The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 81

Tuesday 14 February 1995

Contents

o Stolen ATM Card nets $346,770
David Tarabar
Jerome Whittle
o Sweden-Pedophiles-Internet
Mich Kabay
o A RISKy place on the Web
Stephen R. Savitzky
o Rumors in Cyberspace
Adam Shostack
o Priests told to keep cell phones out of confession
Mich Kabay
o Cellular phones
Chaim Seymour
o Web Page copying reader's system information
Brian Leibowitz
o RISKS of posting to newsgroups
A. Padgett Peterson
o Good Pentium Followup
Martin Minow
o Invisible blue zone
Jeff Jonas
o RISKS of third-party-billed calls not uncommon
Tony Yip
o Self-disabling software
Jerry Leichter
Bob Brown
o What "RISKS of Third-Party-Billed Calls"?
Gary Beckmann
PGN
GB
o Re: attack scanning
Stephen Kelley
Frederick B. Cohen
o Info on RISKS (comp.risks)

Stolen ATM Card nets $346,770

David Tarabar <dtarabar@hstbme.mit.edu>
Sun, 12 Feb 95 16:39:56 -0500
Thieves broke into a van and stole an Oregon woman's ATM card and
discovered her PIN number written on her Social Security card.
They then made repeated withdrawals, covering 100 miles and visiting
48 ATM machines over a three day period. (Friday night - Monday 2 AM)

They were able to get $346,700 in cash with the help of some
questionable computer systems.

1) Ordinarily there is a $200 daily limit for withdrawals. However,
"because of a computer program change at the Oregon TelCo Credit
Union, the limit was not in effect that weekend."

2) When the account was down to zero, the thieves fed empty deposit
envelopes into the machine and credited the account with bogus
deposits of $825,000 -- and then made withdrawals against this sum.

Technology did work in at least one respect.  At least 5 of the machines
had taken photos of the people using the stolen card. Three persons
are in custody and are facing Federal charges.

[From an AP report in the New York Times 12 Feb 1995.]

   [Also noted on-line by
      Jerry Whittle, Belleville, Illinois  <jwhittle@amclg.safb.af.mil>,
      szabop@tualatin.pen.tek.com (Paul Szabo),
      "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>,
      schaller@hsi.com (Dave V. Schaller), and
      olsen@Rational.COM (David Olsen),
   and by snail-mail from Ed Coover at MITRE-McLean VA.  PGN]


Stolen ATM Card nets $346,770

"Whittle, Jerome SMSgt" <JWhittle@amclg.safb.af.mil>
Sun, 12 Feb 95 12:05:00 cst
I see a number of mistakes/risks here.
1. Smith left her purse in a van overnight and wrote down her PIN
   number.
2. The bank's software allowed withdrawals of over $200 per day.
3. The bank immediately credited someone's account for a deposit - even a
   huge amount like $820,500.  My bank doesn't credit my account until the
   next business day.
4. Only about 10% of the ATM machines had hidden cameras.  Had the crooks
   been a little more lucky, they may have never been caught.
5. Karen Smith isn't liable for the theft even though she left her card and
   PIN number unsecured.  I believe that she should shoulder some of the
   blame and loss.

Jerry Whittle, Belleville, Illinois  <jwhittle@amclg.safb.af.mil>


Sweden-Pedophiles-Internet

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
10 Feb 95 07:42:36 EST
From the Associated Press news wire via CompuServe's Executive News Service:

    APn  02/06 1228  Sweden-Pedophiles-Internet
    By THOMAS GINSBERG
    Associated Press Writer

    STOCKHOLM, Sweden (AP) -- Pedophiles have found a home on the
    Internet and exchange hundreds of pictures a week through
    anonymous conduits, a researcher said Monday.

    The statistics provided a glimpse at the scope of the potentially
    illegal activity, which police fear can lure kids into sex. It
    came from a study by Mats Wiklund, a researcher at Stockholm
    University's Institute of Computer and System Science.

    During a seven-day period in late December and early January,
    Wiklund counted 5,651 messages or postings about child
    pornography in four electronic "bulletin boards."

The author makes the following key points:

* Many graphics showed what appeared to be "adolescents engaged in
  sexual acts."  A few showed young children, apparently to attract
  the interest of other pedophiles.

* The messages tracked and counted were a fraction of the total traffic,
  since Wiklund was unable to track private e-mail and scanned only
  about half of the porn-related groups he knew of.

* Most of the pornographic messages were sent through the anonymizing
  server located in Finland.

* The Internet offers advantages to pedophiles:

    "The Internet has become a channel of communication for
    pedophiles," Wiklund said. "From their point of view, they've
    found a green technology. You can be anonymous and still be
    reached."

