Thieves broke into a van and stole an Oregon woman's ATM card and discovered her PIN number written on her Social Security card. They then made repeated withdrawals, covering 100 miles and visiting 48 ATM machines over a three day period. (Friday night - Monday 2 AM) They were able to get $346,700 in cash with the help of some questionable computer systems. 1) Ordinarily there is a $200 daily limit for withdrawals, Howver, "because of a computer program change at the Oregon TelCo Credit Union, the limit was not in effect that weekend." 2) When the account was down to zero, the thieves fed empty deposit envelopes into the machine and credited the account with bogus deposits of $825,000 — and then made withdrawals against this sum. Technology did work in at least one repect. At least 5 of the machines had taken photos of the people using the stolen card. Three persons are in custody and are facing Federal charges. [From an AP report in the New York Times 12 Feb 1995.] [Also noted on-line by Jerry Whittle, Belleville, Illinois <email@example.com>, firstname.lastname@example.org (Paul Szabo), "Mich Kabay [NCSA Sys_Op]" <email@example.com>, firstname.lastname@example.org (Dave V. Schaller), and olsen@Rational.COM (David Olsen), and by snail-mail from Ed Coover at MITRE-McLean VA. PGN]
I see a number of mistakes/risks here. 1. Smith wrote left her purse in a van overnight and wrote down her PIN number. 2. The bank's software allowed withdrawals of over $200 per day. 3. The bank immediately credited someone's account for a deposit - even a huge amount like $820,500. My bank doesn't credit my account until the next business day. 4. Only about 10% of the ATM machines had hidden cameras. Had the crooks been a little more lucky, they may have never been caught. 5. Karen Smith isn't liable for the theft even though she left her card and PIN number unsecured. I believe that she should shoulder some of the blame and loss. Jerry Whittle, Belleville, Illinois <email@example.com>
>From the Associated Press news wire via CompuServe's Executive News Service: APn 02/06 1228 Sweden-Pedophiles-Internet By THOMAS GINSBERG Associated Press Writer STOCKHOLM, Sweden (AP) — Pedophiles have found a home on the Internet and exchange hundreds of pictures a week through anonymous conduits, a researcher said Monday. The statistics provided a glimpse at the scope of the potentially illegal activity, which police fear can lure kids into sex. It came from a study by Mats Wiklund, a researcher at Stockholm University's Institute of Computer and System Science. During a seven-day period in late December and early January, Wiklund counted 5,651 messages or postings about child pornography in four electronic "bulletin boards." The author makes the following key points: * Many graphics showed what appeared to be "adolescents engaged in sexual acts." A few showed young children, apparently to attract the interest of other pedophiles. * The messages tracked and counted were a fraction of the total traffic, since Wiklund was unable to track private e-mail and scanned only about half of the porn-related groups he knew of. * Most of the pornographic messages were sent through the anonymizing server located in Finland. * The Internet offers advantages to pedophiles: "The Internet has become a channel of communication for pedophiles," Wiklund said. "From their point of view, they've found a green technology. You can be anonymous and still be reached." * Exchanging pornography electronically is a crime in many areas of the world: In most countries the distribution of child pornography is illegal. Two years ago, U.S. police raided about 40 locations where people were exchanging child pornography by computer. Two Danes were convicted in 1993 of transmitting child pornography to an estimated 6,000 people worldwide. * 85% of the messages Wiklund scanned were fantasies about sex with children or technical tips on how to transmit pornographic pictures. * Law enforcement officials are still unsure of how to handle this traffic: Finnish detective Sgt. Timo Laine said it was unclear whether the country's laws would apply to "electronic smuggling" by computer. He said did not know whether police would take action against the computer owner in Finland. "We've never had this kind of case before," Laine said. "If I transmit this information through the Internet, is it considered smuggling?" M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)
There was an announcement in misc.kids.computers yesterday that, at first glance, appeared to be just what it said: ``a communication playground for children ages 8-12''. The full text of the announcement is quoted below: KidsCom, a communication playground for children ages 8-12 is up and running. Kids can find key pals, get help with Internet questions from an Internet guru, talk about what they'd like to be when they grow up, explore links to other children's sites, enter sweepstakes to win prizes, and give feedback on what they'd like to see and do on the Internet. http://www.spectracom.com/kidscom/ For more info, please email firstname.lastname@example.org What they didn't mention, however, was that before you can ``play'' you have to fill out a form that asks for: name, address, e-mail address, demographic information, *and a password*! Some people are already advising kids against giving