Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Here is a press release from the U.S. Justice Department. California Woman Convicted in Income Tax Refund Scheme To: National Desk, California Correspondent Contact: U.S. Department of Justice, 202-514-2007 FRESNO, Calif., Aug. 18 /U.S. Newswire/ — Acting Assistant Attorney General James A. Bruton and the United States Attorney for the Eastern District of California, George L. O'Connell, announced Monday, Aug. 17, that Enedina Ochoa of Turlock, Calif., 26, was convicted by a federal jury on Friday, Aug. 14, of one count of conspiracy to defraud the government and 20 counts of assisting others in filing false income tax refund claims with the Internal Revenue Service. The jury trial lasted four days before United States District Judge Oliver W. Wanger. Wanger ordered Ochoa held in custody pending sentencing. Ochoa's scheme exploited the Internal Revenue Service's newly implemented electronic filing system, which allows filers of refund claims to receive their refund checks in one or two days. By causing large numbers of false refund claims to be electronically filed, Ochoa and her co-conspirator, Karleena Pulido, fraudulently obtained approximately $100,000 from the Internal Revenue Service. Most of the criminal activity involved 1991 federal income tax returns filed earlier this year. Ochoa and Pulido, a Turlock income tax preparer who pled guilty two weeks ago to conspiracy to defraud the government and 29 counts of assisting others in filing false claims for income tax refunds, engaged in a scheme to electronically file false refund claims with the I.R.S. by recruiting individuals to provide their real names and social security numbers for use by Pulido on false Forms W-2 which Pulido fabricated. Ochoa then assisted the recruited individuals in electronically filing these false refund claims with the I.R.S. from electronic return transmitters such as Cash-N-Dash, an income tax transmittal and check cashing service headquartered in Fresno. Ochoa and Pulido then divided divided the refund proceeds among themselves and the individuals they recruited. The long-standing I.R.S. system of filing paper returns requires a taxpayer to wait several weeks before receiving a refund check. Ochoa and Pulido face a maximum sentence of ten years imprisonment and a fine of $250,000 for the conspiracy convictions and five years imprisonment for each conviction of assisting in the filing of a false claim. Sentencing is set for Oct. 19, and Oct. 26, for Pulido and Ochoa, respectively, before Wanger. The case is the result of an extensive and ongoing investigation of electronic filing fraud by special agents of the Internal Revenue Service's Criminal Investigation Division, and was prosecuted by Department of Justice Tax Division Trial Attorneys Eric C. Lisann and Floyd J. Miller. It is the first prosecution of this type of crime in this judicial district, and is one of only a very few such cases that have gone to trial anywhere in the United States since the inception of the Internal Revenue Service's electronic filing system. Acting Assistant Attorney General James Bruton stated, "This conviction serves as notice that the federal government is committed to early detection and prosecution of electronic filing schemes. Blatant abuse of the Internal Revenue Service's computerized refund program will not be tolerated." According to Rick Speier, chief of the Internal Revenue Service's Criminal Investigation Division in San Jose and Fresno, "as the use of electronic filing increases, the Internal Revenue Service will continue to be vigilant in identifying electronic filing schemes organized by unscrupulous individuals who seek to exploit the system for criminal purposes."
The Santa Monica, CA Municipal Pier has recently added new "high-tech" public
restrooms that are discriminatory about to whom they will dispense water. Like
many of the new breed of restrooms increasingly found in airports, both the
urinals and the washbasins have an infrared proximity sensor which turns the
water on and off for you; there's no need to ever touch a control.
A nine-year-old who was with me stood in front of a washbasin I had just used,
and got mad when the faucet wouldn't turn on for him. Nothing he tried,
including covering the sensor with his hand, would work. Only after I
suggested jumping up and down and waving his hands above his head did the
faucet finally acknowledge that a human was there and grant the public
resource, and then promptly quit a few seconds later when his hands moved down
to be washed.
