precedence: bulk Subject: Risks Digest 20.77 RISKS-LIST: Risks-Forum Digest Saturday 29 January 2000 Volume 20 : Issue 77 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Report on identity theft (Mich Kabay) Japanese Government Websites hacked (Ole J. Jacobsen) Japanese department-store credit-card fraud (Chiaki Ishikawa) Superbowl XXXIV Web-filtered: adult porn? (John Wharton) Porn spammers getting cute (Jim Griffith) Lessons of Y2K (Toby Gottfried) Parisian programmer makes his own smartcard (NewsScan) DVD lawyers make "trade secret" public (Declan McCullagh) French spies listen in to British business phone calls (Declan McCullagh) DoE password policy comic relief? (Mike Williams) Re: U.S. removes most restrictions on encryption software (Kevin Mitchell) Simson Garfinkel's *Database Nation* (Peter G. Neumann) REVIEW: "Hackers: Crime in the Digital Sublime", Paul A. Taylor (Rob Slade) REVIEW: "Implementing IPsec", Elizabeth Kaufman/Andrew Newman (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 26 Jan 2000 09:27:21 -0500 From: Mich Kabay Subject: Report on identity theft Caitlin Liu of the *Los Angeles Times* published a thorough report on identity theft on 16 Jan 2000 (front page). In one case, 22-year-old San Diego college student Jessica Smith had her car stolen with her handbag inside. Although the car and bag were recovered, someone stole her identity. She nearly got fired from her new job when a background check showed that "she" had outstanding warrants for prostitution. She was unable to obtain credit, phone service or even to rent an apartment. With the help of a sympathetic police investigator, Smith was able to prove her innocence of the charges a reversal of the usual burden under criminal law, where usually the state has to prove guilt. She obtained judicial documents explaining that her identity had been stolen; nevertheless, she has been hauled into police stations to be fingerprinted to prove that she is indeed the person authorized to carry those documents. Image Data LLC, an identity-fraud prevention service based in Nashua, NH, commissioned a study in September 1999 that suggested that one out of five Americans or a member of their family have been victimized by identity fraud. [Readers should always be wary of statistics that report how many "members of your family" or "people you know" have particular characteristics: it is possible that a single person can be reported by multiple people. The over-counting bias increases as a function of sample size and of social relationships among the sample population.] ------------------------------ Date: Wed, 26 Jan 2000 07:14:39 -0800 (PST) From: "Ole J. Jacobsen" Subject: Japanese Government Websites hacked Japan called an emergency meeting Wednesday to boost computer security after humiliating raids on government Websites by hackers, who linked one to a pornographic site and attacked Japan's war record on another. The announcement came amid revelations that the site at the Science and Technology Agency had been penetrated twice in two days, and that key data on another site, including census information, had been erased. [Source: http://dailynews.yahoo.com/h/nm/20000126/wr/japan_hackers_4.html, Japan Calls Emergency Meeting As Hackers Hit Again, By Elaine Lies, Reuters, 26 Jan 2000; via Dave Farber's IP list] ------------------------------ Date: Wed, 26 Jan 2000 21:08:13 +0900 (JST) From: Chiaki Ishikawa Subject: Japanese department-store credit-card fraud It is widely reported in the Japanese media that the credit cards issued by a large department store chain, Takashimaya, were target for fraud. It seems that some of these cards were duplicated by a third party and innocent owners were charged for shopping they never did on their own, etc.. The incidents of such mis-use has multiplied since last October and the Takashimaya store finally has decided to issue whole new set of the credit cards, about 0.3 million cards in total. They were mailed to the card owners this month and they are supposed to be move over to the new cards by the end of this month. The articles I read mention that some dubious figures were spotted last year who were seemingly looking at the cards held by the customer waiting in line at the cashier or cards laid face up while the store clerk was doing necessary paperwork for the purchase, etc.. The very typical case of shoulder-surfing. However, the spotted figures didn't have a good memory obviously and were seen to hitting their hand-held telephone keypads or similar devices! BTW, it always amazes me that Japan is just a few years behind the USA in terms of these fraud and abuses in terms of credit cards/e-commerce business and not many people in Japan seem to be paying attention to what goes on in USA. I was quite taken aback to read that the people (store clerks presumably?) spotted such dubious figures and did nothing at all. The newspaper articles quoted the store management as saying just looking at other people's cards are not a just cause for arrest or anything drastic. Surely. (This lax attitude is quite different from a case where someone at the department store checking counter was passing the customer credit card through another reader. One customer asked the clerk questions and was not satisfied with the answers and fetched the store security person and put the clerk into the custody of the police or whoever on the spot. This was reported earlier in RISKS if I am not