The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 74

Thursday 20 August 1992

Contents

o California Woman Convicted in Computerized Income Tax Refund Scheme
Nigel Allen
o High-tech, discriminatory bathrooms...
Gary Friedman
o Secret Service -- the TV show
Stephen Tihor
o Novell Netware protection?
Fred Cohen
o Risks of Relying on Computerized Records in Court
Mark Rasch
o Barclays Voice-Mail system reveals card numbers
Adrian Howard
o Voting machine failure reveals lack of backup plan
John Long
o Macs becoming popular in Bulgaria
Klaus Brunnstein
o Gold Card with wrong name, odd riders
Jane Beckman
o PRIVACY Forum reminder
Lauren Weinstein
o Info on RISKS (comp.risks)

California Woman Convicted in Computerized Income Tax Refund Scheme

<Nigel.Allen@lambada.oit.unc.edu>
Tue, 18 Aug 92 23:34:25 EDT
Here is a press release from the U.S. Justice Department.

 California Woman Convicted in Income Tax Refund Scheme
 To: National Desk, California Correspondent
 Contact: U.S. Department of Justice, 202-514-2007

   FRESNO, Calif., Aug. 18 /U.S. Newswire/ -- Acting Assistant Attorney General
James A. Bruton and the United States Attorney for the Eastern District of
California, George L. O'Connell, announced Monday, Aug. 17, that Enedina Ochoa
of Turlock, Calif., 26, was convicted by a federal jury on Friday, Aug. 14, of
one count of conspiracy to defraud the government and 20 counts of assisting
others in filing false income tax refund claims with the Internal Revenue
Service.
   The jury trial lasted four days before United States District Judge Oliver
W. Wanger.  Wanger ordered Ochoa held in custody pending sentencing.  Ochoa's
scheme exploited the Internal Revenue Service's newly implemented electronic
filing system, which allows filers of refund claims to receive their refund
checks in one or two days.  By causing large numbers of false refund claims to
be electronically filed, Ochoa and her co-conspirator, Karleena Pulido,
fraudulently obtained approximately $100,000 from the Internal Revenue Service.
Most of the criminal activity involved 1991 federal income tax returns filed
earlier this year.
   Ochoa and Pulido, a Turlock income tax preparer who pled guilty two weeks
ago to conspiracy to defraud the government and 29 counts of assisting others
in filing false claims for income tax refunds, engaged in a scheme to
electronically file false refund claims with the I.R.S. by recruiting
individuals to provide their real names and social security numbers for use by
Pulido on false Forms W-2 which Pulido fabricated.  Ochoa then assisted the
recruited individuals in electronically filing these false refund claims with
the I.R.S. from electronic return transmitters such as Cash-N-Dash, an income
tax transmittal and check cashing service headquartered in Fresno.  Ochoa and
Pulido then divided the refund proceeds among themselves and the
individuals they recruited.
   The long-standing I.R.S. system of filing paper returns requires a taxpayer
to wait several weeks before receiving a refund check.
   Ochoa and Pulido face a maximum sentence of ten years imprisonment and a
fine of $250,000 for the conspiracy convictions and five years imprisonment for
each conviction of assisting in the filing of a false claim.  Sentencing is set
for Oct. 19, and Oct. 26, for Pulido and Ochoa, respectively, before Wanger.
   The case is the result of an extensive and ongoing investigation of
electronic filing fraud by special agents of the Internal Revenue Service's
Criminal Investigation Division, and was prosecuted by Department of Justice
Tax Division Trial Attorneys Eric C. Lisann and Floyd J. Miller.  It is the
first prosecution of this type of crime in this judicial district, and is one
of only a very few such cases that have gone to trial anywhere in the United
States since the inception of the Internal Revenue Service's electronic filing
system.
   Acting Assistant Attorney General James Bruton stated, "This conviction
serves as notice that the federal government is committed to early detection
and prosecution of electronic filing schemes.  Blatant abuse of the Internal
Revenue Service's computerized refund program will not be tolerated."
According to Rick Speier, chief of the Internal Revenue Service's Criminal
Investigation Division in San Jose and Fresno, "as the use of electronic filing
increases, the Internal Revenue Service will continue to be vigilant in
identifying electronic filing schemes organized by unscrupulous individuals who
seek to exploit the system for criminal purposes."