* Exchanging pornography electronically is a crime in many areas of the
  world:

    In most countries the distribution of child pornography is
    illegal. Two years ago, U.S. police raided about 40 locations
    where people were exchanging child pornography by computer.
    Two Danes were convicted in 1993 of transmitting child
    pornography to an estimated 6,000 people worldwide.

* 85% of the messages Wiklund scanned were fantasies about sex with
  children or technical tips on how to transmit pornographic pictures.

* Law enforcement officials are still unsure of how to handle this
  traffic:

    Finnish detective Sgt. Timo Laine said it was unclear whether
    the country's laws would apply to "electronic smuggling" by
    computer. He said he did not know whether police would take
    action against the computer owner in Finland.

    "We've never had this kind of case before," Laine said. "If
    I transmit this information through the Internet, is it
    considered smuggling?"

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)


A RISKy place on the Web

Stephen R. Savitzky <steve@cache.crc.ricoh.com>
Tue, 14 Feb 95 15:14:36 -0800
There was an announcement in misc.kids.computers yesterday that, at first
glance, appeared to be just what it said: ``a communication playground for
children ages 8-12''.  The full text of the announcement is quoted below:

  KidsCom, a communication playground for children ages 8-12 is up and
  running.  Kids can find key pals, get help with Internet questions from an
  Internet guru, talk about what they'd like to be when they grow up, explore
  links to other children's sites, enter sweepstakes to win prizes, and give
  feedback on what they'd like to see and do on the Internet.

  http://www.spectracom.com/kidscom/
  For more info, please email kidscom@spectracom.com

What they didn't mention, however, was that before you can ``play'' you have
to fill out a form that asks for:  name, address, e-mail address, demographic
information, *and a password*!  Some people are already advising kids against
giving out their names and addresses on the Net; this goes *much* farther.

There are at least two risks here, the most obvious being the risk (almost a
certainty) of ending up on some direct marketer's mailing list.  The other one
is the usual one of sending passwords in the clear: what if the kid has an
account on a Unix system somewhere (mine does, on our Linux box at home), and
what if they use the same password in both places?

Now, the folks at SpectraCom may simply not have thought about the potential
consequences of what they're doing; their description of the company as

 a full service research, strategic planning and communications company that
 specializes in conveying information in an understandable and actionable
 way.                                                          ^^^^^^^^^^(sic)

would seem to indicate as much.  But the same technique could be used by
someone trolling for easy systems to crack.  It would work even better on
adults, of course, and the next bunch might ask for a 4-digit number instead
of a password...

Hey, kid, want a free lollypop?  Just fill out this form...

Steve Savitzky h:steve@starport.com 408-294-6492 http://www.rahul.net/starport/
            w:steve@crc.ricoh.COM 415-496-5710 http://www.crc.ricoh.com/~steve/


Rumors in Cyberspace (Kabay, RISKS-16.79)

Adam Shostack <adam@bwh.harvard.edu>
Thu, 9 Feb 1995 16:15:32 -0500 (EST)
In RISKS-16.79, Mich Kabay writes:

> ...  Now imagine this rumour spreading through cyberspace, aided by
> anonymous postings ...

    While there may be risks in anonymous postings, spread of rumors
really doesn't seem to be one of them.  The "Good Times" virus of a few
months back spread without going through anonymizing services.  This is to
be expected of the way rumors spread.  People who saw and spread the virus
did so because they heard it from people they knew.

    Attempts to spread rumors through anon. services will be subject to
much more fact checking and consideration than 'normal' rumors.  News and
mailing lists do just fine in causing runaway rumor spread.  There's
little that anonymous servers will do to change that.

Adam


Priests told to keep cell phones out of confession

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
09 Feb 95 07:51:57 EST
From the Reuters news wire via CompuServe's Executive News Service, yet
another unexpected technological interference with a religious process:

    RTw  02/08 0749  Priests told to keep cell phones out of confession

    ROME, Feb 8 (Reuter) - Even Italians who religiously carry
    their cellular phones while dining in restaurants or jogging
    in forests might draw the line against priests using them in
    the confessional box.

    An Italian Catholic magazine has told priests who own such
    phones to keep them out of the confessional box or at least
    turn them off while administering the sacrament to the faithful.

It seems the February editorial in _Vita Pastorale_, a monthly magazine
for parish priests, cited a case in which a woman complained after her
priest's cell phone rang during her confession.

    A cartoon in the left-leaning daily La Repubblica showed a
    priest in a confessional box holding a cellular phone to his
    ear while simultaneously hearing a member of the faithful confess.

