The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 60

Monday 28 February 1994

Contents

o $1M deposited in bank error
PGN
o Another Olympic E-mail Penetration
PGN
o The dangers of electronic mail
Rob Hasker
o Ex-employee arrested in computer-file theft
Lance Gatrell
o How about bounties for inspecting safety-critical software?
Michael Chastain
o Reloadable and Smart Cards en route to worldwide acceptance
Gordon Webster and Sree Kumar
o FBI Digital Telephony Proposal and PCS mobile phone networks
M. Hedlund
o Re: Van Eck Radiation ...
James H. Haynes
Fredrick B. Cohen
Vadim Antonov
Bob Brown
John R Levine
Bill Bolosky
o Info on RISKS (comp.risks)

$1M deposited in bank error

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 28 Feb 94 18:08:00 PST
The Bank of Stockton (California) accidentally turned Mohammed Idrees Kussair's
deposit of $100,000 into $1M.  He assumed that a relative in Pakistan must have
wired the money to him, and spent it to pay off rental properties and to take a
trip to Pakistan.  A San Joaquin County Superior judge ruled that he had not
broken any laws, and cleared him of criminal charges.  A spokesman for the bank
said that the bank intends to sue him.  [Source: An AP item in the San
Francisco Chronicle, 11 Feb 1994]


Another Olympic E-mail Penetration

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 28 Feb 94 10:02:04 PST
Misuse of the Olympic E-mail system continued, subsequent to the earlier case
reported in RISKS-15.59.

Someone masqueraded as Wayne Abbott, a Canadian TV employee, and sent a nasty
E-mail message to Cathy Turner relating to her skating style.  [Cathy was
disqualified for contact with another skater, after apparently winning the
gold in the 1,000-meter speedskate.]  [San Francisco Chronicle, 27 Feb 1994,
p. C-5]


The dangers of electronic mail

Rob Hasker <hasker@sal.cs.uiuc.edu>
Fri, 25 Feb 1994 12:57:45 -0600
Quoting from the Feb. 24 News-Gazette of Champaign-Urbana, Illinois:

"UI student arrested for e-mail threat to Clinton"

     URBANA -- A University of Illinois student has been arrested for
threatening the life of President Clinton, U.S. Attorney Frances Hulin
announced today.
     Christopher James Reincke, 18, of Townsend Hall, Urbana, allegedly
sent an electronic mail message to the White House on Dec. 4 threatening
Clinton, Hulin stated in a press release.
     The message read: "I am curious, Bill, how would you feel about being
the first president to be killed on the same day as his wife ...  It would
be best, I think, to not continue with your immediate plans.  Perhaps a
vacation.  You will die soon.  You can run, but you cannot hide."
     The message was signed "Overlord" and purported to be from
"Allmighty@Never.Gonna.Catch.Me."
     Reincke appeared before U.S. District Judge Harold A. Baker in
Danville today and was released on his own recognizance.
     Hulin said the charge resulted from an investigation by the Secret
Service and the UI police.
     Investigators determined the message originated at the UI, and a
computer trace identified Reincke as the apparent author, Hulin said.
     While being questioned by agents, Reincke admitted he had sent the
message, according to the press release.


(Local news reports suggest that the student intended this to be a
practical joke.  As I see it, the risk is in assuming that it doesn't
really matter what you say by email.)

Rob Hasker  hasker@cs.uiuc.edu


Ex-employee arrested in computer-file theft

Lance Gatrell <gatrell@aragtap.den.mmc.com>
Mon, 28 Feb 94 09:30:50 MST
Denver Post, p. 1C, Feb. 25, 1994

A former employee of a Boulder [Colorado] computer software company was
arrested yesterday for fraudulently transferring 122 computer files worth
$915,000 just before leaving his ex-employer, the FBI said in Denver federal
court documents.  Liaosheng Wang, also known as Andrew Wang, of Westminster,
was arrested by FBI agents for allegedly stealing the computer files,
including important "source code files," from Ellery Systems Inc., where he
worked as a design engineer from December 1990 until his resignation this
month.