High-tech, discriminatory bathrooms...

Gary Friedman <garyf@puente.Jpl.Nasa.Gov>
Mon, 17 Aug 92 15:24:12 PDT
The Santa Monica, CA Municipal Pier has recently added new "high-tech" public
restrooms that are discriminatory about to whom they will dispense water.  Like
many of the new breed of restrooms increasingly found in airports, both the
urinals and the washbasins have an infrared proximity sensor which turns the
water on and off for you; there's no need to ever touch a control.

A nine-year-old who was with me stood in front of a washbasin I had just used,
and got mad when the faucet wouldn't turn on for him.  Nothing he tried,
including covering the sensor with his hand, would work.  Only after I
suggested jumping up and down and waving his hands above his head did the
faucet finally acknowledge that a human was there and grant the public
resource, and then promptly quit a few seconds later when his hands moved down
to be washed.

I know the problem of people leaving conventional faucets running unattended is
ancient, and that many solutions have been tried in the past to combat it; such
as the mechanical push button which will let the water run for anywhere from 1
to 15 seconds, depending on the maintenance history.  I see in this new
electronic twist to an old problem two new RISKS, one of which is rather
serious:

1) Discrimination against short people.  This being a public area, it is
reasonable to expect children.  (It's doubtful that any health epidemic might
result from this; after all most kids don't wash their hands and don't prepare
food in eating establishments.)

2) I saw no manual overrides for the controls; I assume that if a power failure
were to occur (as a result of a natural disaster; not difficult to imagine in
California) it would also cut off the water delivery, a crucial resource during
such times.  Often during a disaster the electricity is the first thing to go
out, while the water flow is much more reliable.  This new solution
unnecessarily couples the two while providing no perceivable advantages over
the older mechanical methods, exacerbating worst-case scenarios.

(This gets added to my ever-expanding list encompassing electronic tire
pressure gages, electronic carpenter's level, computerized office building
directories, microprocessor-based wire strippers, etc. for having no advantages
over the prior art but catastrophically fail when the batteries die.)

                                             -Gary Friedman
Gary Friedman, Jet Propulsion Laboratory - NASA, 4800 Oak Grove Drive,
Pasadena, CA 91109   (818) 306-6193  {cit-vax,elroy,psivax}!devvax!garyf


Secret Service -- the TV show

Stephen Tihor 212 998 3052 <TIHOR@ACFcluster.NYU.EDU>
17 Aug 1992 12:24:24 -0400 (EDT)
Last night NBC broadcast an episode of "Secret Service" in NY at least that
featured a straightforward nut who wants to kill the President plot and then
a rather confusing account of their high technology defense of a fuzzy city
power system against sabotage by a fired employee.

I hope someone taped it and caught the exact wording of the disclaimer at the
end because it was hard to follow the logic and determine what was the original
incident and what was Hollywoodisms.

The piece was prefaced with a brief discussion of some of the risks of power
outages.

The expert quickly diagnosed the problem as a VIRUS.  Persistent references to
virus in the context of an electric power control system seemed odd. Since they
appeared to be running pre-existing VIRUS checking software on the system one
might suspect the "main frame" was an IBM PC or Apple Macintosh running
standard software rather than a real time control system or perhaps something
larger and safer. Interesting references were made to viruses lurking WITHIN
modems.  Then they identified the source of the attacking codes as the local
font storage in what appeared to be an old DECwriter dot matrix printer.

