The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 19

Thursday 29 May 1997

Contents

o FBI sting nabs man trying to sell 100,000 credit-card data items
PGN
o Computer fraud in subscribing to telephone service?
Thomas Brazil
o Oklahoma bombing trial transcripts
Henry G. Baker
o Area-code switcheroo
Gary McGraw
o How Secure Is AT&T's WorldNet Security?
Brian S. McWilliams
o Eavesdropping tools used by drug barons
Peter Wayner
o AltaVista stores username/password for shopping malls
Fredrik Pihl
o Re: On-line brokerage-trading passwords in plaintext
Hal Lewis
o Risks of lying on return address of spam
Mich Kabay
o Anti-spam bill introduced in U.S. Senate
Abigail
o Re: E-mail disaster: inadvertent use of a mailing list
Dorothy Denning
Joe Carlet
o Re: JVM verification
Li Gong
o General relativity vs special relativity
Steven M. Schweda
o Re: Fire ants and computers
Simson L. Garfinkel
Vexxallarius Venturi
o Re: On-line change of postal address
G. Allen Morris III
Evan McLain
o Final version of "Risks of Key Recovery" available
Matt Blaze
o Info on RISKS (comp.risks)

FBI sting nabs man trying to sell 100,000 credit-card data items

"Peter G. Neumann" <neumann@chiron.csl.sri.com>
Sat, 23 May 97 10:44:14 PDT
Carlos Felipe Salgado Jr. ("Smak", 36, Daly City, CA) was arrested at San
Francisco Airport on 21 May 1997 after he sold an encrypted diskette with
personal data on more than 100,000 credit-card accounts to undercover FBI
agents, who paid him $260,000, checked out the validity of the data, and
then nabbed him.  He reportedly had obtained the information by hacking into
various company databases on the Internet or by packet-sniffing an
unidentified SanDiego-based ISP.  He faces up to 15 years in prison and
$500,000 in fines.  [Source: *San Francisco Chronicle, 22 May 1997, A25; 23
May 1997, D1-2]

Add this case to the burgeoning Risks of Identity Theft file, including
recent cases involving thefts of a Visa International database of 300,000
credit cards (RISKS-18.62), Caltrain's ticket-by-mail commuter database
(RISKS-19.02), and Levi Strauss' 40,000 employees and retirees
(RISKS-19.12).


Computer fraud in subscribing to telephone service?

Thomas Brazil <braz@mnw.net>
Fri, 23 May 1997 15:55:36 -0500
Several weeks ago, we started receiving automated calls. When my wife picked
up the line, there was just a slight hum for exactly 10 seconds, then the
line would disconnect.  Initially, my wife had thought some "female" was
trying to call me, and hung up.  It was only when I received the same calls
that she believed me!  After the first two weeks of this, we received
another, automated 10-second hangup IMMEDIATELY followed by a call from
South Central Bell inquiring as to whether we wanted to "TouchStar"
telephone service, which allows the customer to find out (among other
things) who had "called and hung up" for a "low" monthly fee.  I complained
that I thought it was rather coincidental that BellSouth would call right
after another automated hang up, but they professed their innocence.  Today,
I started receiving them on BOTH of my lines at the same time.  I called a
friend (another RISKS reader) to ask what steps I could take (I live in AL,
he lives in MD).  To my surprise, he started getting the same 10-second
automated hangups 3 weeks ago, and have not stopped!

What I feel is happening is that the phone companies have tapped into a way
to generate more money by causing people to dial the *69 number for the
75-cent fee.  When people get tired of paying the fee, they subscribe to the
service.  I may just do that to see if the calls stop.  I have tried the
better business bureau, but no humans exist to speak to!  The risk?  Well,
my marriage went south for the first two weeks, and people are possibly
getting duped while the phone companies take the money and run.


Oklahoma bombing trial transcripts

Henry G. Baker <hbaker@netcom.com>
Wed, 28 May 1997 11:47:43 -0700 (PDT)
RISKS readers may find the following transcript from the OK bombing trial
to be particularly interesting:
  http://www.cnn.com/US/9703/okc.trial/transcripts/may/050697.eve.txt
(Note CNN's Y2K problem, but that's for another time!)

This transcript was brought to the attention of another usenet group due to
its details of how the debit-card business works.

The bulk of this transcript deals with the testimony of a Mr. John Kane, an
executive of the company that handled the telephone debit card that was
allegedly used.

