The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 79

Tuesday 26 April 1994

Contents

o Fax programming -- risk to politicians
Tom Keenan
o Data Escape from Prison
Mich Kabay
o Industrial espionage
Mich Kabay
o Trojan @ U. Michigan
Mich Kabay
o $14 million QA failure
Mich Kabay
o Security and Privacy panels
John Rushby
o Strange Stalking
Flint Waters
o UK Industrial Spy Law
Peter Sommer
o Combination Locks I Have Known
Neil McKellar
o Unusual Newspaper Error
Stewart Rowe
o Risks of advertising on the net
Jerry Leichter
o Updated addresses for Canter & Siegel
Paul Robinson
o Re: MIT student arrested for BBS used ...
Tim Shepard
Douglas Rand
o Re: NYC subway fare cards double-deduct
Mark Brader
Dan Lanciani
Padgett Peterson
o Info on RISKS (comp.risks)

Fax programming -- risk to politicians

"Tom Keenan" <keenan@acs.ucalgary.ca>
Mon, 25 Apr 94 18:40:56 MDT
According to the April 25/94 Globe and Mail:
Canadian Human Resources Minister Lloyd Axworthy is embarrassed by the leaking
of a sensitive working paper to the press.  It concerns government plans and
"specifically indicated that Quebec wasn't going to get full control over job
training any time soon."  Unfortunately, an operator did not press the 0-2-1
fax code that would have sent it to English speaking provincial government
offices.  By hitting 1-2-1 instead, the working paper went to eight French
language newspapers in Quebec, two of which eventually published stories on
it.

Some are questioning whether it was indeed an error or the work of a saboteur.
Reporters "marvel that a document of particular sensitivity to Quebec
accidentally went to Quebec newspapers only."

Several years ago a similar faux pas occurred in the Canadian parliamentary
press gallery when a young woman sent a detailed account of her romantic
exploits of the past weekend by email to a female friend.  She accidentally
filed it with every newspaper's parliamentary reporter, but they were
gentlemen and did not publish it.

Dr. Tom Keenan, I.S.P.  Dean, Faculty of Continuing Education
University of Calgary   2500 University Dr. NW   Calgary, AB T2N 1N4 CANADA
Voice: (403) 220-5429   FAX: (403) BUG-EXIT = 284-3948


Data Escape from Prison

"Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
26 Apr 94 12:13:52 EDT
From the Associated Press newswire via Executive News Service (GO ENS) on
CompuServe:

   Inmates-Computers, By MARIA S. FISHER, Associated Press Writer

   KANSAS CITY, Kan. (AP, 18 Apr 1994) -- The letter startled Nick Tomasic. It
   was from a prison inmate; other fellow prisoners, assigned to computerize
   records, had taken a Social Security number from an accident report and
   tried to sell it.  Tomasic is the district attorney for Wyandotte County.
   It was his number.

The author makes the following key points:

o    29 states and the federal government use prisoners for data entry.

o    The National Correctional Industries Association in Belle
Mead, NJ scoffed at the potential risk of misuse, saying that in 12
years, there have been no cases of abuse.

o    Tomasic warned that criminals could determine addresses and phone
numbers of witnesses and victims during data entry.

o    In Johnson City, KS, Sheriff Kent P.  Willnauer is looking into
allegations that a prisoner passed Social Security numbers and other
data to a confederate who opened fraudulent bank accounts.

o    Kansas State government officials insist that the data entry program
saves taxpayers hundreds of thousands of dollars and that there is no
danger to privacy or safety of residents.

Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.


Industrial espionage

"Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
26 Apr 94 12:13:39 EDT
From the Reuter newswire via Executive News Service (GO ENS) on CompuServe:

   CHINESE PAIR HELD IN TECHNOLOGY THEFT, By Robert Boczkiewicz

   DENVER, April 15 (Reuter) - A federal judge cited national security
   concerns Friday when he refused to free a Chinese citizen who remains under
   house arrest charged with stealing software technology."

According to the author, the FBI arrested Wang Liaosheng and Jing Cui for an
alleged theft of source code from Ellery Systems, Inc of Boulder, CO.  Wang, a
former employee of this firm, allegedly sold information to Beijing Machinery
Import & Export (Group) Corp for $550,000.  The pair face charges of computer
and wire fraud and could be punished by a maximum of 15 years in prison and
$500,000.

Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.


Trojan @ U. Michigan

"Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
26 Apr 94 12:13:46 EDT
From the Washington Post newswire via Executive News Service (GO ENS) on
CompuServe:

Message Posted On Internet Spurs Probe; Jokes, Threats Directed At African
Americans

   By John Burgess, Washington Post Staff Writer, 25 Apr 1994

   The sordid side of the emerging electronic culture got a very public
   airing at the University of Michigan this month. Officials there are
   investigating an incident involving a stolen computer password and a death
   threat against African Americans that was sent over the global Internet
   computer network.

The author continues with the following key points:

o    The perpetrator is still unknown.

o    On April 5, someone using a University of Michigan email address sent
the offensive message to 30 newsgroups on the Net.

o    "Purporting to come from a group called the Organization for the
Execution of Minorities, the posting was a lengthy collection of jokes and
riddles directed against black Americans. It also contained rambling
threats of death and injury."

o    The host system was immediately flooded with angry protests from
around the Net.

o    The supposed originator protested his innocence and repudiated the
message and its content.

o    Campus computer security specialists think the student may have been a
victim of a classic Trojan Horse which collected logins and passwords by
spoofing the login screen and writing the ID/password pairs to a file for
retrieval.

o    International users also received the posting and criticized Americans
for racism.

Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.


$14 million QA failure

"Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
26 Apr 94 15:28:10 EDT
From _The Globe and Mail_ [Canada], Mon 94.04.25 p. A3:

"Pensioners to keep overpayments:  Ottawa to write off $14 million mistake
by computer."

According to the Canadian Press report, 8,000 pensioners received overpayments
because the computer programs at the Canada Pension Plan did not correctly
combine pensions.  "...[I]t took years to uncover the mistake and figure out
what to do about it."

  [MK comments: what amuses me is the headline which blames the mistake on the
  computer.  Quality Assurance, where art thou?]

Michel E. Kabay, Ph.D. / Dir. Education / Natl Computer Security Assoc.


Oakland posting for risks

John Rushby <RUSHBY@csl.sri.com>
Sun 24 Apr 94 17:07:28-PDT
Last chance to register for

    1994 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY
               May 16-18, 1994
              Claremont Resort,
             Oakland, California

The program for this, the main conference on computer security research, was
posted in RISKS-15.43, 30 Jan 1994.  I won't repeat the whole thing, but here
are the details of the very exciting panels that have been arranged.  These
were missing from the earlier posting.

Monday 2:00--3:30   PANEL: Firewalls

Moderator: Steve Kent (BBN)
Panelists: Steve Bellovin (AT&T) -- "Firewalls are good"
           Phil Karn (Qualcomm)  -- "Firewalls are bad"

Tuesday 2:00--3:30   PANEL: What Security Needs To Learn From Other Fields

Moderator: Teresa Lunt
Panelists: Nancy Leveson (U. Washington)               -- safety
           Fred Schneider (Cornell)                    -- dependability
           Jeffrey Voas (Reliable Software Technology) -- testing
           Brian Snow (NSA)                            -- security perspective

There's still time to register.  The easiest way to get the program
and registration form is by WWW from http://www.csl.sri.com (follow
the link under conferences), or by anonymous ftp of the file
/pub/oakland94.txt from ftp.csl.sri.com.  If all else fails,
send email requesting the form to John Rushby (Rushby@csl.sri.com).


Strange Stalking

Flint Waters <Flint.Waters@uwyo.edu>
Tue, 26 Apr 1994 14:00:00 +0000 (M)
We just finished a pretty strange case.

A woman came in and reported that her estranged husband was stalking her.  The
officer who took the call started an investigation into the alleged stalking
and contacted our County Attorney (DA to most folks).

While investigating the matter, the suspect's lawyer turned over email from
the wife to the husband soliciting contact.  It started to look like a
normal domestic situation where the complaint matches the mood.

Sgt Banks brought me the email so I could verify it and move on to other
things.  As I started looking into it things got strange.  One of our campus
systems is an Alpha running VMS and we have a special NEWUSER procedure
which allows staff to create their own accounts, providing they know all of
the important information about themselves.

As I investigated the accounts I found that the suspect's and victim's accounts
were created within a few minutes of each other.  I placed a trap on the
logins to both accounts and soon learned that every access to her account was
immediately preceded or followed by an access to his account and from the same
computer.

Over the next several months I tracked the access to both accounts and
watched as the suspect turned over more and more email from his wife.  This
guy was pretty creative in that he wrote long letters to himself and even
changed his writing style to mimic hers.

We had a pretty solid interference case for the false evidence he was
creating but it was only a misdemeanor.  We really wanted to put together a
felony due to some other crimes the suspect had committed, which were
pending prosecution.

Finally, the wife decided to take a computer course on campus.  The first day
of class the students were told to create accounts on the campus computer
system.  Our victim went to the computer lab and followed all of the
appropriate steps only to find she couldn't create an account because her
authorization had been used already.  Confused she went to her assigned User
Consultant and complained that she was denied access.

The consultant, not knowing about my investigation, disusered the fraudulent
account and helped the victim get a new one.

The jig was up since I was certain the suspect would realize we were watching
him now.  Fortunately, denial of computer service is a felony in Wyoming. We
then pursued the arrest warrant.  Several days later our suspect was arrested
at his office on campus.  When arrested he asked if he could call his
attorney.  When we said yes, he led us down the hall to a locked computer lab.
He entered the code on the door and walked to the phone which sat two feet
from the very computer that had been used to generate many of the fraudulent
messages.

By now our case was pretty solid.  The suspect was charged with Computer
Crimes: Crimes Against Computer Users which carried a three year felony
term, ten years if intent to commit fraud is proven.

Kinda heavy but pretty funny when you face the guy and he lies through his
teeth.  He thought he was dealing with a couple of Barney Fifes and he
treated us like we were stupid.  Obviously we didn't know what we were
talking about and he had received all of the mail from his wife.  We booked
him and went back to work.

As it turned out, the joke was on us.  On the day of the preliminary hearing
the suspect's lawyer arrived with a sworn affidavit from the wife.  She
decided that she had not been stalked and that her husband had not denied
her any computer service.  It appears a reconciliation is in the works.

Naturally we decided not to pursue prosecution with a hostile victim and our
case was dropped.  Really a shame considering the hours we had invested.  The
suspect has some federal time hanging over him on some other crimes but I
really would have liked to see him lie on the stand about his computer feats.

Oh well.  I never thought I'd have a computer-domestic disturbance.
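The login correlation at the heart of the investigation above, as an added example (not the original post's code, and not the VMS login trap it mentions; the audit-record format and the hostnames are constructed): flag every login to one account that is preceded or followed, from the same host, by a login to the other.

```python
# Added example (not the original post's code or the VMS login trap it describes):
# correlate login records for two accounts and flag logins to one account that
# are preceded or followed, from the same host, by a login to the other.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records in an assumed format: "<date> <time> <account> <host>"
SAMPLE_LOG = """\
1994-03-02 21:14:05 VICTIM  lab3-pc07
1994-03-02 21:15:40 SUSPECT lab3-pc07
1994-03-03 08:02:11 VICTIM  lib-pc12
1994-03-04 22:40:01 SUSPECT lab3-pc07
1994-03-04 22:41:30 VICTIM  lab3-pc07
1994-03-05 13:00:00 VICTIM  dialup-04
1994-03-05 19:30:00 SUSPECT office-alpha
1994-03-06 17:55:20 VICTIM  office-alpha
1994-03-06 17:55:50 SUSPECT office-alpha
"""


def parse_log(text):
    """Parse the constructed audit format into sorted (timestamp, account, host)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, account, host = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), account, host))
    events.sort()
    return events


def paired_logins(events, acct_a, acct_b, window=timedelta(minutes=5)):
    """Return sorted (time_a, time_b, host) triples: each login to acct_a that has
    a login to acct_b from the same host within `window` before or after it."""
    by_host = defaultdict(list)
    for ts, account, host in events:
        if account in (acct_a, acct_b):
            by_host[host].append((ts, account))
    pairs = []
    for host, recs in by_host.items():
        a_times = [t for t, acc in recs if acc == acct_a]
        b_times = [t for t, acc in recs if acc == acct_b]
        pairs.extend((ta, tb, host) for ta in a_times for tb in b_times
                     if abs(ta - tb) <= window)
    return sorted(pairs)


def pairing_ratio(events, acct_a, acct_b, window=timedelta(minutes=5)):
    """Fraction of acct_a logins that are paired with an acct_b login; close to
    1.0 means acct_a is almost never used independently of acct_b."""
    a_total = sum(1 for _, acc, _ in events if acc == acct_a)
    paired = {ta for ta, _, _ in paired_logins(events, acct_a, acct_b, window)}
    return len(paired) / a_total if a_total else 0.0


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for ta, tb, host in paired_logins(ev, "VICTIM", "SUSPECT"):
        print(f"{host}: VICTIM {ta:%H:%M:%S} / SUSPECT {tb:%H:%M:%S} ({abs(ta - tb)})")
    print("paired fraction:", pairing_ratio(ev, "VICTIM", "SUSPECT"))
```

On the constructed records three of the five "victim" logins are paired with a same-host "suspect" login; the unpaired ones (library, dialup) are what a genuinely independent user looks like.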


UK Industrial Spy Law

Peter Sommer <hcorn@virtcity.demon.co.uk>
Sat, 23 Apr 94 10:59:15 GMT
INDUSTRIAL SPY'S LEGAL LOOPHOLE TO BE CLOSED

Britain's industrial spies enjoy a legal loophole.  If they access a computer
to which they are not authorised, they can be found guilty under the Computer
Misuse Act, 1990.  If they manage to deceive an authorised user into giving
them information from that computer, they almost certainly commit no offence.
The UK government signaled on March 24th 1994 that it would introduce remedial
legislation.  However the precise form is still unclear and there appears to
be no date for implementation.

English Law knows no concept of information theft - you can steal pieces of
paper and data media containing information but there is no specific law
protecting commercial secrets.  The law is more concerned with catching the
means of industrial espionage: bugging and tapping are criminal offences,
respectively under the Wireless Telegraphy and Interception of Communications
Acts. The Computer Misuse Act punishes unauthorised access without, in section
1, caring what the reason was.

Recent coverage by the BBC-TV's leading current affairs show Panorama and by
the London Sunday Times has revealed that 200 UK pounds is the average rate
charged by private detectives to assemble a dossier of an individual's bank
balances, medical records and tax status.  Nearly all of the information comes
via abuse of this loophole. The technique is variously called the pretext
call, the voice-hack, the imposter and the masquerade.  The private detective
assumes whatever "official" identity is necessary to mislead the bank clerk or
government employee.  Recently one "detective agency" has been circulating
leading figures in the UK with offers to obtain critical data on any
individuals in whom they were interested.

If any offence is being committed, it is probably by the computer owners, who,
under the Data Protection Act, have an obligation to take appropriate steps to
secure data under their control.  (Eighth Principle, Data Protection Act,
1984).  Data Protection obligations apply within the European Union.

A case in a magistrate's court (lowest level) last December suggested that
there might be a way of extending the Computer Misuse Act to cover such third
parties.  Malcolm Farquharson induced a female employee of a cellular phone
company to obtain details of cellular phone numbers and their ESNs (Electronic
Serial Numbers) so that he could fraudulently clone phones.  The numbers were
held on a computer to which the female employee had authorised access.
Farquharson, but not the employee, was found guilty and sentenced to six
months in prison although he had never touched the computer.

However legal experts believe that this case would not survive appeal to a
higher court.

The UK Home Office say that the loophole will probably be closed by means of
an amendment to the Data Protection Act but have so far produced no wordings
nor a timetable.  On April 10th, Home Secretary Michael Howard said that the
Government was considering a new offence of gaining information by deception.

Even when the loophole is closed the abuse is likely to continue - enforcing a
law where a telephone-based perpetrator is already doing a good job pretending
to be someone else is never going to be easy.

Peter Sommer at the Virtual City London N4 4SR United Kingdom
    hcorn@cix.compulink.co.uk CompuServe: 100012,2610


Combination Locks I Have Known

Neil McKellar <mckellar@cs.ualberta.ca>
Tue, 26 Apr 1994 13:56:55 -0600
I have owned four combination locks in my life.  All of them were made by
'Dudley', a Canadian company.  Admittedly, these are not top of the line
locks.  They were, however, the brand of lock officially "endorsed" by my
school in grade 7 when I first got a locker.  That was in 1979.  I owned that
lock until 1991 when it was broken into at the local gym.  I immediately went
out and bought the first 'Dudley' lock I picked out of a basketful in front
of the local bookstore checkout counter.  By mere coincidence, this lock had
the same combination as my old one.  I treated this as fortunate happenstance.

Later, I lost the new lock and was forced once again to replace it.  Again, I
selected the first lock in the basket.  This time it had a different
combination which I promptly forgot when the lock lay idle for six months.  So
this time, I purposely searched through the basket for a lock with MY
combination on it.  I found one in less than thirty seconds.

The locks are of the tumbler variety with markings from 0 to 59.  I've tried
my lock and I can be off by one marking when dialing the combination.  Still,
considering that I have successfully obtained 3 of 4 locks with the same
combination, I'm tempted to go home tonight and try to "find" the combination
I lost.  Perhaps I'll even time myself.

Neil McKellar (mckellar@cs.ualberta.ca)


Unusual Newspaper Error

"Stewart Rowe" <usr2210a@tso.uc.edu>
Fri, 22 Apr 1994 16:55:29 -0400
Perhaps one of your readers can explain how the Midwest edition of *The New
York Times* today had a photo on the front page with the caption "Joseph P.
Kennedy Jr. being arrested at the White House yesterday", with no further
explanation or story anywhere in the paper?

Stewart Rowe usr2210a@tso.uc.edu


Risks of advertising on the net

Jerry Leichter <leichter@lrw.com>
Tue, 26 Apr 94 08:23:08 EDT
In their Internet advertising, Canter and Siegel are ignoring some fundamental
characteristics of the net as currently constituted.  I think they'll find
their attempt at Internet advertising will fairly quickly become ineffective -
though many people may be annoyed along the way.

The relevant characteristics of the Internet are (a) the anonymity; (b) the
low cost of generating any particular kind of message.  What, after all,
prevents anyone from taking a C&S ad, modifying it slightly - changing the
addresses and phone numbers, for example - and posting it back as widely as
the original?  If only a few people do this, it will be impossible to tell
which are the real ads and which are fakes - short of calling a phone number
and finding that it terminates, say, at the Bar Association rather than C&S.

Of course, ads that mention price will raise even more severe problems.  If
the spoof suggests a completely unreasonable price, the business can probably
disclaim it.  But what happens when the spoof suggests a reasonable-looking
price that happens to leave the advertiser with no profit?  He is left with
the choice of accepting the price, and losing money, or disclaiming the ads,
damaging his own reputation.

Traditional printed ads can, of course, also be spoofed.  However, attempts
to do so are rare.  First, it's very expensive to do; second, the traditional
media at least attempt to verify the identity of advertisers.  Neither of these
constraints applies on the net.

It's true that a careful reading of the header lines will often reveal which
are the true ads, and which are the fakes.  But why should the people who the
ad is trying to reach bother to check header lines?  The whole point of an ad
is to communicate information quickly.  The same reasoning shows that digital
signatures wouldn't help.  Who would bother to check them?  Only those who
have an established relationship with the sender of the ad would likely even
have a quick ability to verify the signature - and that's not the population
a broadly distributed ad is trying to reach.

When the spoofers are traceable - and it's well known that it's often
impossible to trace a message, much less *prove* that a particular individual
sent it - the legal situation might get rather interesting.  Even ignoring the
very broad protection the courts have recently granted to parody, why is the
spoofer's message any less legitimate than the original?  If the spoof ads
look entirely different, refer to "Carver and Siegalman", and have different
addresses and phone numbers, just what right do "Canter and Siegel" have to
complain?  They are not being directly referred to or identified.  If they
have a problem establishing a unique identity in the noise of the marketplace
- and no one ever said that all marketplace participants have to be genuine -
that's not the law's concern.
                    -- Jerry


Updated addresses for Canter & Siegel

Paul Robinson <PAUL@TDR.COM>
Fri, 22 Apr 1994 14:24:08 -0400 (EDT)
This list should help in setting up kill files or to watch for later posts:

Sender:       LISTSERV list owners' forum <LSTOWN-L@SEARN.BITNET>
Poster:       Wes Morgan <morgan@ENGR.UKY.EDU>
Subject:      Updated addresses for Canter & Siegel [mispeling curekted]

It appears that Canter & Siegel, the law firm which recently flooded both
Usenet and LISTSERVs with their "Green Card Lottery" posting, have secured
access to the net through many sources.  For those of you interested in
blocking their access to your list, here is the current collection of
addresses for that firm.

        cslaw@delphi.com
        cslaw@win.net
        cslaw@witchcraft.com
        cslaw@pipeline.com
        cslaw@netcom.com
        cslaw@indirect.com       (currently disabled)
        lcanter@delphi.com
        lcanter@win.net
        lcanter@witchcraft.com
        lcanter@pipeline.com
        lcanter@indirect.com     (currently disabled)
        76636.443@compuserve.com

They also, apparently, have sites of their own; those sites are
lcanter.win.net and msiegel.win.net.

In an article in Tuesday's _New York Times_, Mr. Canter basically said,
"this was immensely profitable; we will be doing this in the future."
Forewarned is forearmed...

--Wes


Re: MIT student arrested for BBS used ... (Cohen, RISKS-15.76)

Tim Shepard <shep@lcs.mit.edu>
Wed, 20 Apr 94 15:47:49 -0400
I've been closely following the accounts of this case in the Boston
Globe and The Tech (a student-published newspaper at MIT).  Until your
report, I had not heard any assertions that the student had actually
been arrested.

According to an article in The Tech on Friday April 8th, 1994:

    "A federal grand jury charged an MIT student yesterday on a felony
    charge for allegedly allowing the piracy of over $1 million in
    business and entertainment software using Athena workstations."

According to an article in The Tech on Tuesday April 12th, 1994:

    "David M.  LaMacchia '95, who was indicted last Thursday for
    conspiracy to commit wire fraud, will be arraigned this Friday at
    the U.S.  District Courthouse in Boston, according to LaMacchia's
    lawyer Harvey Silverglate."

Other than Cohen's article, and a couple of followup articles in RISKS DIGEST,
I've seen no report that he had been actually arrested.  I cannot imagine why
he would need to be arrested.  (I would expect that if he already has a
lawyer, and the lawyer knows of the scheduled arraignment three or more days
beforehand, he would most likely show up in court.  Maybe I missed something.
What was your source?)

        -Tim Shepard


Re: MIT student arrested for BBS used ... (Cohen, RISKS-15.76)

Douglas Rand <drand@osf.org>
25 Apr 94 17:50:35
In his post, Fredrick Cohen states "An MIT student was arrested today
for having a BBS at the school that was used by the participants to
store and fetch commercial software." and goes on to paint the student
as practically an innocent bystander caught up in other people's crimes
by happenstance.  If one is to believe any of the reportage on the
real incident, the student was anything but innocent.

All the reportage in the Boston Globe, not known for its great sympathy with
law enforcement, made it quite clear that the student actively advertised his
BBS as a place to upload and download pirated software.  He went out of his
way to personally solicit software on at least some occasions (according to
the reports).

In this, he would be guilty of various crimes regardless of the means he used
to carry the crimes out.  While I feel a little sorry for him, in that he
probably felt he was carrying on some idealistic fight, I don't feel
particularly sorry for him, and he deserves to be prosecuted.

Let's save our righteous indignation for the truly innocent,
wrongly accused and persecuted by people in power.

Doug Rand <drand@osf.org>           Open Software Foundation, Motif Development


Re: NYC subway fare cards double-deduct (Greene, Risks-15.78)

Mark Brader <msb@sq.sq.com>
Mon, 25 Apr 1994 18:57:58 -0400
Okay, so how exactly is it possible in this system for the turnstile to
(a) deduct the fare from the card, and (b) identify whose card it was,
so that it won't deduct it again if the same card is re-swiped -- and yet
not figure out that it now has to unlock itself?

By the way, what happens if the turnstile does unlock, and the rider hands the
card back across the barrier to someone else?  Will the second rider get
admitted without a second fare being deducted, because the same card was used?

Mark Brader, msb@sq.com   SoftQuad Inc., Toronto

   [Also related comments from dan@wais.com (Dan Aronson)
   and sullivan@geom.umn.edu  (John Sullivan).  PGN]


Re: NYC subway fare cards double-deduct; UI at fault (Greene)

Dan Lanciani <ddl@das.harvard.edu>
Fri, 22 Apr 94 17:53:16 EDT
I can't let this pass without comment.  Clearly this system was designed
by someone obsessed with the RISKs of free rides.  The only way I can imagine
this kind of failure mode occurring is if they are doing something along
the lines of <read>

Double your pleasure in the subway (Greene, RISKS 15.78)

A. Padgett Peterson <padgett@tccslr.dnet.mmc.com>
Fri, 22 Apr 94 14:08:39 -0400
Wonder if they put a limit on the "swipe again" - sounds like a new kind
of "family plan".

Padgett
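An illustrative turnstile model for the questions Mark Brader raises (deduct once, recognise the card, and still unlock) and the "swipe again" concern Padgett mentions; this is an added example with assumed behaviour and a constructed fare, not the transit system's code or anything from the thread.

```python
# Added illustrative design (not the transit system's actual code; fare and
# behaviour are assumed): deduct once, remember the card so a re-swipe is free,
# still unlock, and charge again only once the paid passage has been used.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FARE = 125  # cents, constructed value


@dataclass
class Turnstile:
    balances: Dict[str, int]                 # card_id -> stored value in cents
    unlocked_for: Optional[str] = None       # card whose paid passage is pending
    log: List[tuple] = field(default_factory=list)

    def swipe(self, card_id):
        """Return 'unlocked', 'still-unlocked', 'wait' or 'insufficient'."""
        if self.unlocked_for == card_id:
            # Already paid and nobody has pushed through yet: keep the gate open
            # and charge nothing.  (Recognising the card but leaving the gate
            # locked here is the failure mode the thread complains about.)
            return "still-unlocked"
        if self.unlocked_for is not None:
            # A different card's passage is pending; refuse rather than stack
            # credits, so swipes cannot be banked for a group.
            return "wait"
        balance = self.balances.get(card_id, 0)
        if balance < FARE:
            return "insufficient"
        self.balances[card_id] = balance - FARE
        self.unlocked_for = card_id
        self.log.append(("deduct", card_id, FARE))
        return "unlocked"

    def rotate(self):
        """The rider pushes through: the pending passage is consumed, so a card
        handed back across the barrier pays a full fare on its next swipe."""
        if self.unlocked_for is None:
            return False
        self.log.append(("passage", self.unlocked_for))
        self.unlocked_for = None
        return True
```

Tying the free re-swipe to an unconsumed passage rather than to the card alone is what prevents the handed-back card from admitting a second rider without a second fare.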