In a complaint filed in U.S. District Court in Denver, FBI special agent John
Gedney said Wang may have stolen the files after twice being denied promotions
at the Boulder company late last month.  ...  Wang apparently transferred the
files from his account at Ellery Systems to Internet, a global computer
network, the complaint said.  From Internet, Wang was able to communicate from
his computer at Ellery Systems with a computer at Unidata Inc., a Denver
company.  [sic]

The FBI is continuing its investigation to determine if Wang was trying to
sabotage his former employer or transferred the information for a fee.
"Everything that was transferred was confidential property," said Jeff Jordan,
an Ellery vice president.  "It was the source code for our product and we
intend to get it back."  [...]

Geoffrey Shaw, Ellery Systems' chief executive officer, told the FBI that Wang
had no authority to transfer the files to Unidata, particularly since they
contained a proprietary program that had been copyrighted.

If convicted of wire fraud, Wang could be sentenced to up to five years in
prison and fined up to $250,000.


How about bounties for inspecting safety-critical software?

Michael Edward Chastain <mec@shell.portal.com>
Sun, 27 Feb 1994 00:14:22 -0800
After reading a recent RSISKS article about validating the Sizewell B PPS
software, I was struck by an idea: how about a bounty for inspecting
safety-critical software?

Here's the plan: the government organization which is purchasing the
safety-critical software publishes the specification, the entire source
code as delivered by private contractors, and technical documentation
on the hardware environment.  It then offers a bounty to any party
anywhere who demonstrates a logical error in the software.  The bounty
would be funded by reductions in money paid to the original contractors.

Finding a bug is much harder than demonstrating that one has found a bug.
Bounty hunters would have an incentive to deploy whatever technology they
found useful in finding errors.

Michael Chastain  mec@shell.portal.com


Reloadable and Smart Cards en route to worldwide acceptance

Gordon Webster <pwajam!gordon@uunet.UU.NET>
Fri, 25 Feb 94 17:19:31 est
Of late there have been quite a few articles in the RISK forum regarding
Smart/Reloadable Cards and issues surrounding their incipient risks.  The
impression (whether right or wrong) is that most readers (or respondents) are
not aware of the level of acceptance that this technology have outside of
North America.  While the potential risks of the cards are legion, I will not
attempt to address them at this point, but merely attempt to touch the tip of
iceberg and illustrate the impact having outside of North America.

The kind of chargeable card described in John Gray's item in RISK issue #49
has been available in Japan and some other parts of Asia for at least a year.
The cash the card is charged with can be spent at any retail outlet equipped
with a simple PoS-type terminal; and the card can be "re-loaded" with cash at
ATMs, by a simple transfer from a current or savings account held by the same
holder.

Both mag-stripe and embedded-chip versions of the card are in commercial use.
The embedded-chip versions are usually multi-function cards (i.e., they can be
used for other purposes as well as that of an electronic wallet).

Countries in which reloadable card programs (or pilot programs) exist include:
Singapore, Japan, France and South Africa. The cards used are mostly
embedded-chip cards, not mag-stripe based. These cash cards are loaded
electronically in machines similar to ATMs, by transfer from chequing or
savings accounts.

Cards can be used at any retailer with a reading device.  The reading device
deducts purchase price, issues a receipt, and shows the balance remaining on
the card.  Some of them (not all) are PIN-activated (RISK readers take note).
When the balance on the card is exhausted the card is taken back to the
issuing bank or a retail machine for replenishment.

In Japan, the use of the cards apparently has been growing quickly, there is
some political pressure to regulate the business, because it is seen as
cutting into the Bank of Japan's sole right to issue bank-notes. There is talk
of regulations to force issuers to deposit a specified percentage of the money
circulating on such cards with the central bank, or to charge a consumption
tax on such transactions, the money to go into a central fund which would
reimburse card-holders in case the issuing institution went belly-up.

The Japanese are fairly far along in terms of acceptance of the cards, some of
the applications are as follows:

  - NTT (the Japanese equivalent of AT&T) is a large proponent of the use of
the cards for making pay phone calls.  They have found their usage quite
profitable as they have found that callers using such cards talk 20-40% longer
on the phone, maybe because they don't have to fumble for coins or replacement
cards.

  - Other Japanese retailers who accept such cards include the railways, buses
and taxis, car washes, highway toll booths, fast-food outlets and even
video-game arcades.