    "Say three Our Fathers and three Hail Marys...No, no I wasn't
    talking to you," the priest says to the caller.

 M.E.Kabay,Ph.D., DirEd, Natl Computer Security Assn (Carlisle, PA);
 Mgmt Consultant, LGS Group Inc. (Montreal, QC)


Cellular phones

Chaim Seymour <seymour@ashur.cc.biu.ac.il>
Sun, 12 Feb 1995 15:28:20 +0200
Re: M.E. Kabay's posting. The official Israeli term for Cellular phones:

  The term 'pelephone' means 'wonder phone' and not 'miracle phone'.

It is generally used and is not peculiar to Rabbis.

Chaim Seymour, Chairman, Cataloguing and Classification Dept, Wurzweiler
Library, Bar-Ilan University, Ramat Gan 52100 Israel  Tel: 03-5318127


Web Page copying reader's system information

Brian Leibowitz <bml@netcom.com>
Fri, 10 Feb 1995 09:40:37 -0800
I found this on the edupage newsletter.
****************************************************************************
Edupage, a summary of news items on information technology, is provided
three times each week as a service by Educom -- a Washington, D.C.-based
consortium of leading colleges and universities seeking to transform
education through the use of information technology.
****************************************************************************

ONLINE SPYING
While you're connected to your favorite Web page, it's also connected to
you, and could be copying all sorts of information off your hard drive, say
industry experts. In fact, it happened last year when Central Point
Software used registration software developed by Pipeline Communications,
and inadvertently also gathered descriptions of the users' systems -- the
type of microprocessor, the version of DOS and Windows, the type of display
and mouse, and the amount of free space available on the hard drive.
Customers squawked, and Central Point had Pipeline change the software.
However, Pipeline reports that at least one of its clients is using the
scanning feature now -- but only after getting the owner's permission. The
lesson? "If you can't trust it, don't connect to it." (Forbes 2/13/95
p.186)

Brian Leibowitz  bml@netcom.com


RISKS of posting to newsgroups

A. Padgett Peterson <padgett@tccslr.dnet.mmc.com>
Thu, 9 Feb 95 11:43:59 -0500
>From:   UVS1::"daemon@anon.penet.fi"  8-FEB-1995 22:25:48.89
>To: padgett@tccslr.dnet.mmc.com
>CC:
>Subj:   Anonymous code name allocated.

>You have sent a message using the anonymous contact service.
>You have been allocated the code name an199742.
>You can be reached anonymously using the address
>an199742@anon.penet.fi.

>If you want to use a nickname, please send a message to
>nick@anon.penet.fi, with a Subject: field containing your nickname.

>For instructions, send a message to help@anon.penet.fi.

This arrived in my morning mail. Seems someone has either subscribed to the
FIREWALLS newsgroup or set up a mail forwarder such that anyone posting to
the FIREWALLS group is automatically granted an "anonymous" account.

Since ANON.PENET.FI is generally believed to have been compromised some time
ago and all accounts/real user names extracted, this could be an attempt by
someone wanting to discredit any such list (wonder if the numbers are
assigned sequentially).

Personally, I have no use for such an account and did not request it (why
I did not bother to obscure the account number), just one reason being that
"Security by Obscurity" has been proven not to work in the long term, another
being that I would consider certain domestic agencies lax if they were not
monitoring international gozintas and gozoutas.  Of course, on the gripping
hand (literary plug) this may have a plus in that anyone who receives an
account this way probably did not have one before.  8*)

Padgett


Good Pentium Followup

Martin Minow <minow@apple.com>
Thu, 9 Feb 1995 16:45:22 -0800
In IEEE Spectrum, February 1995, there's a good overview of the Pentium
problem, including a reasonable amount of technical detail and links to
several technical papers.

Of particular interest to Risks readers is the author, Linda Geppert's,
conclusion:

"These scientists and others did all of us a service by digging deep into
the causes and ramifications of the bug and so precipitating Intel's
no-questions-asked replacement policy. But in the process they spent
valuable time and effort on something that could have been a non-problem,
had Intel been more forthcoming."

Martin Minow  minow@apple.com


Invisible blue zone

Jeff Jonas <jeffj@panix.com>
Tue, 14 Feb 1995 18:29:13 -0500 (EST)
With all the outcry about people not knowing what phone calls cost, this is
somewhat related in that people are assumed responsible for knowledge that
is not readily available.

