When asked what operating system the mini used, he said that it was called either TOS or TOSS and that he thought it had been written in Sweden. He could give no more information. He had never heard of ITSEC.

He had not investigated any of the other 150-200 `unresolved transactions' because he had not been asked to. The last investigation he had done was of another transaction which had led to a court case, three years previously; he had no idea what proportion of transactions went wrong, was not privy to out-of-balance reports from branches, and was not familiar with branch rules on ATM operations. He never visited the branch at Newmarket, where the disputed transactions took place, but merely looked at the mainframe records to see whether there were any fault records or error codes. He found none and took this information at face value.

The fault recording system does not show repairs. The cryptographic keys in the ATM are not zeroed when the machine is opened for servicing. The maintenance is done by a third party. The branch only loads initial keys into the ATM if keys are lost. The Halifax has no computer security function as such, just the internal auditors and the technical staff; it does not use the term `quality assurance'.
When asked by the bench what information was required to construct a card, Dawson initially said the institution identifier, the account number, the expiry date, a service code, an ISO check digit, a proprietary check digit, and a card version number. He concluded from this that a card forger would have to have access to an original card. However it turned out that the ATM system only checks the institution identifier, the account number and the card version number. He maintained doggedly that a forger would still have to guess the version number, or determine it by trial and error, and claimed there was no record of an incorrect version number card being used. However, Munden's card was version 2, and it transpired later that version 1, though created, was not issued to him; and that an enquiry had been made from a branch terminal two weeks before the disputed transactions (the person making this enquiry could not be identified).

When asked whether private investigators could get hold of customer account details, as had been widely reported in the press, he just shrugged. He claimed that the system had been given a clean bill of health by the internal and external auditors.

The branch manager was recalled and examined on balancing procedures. He described the process, and how as a matter of policy the balancing records were kept for two years. However the balancing records for the two machines in question could not be produced.

There was then police evidence to the effect that Munden kept respectable records of his domestic accounts, which included references to the undisputed withdrawals from ATMs, and that although he had once bounced a cheque he was no more in financial difficulty than anybody else. The investigating officer had only had evidence from the branch manager, not from Beresford or Dawson.
The investigating officer also reported that Munden had served in the police force for nineteen years and that he had on occasion been commended by the Chief Constable.

3. The Defence.

That concluded the prosecution case, and the defence case opened with Munden giving evidence. He denied making the transactions but could not produce an alibi other than his wife for the times at which the alleged withdrawals had taken place. The only unusual matter to emerge from Munden's testimony was that when he went in to the branch to complain, the manager had asked him how his holiday in Ireland went. Munden was dumbfounded and the branch manager said that the transaction code for one of the ATM withdrawals corresponded to their branch in Omagh. This was not apparent from the records eventually produced in court.

The next witness was his wife, Mrs Munden. Her evidence produced a serious upset: it turned out that she had had a county court judgment against her, in a dispute about paying for furniture which she claimed had been defective, some two weeks before the disputed withdrawals took place. Her husband had not known about this judgment until it emerged in court.

I gave expert evidence to the effect that the Halifax's quality procedures, as described by Dawson, fell far short of what might be expected; that testing of software should be done by an independent team, rather than by the programmers and analysts who created it; and that Dawson could not be considered competent to pronounce on the security of the online system, as he had designed it and was responsible for it.
At a more detailed level, I informed the court that both national and international ATM network standards require that PIN encryption be conducted in secure hardware, rather than software; that the reason for this was that it was indeed possible for system programmers to extract encryption keys from software, and that I understood this to have been the modus operandi of a sustained fraud against the customers of a London clearing bank in 1985-6; that I had been involved in other ATM cases, in which some two dozen different types of attack had emerged and which involved over 2000 complaints in the UK; and that the Halifax, uniquely among financial institutions, was a defendant in civil test cases in both England and Scotland. I continued that ATM cameras are used by a number of other UK institutions, including the Alliance and Leicester Building Society, to resolve such cases; that in other countries which I have investigated the practice would be not to prosecute without an ATM photograph, or some other direct evidence such as a numbered banknote being found on the accused; that card forgery techniques were well known in the prison system, thanks to a document written by a man who had been jailed at Winchester some two years previously for card offences; that I had personally carried out the experiment of manufacturing a card from an observed PIN and discarded ticket, albeit with the account holder's consent and on an account with Barclays rather than the Halifax; that the PIN pad at the Halifax's Diebold ATM in Cambridge was so sited as to be easily visible from across the road; and that in any case the investigative procedures followed in the case left very much to be desired. 
In cross examination, the prosecutor tried to score the usual petty points: he attacked my impartiality on the grounds that I am assisting the Organised Crime Squad at Scotland Yard to investigate criminal wrongdoing in financial institutions (the reply from our lawyer was of course that helping the prosecution as well as the defence was hardly evidence of partiality); he claimed that the PIN pad at the ATM in Newmarket was differently sited to that in Cambridge, to which I had no answer as I had not had the time to go there; and he asserted that the Alliance and Leicester did not use ATM cameras. On this point I was able to shoot him down as I had advised that institution's supplier. He finally tried to draw from me an alternative theory of the disputed transactions - staff fraud, or a villain whom Munden had booked in the past getting his own back by means of a forged card, or a pure technical glitch? I was unable to do this as there had been neither the time nor the opportunity to demand technical disclosure from the Halifax, as had been the case in two previous criminal cases I had helped defend (both of which we incidentally won).

Dawson was recalled by the prosecution. He explained that only two of the three tests carried out on new software were done by the analysts and programmers who had written it, and that the third or `mass test' was done by an independent team. He said that software failures could not cause false transactions to appear, since the online system was written in assembler, with the result that errors caused an abend. He claimed that they did indeed possess a hardware security module, which was bought in 1987 when they joined VISA, and which they used for interchange transactions with VISA and Link although not for all transactions with their own customers; and he finally repeated his categorical denial that any system programmer could get at the encryption software.
When asked by what mechanism this was enforced, he said that they used a program called ACF2.

In his closing speech, the defendant's lawyer pointed out the lack of any apparent motive, and went on to point out the lack of evidence: the balancing records were not produced; the person responsible for attending to those ATM malfunctions which the branch could not cope with was not identified; the Halifax employee who had carried out the investigation was not called; the handwriting on the ATM audit rolls, which was the only way to tie them to a particular machine, could not be identified; the cameras were not working; statements were not taken from branch staff; the disk in the ATM had not been produced; and the internal and external audit reports were not produced. He mentioned my expert opinion, and reiterated my point that when a designer of a system says that he can't find anything wrong, what has he shown? He also recalled that in the High Court action in which the Halifax is the defendant, they had not relied on the alleged infallibility; and pointed out that if ATM systems worked properly, then people wouldn't need to keep going to law about them.

4. The Verdict and Its Consequences.

I have been aware for years that the legal system's signal-to-noise ratio is less than 10dB; however, in view of the above, you can understand that it was with some considerable surprise that I learned late on Friday that the court had convicted Munden.

My own reaction to the case has been to withdraw my money from the Halifax and close my account there. Quite apart from their ramshackle systems, the idea that complaining about a computer error could land me in prison is beyond my tolerance limit.

No doubt it will take some time for the broader lessons to sink in. What is the point, for example, of buying hardware encryption devices if people can get away with claiming that system programmers can never get at an authorised library?
Why invest in elaborate digital signature schemes if they simply repair the banks' defence that the system cannot be wrong? Is there not a case for giving more consideration to the legal and political consequences of computer security designs?

5. Action.

In the meantime, the police investigations branch have to consider whether John Munden will lose his job, and with it his house and his pension. In this regard, it might just possibly be helpful if anyone who feels that Dawson's evidence was untruthful on the point that software can be protected from system programmers on an IBM compatible mainframe, or that his evidence was otherwise unsatisfactory, could write expressing their opinion to the Chief Constable, Cambridgeshire Constabulary, Hinchingbrooke Park, Huntingdon, England PE18 8NP.

Ross Anderson

------------------------------

End of RISKS-FORUM Digest 15.54
************************
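The PIN-handling chain that Dawson described in Anderson's report (two encryptions at the ATM, a third at the branch minicomputer, the outer two stripped at the mainframe, one more applied under another key, and a 16-digit result compared with the main file record), together with Anderson's objection that keys held in mainframe software can be extracted, as an added Python example that is not part of the digest, of Anderson's evidence, or of any Halifax system. It models the chain end to end and then shows what the stored value is worth once the keys are readable: an offline search over all four-digit PINs. The per-layer cipher (XOR with a SHA-256-derived keystream), the key names, the ISO-format-0-style PIN block and the sample account and keys are all assumptions for illustration, not details from the testimony.

```python
"""Toy model of a layered ATM PIN-verification chain and why software-held keys matter.

Added illustration: the layer cipher, key names, PIN-block format and sample
data are assumptions, not details from the court testimony.
"""
import hashlib
import itertools
from dataclasses import dataclass
from typing import Optional

BLOCK_LEN = 8  # bytes: 16 hex digits, the length of the value the testimony says is compared


@dataclass(frozen=True)
class Keys:
    """Four independent keys, one per encryption layer (names are assumed)."""
    atm_inner: bytes   # first encryption at the ATM
    atm_outer: bytes   # second encryption at the ATM
    branch: bytes      # added by the branch minicomputer
    mainframe: bytes   # applied at the mainframe before the comparison


def layer(key: bytes, block: bytes) -> bytes:
    """One encryption layer: XOR with a keystream derived from the key.

    Toy stand-in for the unspecified per-layer cipher. XOR is its own inverse,
    which is what lets the mainframe strip the outer layers. Not a real cipher.
    """
    keystream = hashlib.sha256(b"pin-layer:" + key).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, keystream))


def pin_block(account: str, pin: str) -> bytes:
    """ISO format-0 style PIN block: length+PIN padded with F, XOR last 12 account digits."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(2 * BLOCK_LEN, "F"))
    acct_field = bytes.fromhex("0000" + account[-12:].rjust(12, "0"))
    return bytes(a ^ b for a, b in zip(pin_field, acct_field))


def atm_encrypt(keys: Keys, account: str, pin: str) -> bytes:
    """What leaves the ATM: the PIN block under two encryptions."""
    return layer(keys.atm_outer, layer(keys.atm_inner, pin_block(account, pin)))


def branch_forward(keys: Keys, from_atm: bytes) -> bytes:
    """The branch minicomputer adds a third layer before forwarding to the mainframe."""
    return layer(keys.branch, from_atm)


def mainframe_value(keys: Keys, from_branch: bytes) -> str:
    """Strip the branch and outer ATM layers, re-encrypt under the mainframe key.

    Returns the 16 hex digits that get compared with the main file record.
    """
    singly_encrypted = layer(keys.atm_outer, layer(keys.branch, from_branch))
    return layer(keys.mainframe, singly_encrypted).hex().upper()


def enrol(keys: Keys, account: str, pin: str) -> str:
    """Value stored on the main file record when the PIN is issued."""
    return mainframe_value(keys, branch_forward(keys, atm_encrypt(keys, account, pin)))


def verify(keys: Keys, stored: str, account: str, pin_entered: str) -> bool:
    """Online check: run the entered PIN down the same chain and compare."""
    return enrol(keys, account, pin_entered) == stored


def recover_pin_offline(keys: Keys, account: str, stored: str) -> Optional[str]:
    """Anderson's objection, made concrete.

    Whoever can read the keys out of mainframe software (a system programmer,
    if the 'authorised program only' claim fails) can compute the stored value
    for every candidate PIN offline and never touch the ATM or its lockout.
    A four-digit PIN falls in at most 10,000 trials.
    """
    for digits in itertools.product("0123456789", repeat=4):
        pin = "".join(digits)
        if enrol(keys, account, pin) == stored:
            return pin
    return None


# Constructed demo data (not from the case): fixed keys and a sample account.
DEMO_KEYS = Keys(atm_inner=b"\x01" * 16, atm_outer=b"\x02" * 16,
                 branch=b"\x03" * 16, mainframe=b"\x04" * 16)
DEMO_ACCOUNT = "4000123456789012"


def demo() -> dict:
    """Enrol a PIN, verify it online, then recover it offline with the keys."""
    stored = enrol(DEMO_KEYS, DEMO_ACCOUNT, "4927")
    return {
        "stored_len": len(stored),
        "right_pin_ok": verify(DEMO_KEYS, stored, DEMO_ACCOUNT, "4927"),
        "wrong_pin_ok": verify(DEMO_KEYS, stored, DEMO_ACCOUNT, "4928"),
        "recovered": recover_pin_offline(DEMO_KEYS, DEMO_ACCOUNT, stored),
    }


if __name__ == "__main__":
    print(demo())
```

The number of layers buys nothing here: every layer is keyed, so the stored value is exactly as secret as the keys, and the only defence the scheme offers against a PIN search is that the keys cannot be read. That is the point of a hardware security module: with atm_inner and mainframe held inside tamper-resistant hardware, an insider is left with the online compare, which is rate-limited and logged, rather than the offline loop in recover_pin_offline.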