  - One of the last bastions in Japan to hold out against such cards gave in
not long ago.  You can now use them at Buddhist temples, to make donations.
An argument between religious and tax establishments now threatens. Temples
have been tax-exempt so far, but the tax authorities do not want to exempt
them from the consumption tax on the use of cards.

Another country which has launched a smart card scheme is Guatemala, no less.
The scheme in Guatemala is called Credisa, the card is called Elite, and the
launching bank is a new retail bank called MultiBanco.  The hardware and
software are being provided by GemPlus, the same (French) vendor who provided
the hardware for the French reloadable card pilot.

In Guatemala, I believe the major incentive for smart cards is the poor
telecomms infrastructure, which places limits on on-line authorization
capability.

    Gordon Webster  - Price Waterhouse Assoc. Jamaica - gordon@pwajam.uunet
    Sree Kumar  - Price Waterhouse Assoc. Jamaica - sree@pwajam.uunet


FBI Digital Telephony Proposal and PCS mobile phone networks

"M. Hedlund" <hedlund@netcom.com>
Mon, 28 Feb 1994 11:32:59 -0800 (PST)
    This article elaborates on part of the EFF statement issued last
week concerning the FBI's proposed Digital Telephony wiretap bill.  The EFF
condemned the bill, which enlarges law enforcement powers of surveillance,
granted by wiretap laws, by adding tracking ability. Addressed herein is point
two of the EFF statement, concerning the surveillance of mobile communica-
tors, such as cellular phones, Personal Communications Services (PCS) and
laptop computers.  PCS mobile phones create severe privacy risks for future
phone users, especially under the FBI's proposal; and these risks strongly
support the EFF's position.

    The FBI asserts that their proposal adapts existing wiretap laws to
account for emerging communications technologies.  Wiretap laws have not
adequately covered mobile communications, and the FBI is correct to assume
that some revisions will be necessary to adequately balance law enforcement
needs with the privacy rights of mobile phone users.  Their proposed
revisions, however, do not simply provide for wiretap; instead, the FBI seeks
to expand wiretap laws, allowing law enforcement officers to track the
signalling information of mobile communications users.

    The EFF believes that the FBI proposal would create an enormous hole
in the privacy rights of individuals suspected of crimes.  Their statement
notes:
    It is conceivable that law enforcement could
    use the signalling information to identify the
    location of a target.....This provision takes a
    major step beyond current law in that it allows
    for a tap and/or trace on a *person*, as opposed
    to mere surveillance of a phone line.

    This fear is completely realistic.  It is not simply "conceivable"
that the FBI's proposal would allow law enforcement to surveil the location of
a target -- positioning technology is a planned part of PCS networks, one of
the technological advances anticipated by the proposal.  Similar positioning
technology is planned for cellular phones, as well.

    PCS advances cellular phone technology by integrating mobile
communications with other phone networks, and by expanding the services and
quality mobile phones can offer.  Most PCS proposals involve three forms of
mobility: terminal mobility, the ability to make and receive calls at any
location, and the ability of the phone network to track the location of the
mobile phone; personal mobility, the ability of the user to be reachable by a
single phone number at all times; and service mobility, the ability of the
user to access CLASS(sm)-like features, such as Call Waiting and Caller ID,
from any phone they use.

    The FBI proposal requires phone companies, when presented with a
wiretap order, to transmit the content and the signalling, or "call setup
information," from the tapped phone to law enforcement officers.  With a
wireline phone, such as a residence phone line, call setup information would
comprise only the originating and dialled phone numbers, as well as billing
information (such as the residence address) for the call.  Because of the
wireless aspect of PCS, however, call setup information for a PCS phone
includes very detailed information on the location and movement of the caller.

    PCS mobile phones will connect with the phone network via
"microcells," or very small receivers similar to those used for cellular
phones.  While a cellular network uses cells with up to an 8 to 10 mile
radius, PCS networks will use microcells located on every street corner and in
every building.  The call setup information for a PCS call would include the
microcell identifier -- a very specific means of locating the user.  An order
for a PCS wiretap would allow law enforcement officers to receive a detailed,
verifiable, continuous record of the location and movement of a mobile phone
user.

