The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 14

Sunday 16 February 1992

Contents

o Police Foil Million Pound Hacking Plot
Ed Urbanowicz
o Phone May Trap Kidnapper
Antony Upward
o Australian Government Bungles Private Data
Les Earnest
o Third Chicago Airport Selection
William E. Mihalo
o Carpal Syndrome reports rise sharply
Jeff Helgesen
o Patent Foul-up
Laurence Leff
o Computer Virus Catalog: Jan.1992 edition
Klaus Brunnstein
o Re: Dutch police arrest hackers
Brinton Cooper
Martin Minow
o Automated Phone Systems
Michael J. Clark
via Allan Meers
o International finance
David B. Benson
o Info on RISKS (comp.risks)

Police Foil Million Pound Hacking Plot

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 16 Feb 92 14:47:09 PST
Ted Urbanowicz of Stow, Ohio, sent in an item from the 30 Jan 1992 issue of
Computing (UK).  I have abstracted.

  Police have charged a woman under the Computer Misuse Act following a million
pound hacking incident at a leading city finance company.  Elaine Borg, a
computer operator at fund managers Henderson Financial Investment Services, is
accused of hacking into the company's computer system between 1 Oct 1991 and 19
Jan 1992 with intent to defraud it of a million pounds.  Borg was charged in
London's City Magistrates' Court under Section Two of the Act, which covers
unauthorised access to systems with the aim of assisting a more serious crime,
such as fraud or blackmail.  Her activities were being monitored for several
days before she was apprehended.  Oddly, the managing director of Henderson was
quoted as saying that it would have been difficult to complete the fraud,
because it would have required collusion at the other end.  But the article
noted that Borg faces a second charge of conspiracy with another person,
Richard Hollands, while another man, Keith Cheeseman, was also arrested in
connection with the fraud, but not charged because of extradition problems.
Cheeseman is wanted by the FBI in connection with a multimillion pound bond
theft in London two years ago.

The COMPUTING article closed with a note on a recent National Computing Centre
report (Security Breaches Survey, NCC, Oxford Road, Manchester M1 7ED UK;
contact David Lindsay, phone 44 6355524040), which estimates that security
breaches cost UK industry 1.1 billion pounds a year.


Australian Government Bungles Private Data

Les Earnest <les@sail.stanford.edu>
Fri, 7 Feb 92 15:14:51 -0800
   [Reposted with permission from the ClariNet Electronic Newspaper newsgroup.
   For more info on ClariNet, write to info@clarinet.com or phone
   1-800-USE-NETS.]

SYDNEY, AUSTRALIA, 1992 FEB 6 (NB) -- Australian government officials are
ducking for cover as yet another case of personal data misuse "hits the fan."
More than 6,000 households received official letters containing personal and
financial details about others.

Recipients of what should have been a routine Department of Social Services
letter about child allowances were shocked to see a list of information about
others, sometimes neighbors.  The data included name, address, bank account
details, tax file number, and income.

One recipient said: "I was looking at the back of the letter, assuming the
information I saw was meant as an example, when a neighbor rang to say she was
reading all about me on the letter she had just received. I felt sick, knowing
that my private affairs had been revealed like that. They say 'give us your
details - you can trust us' but we can't, can we?"

Officials from the department have given two explanations so far, though it may
be some time before the complete story surfaces. The letters had correct data
on the front, but incorrect data on the reverse. The first explanation was that
the laser print run had faltered, and when it was restarted, the letters were
printing front and back, one step out of sync. The second (and expected) excuse
was that there was a glitch in the computer program which had been imported.

Unfortunately for the Australian government, this was not the first incident of
its type, and a large public storm is rising over the rapid increase in the
amount of data held in a central computer in Australia's capital, Canberra.
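The mechanism the department describes (a print run restarted one step out of sync, so the reverse of each letter carried the next recipient's details) is easy to model, and the check that would have stopped the mailing is equally simple. The following is an added example and not part of the ClariNet report or any Australian system; the records, the two-stream rendering model and the restart fault are my assumptions. The idea is that every printed face carries the identifier of the record it was rendered from, and a batch is released only when both faces of every sheet agree.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample records, not real data.
RECORDS = [
    {"id": "A001", "name": "Recipient One",   "tfn": "111 111 111", "income": 41000},
    {"id": "A002", "name": "Recipient Two",   "tfn": "222 222 222", "income": 38500},
    {"id": "A003", "name": "Recipient Three", "tfn": "333 333 333", "income": 52750},
    {"id": "A004", "name": "Recipient Four",  "tfn": "444 444 444", "income": 29900},
]


@dataclass(frozen=True)
class Face:
    """One printed side of a sheet, tagged with the record it was rendered from."""
    record_id: str
    side: str      # "front" (covering letter) or "back" (financial details)
    text: str


def render(records) -> tuple[list[Face], list[Face]]:
    """Render fronts and backs as two parallel streams, one entry per recipient."""
    fronts = [Face(r["id"], "front", f"Dear {r['name']}, about your child allowance ...")
              for r in records]
    backs = [Face(r["id"], "back", f"TFN {r['tfn']}; declared income {r['income']}")
             for r in records]
    return fronts, backs


def print_run(fronts, backs, restart_at=None) -> list[tuple[Face, Face | None]]:
    """
    Pair front i with back i onto sheet i.  restart_at models the fault in the
    article (an assumed model): from that sheet on, the restarted back stream
    is one position ahead, so each recipient's details land on the next
    recipient's letter, and the last sheet gets no back at all.
    """
    sheets = []
    for i in range(len(fronts)):
        j = i + 1 if restart_at is not None and i >= restart_at else i
        sheets.append((fronts[i], backs[j] if j < len(backs) else None))
    return sheets


def check_sheets(sheets) -> list[int]:
    """Indexes of sheets whose two faces do not belong to the same record."""
    return [i for i, (front, back) in enumerate(sheets)
            if back is None or front.record_id != back.record_id]


def release_batch(sheets) -> bool:
    """Gate before mailing: release only a batch where every sheet is self-consistent."""
    return not check_sheets(sheets)


if __name__ == "__main__":
    fronts, backs = render(RECORDS)
    good = print_run(fronts, backs)
    faulty = print_run(fronts, backs, restart_at=2)
    print("clean run releasable:", release_batch(good))
    print("mismatched sheets after restart:", check_sheets(faulty))
```

The identifier on each face can be a barcode or a small printed code read by the inserter; the point is that the pairing is verified per sheet after printing rather than assumed from the order the job was submitted in.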


Third Chicago Airport Selection

"William E. Mihalo" <calumet!wem@apple.com>
Sat, 08 Feb 1992 09:28:21 cst
The selection process for the third Chicago airport continues to generate
controversy (see a previous issue of Risks Digest).  In this particular case,
it's an excellent example of PC-based computerized mapping programs and
spreadsheets being abused.

A revised configuration for the Lake Calumet site (which is strongly favored by
Mayor Daley) has modified the footprint for the airport. The Ford assembly
plant in Hegewisch, Illinois is now spared (this plant is used for the assembly
of the Ford Taurus and Mercury Sable). However the revised footprint for the
airport has it crossing the state line into Northwest Indiana. One of the
runways ends within less than a mile of the Amoco Oil Refinery in Whiting. An
estimated 25,000 homes, half a dozen schools and 15 churches would need to be
razed to make room for the airport. The revised plan doesn't anticipate the
relocation of any industrial sites.

However it also calls for the draining of several hundred acres of wetlands.
The fate of several lakes that are adjacent to the airport site is also in
question. An estimated 50,000 people would be dislocated by the project.

The second risk is one of computer spreadsheets. The original cost of the
airport was $5 billion. A revised cost from Mayor Daley is $10.8 billion.
However this assumes the razing of only 10,000 homes. An estimated $18 to 30
billion would be needed to raze the 25,000 homes that are within a 7 mile
radius of the proposed site. Assuming a $10.8 billion cost, a ticket
surtax of $12-15 per ticket would be levied for any flight originating or
terminating from Midway and O'Hare. With the $30 billion estimate the ticket
tax would be in the range of $36 - $50.

The entire justification for the third airport is based on FAA data from the
late 1970's which was gathered just before the deregulation of the airline
industry in the United States.

One question for the Risks community. Has anyone ever estimated the area of
destruction that would result if a jumbo jet were to make a direct hit upon an
oil refinery? Whenever the issue of safety is mentioned it is dismissed with
the statement that commercial aviation is safer than driving.  O'Hare was the
site of a DC-10 crash in 1979 which killed several hundred people. Indiana
within the past 4 years has had two crashes (one in Indianapolis, and a more
recent one in Evansville) with planes going down near airports with a
significant loss of life from people on the ground.

                                       William E. Mihalo wem@calumet.uucp


Carpal Syndrome reports rise sharply

Jeff Helgesen <jmh@morgana.pubserv.com>
Thu, 13 Feb 92 14:43:47 -0600
[The following article appeared in the Chicago Tribune, 11 Feb 1990.  All typos
are mine; bracketed inserts are those of the original editor.]

CARPAL SYNDROME REPORTS RISE SHARPLY (Jon Van, Chicago Tribune)

Reports of repetitive-motion disorders have risen sixfold in recent years and
now account for more than half of all occupational illnesses in the United
States, a report in Wednesday's Journal of the American Medical Association
noted.

Physicians must work with employers, industrial designers, labor
representatives and others to modify work sites so that these injuries,
sometimes known as cumulative trauma disorders and sometimes as carpal tunnel
syndrome, can be avoided, the report said.

The U.S. Bureau of Labor Statistics found that there were 24 cases of
cumulative trauma disorder for every 10,000 U.S. workers in 1990, up from 4
cases per 10,000 in 1982.

Dr. David M. Rempel, director of the ergonomics laboratory at the University of
California at San Francisco, said in his Journal report that several factors
account for the increase. They include increased awareness of the problem,
advances in medical diagnosis and an ever-accelerating pace of work.  Even
though the problem is growing, most physicians are ill-prepared to deal with
it, Rempel and his colleagues said.  ``Because of the scarcity of medical
research on [the disorders],'' they wrote, ``many physicians are unable to
identify patients working in high-risk environments and are inadequately
prepared to treat patients with symptomatic disorders.''

When someone applies force over and over to the same group of muscles, the same
joint or the tendon, the result may be tissue tears and trauma. Other factors
causing damage are awkward joint posture and prolonged constrained posture.

Workers should be encouraged to watch for symptoms, especially pain, and seek
medical attention early, Rempel and the co-authors said. They shouldn't be told
to work through pain, the report said.  ``Medical intervention for the patient
with [a disorder] requires not only accurate diagnosis and appropriate therapy,
but also direct involvement in changing the patient's work environment,'' the
report concluded.


Patent Foul-up

Dr. Laurence Leff <mflll@uxa.ecn.bgu.edu>
Sun, 9 Feb 1992 22:49:17 GMT
This RISKS submission concerns a computer problem with a patent application.

When the patent examiner issues a final rejection of a patent, the patent
office can give you a shortened time to respond.  This response is an appeal to
the board of patent appeals.

The statutory time to respond is six months; however the patent office has the
authority to shorten this time.

You can extend the time given by the patent office by paying a late
fee--however, late fees won't extend your total time more than the six months
specified in the statute.

On 08/13/91, the patent examiner issued me a final rejection of my patent.  The
problem concerns the date on the letter informing me of this.

That letter was issued on a standardized form, PTOL-326.

That form included the statement:

"A shortened statutory period for response to this action is set to expire
3(three) month(s) 0 days from the DATE OF THIS LETTER."  (Emphasis mine).  The
3 for three months and the zero for 0 days were entered in handwriting.

The date was supposed to be printed on the preprinted form under or next to the
preprinted text that said "Date mailed"

Unfortunately, the dot matrix printout of the date was obscured by the
preprinted "Date mailed."  The date printed on the letter of "08/??/91" was
eighty percent obscured.

It was obvious that the form was not correctly aligned in the printer.  The
name of the examiner was not under the heading "examiner."  And the number 231
was not under "art unit."  Thus, I couldn't read it properly and read the date
as 09/10/91.  The slash overlapped one of the letters which appeared to be a
nine.  Section 1.134 of Title 37 of the Code of Federal Regulations states in
pertinent part,

  "An office action will notify the applicant of any non-statutory or shortened
  statutory time period set for response to an Office action."

The office action failed to notify me of the indicated time.  Thus, "unless the
applicant is notified in writing that response is required in less than six
months, a maximum period of six months is allowed."  (37 CFR 1.134).  Thus, I am
arguing my response was not due for six months from the indicated date as the
Patent office did not fulfill its regulatory requirement of notifying me as
specified by this section.

Therefore, I requested that no fee be assessed at all.

This points out the obvious risks of not aligning forms when put into
printers.

However, this likely human error was compounded by:

1) using a cheap nine-pin dot matrix printer with this form.  If the numbers
   were printed with a daisy wheel printer or 24-pin printer, they would have
   been more readable even if printed on top of other information.

2) Using a numerical date format "08/13/91" instead of August 13, 91.
   One is less likely to confuse August and September than 08 and 09.
   Although "November" and "December" have most of their letters in common.

3) However, the patent office had the correct date in a computer
   system.  They should have printed everything out using a laser
   printer including the shortened statutory time, the date of final
   reject and the date the response was due.  All the information on
   the preprinted form would be printed out at the same time.

   This would be a simple WordPerfect merge application.


Computer Virus Catalog: Jan.1992 edition

Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
14 Feb 92 16:54 +0100
At the end of our winter semester, the following new entries of the Computer
Virus Catalog are available:

        INDEX.192:    survey of all entries published so far
                      (214 viruses/trojans)
        AMIGAVIR.192: 14 new viruses (total: 29 viruses/time bombs)
        MACVIR.192:    9 new viruses (all known 29 viruses/clones classified)
        MSDOSVIR.192: 15 new viruses (total: 99 viruses, 4 trojans)
                      including: Amilia (Murphy Strain), AntiCAD (Jerusalem/
                                 AntiCAD strain), FEXE & FICHV2.0 & FICHV2.1
                                 (all: FICHV strain), Hafenstrasse (no strain),
                                 Michelangelo (Stoned strain), PLOVDIV 1.3
                                 (PLOVDIV strain), SEMTEX, Sverdlov=Hymn of
                                 USSR, Violetta, ZeroHunt-411, -415 = Minnow/1
                                 (ZeroHunt strain), VDV-853 (maybe VCS 1.0
                                 predecessor).
                      Moreover, the first polymorphic virus using Dark Avenger
                      "Mutating Engine 0.9" is classified, named "Dedicated".

After analysis of an accident with a UNIX shellscript virus in a European
university, based on several publications of an AT&T author who described all
details of the virus' code and sufficient details of his "attacks" on several
UNIX systems in his enterprise, we have classified this virus under the
provisional name "AT&T ATTACK virus". This information is available from the
author, on specific demand; despite the fact that this classification does not
contain any information helpful in programming this virus, we wish to avoid as
far as possible a similar virus wave as we observe so regretfully in the PC
world.  This is the reason for some restrictions in distribution of the Catalog
entry.

All information including all other Virus Catalog entries may be received
either by demand from the author or may be downloaded from our FTP site:

              address: ftp.informatik.uni-hamburg.de
                      134.100.4.42
              login   anonymous
              password your-email-address
              directory: pub/virus/texts/catalog

Moreover, those interested in Chaos Congress material (e.g. CCC91): these are
available on the same ftp site with the same procedures in
              directory: pub/virus/texts/hackers

Finally, we are updating the Index of Malicious MsDos Code; to avoid those
inaccuracies which unfortunately were built-into the first edition (IMSDOS.791)
due to misleading information from several alternate sources, Vesselin Bontchev
and I decided that we *only publish information on those viruses/trojans etc
which are in our Secure Malware Database*. In the next edition, it will
describe about 1,150 viruses/trojans with those names/aliases which are used by
major antivirus software. This edition will be available on the ftp-site early
in March.

All comments and critical remarks which help us in enhancing the quality of
our work and information are strongly welcome.

Klaus Brunnstein, Virus Test Center, University of Hamburg, Germany


Re: Dutch police arrest hackers (Minow, RISKS-13.13)

Brinton Cooper <abc@BRL.MIL>
Tue, 11 Feb 92 9:20:16 EST
In discussing system restoration following illegal hacker activity, Martin
Minow takes issue with the assertion, "...Every system manager that uses a
legal copy of the operating system has a distribution version within easy
reach."  He says, in part, "Rebuilding the operating system for a small
workstation takes at least a half-day. Re-editing all site-specific files, such
as password files, network host tables, aliases..."

It seems to be RISK-y behavior not to keep an image of your operating system,
including the site-specific files, on tape back-up...off-line, not available
via automatic de-archiving, mountable only manually, etc.  What happens when
disks are corrupted by more benign influences such as power surges or head
crashes?
                                      _Brint

    [Also commented on by David Rose, dave@phoenix.pub.uu.oz.au.  PGN]


re: Brinton Cooper's comments on system recovery

Martin Minow <minow@ranger.enet.dec.com>
Tue, 11 Feb 92 15:47:12 PST
Brinton Cooper notes that it is "RISK-y behavior" not to keep a fully-
configured system image on tape backup, especially in order to recover from
hardware errors.  He is absolutely correct. However, if your system was
intentionally attacked, this might be insufficient. I know of one case where
the system manager not only rebuilt the system from distribution tapes, but he
even went so far as to order new tapes from the manufacturer in order to avoid
the minuscule risk that the attacker had physical access to the on-site tape
library. Of course, only the system owner can evaluate the tradeoff between
acceptable risk and the cost of protecting against that risk.
                                                               Martin Minow
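As an added illustration of the point both contributors are circling (not code from either of them, and not a technique either mentions): short of ordering fresh tapes from the manufacturer, one can check an on-site distribution copy against a manifest of file hashes taken from trusted media before the incident and kept where an intruder could not reach it, such as off-site or on read-only media. The SHA-256 choice, the manifest format and the sample file tree are my assumptions. The snippet builds a small tree in a temporary directory, records the manifest, then alters the copy the way someone with access to the tape library might, and reports what differs.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large distribution files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_against_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the media at root with the trusted manifest and classify every difference."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: trusted copy, manifest, then a tampered on-site copy."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "dist"
        (media / "bin").mkdir(parents=True)
        (media / "etc").mkdir()
        (media / "bin" / "login").write_bytes(b"original login binary\n")
        (media / "etc" / "passwd").write_bytes(b"root:x:0:0::/:/bin/sh\n")
        (media / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        # Manifest taken before the incident; assumed stored out of the intruder's reach.
        manifest = build_manifest(media)
        # Someone with access to the tape library swaps a binary, plants a file,
        # and removes another (constructed tampering for the example).
        (media / "bin" / "login").write_bytes(b"backdoored login binary\n")
        (media / "bin" / "extra").write_bytes(b"planted\n")
        (media / "etc" / "passwd").unlink()
        return verify_against_manifest(media, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is only as trustworthy as where it was kept: a manifest stored on the same tapes is as suspect as the tapes. If the vendor publishes checksums for the release, those serve the same purpose without needing a pre-incident snapshot of your own.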


Automated Phone Systems

Allan Meers - Sun Education/Professional Services <Allan.Meers@ebay.sun.com>
Tue, 11 Feb 92 13:37:11 PST
From rec.humor, a commentary on those over-optioned automated phone
answering/messaging systems.

                       AUTOMATION IN THE 20th CENTURY
                            By Michael J. Clark

The setting is a typical bedroom, a woman is in the bed asleep, next to her bed
is a night stand with an alarm clock and a telephone.  Suddenly the woman
awakens to the sound of a strange noise in the house, she looks around, starts
to panic and then picks up her phone to call the police.

Woman: (Startled and panicked, talking out loud to herself in a low tone)
"I-I-I-I've got to call the police, there's someone here, oh God I know there
is, let's see...what's the number," (she nervously punches the numbers into the
phone.)

After a few rings the phone is answered, there is a delay, then we hear:
"Welcome to our emergency phone mate 911, the automated emergency answering
system, the latest in emergency response technology!  If you are calling from a
touch tone phone, please enter a 1 at the tone, enter now"......(the woman
looks both shocked and puzzled as she nervously punches in a "1") "Thank you,
our emergency phone mate 911 recognizes that you are calling from a touch tone
phone......To serve you better your police and emergency services have set up
this system to route your call to the appropriate emergency service
personnel......If you are in need of police assistance enter a 5, if you
require information in Spanish, enter 7, in Chinese enter 4, in Greek enter 9,
in French enter 6 or Italian enter an 8, if you wish fire or medical service
enter a 3 and the corresponding numerical code for the language in which you
will be speaking or in need of translation......to repeat the previous
information please enter 0.......Enter your code now please"......(the woman,
who has now gone from fear and panic to being irritated and confused enters a 5
and waits.....) "Emergency phone mate 911 recognizes that you have requested
police assistance in English....In order to better serve you, please enter the
appropriate number at the tone....a 1 if your call is not an emergency, a 2 if
you need information, a 3 if you are returning a call from a police official, a
4 if you are inquiring about a parking ticket, or a 5 if this is an emergency,
enter your code now"........(she shakes her head and rolls her eyes and enters
a 5 quite forcefully) "Emergency phone mate 911 recognizes that you have a
police emergency, please enter a 1 if it is a life threatening emergency, a 2
if it is a non life threatening emergency, a 3 if there are weapons involved, a
4 if there are multiple perpetrators, a 5 if the perpetrators are non English
speaking and will require a Miranda warning in any other language....Please be
sure to enter the appropriate language code if you enter a 5....if the police
emergency is a non life threatening rape or physical assault please enter a
7.......

(the woman now has lost her temper, she punches in a 2 saying out loud "How the
hell do I know if it's life threatening or not you imbecile!")  "Emergency phone
mate 911 recognizes that you have a police emergency that is non life
threatening, emergency phone mate will now direct your call to the appropriate
department for response.....please hold while your call is transferred.....(we
hear ringing......, the phone is answered) "Dunkin' Donuts, may I help you?"
........


International finance

David B. Benson <dbenson@yoda.eecs.wsu.edu>
Wed, 12 Feb 92 14:09:10 -0800
  From: dbenson@yoda.eecs.wsu.edu (David B. Benson)
  To: djb@vax.ox.ac.uk (Dave Benson)
  Subject:  Bank statement

  Dear Dave,

  Forwarded to me from Yale is a bank statement from Den Danske Bank
  originally addressed to

    MATHEMATIKER, DAVID BENSON, DEPT. OF MATHEMATICS,
    YALE UNIVERSITY, BOX 2155, YALE ST.,NEW HAVEN,CONN.06520 USA

  I suspect this is yours.  However, I did open it (apologies, but there
  was no other way to determine the original addressee) and it appears
  that the account is inactive.

  Would you like me to send this to you anyway?  (Alternatively, with
  your authorization, I could send you the account number and the balance
  via this not very secure medium of email.)

  Sincerely, David B. Benson

- - - -

  Date: Tue, 11 Feb 92 9:04 GMT
  From: DAVE BENSON <DJB@vax.oxford.ac.uk>
  To: DBENSON <@nsfnet-relay.ac.uk:DBENSON@YODA.EECS.WSU.edu>
  Subject: Bank statement

  Dear David,
  I seem to be plagued in life by encountering other David Bensons.
  There's one living just a few miles from here who shares also my
  middle name and exact date of birth. I have no desire to meet this
  doppelgänger in case he turns out to look just like me.
    As far as the bank account is concerned, I tried several times
  in 1982 to close it, and in the end decided just to ignore it.
  So please do what you like with the statement of balance of
  zero Kroner og zero øre.
    Zoodle wurgle,
  Dave Benson.

- - - -

  From: dbenson@yoda.eecs.wsu.edu (David B. Benson)
  To: DAVE BENSON <DJB@vax.oxford.ac.uk>
  Subject: Re: Bank statement

  I know the feeling all too well.  So far, though, none with the
  same middle initial nor looking like me.  I'll not send along the
  bank statement, but I fear that now Yale will, every year, forward
  the statement to me -- for the rest of my life.

  Cheers,   David
                      [Reproduced with permission of Both Dave Bensons.
                      But what if they start charging interest?  PGN]
