The RISKS Digest
Volume 15 Issue 37

Monday, 3rd January 1994

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Hacker nurse makes unauthorised changes to prescriptions
John Jones
Customs Data Diddling
Mich Kabay
Credit cards again
Mich Kabay
Tax Frauds
Mich Kabay
Re: Can SETI signals bear viruses?
Robert Ayers
Dave Weingart
James Abendschan
"When H.A.R.L.I.E. Was One" by Gerrold
Rob Slade
Request for help with RISKy situation
Alan Wexelblat
Info on RISKS (comp.risks)

Hacker nurse makes unauthorised changes to prescriptions

John Jones <J.G.Jones@computer-science.hull.ac.uk>
Mon, 3 Jan 94 10:09:41 GMT
The Guardian (21st December, 1993) reports the conviction of a male
nurse who hacked into a hospital's computer system and modified
entries, including prescriptions.  The hacker:

    - prescribed drugs normally used to treat heart disease and high
      blood pressure to a 9 year old with meningitis.
      This change was spotted by a ward sister;

    - prescribed antibiotics to a patient in a geriatric ward.
      These drugs were administered to the patient, with no apparent
      adverse reaction;

    - "scheduled" an unnecessary X-ray for a patient;

    - "recommended" a discharge for another patient.

The hacker gained access to the computer system after learning the
password through observing a locum doctor having trouble logging in.

He qualified as a nurse in 1989.  He is reported to have undergone a
considerable personality change as the result of a road accident in
1984.  As well as developing a fascination for computers and other
hi-tec equipment, he had apparently developed a "lack of sensitivity
to the consequences of his actions".

He had been sacked for unprofessional behaviour in 1990, but was
re-employed in 1992 at the same hospital.

He pleaded guilty to unauthorised modification of computer records.
He offered no explanation for his actions, but denied any malicious
intent.  He was jailed for 12 months.

John Jones (jgj@dcs.hull.ac.uk)


Customs Data Diddling

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
02 Jan 94 21:12:25 EST
>From the Associated Press newswire via Executive News Service (GO ENS)
on CompuServe:

  Customs-Whistleblower, By Michael White, Associated Press Writer
  SAN DIEGO (AP, 30 Dec 1993) — Some of what Mike Horner regards as his best
  work ultimately destroyed his career as a U.S. Customs Service inspector on
  the Mexican border.  Horner left the service after alleging that
  intelligence reports he filed identifying suspected drug smugglers and their
  vehicles were deleted from Customs' computer network."

This article and another by the same author detail the apparent data diddling
that resulted in first deleting, then re-introducing, Mr Horner's records of
smuggling across the US/Mexican border.

Horner's allegations of malfeasance were ignored by his superiors.

No one can explain how his deleted entries could have re-appeared after he
left the U.S. Customers Service.

White's next story is

  Customs Smuggling, By Michael White, Associated Press Writer
  LOS ANGELES (AP, 30 Dec 1993) — Weaknesses in U.S. Customs' cargo tracking
  system may have opened a door for smugglers of drugs and other contraband
  and cost taxpayers millions of tariff dollars, according to sources and
  Customs records.

   Among the problems: False inspectors' names are showing up on cargo entry
records, passing containers without inspection; and seals placed on containers
bound for distant destinations are breached in transit, allowing contraband to
be removed or contents stolen between the dock and inspection points."

This article deals with irregularities in the computer system used to
monitor the Port of Los Angeles.

Key points of the article:

o some bonded cargos appear to be opened illegally, allowing contraband
  to be removed.

o some inspection records online include names of nonexistent officials;

o records of suspicious shipments which should have initiated followups
  have been overridden with false names.

o 200-400 records of in-bond cargo containers are purged each month because
  the Customs Service cannot trace the containers; an indendent study by the
  Treasury Department estimated data destruction in the thousands per month.

o Some employees say that the computer system fools inspectors into relying on
  electronic records instead of their own initiatives when deciding which
  shipments to inspect.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn


Credit cards again

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
02 Jan 94 21:11:50 EST
>From the Reuter newswire via Executive News Service (GO ENS) on CompuServe:

  Britons Charged with Europe-Wide Credit Card Fraud

  LONDON (Reuter, 30 Dec 1993) - Three Britons have been charged with
  conspiracy in a 2.5 million pound ($3.7 million) Europe-wide credit card
  fraud, police said on Thursday."

The article says that the Birmingham men are accused of having used fake
credit cards and stole expensive products in France, Britain, Belgium and the
Netherlands.  Apparently other arrests are promised.