With some external clues the agents attempt to confront the criminal in house,
which is wired with many falling metal screens, sound effects, and gas but
which lacks reinforced walls.  The culprit is classic middle aged computer geek
who appears uncaring about possible loss of life although the agents do not
mention to him the risk of a life sentence or death penalty if others die as a
result of his sabotage.  He refuses to help them disarm the problem.

The expert has announced that this is a logic bomb and eventually realizes that
since the bug code is not in the copy of the system on disk as long as they
shutdown without writing memory to disk they can reboot bug free.  So a brief
deliberate blackout is used to save the city.

I am obviously very curious about the TRUE FACTs of this and if the show plans to
show such other SS triumphs in the war on electronic crime as almost destroying
Steve Jackson Games.

   [Program also noted by johana!tsw@apple.com (Tom Watson)]


Novell Netware protection?

Mr Fred Cohen <cohen@fitmail.fit.qut.edu.au>
Wed, 19 Aug 92 8:28:12 EST
I have been doing exhaustive tests on Novell Netware protection, and I cannot
believe these people can sell their product on the basis that it is the most
secure.  If it is, we are in big trouble!!

"Read Only" files are successfully infected by DOS viruses!
"Directory protection" works exactly the opposite of how the manual claims!
        IN 3 DIFFERENT PLACES!!!
Several protection bits work from a Macintosh, but not from DOS machines!!
    What kind of network protection doesn't work when the user uses a
    different machine to login?!?  Protection based in the user's machine
    and not on the server!!!

A shareware product successfully gathers passwords from the net as they are
    entered by the users!  For $35 I can get every password on your network
    (if I choose to pay the shareware licensing fees to be honest about it)
Passwords can be ANYTHING - including nothing at all!  The supervisor password
        on our network is empty, so anyone on the net can login with no password
    (we are physically isolated - but how about some password controls!)
So-called Execute Only protection does not prevent companion viruses from
    working, and prevents the sys admin from verifying program integrity,
    prevents backup and restore of execute-only files, and thus is a great
    hindrance to protection!

These were the results of the first 2 DAYS of experiments!  If we can find this
many problems in 2 days (while not explicitly trying to look for these kinds of
holes), I can't imagine anyone claiming this system to be the best available
security.  But who knows?  In the next few days we will be looking at Unix
based servers!  FC


Risks of Relying on Computerized Records in Court

<Rasch@DOCKMASTER.NCSC.MIL>
Wed, 19 Aug 92 11:46 EDT
Joe Konstan reports that CALL TRACE would pick up the identity of the
individual responsible for making the harassing telephone calls even if RETURN
CALL did not.  He notes that "the switch does know who placed the call..."
However, this assumes that the switch itself (which is computer software, after
all) is operating properly, and isn't the cause of the problem.  Even assuming
no "bug" in the switch, there is always the (very real) danger that the switch
can be compromised by unauthorized users (insiders or "hackers").  What this
teaches us is that, as computerized systems become more vulnerable to attack
and compromise, their reliability is compromised.

As a lawyer and former (computer crime) prosecutor, I can assure you that
computerized information is *routinely* accepted as reliable and frequently
forms the basis for criminal prosecutions and convictions.  Telephone toll
records, credit card records, bank statements and the like are admitted into
evidence as "business records" without even a fleeting inquiry into the manner
in which they were created.  For the most part, Courts "assume" that these
records are reliable.  While computerized summaries and computer generated
reports (created for litigation) are subject to greater scrutiny, they all
suffer from the MEGO effect (My Eyes Glaze Over).  If I can't understand it, it
must be right.

Generally, there is little harm to this.  For the most part, computer generated
records are reliable, and are relied upon in the ordinary course of business
transactions.  Indeed, they are frequently more reliable than the "paper"
records they replaced and which were routinely accepted.  However, the public
must be ever vigilant against the possibility of alterations,
misinterpretations, and simple errors in these records -- they are not always
what they seem.