    These phones are also likely to "feature" automatic registration:
whenever the PCS mobile phone is on (in use or able to receive calls), it will
automatically register itself with the nearest microcell.  Law enforcement
agencies, able to track this registration, would have the equivalent of an
automatic, free, instantaneous, and undetectable global positioning locator
for anyone suspected of a crime.

    PCS tries to improve on cellular phone privacy and security by
incorporating cryptographic techniques.  Encryption could not only create a
secure phone conversation, but could also (coupled with use of a PIN number)
insure that only a valid subscriber could make calls on a particular phone,
preventing fraudulent calls on stolen phones.  An additional phone-to-network
authentication could prevent fraudulent calling through a "masquerade" phone
designed to simulate a user's registration.

    But the FBI proposal would require that such encryption be defeatable
in wiretap circumstances.  As the proposal stands, this form of weak
encryption is distinguishable from the Clipper Chip because the phone
companies, not a key escrow arrangement, enable law enforcement access; but it
is entirely possible that the Clipper Chip could be used as the encrypting
device.  In either circumstance, PCS encryption could be compromised by
careless or malicious law enforcement officials.  Perhaps it is time for Phil
Zimmerman and ViaCrypt to begin work on PGPCS -- and let us all hope we are so
lucky.

    The cellular phone market is tremendous, and analysts believe that the
PCS market, incorporating both voice and data communications, will be even
larger.  Coupled with the FBI's Digital Telephony proposal, PCS raises many
privacy and security risks, making the EFF's condemnation of the FBI proposal
all the more appropriate.

CLASS is a service mark of Bell Communications Research (Bellcore).

For more information:

*   Bellcore Special Report SR-INS-002301, "Feature Description and
    Functional Analysis of Personal Communications Services (PCS)
    Capabilities," Issue 1, April 1992.  Order from Bellcore, (800)
    521-CORE (2673), $55.00.

*   GAO report GAO/OSI-94-2, "Communications Privacy: Federal Policy
    and Actions," November 1993.  Anonymous FTP to cu.nih.gov, in the
    directory "gao-reports".

*   EFF documents, available via anonymous FTP or gopher:
    ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony

   [*The New York Times* today has a front-page article by John Markoff,
   entitled "Price of Technology May Be Privacy".  I first saw a version of
   it in today's *San Francisco Chronicle*, although as seems typical of the
   Chron they truncated it after 11 of its 34 paragraphs.  At least they
   mentioned Markoff this time, which they frequently do not do!  PGN]


Re: Van Eck Radiation and Clipper and Wiretapping

"James H. Haynes" <haynes@cats.ucsc.edu>
Mon, 28 Feb 1994 11:15:30 -0800 (PST)
It just struck my irony bone that we have the Feds on the one hand wanting to
install leaks in encryption and communication switching; and we have the FCC
regulating things like PCs so they don't radiate interfering signals.  When
will FCC be ordered to "get with the program" and _require_ that PCs and
monitors radiate enough so the snoops can do their jobs?


Van Eck Radiation (Schwartau, RISKS-15.59)

Fredrick B. Cohen <fc@Jupiter.SAIC.Com>
Sat, 26 Feb 94 22:26:48 PST
    The contention that this is a Van Eck device is ludicrous! You don't
need to use radiated signals if you place a bugging device in the computer.
You simply listen to the information and transmit it over a normal radio
channel.

> ... .  The device would work like this:

    This is not how Van Eck's mechanism worked.  It exploited the normal
radiated signals, not those created by a bugging device.

> I spoke to the FBI and US Attorney's Office about the technology used for
> this, and none of them would confirm or deny the technology used "on an
> active case."

    Now that's a journalistic confirmation if I ever heard one!

> To the best of my knowledge, this is the first time that the Government had
> admitted the use of Van Eck (Tempest Busting etc.)  in public.  ...

    Since when is a refusal to comment an admission?

    If the point of the article is to assert that there are radiated
signals from video screens that can be used at a distance to observe the
content of the screens, of course there is.  If you want confirmation, why not
go and buy the 100 dollars of equipment required to do it yourself?