mistaken. Surely, in that case, the clerk was operating as a bad guy, but that the store management didn't do a thing about this case in Japan until this month (issuing new cards) is a little bit disappointing. Japanese consumer laws are not well developed and I am afraid that some of the customers whose cards were mis-used had to negotiate the damage recovery with the department store. There is no 50 dollars limit like that if I recall correctly in Japan! This hurts.) After reading the articles and looking at the new design of the cards, it occurred to me that the card issuers might well consider making the numbers DIFFICULT TO READ by means of ungainly color combination (or no color at all in a patterned background, etc.). After all, the card reader reads the numbers from the magnetic stripe and the legitimate card owners can read the numbers at leisure if they want to make mail order purchases, etc.. This would make the reading difficult for the shoulder-surfing artists. In the articles, it was also noted that the credit cards issued by a same organization have a tendency to have similar string of digits (near the beginning?) and thus easy to copy by the shoulder surfers. This could again possibly be made more difficult by truly randomizing the issued numbers using MD5 or whatever at the cost of administration. Just a thought. Chiaki Ishikawa, Shinagawa, Tokyo, Japan 142-0051 ------------------------------ Date: Wed, 26 Jan 2000 14:22:56 -0800 (PST) From: John Wharton Subject: Superbowl XXXIV Web-filtered: adult porn? Just heard a report on CBS network radio that net-savvy football fans around the country are being stymied in their efforts to learn about this Sunday's Superbowl. Seems the Web-filtering software installed on browsers, e.g., in certain public libraries spots the "XXX" in "Superbowl XXXIV" and interprets this to mean it's an adult porn site. John Wharton [via Dave Farber's IP list] ------------------------------ Date: Tue, 25 Jan 2000 21:06:11 -0800 (PST) From: Jim Griffith Subject: Porn spammers getting cute I just got nailed by a porn spammer getting clever. The spammer in question sent me e-mail stating that I'd been sent a cyberspace greeting at www.hypergreeting.com (a legitimate e-card site). However, while the text description of the link says "www.hypergreeting.com", the actual link behind the text led to a hardcore site. I'm just glad I didn't decide to check it out at work. [We've had several cases like this in RISKS. PGN] ------------------------------ Date: Sun, 23 Jan 2000 20:26:49 -0800 From: "Toby Gottfried" Subject: Lessons of Y2K Amidst all the hoopla over Y2K, we have much to contemplate. There is a big lesson to learn from it about our dependency on technology. For all the advances in capability we have made (including those that make possible the distribution of these words), we have created systemic risks. Under evolution organisms adapt (slowly!) to their environment. Technology represents the opposite approach: humans attempting to adapt their environment to themselves, in their current state. Each step of "technolution" solves or eases some existing problem, but may change the overall landscape. In the last couple of centuries, the pace has accelerated, and luxuries became conveniences became necessities. Our senses developed to a good level of acuity over the millenia, now they are often necessarily aided by external devices. Our brains have large, unused capacities, but we rely on easily lost electronic notepads instead of our memories. Cars take us from one place to another through suburbs spread beyond walkable distances, fouling the air along the way. Many people have trouble walking any distance at all (which problem can be made worse by having to carry a heavy external "brain", which can also be lost or stolen). Essential knowledge is placed on a worldwide network, which must work all the time. Food comes from all over the world, as does the energy to move us and our goods, and change the temperature of our surroundings (intentionally or otherwise). Now human reproduction is becoming more technological. It is a very complex system which we take for granted. The very minor problem of Y2K was sufficiently widespread to threaten to disrupt much or all of this. But Y2K was relatively easy to anticipate and head off. Something else might not be. Recent news stories have appeared about the President proposing defenses against cyber-terrorism and a lowered redundancy and reliability in the deregulated national power grid. The survivalists now have to figure out what to do with their provisions, but every-man-for-himself is not the right way to back up this system. Do we have the vision to reap the benefits of technology and avoid the pitfalls or will we change our environment beyond our ability to adapt to it fast enough ? As the now ancient margarine commercial reminded us, "It's not nice to fool Mother Nature". ------------------------------ Date: Wed, 26 Jan 2000 09:00:30 -0700 From: "NewsScan" Subject: Parisian programmer makes his own smartcard A resourceful French computer programmer has been arrested on counterfeiting and fraud charges after he purchased 10 Paris Metro tickets using his homemade smartcard. After proving the smartcard worked, Serge Humpich then tried to sell his "invention" to the Cartes Bancaires consortium, an amalgamation of 176 smartcard-issuing banks, for about $1.5 million. Humpich faces a seven-year jail term, but