Once again we see that one of the world's most frequently used
network access control tokens, the common credit card, is wholly inadequate
to protect the public and the banking industry against fraud.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn


Tax Frauds

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
02 Jan 94 17:40:16 EST
>From the Washington Post newswire via Executive News Service (GO ENS) on
CompuServe

IRS Charges Tax Preparer With $1.1 Million Fraud,  By Christopher B. Daly
 Special to The Washington Post

   BOSTON, Dec. 16 - The president of a nationwide tax-preparation service was
indicted today on charges that he used computers to cheat the Internal Revenue
Service out of more than $1 million in one of the biggest electronic tax fraud
cases on record, officials said.
   Richard M. Hersch, 56, of Ardmore, Pa., was accused of using his company,
Quik Tax Dollars Inc. of Bryn Mawr, Pa., to file 431 false tax claims and
launder $1.1 million..."

The article provides details of the case.  Key points:

o 12 million returns were filed electronically in the 1992 tax year.

o Hersch is accused of making up "145 false tax returns using
  fictitious names and Social Security numbers."

o He then allegedly used an intermediary company, Drake Enterprises,
  which is not accused of wrong-doing, to forward the tax returns to the IRS.

o Hersch received cheques from a local bank which assumed that the bogus
  returns were OK, based preliminary info from the IRS which simply certified
  that there were no obvious errors.  Since there were no real filers,
  Hersch appears to have kept all the money himself.

o Incidentally, Hersch has been indicted in Philadelphia on charges of
  stealing $262,865 from Provident Bank by passing bad cheques.  He has also
   been indicted on charges of using other people's AmEx cards for more than
   $1000 in unauthorized purchases.

o Mr Hersch is currently under house arrest.

Comment:  how did this man get to run a tax-preparation service at all?
Aren't there any background checks for people in this kind of position?
And how about some kind of verification of the fake Social Security
Numbers?  Is it not possible to check that the SSN is assigned to the
person for whom the fake return was made?

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn


Can SETI signals bear viruses? (Cantillo, RISKS-15.36)

Robert Ayers <ayers@mv.us.adobe.com>
Mon, 3 Jan 94 09:17:33 PST
The sci-fi classic "A is for Andromeda" by Fred Hoyle is the story
of a SETI signal which is exactly the plans for, and a program for,
a very large computer.  The excitement begins, of course, when
(against the advice of one scientist) the computer is built ...


Can SETI signals bear viruses? (Cantillo, RISKS-15.36)

the person your mother warned you about <phydeaux@med.cornell.edu>
Mon, 3 Jan 1994 09:12:52 -0500
Not sure if this has been treated seriously by industry or academia, but
in Vernor Vinge's (marvelous and Hugo-winning) _A_Fire_Upon_The_Deep_, this
very method was used by a malicious intelligence to take over remote systems.
(In the book, one main method of communication is by a cosic equivalent of
Usenet (called either the Known Net or (frequently, and accurately) the Net of
a Million Lies).  The Blight (abovementioned intelligence) transmitted
intelligent packets to take over the remote system).

Personally, I don't think that this is going to be much of a problem right now.
In order for the information to wreak any real damage (unless you overload the
front end with a powerful signal), the virii would need to run, and unless
the evil LGMs at the other end somehow know the architecture of the system
doing the decoding, I can't see that this is a serious problem.

73 de Dave Weingart   KB2CWF  phydeaux@cumc.cornell.edu   (212) 746-3638


Can SETI signals bear viruses? (Cantillo, RISKS-15.36)

James Abendschan <unkadath!shamus@naucse.cse.nau.edu>
Sun, 2 Jan 1994 21:04:28 +0000 (GMT)
I can't help but think you've been reading "Snow Crash" :-)

The relevance is that, in the course of the narrative, it is discovered the
antagonist can cause a biological "crash" of the minds of programmers who have
"firmwired the binary code in the deep structures of their brain."  He picked
this data stream from stellar emissions recorded via a SETI-like antenna
network.

A bit esoteric, but it made an amusing read.

(The antagonist also vaguely reminded me of H. Ross Perot; odd.)

For those of you interested, the author is Neal Stephenson and the publisher
is Bantam Spectra.

James


"When H.A.R.L.I.E. Was One" by Gerrold

"Rob Slade, Ed. DECrypt & ComNet, VARUG rep" <roberts@decus.arc.ab.ca>
30 Dec 93 15:28 -0600
BKHARLIE.RVW  931222

Ballantine Books
101 Fifth Avenue
New York, NY 10003
or
Bantam Doubleday Dell
666 Fifth Avenue
New York, NY  10103
"When H.A.R.L.I.E. Was One", Gerrold, 1972/1988

HARLIE is not a virus.  He/it is an experiment in artificial intelligence.
For the purposes of the book the experiment is a success and HARLIE is alive:
is a person.  The plot revolves (slowly) around the efforts of corporate
management to kill the project (and HARLIE) and the efforts of the computer
(program) and its creators to stave this off.  As in most of Gerrold's books,
the plot is primarily there to set up dialogues in which he can expound his
philosophies.  (The most blatant example of this is in "A Rage for Revenge"
most of which takes place in a seminar, the largest chunk of which is devoted
to an illustration of the standard five-stage model of grieving.)