Re: Van Eck monitoring

Vadim Antonov <avg@titan.sprintlink.net>
Sat, 26 Feb 1994 19:45:47 -0500
First of all, reception of a signal from computer screen is much easier than
it seems due to the fact that images are mostly static; i.e., the same pattern
of radiation will be repeated many times allowing for digital accumulation of
the signal (it works the same way for astronomers who are able to resolve very
dim objects by collecting "random" photons for a long time).  Interferometry
(i.e., simultaneous reception of the signal from several distant points and
multiplying the received signals delayed to compensate for the propagation
delays) can also be a very useful tool to sort out weak signal coming from a
single source with known location from random electromagnetic noise.

Also, cleaning up the signal using spectral analysis (FT, etc.) should work
great because the spectre of the source signal is discrete (i.e., all
frequencies are derived from a single stable oscillator's frequency by
dividing it by small integer numbers).

Add directed antennae or (even better) phased antennae arrays and you got the
picture...

It's nothing more than methods very well known in optical and radio astronomy
so the special services don't have to bother me :-)

--vadim


Van Eck Radiation Helps Catch Spies (?!?)

Bob Brown <bbrown@gmcf.org>
Sun, 27 Feb 94 10:41:47 EST
Winn Schwartau [RISKS-15.59] headlined his message "Van Eck in Action"
suggesting that the FBI used electromagnetic eavesdropping in developing their
case against Aldrich Ames.  Later Schwartau quotes the FBI's own affidavit as
saying that 'the FBI "placed an electronic monitor in his (Ames's) computer,"
suggesting that a Van Eck receiver...'

It's time for someone to shout "Occam's Razor!"  If the FBI placed anything
"in" Ames' computer, it needn't have been anything as complicated as a
receiver that sucked keyboard strokes or video pixels out of the electronic
chaos that's inside a computer case.  A sophomore EE student could design a
high-impedance device to pluck video and keyboard signals directly off their
respective connectors and relay them onward.  Such a gadget would be much
simpler, and therefore more reliable than a Van Eck receiver.

On the other hand, the FBI could have simply copied the contents of Ames'
hard disk with something like LapLink.  They're (understandably) not talking.


Re: Van Eck Radiation Helps Catch Spies, maybe not

John R Levine <johnl@iecc.com>
Sun, 27 Feb 94 15:40 EST
>On October 9, 1993, the FBI "placed an electronic monitor in his (Ames')
>computer," suggesting that a Van Eck receiver and transmitter was used
>to gather information on a real-time basis.

I don't know about you, but if I were able to stick a bug inside the computer,
I'd attach it directly to the keyboard and video ports.  Why fool around
trying to reconstruct a signal, when a wire containing the signal itself is
half an inch away?

Do we have here a risk of technophilia?  Even if I couldn't get inside the
house, it's quite possible that a conventional camera looking through a window
could see enough of the the screen and keyboard to gather useful information.

John Levine, johnl@iecc.com, jlevine@delphi.com, 1037498@mcimail.com


Re: Van Eck Radiation Helps Catch Spies

Bill Bolosky <bolosky@microsoft.com>
Mon, 28 Feb 94 13:44:28 TZ
A case recently came up in Washington State that is related to the question of
the legality of using Van Eck radiation emitted from a residence as a
survelience technique.

In the incident in question, a person was suspected of growing marijuana in
his home, using grow lights.  However, there was insufficient evidence to get
probable cause for a search warrant.  So, without a warrant, the police stood
in the street and used an IR detector on the house.  They determined that the
house was emitting radiation that was consistent with grow lights, and used
this evidence as probable cause to get a search warrant.  In the ensuing
search, the house was found to contain marijuana and the homeowner was
convicted.

He appealed his conviction on the grounds that the use of the IR detector
constituted a search of his home, for which a warrant was required; evidence
from this illegal search could not be used as probable cause for a warrant.
The Washington State Supreme court agreed with the defendant, ruled the search
illegal and overturned his conviction.  They said that non-visible radiation
emanating from a home is not the same as, say, leaving a window open, and that
a reasonable expectation of privacy existed for such radiation.

I would imagine that this legal precident would also preclude the use of Van
Eck radiation detectors in the state of Washington without a search warrant.
Of course, in the Ames case such a warrant almost certainly had already been
obtained based on other probable cause, and so this wouldn't be a valid
defence for Ames.

Bill Bolosky  bolosky@microsoft.com

Please report problems with the web pages to the maintainer