insists that he never intended to steal; rather, he was tricked into purchasing the Metro tickets after Carte Bancaires officials insisted he demonstrate the card worked. Meanwhile, Humpich's lawyer says Humpich deserves compensation for the four years of work it took him to crack the 640-bit encryption key used to verify the "digital signature" on the cards. "It is an invention," he said, noting that Humpich had patented his discovery before contacting the Cartes Bancaire group. Humpich's card is designed to respond positively no matter what PIN number is typed in. [MSNBC, 25 Jan 2000, http://www.msnbc.com/news/361936.asp via NewsScan Daily, 26 Jan 2000] ------------------------------ Date: Wed, 26 Jan 2000 15:11:44 -0800 From: Declan McCullagh Subject: DVD lawyers make "trade secret" public Lawyers representing the DVD industry got caught in an embarrassing gaffe when they filed a lawsuit [against a Norwegian teenager and his father] and accidentally publicized the computer code they wanted to keep secret. The DVD Copy Control Association included its "trade secret" source code in court documents, but forgot to ask the judge to seal them from public scrutiny. Whoops. In a hastily arranged hearing Wednesday morning, DVD CCA lawyers asked Santa Clara Superior Court Judge William J. Elfving to correct their oversight, and he agreed to keep the document confidential. It may be a little late. The document is dated 13 Jan 2000 and is widely available on the Web. The owner of one site that placed the 140KB declaration on-line says over 21,000 people have downloaded it so far. [...] [DVD Lawyers Make Secret Public, Declan McCullagh , see http://www.wired.com/news/politics/0,1283,33922,00.html Distributed via Declan's POLITECH, a moderated mailing list of politics and technology. See http://www.well.com/~declan/politech/ ] ------------------------------ Date: Wed, 26 Jan 2000 15:37:53 -0800 From: Declan McCullagh Subject: French spies listen in to British business phone calls French intelligence is intercepting British businessmen's calls after investing millions in satellite technology for its listening stations. The French government upgraded signals intelligence last year. Now secret service elements are using it to tap into commercial secrets. At least eight centres, scattered across France, are being "aimed" at British defence firms, petroleum companies and other commercial targets. Eavesdroppers can "pluck" GSM digital mobile phone signals from the air by targeting individual numbers or sweeping sets of numbers. Targets have included executives at British Aerospace, British Petroleum and British Airways, according to French sources. Senior executives have been told not to discuss sensitive issues on mobile phones, and BAe staff have been told to be "especially careful" during campaigns for new business, such as the current battle to supply Eurofighter missiles. [...] [Source: French spies listen in to British calls, James Clark, http://www.sunday-times.co.uk/news/pages/sti/2000/01/23/stinwenws03006.html?999 Distributed via Declan's POLITECH, a moderated mailing list of politics and technology. See http://www.well.com/~declan/politech/ ] ------------------------------ Date: Wed, 26 Jan 2000 06:48:32 -0500 From: Mike Subject: DoE password policy comic relief? [The] DOE security "czar" ... said it is now virtually impossible for employees to transfer nuclear secrets from classified to unclassified computer networks ... To quote Don Adams of "Get Smart" - Would you believe ... no more than once a week? ... once a day? Many [nuke] employees used their last names or initials, and some simply typed "password" when logging onto classified networks, he said. Now, [the czar] added, "we have a password policy that I would put up against any in industry and academia." Password Policy? Reusable passwords to guard nuclear secrets? Doesn't this constitute a well-known RISK, of breach followed by fusion? Does anybody in the press ever question these publicity handouts? Do we in the industry just sit on our hands, letting this travesty continue? [Source: Energy Chief Touts Security Upgrades at Nuclear Labs, Vernon Loeb, *The Washington Post*, 26 Jan 2000, A13: http://www.washingtonpost.com/wp-srv/WPlate/2000-01/26/126l-012600-idx.html] ------------------------------ Date: Tue, 25 Jan 2000 17:16:57 -0500 From: Kev Subject: Re: U.S. removes most restrictions on encryption software (NewsScan) Although the restrictions on encryption software have indeed been revamped, there are still a number of problems with the new regulations, as described at http://www.epic.org/crypto/export_controls/joint_release_1_00.html. In particular, PGN's comment, "Open-source software is apparently unrestricted," does not appear to be entirely true, according to my reading of the material available (Note: IANAL). In particular, you may not post source code directly to citizens of the 7 terrorist nations mentioned in the article. You can, however, place your source code on a publically accessible Web site or ftp site, and you apparently don't have to worry about who actually accesses it (again, IANAL). You must, however, inform BXA about what you intend to do and either send them a copy or tell them the URL. Some people I know are also of the opinion that these regulations would conflict with the GPL. In short, I feel the new regulations are a step in the right direction, but they unfortunately have not been completely