I know the problem of people leaving conventional faucets running unattended is
ancient, and that many solutions have been tried in the past to combat it; such
as the mechanical push button which will let the water run for anywhere from 1
to 15 seconds, depending on the maintenance history. I see in this new
electronic twist to an old problem two new RISKS, one of which is rather
serious:
1) Discrimination against short people. This being a public area, it is
reasonable to expect children. (It's doubtful that any health epidemic might
result from this; after all most kids don't wash their hands and don't prepare
food in eating establishments.)
2) I saw no manual overrides for the controls; I assume that if a power failure
were to occur (as a result of a natural disaster; not difficult to imagine in
California) it would also cut off the water delivery, a crucial resource during
such times. Often during a disaster the electricity is the first thing to go
out, while the water flow is much more reliable. This new solution
unnecessarily couples the two while providing no perceivable advantages over
the older mechanical methods, exacerbating worst-case scenarios.
(This gets added to my ever-expanding list encompassing electronic tire
pressure gages, electronic carpenter's level, computerized office building
directories, microprocessor-based wire strippers, etc. for having no advantages
over the prior art but catastrophically fail when the batteries die.)
-Gary Friedman
Gary Friedman, Jet Propulsion Laboratory - NASA, 4800 Oak Grove Drive,
Pasadena, CA 91109 (818) 306-6193 {cit-vax,elroy,psivax}!devvax!garyf
Last night NBC broadcast an episode of "Secret Service" in NY at least that featured a straightforwards nut who wants to kill the President plot and then a rather confusing account of their high technology defense of a fuzzy city power system against sabotage by a fired employee. I hope someone taped it and caught the exact wording of the disclaimer at the end because it was hard to follow the logic and determine what was the original incident and what was Hollywoodisms. The piece was prefaced with a brief discussion some of the risks of power outages. The expert quickly diagnosed the problem as a VIRUS. Persistent references to virus in the context of a electric power control system seemed odd. Since they appeared to be running pre-existing VIRUS checking software on the system one might suspect the "main frame" was an IBM PC or Apple Macintosh running standard software rather than a real tiem control system or perhaps something larger and safer. Interesting references were made to viruses lurking WITHIN modems. Then they identified the source of the attacking codes as the local font storage in what appeared to be a old DECwriter dot matric printer. With some external clues the agents attempt to confront the criminal in house, which is wired with many falling metal screen, sounds effects, and gas but which lacks reinfored walls. The culprit is classic middle aged computer geek who appears uncaring about possible loss of life although the agents do not mention to him the risk of a life sentence of death penalty of others die as a result of his sabotage. He refuses to help them disarm the problem. The expert has announced that this is a logic bomb and eventually realizes that since the bug code is not in the copy of the system on disk as long as they shutdown without writing memory to disk they can reboot bug free. So a brief deliberate blackout is used to save the city. I am obvious very curious about the TRUE FACTs of this can if the show plans to show such other SS triumphs in the war on electronic crime as almost destroying Steve Jackson Games. [Program also noted by johana!tsw@apple.com (Tom Watson)]
I have been doing exhaustive tests on Novell Netware protection, and I cannot
believe these people can sell their product on the basis that it is the most
secure. If it is, we are in big trouble!!
"Read Only" files are successfully infected by DOS viruses!
"Directory protection" works exactly the opposite of how the manual claims!
IN 3 DIFFERENT PLACES!!!
Several protection bits work from a MacIntosh, but not from DOS machines!!
What kind of network protection doesn't work when the user uses a
different machine to login?!? Protection based in the user's machine
and not on the server!!!
A shareware product successfully gathers passwords from the net as they are
entered by the users! For $35 I can get every password on your network
(if I choose to pay the shareware licensing fees to be honest about it)
Passwords can be ANYTHING - including nothing at all! The supervisor password
on our network is empty, so anyone on the net can login with no password
(we are physically isolated - but how about some password controls!)
So-called Execute Only protection does not prevent companion viruses from
working, and prevents the sys admin from verifying program integrity,
prevents backup and restore of execute-only files, and thus is a great
hindrance to protection!