out their names and addresses on the Net; this goes *much* farther. There are at least two risks here, the most obvious being the risk (almost a certainty) of ending up on some direct marketer's mailing list. The other one is the usual one of sending passwords in the clear: what if the kid has an account on a Unix system somewhere (mine does, on our Linux box at home), and what if they use the same password in both places? Now, the folks at SpectraCom may simply not have thought about the potential consequences of what they're doing; their description of the company as a full service research, strategic planning and communications company that specializes in conveying information in an understandable and actionable way. ^^^^^^^^^^(sic) would seem to indicate as much. But the same technique could be used by someone trolling for easy systems to crack. It would work even better on adults, of course, and the next bunch might ask for a 4-digit number instead of a password... Hey, kid, want a free lollypop? Just fill out this form... Steve Savitzky h:email@example.com 408-294-6492 http://www.rahul.net/starport/ w:firstname.lastname@example.org.COM 415-496-5710 http://www.crc.ricoh.com/~steve/
In RISKS-16.79, Mitch Kabay writes: > ... Now imagine this rumour spreading through cyberspace, aided by > anonymous postings ... While there may be risks in anonymous postings, spread of rumors really doesn't seem to be one of them. The "Good Times" virus of a few months back spread without going through anonymizing services. This is to be expected of the way rumors spread. People who saw and spread the virus did so because they heard it from people they knew. Attempts to spread rumors through anon. services will be subject to much more fact checking and consideration than 'normal' rumors. News and mailing lists do just fine in causing runaway rumor spread. Theres no little that anonymous servers will do to change that. Adam
>From the Reuters news wire via CompuServe's Executive News Service, yet another unexpected technological interference with a religious process: RTw 02/08 0749 Priests told to keep cell phones out of confession ROME, Feb 8 (Reuter) - Even Italians who religiously carry their cellular phones while dining in restaurants or jogging in forests might draw the line against priests using them in the confessional box. An Italian Catholic magazine has told priests who own such phones to keep them out of the confessional box or at least turn them off while administering the sacrament to the faithful. It seems the February editorial in _Vita Pastorale_, a monthly magazine for parish priests, cited a case in which a woman complained after her priest's cell phone rang during her confession. A cartoon in the left-leaning daily La Repubblica showed a priest in a confessional box holding a cellular phone to his ear while simultaneously hearing a member of the faithful confess. "Say three Our Fathers and three Hail Marys...No, no I wasn't talking to you," the priest says to the caller. M.E.Kabay,Ph.D., DirEd, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)
Re: M.E. Kabay's posting. The official Israeli term for Cellular phones: The term 'pelephone' means 'wonder phone' and not 'miracle phone'. It is generally used and is not peculiar to Rabbis. Chaim Seymour, Chairman, Cataloguing and Classification Dept, Wurzweiler Library, Bar-Ilan University, Ramat Gan 52100 Israel Tel: 03-5318127
I found this on the edupage newsletter. **************************************************************************** Edupage, a summary of news items on information technology, is provided three times each week as a service by Educom — a Washington, D.C.-based consortium of leading colleges and universities seeking to transform education through the use of information technology. **************************************************************************** ONLINE SPYING While you're connected to your favorite Web page, it's also connected to you, and could be copying all sorts of information off your hard drive, say industry experts. In fact, it happened last year when Central Point Software used registration software developed by Pipeline Communications, and inadvertently also gathered descriptions of the users' systems — the type of microprocessor, the version of DOS and Windows, the type of display and mouse, and the amount of free space available on the hard drive. Customers squawked, and Central Point had Pipeline change the software. However, Pipeline reports that at least one of its clients is using the scanning feature now — but only after getting the owner's permission. The lesson? "If you can't trust it, don't connect to it." (Forbes 2/13/95 p.186) Brian Leibowitz email@example.com