In a TV "Shame On You" report, it was shown that an entire area of lower
Manhattan, New York is a "Blue Zone" where the curb is SUPPOSED to be
painted blue and have signs that tell that there's no parking and it's a tow
away zone.  Well, there are entire blocks with NO signs or paint on the
curbs.  The traffic department issued tickets from US $55 to $200 if towed.
Appeals are useless as even a reporter with the parking commissioner was
told that "leaflets were distributed".  Yea - back in 1988.  Traffic court
simply found everyone 'guilty'.  So now the leaflets are being distributed,
along with the parking ticket.  So even when there's no notification or
warning, New York City's Parking Violations Bureau doesn't back down and
gets to keep your money.  At least with the phone companies, folks seem to
be getting refunds.

Now jump to the computer network world.  There are many newcomers spamming
USENET with posting to EVERY newsgroup (some apparently use some script as
they're too thorough to post to EVERY newsgroup so fast, and some even
crosspost to 8-10 groups at a time).  When informed "you should not do
that", some reply "nobody told me it was wrong, where was I to find out?".

I'm not sure of the balance of abiding by the rules that you never read vs
"how was I supposed to know?".  (Ex: "I never knew murder was illegal" is no
defense anywhere I know.)

There are cancel-bots used to filter out internet abusers.  I'm concerned
about a denial of service attack.  Let's say somebody forges my header and
spams the network.  The cancelbots then cancel those postings and I'm
essentially barred from the internet.  Unless I get replies that I'm being
blocked, I have no way to know to appeal (let alone to whom) and I must get
a new network identity to ever reachieve connectivity.  My apologies if the
cancelbot control is already centralized and fair, but I fear that I may be
blocked with no way to appeal, even if wrongly accused.  I guess this boils
down to internet connectivity being a privilege, not a right.

-- Jeffrey Jonas  jeffj@panix.com


RISKS of third-party-billed calls not uncommon (Altman, RISKS-16.80)

"Tony Yip, 431-3183, F13" <TONYY@ola.bc.ca>
Mon, 13 Feb 1995 15:06:16 -0800 (PST)
I find that a reader's experience with PacBell's third party billed policy not
uncommon. Living in Vancouver, BC, I've had to call BC Tel periodically
(meaning once every year or two depending on my luck) to credit my bill with
third party calls that I did not make.

It appears that BC Tel rarely verifies third party calls. In other words,
anybody can pick up a pay (or any other) phone, dial the operator and request a
long distance call to be billed to a third phone number that they make up. The
operator may ask for the caller's name but, again, that is not verified so any
name will do.

I am not certain but I believe the route BC Tel takes is that if they cannot
collect from the caller (i.e. the person who gave a phony name and third party
number), they will try to collect from the number that was called.

The first risk is the overall reactive approach to chase down fraud after it
has occurred with no attempt to prevent it. In other words, the onus is on the
customer to check if his/her telco has made a billing mistake. In a large
family with several teenagers, this type of bill checking for erroneous third
party calls is quite impossible.

The second risk is attempting to collect from the called party. What if the
long distance call is a nuisance call from an ex-spouse? Or a $200 long
distance call from old school mates or friends or whoever (and you thought they
were so nice to call you!)... The list goes on. And what about the legal
implications of asking people to pay for calls that they did not initiate nor
authorize?

But...there is no outcry so I guess the problem is not serious enough to
warrant drastic action.


Self-disabling software (Epstein, RISKS-16.79)

Jerry Leichter <leichter@lrw.com>
Mon, 13 Feb 95 17:25:18 EDT
In RISKS-16.79, Jeremy Epstein describes a proposed Virginia law requiring
that companies notify customers if the software they sell has a
self-disabling feature (e.g., after some period of time).  The law would
apparently not ban such features.

Mr. Epstein then lists two potential risks:

    a)  Does informing people that the software is self-disabling
        encourage them to try to subvert the feature?

I'm actually rather surprised that anyone would consider these to be *risks*.
Is it a bad idea to inform people that they are liable for no more than $50
in charges on their credit cards because it encourages them to be
careless with their cards?  Does telling them their cars have dual-redundant
brakes encourage them to experiment with their master cylinders?

There are certainly good arguments for and against banning self-disabling
software to begin with.  But if it's to be allowed, requiring fair notice to
those who receive the software certainly seems very reasonable.  If this
perhaps makes life a bit tougher for those whose view of doing business is
"Well, if the customer doesn't pay up, I'll *really* screw him," isn't that
just too bad?

    b)  If someone did and that triggered the disable feature, would
        that come under the law?

It's beyond me what could be in the law that such tampering could possibly
"come under".  Even if the idea is that people could get themselves into
trouble by such tampering, which they would not have been tempted to try
without the required disclosure - is there really any reason why the law
should try to protect those individuals who are not only dishonest but
incompetent to boot?