In both versions, the "virus" is a mere diversion.  It has nothing to do with
the story at all, and is a discussion point between two characters, never
referred to again.  Indeed, in the first version it is introduced as a science
fiction story, "but the thing had been around a long time before that."  Make
of this latter statement what you will.  My resident science fiction expert
can't think of what the prior story might be and ventures that this might be
Asimovian self-citation.

Statements have been made that the virus aspect was downplayed in the second
version.  This is rather ironic.  The virus story gets roughly the same amount
of ink in both versions, but the early one is definitely superior.  HARLIE72
gives a fairly simple and straightforward account of a self-propagating
program.  In fact, aside from the dependence upon dial-up links, the parallels
between the HARLIE72 virus and the actual CHRISTMA infestation fifteen years
later are uncanny.  Specifics include the use of an information source for
valid contacts, and a mutation which loses the self-deletion characteristic.

The HARLIE88 discussion is much more convoluted, bringing in malaria, spores,
phages and parasites.  The are even two separate invocations of the worm, one
lower case and one capitalized, both with different definitions.  (One refers
to a logic bomb, and the other to a virus directed at a specific target.
Neither definition is so used by anyone else.)  The end result is a completely
iconoclastic set of terminology bearing almost no relation to anything seen in
real life.

To further the irony, HARLIE88 could have been viral.  HARLIE72 could not:
part of the system was advanced hardware which did not exist in other
computers.  Therefore, while HARLIE72 had the ability to program other
computers, such programming could never have resulted in a reproduction without
the additional hardware.  HARLIE88, however, was software only.  To be sure,
the environment included "2k channel, multi-gated, soft-lased, hyper-state"
processors, roughly a million times more powerful than the home user's "Mac-
9000", but still, as one character has it, just chips.  HARLIE88 *could*
survive, albeit running more slowly, on other computers.  However, while one
character realizes that HARLIE could be "infectious" the discussion dies out
without realizing that the primary tension of the story has just been
eliminated.

copyright Robert M. Slade, 1993   BKHARLIE.RVW  931222
Vancouver Institute for Research into User Security Canada V7K 2G6 604-984-4067
ROBERTS@decus.ca Robert_Slade@sfu.ca  rslade@cue.bc.ca  p1@CyberStore.ca


Request for help with RISKy situation

"Alan (Miburi-san) Wexelblat" <wex@media.mit.edu>
Thu, 30 Dec 93 15:10:10 -0500
My bank has installed one of those bank-by-phone services.  You call up,
give your 10-digit account number, password is the last 4 digits of your
SSN, and off you go.  At the moment the transactions available are purely
informational (get balance, get last 5 checks that cleared, etc.), but they
say they plan to allow operational transactions (e.g. pay bills, transfer
money) soon.

The problems of this kind of system have been well-covered here in the past;
what I need help with is also a known problem, but in this case it appears
to be particularly severe.  To wit:

In this system, if you time out too often or enter incorrect information
twice, you are transferred to a human being who is supposed to help you
figure out the system.  In my case I encountered this human twice.  The
first time I had misunderstood which subset of the account digits they
wanted.  When I got to the human, he could apparently see the digits I had
typed and he told me the correct digits to use for my account (how helpful,
I thought).

I then called back and tried the new digit set, and it still failed twice.
I talked to another human being who revealed that not only did he have on
his screen my account #, but also he had the 4-digit password I had typed
*and* the correct password.  It turns out that there was a data
transcription error in my account and they had a wrong SSN for me; thus the
password was different than I expected.

The helpful gentleman — with NO confirmation of who I was — provided the
correct four digits to me!!  ARGH!  And I wasn't even *trying* to do social
engineering.

Now, what I would like help from RISKS readers on is how I should draft my
letter of protest/alarm.  To whom within the bank/government/BBB/SEC/etc
should it be sent?  How do I explain to them that (a) they have to guard
this information at least as closely as bank-card PINs; (b) they should
provide some way for me to change my password; (c) they have to train their
people a whole lot better!  At the moment I'm tempted to rant and rave at
them, but I know a calm, well-thought-out, detailed response is more likely
to get the results I want.  Should I start off with a phone call?  Has
anyone on this list dealt successfully with similar problems?

Please send suggestions directly to me; I will summarize back to RISKS and
let y'all know if there is any change in the future.

--Alan Wexelblat, Reality Hacker, Author, and Cyberspace Bard
Media Lab - Advanced Human Interface Group  wex@media.mit.edu  617-258-9168

Please report problems with the web pages to the maintainer

x
Top