This was the results of the first 2 DAYS of experiments! If we can find this
many problems in 2 days (while not explicitly trying to look for these kinds of
holes), I can't imagine anyone claiming this system to be the best available
security. But who knows? In the next few days we will be looking at Unix
based servers! FC
Joe Konstan reports that CALL TRACE would pick up the identity of the individual responsible for making the harassing telephone calls even if RETURN CALL did not. He notes that "the switch does know who placed the call..." However, this assumes that the switch itself (which is computer software, after all) is operating properly, and isn't the cause of the problem. Even assuming no "bug" in the switch, there is always the (very real) danger that the switch can be compromised by unauthorized users (insiders or "hackers"). What this teaches us is that, as computerized systems become more vulnerable to attack and compromise, their reliability is compromised. As a lawyer and former (computer crime) prosecutor, I can assure you that computerized information is *routinely* accepted as reliable and frequently forms the basis for criminal prosecutions and convictions. Telephone toll records, credit card records, bank statements and the like are admitted into evidence as "business records" without even a fleeting inquiry into the manner in which they were created. For the most part, Courts "assume" that these records are reliable. While computerized summaries and computer generated reports (created for litigation) are subject to greater scrutiny, they all suffer from the MEGO effect (My Eyes Glaze Over). If I can't understand it, it must be right. Generally, there is little harm to this. For the most part, computer generated records are reliable, and are relied upon in the ordinary course of business transactions. Indeed, they are frequently more reliable than the "paper" records they replaced and which were routinely accepted. However, the public must be ever vigilant against the possibility of alterations, misinterpretations, and simple errors in these records — they are not always what they seem. Mark D. Rasch, Arent Fox Kinter Plotkin & Kahn, Washington, D.C. (202) 857-6154 Rasch@ncsc.dockmaster.mil
>From the 18/08/1992 issue of the "Independent" (a "quality" English
newspaper.) All transcription mistooks are, of course, my own.
Hackers pinpoint card weaknesses (John Eisenhammer --- Bonn)
Barclays Bank executives in Germany were forced to admit
yesterday that young hackers had made a fool of their credit
card computer system.
According to Hans-Hermann Schra"der, the official responsible for
the Protection of Information regulations in the state of
Hamburg, where the "crime" took place, the bank's computer
security was "totally unsatisfactory".
For the past few months, a group of youths in Hamburg have been
drawing out information about individual Visa and Eurocard
owners, including their credit ratings, in order to show how
easily such allegedly confidential information can be used.
Even worse for the bank, which has been running a massive
advertising campaign in Germany for its offer of both main
credit cards for the price of one, officials still cannot tell
from the voice-mail computer records that anything was amiss. It
was only after hearing tapes on television, with client voices
on them, that Barclays officials conceded that all was not as it
should be.
The special voice-mail computer was used by clients confirming
that they had received their cards, at which point they provided
their personal numbers, and by those requesting a credit limit
increase. The information was recorded, not on normal tape but
digitally by a computer, and the information was later decoded
by bank staff. According to Rolf Wo"rdemann, a member of
Germany's main hacker organisation, the Hamburg Chaos Computer
Club, voice-mail computers such as the one at Barclays are as
"easy to break as a bicycle lock".
Rather than prosecute Barclays officials are hoping that the
hackers will be willing to co-operate, so that the bank can find
out just how bad things are, and who needs new credit cards, The
fact that the enterprising youths also managed, once they had
accessed Barclays' computer system, to make lengthy
international telephone calls at the bank's expense, will be
quietly forgotten.
I found this especially amusing since Barclays officials have recently
been appeared on national news in the UK expounding the infallibility of
cash-card machines. I find the automatic assumption the computer cannot
be fouling up exceptionally irritating. The thought of having to give
personal numbers over the phone is also a bit of a worry (to me anyway
--- but then I'm paranoid :-)
I also dislike the idea that the bank is having to ask the hackers how
they did it. Shouldn't they have the expertise to find holes as
apparently large as exist in the system (then again if they had the
expertise, the holes wouldn't be there.) The "hackers" in the article,
while not exactly represented as heros, are definitely not painted as
villains either. I'm not so sure.