Mark D. Rasch, Arent Fox Kinter Plotkin & Kahn, Washington, D.C.
(202) 857-6154                       Rasch@ncsc.dockmaster.mil


Barclays Voice-Mail system reveals card numbers

Adrian Howard <adrianh@cogs.sussex.ac.uk>
Wed, 19 Aug 92 09:48:34 +0100
From the 18/08/1992 issue of the "Independent" (a "quality" English
newspaper.) All transcription mistooks are, of course, my own.

    Hackers pinpoint card weaknesses (John Eisenhammer --- Bonn)

    Barclays Bank executives in Germany were forced to admit
    yesterday that young hackers had made a fool of their credit
    card computer system.

    According to Hans-Hermann Schräder, the official responsible for
    the Protection of Information regulations in the state of
    Hamburg, where the "crime" took place, the bank's computer
    security was "totally unsatisfactory".

    For the past few months, a group of youths in Hamburg have been
    drawing out information about individual Visa and Eurocard
    owners, including their credit ratings, in order to show how
    easily such allegedly confidential information can be used.

    Even worse for the bank, which has been running a massive
    advertising campaign in Germany for its offer of both main
    credit cards for the price of one, officials still cannot tell
    from the voice-mail computer records that anything was amiss. It
    was only after hearing tapes on television, with client voices
    on them, that Barclays officials conceded that all was not as it
    should be.

    The special voice-mail computer was used by clients confirming
    that they had received their cards, at which point they provided
    their personal numbers, and by those requesting a credit limit
    increase. The information was recorded, not on normal tape but
    digitally by a computer, and the information was later decoded
    by bank staff. According to Rolf Wördemann, a member of
    Germany's main hacker organisation, the Hamburg Chaos Computer
    Club, voice-mail computers such as the one at Barclays are as
    "easy to break as a bicycle lock".

    Rather than prosecute, Barclays officials are hoping that the
    hackers will be willing to co-operate, so that the bank can find
    out just how bad things are, and who needs new credit cards. The
    fact that the enterprising youths also managed, once they had
    accessed Barclays' computer system, to make lengthy
    international telephone calls at the bank's expense, will be
    quietly forgotten.

I found this especially amusing since Barclays officials have recently
appeared on national news in the UK expounding the infallibility of
cash-card machines. I find the automatic assumption the computer cannot
be fouling up exceptionally irritating. The thought of having to give
personal numbers over the phone is also a bit of a worry (to me anyway
--- but then I'm paranoid :-)

I also dislike the idea that the bank is having to ask the hackers how
they did it. Shouldn't they have the expertise to find holes as
apparently large as exist in the system (then again if they had the
expertise, the holes wouldn't be there.) The "hackers" in the article,
while not exactly represented as heroes, are definitely not painted as
villains either. I'm not so sure.

Oh well, another Infallible-Banking-Computer-System (tm) bites the dust!
aids (email: adrianh@cogs.susx.ac.uk)


Voting machine failure reveals lack of backup plan

John (J.O.F.) Long <JLONG@BNR.CA>
17 Aug 92 14:46:00 EDT
   This year, I started serving as a registrar for my precinct.  Our county
started using computerized tallying machines this year, and everyone had to go
through required training to learn how to use them.  During the training
meeting, I asked what would happen if a machine should completely fail.  I was
assured that this "probably" would never happen.  I could swear that some of
the sample tallying machines in the back were snickering after this remark.
   If there is a blackout to the machines, then voters are supposed to put
their ballots into a special slot just for such emergencies.  It is assumed
that the electricity will come on again later during the day.  (What if the
power goes out 10 minutes before closing?)  After the polls close, the
registrar and judges are then supposed to open the special slot and send the
ballots through the reader.  Ballots cannot be read twice because the machine
marks them as they go through.
   The machines worked fine during the primary, but during the runoff, in which
very few people voted, my machine had a memory error just a few minutes before
closing.  There was nothing that could be done except send another machine out
to me.  We only had 21 people vote the entire day (!), so we could have counted
it by hand, but the elections board wouldn't allow it!
   What if there had been several memory failures during the day?  Would there
be enough backup machines to handle it?  What a mess!  And why are we so
reliant on machines that we cannot allow humans to do something that we can do
just as quickly?
            John Long, Raleigh, NC, jlong@bnr.ca