    Mr. Epstein continues:  And what if it were used in safety critical
    systems: "I'm sorry, but the license period on the software in your
    heart monitor has expired.  Please contact the vendor to reenable."

I am at a loss as to what this has to do with the proposed law, vague as the
description we have of it might be.  Is Mr. Epstein upset because the law
doesn't simply ban self-disabling features?  It also doesn't ban murder, but
so what.  A general ban on self-disabling features might require some tough
arguing, but a ban on such features for safety-critical systems would be much
harder to oppose.  In any case, I would think it's hardly necessary:  The
liability if a deliberate action led to a serious injury or death would be
enormous.  I should think any lawyer would quite properly have no trouble
convincing a jury that the installation of code to disable a heart monitor
constituted depraved indifference to human life, among other nasty things -
with or without notice.
                -- Jerry


Self-Disabling Software (Epstein, RISKS-16.79)

Bob Brown <bbrown@dkmc.org>
Thu, 9 Feb 95 00:01:45 EST
Jeremy Epstein (RISKS-16.79) sees a risk in a proposed Virginia law
requiring disclosure of self-disabling features in software for sale.  Such
a law is actually an extremely good idea and a reducer of risks.  Many
reputable companies, e.g. the SAS Institute, use self-disablers as a way of
enforcing their license agreements.  Unhappily a small number of
disreputable companies have used the same technique to sandbag buyers in the
event of a contract dispute.  With regard to Mr. Epstein's example of
medical monitoring software (ahem) expiring, aren't the RISKS substantially
reduced if one knows beforehand that this is going to happen on a given
date?


What "RISKS of Third-Party-Billed Calls"? (Altman, RISKS-16.80)

Gary Beckmann <beckmann@world.std.com>
Tue, 14 Feb 1995 10:59:07 -0500
Micah Altman writes about a "risk" of 3rd party calls in RISKS-16.80.
However, this has always been SOP as far as I am aware.  It was an oft used
method of making long distance calls when I was in college.  Generally,
since I was calling from a listed number, the operator would "take my word
for it".  My parents would check the phone bill when it came.  If they
protested a call then the charge would be made to the number I called from.
If you call from a pay phone, the operator will verify before charging the
number you request.

The only risk is the good ol' risk of not checking your bill when it comes in
the mail.  At least we have that, the eight years I lived in Austria I never
got an itemized bill.  You took the Post/Telephone Company's word for it!!!
Now, there was a risk!

Gary Beckmann


Re: What "RISKS of Third-Party-Billed Calls"? (Beckmann, RISKS-16.81)

Peter G. Neumann, Moderator <risks@csl.sri.com>
Tue, 14 Feb 95 8:53:03 PST
You are correct that it is not new.  But practice a few years ago was NEVER
to accept a third-number charge unless it was verified live by the third
party.  With the new automated servers, that has been abandoned.  The
savings in fewer operators seems to offset the losses.


Re: What "RISKS of Third-Party-Billed Calls"? (RISKS-16.81)

Gary Beckmann <beckmann@world.std.com>
Tue, 14 Feb 1995 15:53:52 -0500
So the question, then, is for whom is the risk?  The customer who
doesn't read the bill?  The telephone carrier who swallows the cost of
fraud?  The operators who are losing their jobs?


Re: attack scanning (Cohen, RISKS-16.80)

Stephen Kelley <kelley@vet.vet.purdue.edu>
Mon, 13 Feb 95 15:43:47 -0500
- Management Analytics is offering (in a test mode only) the ability to
- scan sites over the Internet for well-known over-the-wire security holes.

What assurance is there that the results mailed back to the
system administrator actually match the result of the test?

    Send us the name of a computer you're worried about
    and we'll try to break in.  If we can, we'll tell you
    about it.  Really, we will.

Not my computers, thanks just the same.

Steve Kelley, Purdue University Cytometry Laboratories


Re: attack scanning (Kelley, RISKS-16.81)

"Dr. Frederick B. Cohen" <fc@all.net>
Mon, 13 Feb 1995 16:11:50 -0500 (EST)
> What assurance is there that the results mailed back to the
> system administrator actually match the result of the test?

These are all tests you can perform yourself using public domain
software (for the most part).  The service is just a convenience
for checking against external attack from an external location.
But even more importantly, it helps test your detection capability.

>    Send us the name of a computer you're worried about
>    and we'll try to break in.  If we can, we'll tell you
>    about it.  Really, we will.

Really!

> Not my computers, thanks just the same.

You are very welcome to use it or not at your discretion.

FC