Oh well, another Infallible-Banking-Computer-System (tm) bites the dust!
aids (email: adrianh@cogs.susx.ac.uk)
This year, I started serving as a registrar for my precinct. Our county
started using computerized tallying machines this year, and everyone had to go
through required training to learn how to use them. During the training
meeting, I asked what would happen if a machine should completely fail. I was
assured that this "probably" would never happen. I could swear that some of
the sample tallying machines in the back were snickering after this remark.
If there is a blackout to the machines, then voters are supposed to put
their ballots into a special slot just for such emergencies. It is assumed
that the electricity will come on again later during the day. (What if the
power goes out 10 minutes before closing?) After the polls close, the
registrar and judges are then supposed to open the special slot and send the
ballots through the reader. Ballots cannot be read twice because the machine
marks them as they go through.
The machines worked fine during the primary, but during the runoff, in which
very few people voted, my machine had a memory error just a few minutes before
closing. There was nothing that could be done except send another machine out
to me. We only had 21 people vote the entire day (!), so we could have counted
it by hand, but the elections board wouldn't allow it!
What if there had been several memory failures during the day? Would there
be enough backup machines to handle it? What a mess! And why are we so
reliant on machines that we cannot allow humans to do something that we can do
just as quickly?
John Long, Raleigh, NC, jlong@bnr.ca
According to a report from Vesselin Bontchev who just returned from his summer vacation in Bulgaria, Macintoshs are becoming quite popular in Bulgaria. Recently, an Apple distributor began to distribute Macs which many Bulgarians found superior to their PC clones and began to like. We strongly hope that this may not attract the interest of the well-known virus authors in Bulgaria and subsequently in other Eastern European countries. Klaus Brunnstein, University of Hamburg, Germany (August 18, 1992)
Everyone gets credit card "pre-approval" offers in the mail, but this last one started me wondering. First off, it was addressed to "Jeffery L. Beckmann," with my correct address, down to a zip +4 code. My name is Beckman, not Beckmann (two n's), and my name is Jane G., not Jeffery L. And we won't even go into the way that my gender has gotten switched. So, how did Mr. Beckmann get associated with MY address in whomever's database? Just for grins, to see what sort of gold Mastercard he was being offered, I read the thing. It had a $10,000 credit line, and NO ONE, repeat, no one, has *ever* offered Beckman, Jane G. a card with that kind of credit line. Weirder still, to get the card, you were *required* to take out a cash advance of a minimum of $2000, up to the $10,000 limit of the card. After much searching through fine print, I found the card was offered by an institution called "First Deposit." Then I found the weirdest part---the terms would only be sent to you when you sent for your pre-approved cash advance and activated the Gold Card. In short, it could be 50% annual interest, starting to accrue from the time they send you your "advance," and you wouldn't even know it until you had taken the plunge. Even the form was strange---just a signature line and a phone number are to be provided. Normally, these forms ask for independent confirmation of credit---the usual questions about your obligations, etc., even if they are theoretically "pre-approved" (which is actually a misnomer). Several things occur to me. I could sign Jeffery Beckmann up, collect his cash advance, and skip town, if I were that sort. Who would be responsible? The mysterious Mr. Beckmann, who may not exist? For that matter, what if Jeffery Beckmann's obligations and credit history get mixed up with mine, since his address is obviously already mixed up? And speaking of, HOW did this mystery person get HIS name associated with MY address, aside from a totally superficial resemblence between last names, his not even being spelled the same as mine? What if Mr. Beckmann is an international representative of a drug cartel, and now has his address linked to mine? Will my house suddenly be of interest to some unknown authorities, who are doing computer traces of his activities? What database generated this so generous invitation, and how did it determine that Mr. Beckmann was able to qualify for such a hefty cash advance/credit limit without even knowing his real address? The RISKS here seem to cover several different aspects of our overly- databased society. -Jane G. Beckman [jane@swdc.stratus.com]
[Lauren Weinstein is urging people to submit their PRIVACY related stories, questions, comments, etc. to his PRIVACY Forum. Apparently not many people know of its existence, or else to consider privacy only in the more general context of RISKS. PGN] You can get info about the digest by sending a message to: privacy-request@cv.vortex.com with the words: information privacy in the BODY of the message. Submissions are explicitly solicited! --Lauren--
Please report problems with the web pages to the maintainer