removed, and that's what should eventually happen. Kevin L. Mitchell http://web.mit.edu/klmitch/www/ [I may appear to have oversimplified, but if something is posted on a Website, it would appear to be effectively open to the world! PGN] ------------------------------ Date: Thu, 27 Jan 2000 10:10:59 PST From: "Peter G. Neumann" Subject: Simson Garfinkel's *Database Nation* Simson Garfinkel *Database Nation: The Death of Privacy in the 21st Century* O'Reilly & Associates, Sebastopol CA 95472 The following words of Ralph Nader are on the back cover of this book, and very appropriately highlight this excellent book: "Database Nation by Simson Garfinkel is a graphic and blistering indictment of the burgeoning technologies used by business, government, and others to invade the self -- yourselves -- and restrict both your freedom to participate in power and your freedom from abuses of power. The right of privacy is a constitutionally protected right, and its erosion or destruction undermines democratic society as it generates, in one circumstance after another, a new kind of serfdom. This book is one that you're entitled to take very personally." You will find this book very much in tune with what you have been reading in RISKS and in Lauren Weinstein's PRIVACY FORUM all these years. Simson has brought it all together very nicely in a highly readable book. ------------------------------ Date: Wed, 26 Jan 2000 20:17:22 -0800 From: Rob Slade Subject: REVIEW: "Hackers: Crime in the Digital Sublime", Paul A. Taylor BKHAKERS.RVW 991024 "Hackers: Crime in the Digital Sublime", Paul A. Taylor, 1999, 0-415-18072-4, U$24.99 %A Paul A. Taylor drpaul_a_taylor@yahoo.co.uk %C 11 New Fetter Lane, London, England, EC4P 4EE %D 1999 %G 0-415-18072-4 %I Routledge %O U$24.99 +44-71-842-2214 info@routledge-ny.com %P 198 p. %T "Hackers: Crime in the Digital Sublime" Following in the footsteps of Sarah Ford, Dorothy Denning, and Ray Kaplan, Paul Taylor is attempting to open the world, and world view, of those who make informal attempts to penetrate computer and communications security to the security "expert." The book tries to explain motivations, culture, and background, with a view to the benefits of a dialogue between the official guardians and those who pry at the gaps in the armor. Using extensive interviews with people from both sides of the divide, Taylor attempts to put forward the reality behind the hype. Chapter one concentrates on the terms; hack, hacker, and hacking; emphasizing the original meaning of creative and useful mastery of the technology. Hacking culture is reviewed quite thoroughly in chapter two, although perhaps not enough attention is paid to the divisions and continuum that exists. (I was amused by the note in the preface to the effect that nobody would admit to distributing viruses: virus writers still occupy the lowest rung of the hacking ladder.) Motivation is explored, and possibly too much credence given to self- reporting, in chapter three. Chapter four is a marvel, a first rate examination, and indictment, of the state of computer security (or, perhaps, insecurity). Arguments for, and against, dialogue with, and employment of, those who have done unauthorized security breaking are given in chapter five. Chapter six, however, turns to presenting a number of sociological theories about why hackers might be marginalized. This material seems to have no purpose other than to propose that such people are being treated unfairly. Chapter seven is worse: even given the wretched track record of computer ethics literature it is disappointing in that presents little content that is germane to the discussion, and seems to wander off into miscellaneous speculation. The conclusion, in chapter eight, also meanders, but tries to dispel a number of myths that have grown up around the hacker idea. The book will probably not be a popular hit, which is a pity. I would suggest two reasons for the low profile. The first is that Taylor is making a conscious effort to avoid sensationalism, and, indeed, to counter the sensational, and misinformed, reports of computer security penetration that are prevalent in the popular media. The second reason is not inherent in the nature of the material and is somewhat unfortunate: Taylor's writing style is more "academic" than is necessary, using, for example, the passive voice most of the time. (I found the use of the word "whilst" to become quite jarring after a few pages.) A good copy editing would help: your humble scribe, world's worst proofreader that he is, still found a number of grammatical errors, even outside of the quotations. (Oddly, for all its academic formality, endnotes, and bibliography, the work falls short in terms of clarity of references and citations. I am quoted on page 84, but I can't figure out how. I am also dying to know who the other "Dr. Taylor" is.) The extensive use of interview materials, and quotations from other works, is both a strength and a weakness. No one perspective is allowed to dominate, and a great many arguments and opinions are presented. The constant quotes from a variety of sources, however, often reduce the readability of the work. I found the book very difficult and time consuming to get through. Added to this, Taylor's aversion to contaminating the source material with his own analysis ensures that the text is very demanding of the reader's own analytical skills and work. Taylor does make a serious effort to give