>From: UVS1::"firstname.lastname@example.org" 8-FEB-1995 22:25:48.89 >To: email@example.com >CC: >Subj: Anonymous code name allocated. >You have sent a message using the anonymous contact service. >You have been allocated the code name an199742. >You can be reached anonymously using the address >firstname.lastname@example.org. >If you want to use a nickname, please send a message to >email@example.com, with a Subject: field containing your nickname. >For instructions, send a message to firstname.lastname@example.org. This arrived in my morning mail. Seems someone has either subscribed to the FIREWALLS newsgroup or set up a mail forwarder such that anyone posting to the FIREWALLS group is automatically granted an "anonymous" account. Since ANON.PENET.FI is generally believed to have been compromised some time ago and all accounts/real user names extracted, this could be an attempt by someone wanting to discredit any such list (wonder if the numbers are assigned sequentially). Personally, I have no use for such an account and did not request it (why I did not bother to obscure the account number), just one reason being that "Security by Obscurity" has been proven not to work in the long term, another being that I would consider certain domestic agencies lax if they were not monitoring international gozintas and gozoutas. Of course, on the gripping hand (literary plug) this may have a plus in that anyone who receives an account this way probably did not have one before. 8*) Padgett
In IEEE Spectrum, February 1995, there's a good overview of the Pentium problem, including a reasonable amount of technical detail and links to several technical papers. Of particular interest to Risks readers is the author, Linda Geppert's, conclusion: "These scientists and others did all of us a service by digging deep into the causes and ramifications of the bug and so precipitating Intel's no-questions-asked replacement policy. But in the process they spent valuable time and effort on something that could have been a non-problem, had Intel been more forthcoming." Martin Minow email@example.com
With all the outcry about people not knowing what phone calls cost, this is somewhat related in that people are assumed responsible for knowledge that is not readily available. In a TV "Shame On You" report, it was shown that an entire area of lower Manhattan, New York is a "Blue Zone" where the curb is SUPPOSED to be painted blue and have signs that tell that there's no parking and it's a tow away zone. Well, there are entire blocks with NO signs or paint on the curbs. The traffic department issued tickets from US $55 to $200 if towed. Appeals are useless as even a reporter with the parking commissioner was told that "leaflets were distributed". Yea - back in 1988. Traffic court simply found everyone 'guilty'. So now the leaflets are being distributed, along with the parking ticket. So even when there's no notification or warning, New York City's Parking Violations Bureau doesn't back down and gets to keep your money. At least with the phone companies, folks seem to be getting refunds. Now jump to the computer network world. There are many newcomers spamming USENET with posting to EVERY newsgroup (some apparently use some script as they're too thorough to post to EVERY newsgroup so fast, and some even crosspost to 8-10 groups at a time). When informed "you should not do that", some reply "nobody told me it was wrong, were was I to find out?". I'm not sure of the balance of abiding by the rules that you never read vs "how was I supposed to know?". (Ex: "I never knew murder was illegal" is no defense anywhere I know.) There are cancel-bots used to filter out internet abusers. I'm concerned about a denial of service attack. Let's say somebody forges my header and spams the network. The cancelbots then cancel those postings and I'm essentially barred from the internet. Unless I get replies that I'm being blocked, I have no way to know to appeal (let alone to whom) and I must get a new network identity to ever reachieve connectivity. My apologies if the cancelbot control is already centralized and fair, but I fear that I may be blocked with no way to appeal, even if wrongly accused. I guess this boils down to internet connectivity being a privilege, not a right. -- Jeffrey Jonas firstname.lastname@example.org
I find that a reader's experience with PacBell's third party billed policy not uncommon. Living in Vancouver, BC, I've had to call BC Tel periodically (meaning once every year or two depending on my luck) to credit my bill with third party calls that I did not make. It appears that BC Tel rarely verifies third party calls. In other words, anybody can pick up a pay (or any other) phone, dial the operator and request a long distance call to be billed to a third phone number that they make up. The operator may ask for the caller's name but, again, that is not verified so any name will do. I am not certain but I believe the route BC Tel takes is that if they cannot collect from the caller (i.e. the person who gave a phony name and third party number), they will try to collect from the number that was called. The first risk is the overall reactive approach to chase down fraud after it has occurred with no attempt to prevent it. In other words, the onus is on the customer to check if his/her telco has made a billing mistake. In a large family with several teenagers, this type of bill checking for erroneous third party calls is quite impossible. The second risk is attempting to collect from the called party. What if the long distance call is a nuisance call from an ex-spouse? Or a $200 long distance call from old school mates or friends or whoever (and you thought they were so nice to call you!)... The list goes on. And what about the legal implications of asking people to pay for calls that they did not initiate nor authorize? But...there is no outcry so I guess the problem is not serious enough to warrant drastic action.