Macs becoming popular in Bulgaria

<brunnstein@rz.informatik.uni-hamburg.dbp.de>
18 Aug 92 18:59 +0100
According to a report from Vesselin Bontchev who just returned from his summer
vacation in Bulgaria, Macintoshes are becoming quite popular in Bulgaria.
Recently, an Apple distributor began to distribute Macs which many Bulgarians
found superior to their PC clones and began to like. We strongly hope that this
may not attract the interest of the well-known virus authors in Bulgaria and
subsequently in other Eastern European countries.

Klaus Brunnstein, University of Hamburg, Germany (August 18, 1992)


Gold Card with wrong name, odd riders

Jane Beckman <jane@stratus.swdc.stratus.com>
Mon, 17 Aug 92 15:46:49 PDT
Everyone gets credit card "pre-approval" offers in the mail, but this last one
started me wondering.  First off, it was addressed to "Jeffery L. Beckmann,"
with my correct address, down to a zip +4 code.  My name is Beckman, not
Beckmann (two n's), and my name is Jane G., not Jeffery L.  And we won't even
go into the way that my gender has gotten switched.  So, how did Mr. Beckmann
get associated with MY address in whomever's database?

Just for grins, to see what sort of gold Mastercard he was being offered, I
read the thing.  It had a $10,000 credit line, and NO ONE, repeat, no one, has
*ever* offered Beckman, Jane G. a card with that kind of credit line.  Weirder
still, to get the card, you were *required* to take out a cash advance of a
minimum of $2000, up to the $10,000 limit of the card.  After much searching
through fine print, I found the card was offered by an institution called
"First Deposit."  Then I found the weirdest part---the terms would only be sent
to you when you sent for your pre-approved cash advance and activated the Gold
Card.  In short, it could be 50% annual interest, starting to accrue from the
time they send you your "advance," and you wouldn't even know it until you had
taken the plunge.  Even the form was strange---just a signature line and a
phone number are to be provided.  Normally, these forms ask for independent
confirmation of credit---the usual questions about your obligations, etc., even
if they are theoretically "pre-approved" (which is actually a misnomer).

Several things occur to me.  I could sign Jeffery Beckmann up, collect his cash
advance, and skip town, if I were that sort.  Who would be responsible?  The
mysterious Mr. Beckmann, who may not exist?  For that matter, what if Jeffery
Beckmann's obligations and credit history get mixed up with mine, since his
address is obviously already mixed up?  And speaking of, HOW did this mystery
person get HIS name associated with MY address, aside from a totally
superficial resemblance between last names, his not even being spelled the same
as mine?  What if Mr. Beckmann is an international representative of a drug
cartel, and now has his address linked to mine?  Will my house suddenly be of
interest to some unknown authorities, who are doing computer traces of his
activities?  What database generated this so generous invitation, and how did
it determine that Mr. Beckmann was able to qualify for such a hefty cash
advance/credit limit without even knowing his real address?  The RISKS here
seem to cover several different aspects of our overly-databased society.

  -Jane G. Beckman  [jane@swdc.stratus.com]


PRIVACY Forum reminder

Lauren Weinstein <lauren@cv.vortex.com>
Tue, 18 Aug 92 11:06 PDT
[Lauren Weinstein is urging people to submit their PRIVACY related stories,
questions, comments, etc. to his PRIVACY Forum.  Apparently not many
people know of its existence, or else to consider privacy only in the
more general context of RISKS.  PGN]

You can get info about the digest by sending a message to:

   privacy-request@cv.vortex.com

with the words:

   information privacy

in the BODY of the message.  Submissions are explicitly solicited!  --Lauren--