a fair and even presentation to both sides of the argument, but it is still fairly obvious that his sympathies lie in "detente." The title of the book itself indicates this. There is a discussion of the derivation and evolution of the "hacker" term, but the acceptance of the "popular" status of the word to mean those who break into computers also allows those who break into computer systems to present arguments for their behaviour as a kind of discovery learning, without the supporting evidence that would otherwise be necessary. In this, Taylor's work shares a weakness with other, similar, books on the topic: "hacker" claims are taken at their own valuation without much analysis of either factual or motivational claims. Taylor has a great deal more material and a wider range of direct contacts than Levy (cf. BKHACKRS.RVW), Sterling (cf. BKHKRCRK.RVW), or Dreyfus (cf. BKNDRGND.RVW) and his conclusions are significantly more reliable, but the fundamental defect remains. There are also gaps in the coverage. Taylor does not dwell on the basic fragility of data, nor the tendency of digital systems to catastrophic failure under even the most minor perturbation. There are also indirect effects of unauthorized system penetration. To give only one example, the regular choice of NASA as a target, and the media hype over even minor success, has had a negative impact on budget appropriation, and therefore on the space program as a whole. You can't claim much for the advancement of knowledge out of that. With all the problems presented above, I still highly recommend this work to anyone in the security field, or to anyone who wants to understand either security work or an important part of the computer culture. For all its flaws, Taylor's book is the most extensive and detailed examination of the cracker phenomenon I have ever read. He exposes a number of nasty little secrets that the computer industry as a whole would prefer to forget. Hopefully this work will be continued, expanded, and refined, to become a valuable classic in technical security literature. copyright Robert M. Slade, 1999 BKHAKERS.RVW 991024 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Thu, 27 Jan 2000 07:15:43 -0800 From: Rob Slade Subject: REVIEW: "Implementing IPsec", Elizabeth Kaufman/Andrew Newman BKIMPIPS.RVW 991029 "Implementing IPsec", Elizabeth Kaufman/Andrew Newman, 1999, 0-471-34467-2, U$49.99 %A Elizabeth Kaufman %A Andrew Newman %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 1999 %G 0-471-34467-2 %I John Wiley & Sons, Inc. %O U$49.99 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com %P 271 p. %T "Implementing IPsec: Making Security Work on VPNs, Intranets, and Extranets" This book starts with a rough, and even aggressive, manner. It continues the same way. But what makes for a rather abrasive introduction also makes for a very practical and solid guide to designing, evaluating, and thinking about network security. Chapter one is brief, really only an overview of the structure of the book. Part one actually starts in the next chapter, and looks at what you need to know going in. Chapter two looks at the basic information you need before you even start to consider security, and provides a highly practical guide to documenting the network. (Oh, sure, you *all* have fully documented networks. No, thank you, I don't want to buy any bridges.) Security should, of course, start with a policy, but chapter three outlines a real-world approach when you don't have one. The law is an underappreciated factor in implementing security, and a highly instructive run through of related aspects is presented in chapter four. Part two reviews the essentials of the technology. Chapter five covers the Internet Protocol, and the security weaknesses built into what it does. Cryptography cannot be covered in a single chapter, but I was a bit surprised that there is not even a discussion of relative strengths in the basics that are explained in chapter six. Keys and key management are discussed reasonably well in chapter seven. Part three looks at implementation considerations. Chapter eight gives an extremely helpful, if somewhat depressing, look at possible problems and inherent conflicts. Chapter nine offers some useful pointers, but is more about the generic types of implementations. Part four gets down to the brass tacks of buying. Chapter ten gives some rough pointers on how to evaluate vendors. But the really useful stuff is in chapter eleven, which provides the details, with explanations, for an entire RFP. RFC 2401 is printed as an appendix. The authors are not out to produce a fun read, but they have a very nice sense of sarcasm--and know when to use it. Subtle digs pop up in the text frequently, and are generally right on target. The humour included in the work is germane to the topic, and helps to highlight and render memorable important basic concepts. As the authors are at pains to point out, IPsec is by no means a mature technology. Security practitioners, and network managers, are fortunate to have such a guide to avoiding the worst mistakes as they take the first steps into a new area. copyright Robert M. Slade, 1999 BKIMPIPS.RVW 991029 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: 13 Dec 1999 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Also, new AUSTRALIAN archive http://mirror.aarnet.edu.au/risks/ PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.77 ************************