In RISKS-16.79, Jeremy Epstein describes a proposed Virginia law requiring that companies notify customers if the software they sell has a self-disabling feature (e.g., after some period of time). The law would apparently not ban such features. Mr. Epstein then lists two potential risks: a) Does informing people that the software is self-disabling encourage them to try to subvert the feature? I'm actually rather surprised that anyone would consider these to be *risks*. Is it a bad idea to inform people that they are liable for no more than $50 in charges on their credit cards a bad idea because it encourages them to be careless with their cards? Does telling them their cars have dual-redundant brakes encourage them to experiment with their master cylinders? There are certainly good arguments for and against banning self-disabling software to begin with. But if it's to be allowed, requiring fair notice to those who receive the software certainly seems very reasonable. If this perhaps makes life a bit tougher for those whose view of doing business is "Well, if the customer doesn't pay up, I'll *really* screw him," isn't that just too bad? b) If someone did and that triggered the disable feature, would that come under the law? It's beyond me what could be in the law that such tampering could possibly "come under". Even if the idea is that people could get themselves into trouble by such tampering, which they would not have been tempted to try without the required disclosure - is there really any reason why the law should try to protect those individuals who are not only dishonest but incompetent to boot? Mr. Epstein continues: And what if it were used in safety critical systems: "I'm sorry, but the license period on the software in your heart monitor has expired. Please contact the vendor to reenable." I am at a loss as to what this has to do with the proposed law, vague as the description we have of it might be. Is Mr. Epstein upset because the law doesn't simply ban self-disabling features? It also doesn't ban murder, but so what. A general ban on self-disabling features might require some tough arguing, but a ban on such features for safety-critical systems would be much harder to oppose. In any case, I would think it's hardly necessary: The liability if a deliberate action led to a serious injury or death would be enormous. I should think any lawyer would quite properly have no trouble convincing a jury that the installation of code to disable a heart monitor constituted depraved indifference to human life, among other nasty things - with or without notice. — Jerry
Jeremy Epstein (RISKS-16.79) sees a risk in a proposed Virginia law requiring disclosure of self-disabling features in software for sale. Such a law is actually an extremely good idea and a reducer of risks. Many reputable companies, e.g. the SAS Institute, use self-disablers as a way of enforcing their license agreements. Unhappily a small number of disreputable companies have used the same technique to sandbag buyers in the event of a contract dispute. With regard to Mr. Epstein's example of medical monitoring software (ahem) expiring, aren't the RISKS substantially reduced of one knows beforehand that this is going to happen on a given date?
Micah Altman writes about a "risk" of 3rd party calls in RISKS-16.80. However, this has always been SOP as far as I am aware. It was an oft used method of making long distance calls when I was in college. Generally, since I was calling from a listed number, the operator would "take my word for it". My parents would check the phone bill when it came. If they protested a call then the charge would be made to the number I called from. If you call from a pay phone, the operator will verify before charging the number you request. The only risk is the good ol' risk of not checking you bill when it comes in the mail. At least we have that, the eight years I lived in Austria I never got an itemized bill. You took the Post/Telephone Company's word for it!!! Now, there was a risk! Gary Beckmann
You are correct that it is not new. But practice a few years ago was NEVER to accept a third-number charge unless it was verified live by the third party. With the new automated servers, that has been abandoned. The savings in fewer operators seems to offset the losses.
So the question, then, is for whom is the risk? The customer who doesn't read the bill? The telephone carrier who swallows the cost of fraud? The operators who are losing their jobs?
- Management Analytics is offering (in a test mode only) the ability to - scan sites over the Internet for well-known over-the-wire security holes. What assurance is there that the results mailed back to the system administrator actually match the result of the test? Send us the name of a computer you're worried about and we'll try to break in. If we can, we'll tell you about it. Really, we will. Not my computers, thanks just the same. Steve Kelley, Purdue University Cytometry Laboratories
> What assurance is there that the results mailed back to the > system administrator actually match the result of the test? These are all tests you can perform yourself using public domain software (for the most part). The service is just a convenience for checking against external attack from an external location. But even more importantly, it helps test your detection capability. > Send us the name of a computer you're worried about > and we'll try to break in. If we can, we'll tell you > about it. Really, we will. Really! > Not my computers, thanks just the same. You are very welcome to use it or not at your discretion. FC
Please report problems with the web pages to the maintainer