Problems:

There was no one computer that had all of the information necessary to
connect a phone debit-card number, the phone number from which a call was
made, and the phone number to which the call was made.  3 different logs
from 3 different computer systems whose clocks were not synchronized must be
related in order to determine this information.  Therefore, it is difficult
to relate the logs in an unambiguous manner.  Furthermore, the logs indicate
only a physical port number, and the only way to determine the
correspondence is to _physically inspect_ the connectivity of the cables.

Q. How often were the cables rearranged?  Since the system would work fine
with a different permutation of the cables, what assurance do we have that
the cables had not been rearranged by a technician who many never have told
anyone, or not even realized himself?

Due to the large sizes of these files (2.5 billion calls!), the 'matching'
process allowed for +/- 4 minutes 'slop' in comparing the clock times of the
different logs.  Q.  Did they take into account Daylight Savings Time
(especially given the problems we're recently been talking about)?

Q. Did they take into account the fact that on different days the clocks may
have had different discrepancies?

There are key items missing from the most important transaction log.  This
is because this computer was _intentionally rebooted_ 3 times every day
(perhaps at midnight, 8AM, 4PM, all Los Angeles time).  Each time the
computer was rebooted, some transactions were lost; whether from not having
been saved from the write buffer, or not being logged during a length boot
process, was not made clear.  Apparently, a very critical phone call was one
of the transactions that were not logged due to this rebooting.  (What are
the chances of this??)

Why was this computer rebooted 3X per day?  Because it had apparently been
crashing of its own accord prior to this, and those crashes had been very
inconvenient, so it was decided that purposely rebooting would result in
fewer complaints.  This rebooting may have resulted in a slight loss of
revenue, as well, as the missing calls may never have been logged.

There is a presumption that if a PIN (in this case a 14-digit PIN) is being
used, that only one person could possibly have used it.  However, apparently
this system did not check to see that multiple people (perhaps in different
parts of the country) were not using the same PIN number at the same time.
(Unlike many prepaid phone cards in Europe, there is no physical card to
plug into the phone -- the _only_ proof of identity is the PIN.)

Henry Baker  ftp://ftp.netcom.com/pub/hb/hbaker/home.html


Area-code switcheroo

Gary McGraw <gem@rstcorp.com>
Fri, 23 May 1997 11:04:43 -0400 (EDT)
AT&T Research (and probably some surrounding subsection of New Jersey) is
getting a new area code (973).  The old area code was (908).  This morning I
tried calling Avi Rubin (who said I should mention "Web Security
Sourcebook", his new book), at his new number and got a "no such area code"
message from the phone company.  (Incidentally, Avi's new number came off
his .sig from an e-mail he sent me.)  Undaunted, I looked up his old number
in my rolodex and called that.  I was answered with a recorded message
saying "...listen up, my new number is (973)...", which then terminated in
silence.  No chance to leave a message.  No actual human being.

This means that it is currently impossible to reach Avi by phone (something
he doesn't seem too put out by)!  After I sent Avi some e-mail, he called me
in Virginia.  He explained that he had tested the new number from within the
old (908) range and it worked.  Thus he assumed it worked in the rest of the
world.  It doesn't.

The risk?  You might actually get some work done if you never have to talk
on the phone.  New area code anyone?

Gary McGraw, Reliable Software Technologies (RST), Sterling, VA
gem@rstcorp.com  <http://www.rstcorp.com/~gem>


How Secure Is AT&T's WorldNet Security?

"Brian S. McWilliams" <bmcw@redbud.mv.com>
Thu, 22 May 1997 23:18:56 -0400
by Brian McWilliams, PC World News Radio

May 20, 1997 - - A security window left open by AT&T's WorldNet Internet
service may have exposed credit card, e-mail, and other personal information
of WorldNet subscribers.

PC World News Radio learned that the account access pages at the WorldNet
site, where subscribers can change their user account information, are not
protected by SSL, the widely used protocol that authenticates and encrypts
transactions over the Internet.

To get into the page, you type in your e-mail identification and a special
security word that you select when you sign up for WorldNet service. When
you type in the word, it becomes a hidden field in the HTML page. The
service keeps sending the word as plain text every time you make another
request on that Web site.

"We sat there and just started grabbing packages and dumping them into a
database," said Patrick Cline, a WorldNet subscriber who's a database
engineer for a Georgia-based software company. "Read them off and you can
get people's e-mail IDs, passwords, all that data."

Cline says he discovered the hole in WorldNet's security recently when he
was updating his account. Out of curiosity, he checked the HTML source code
on the account access page and saw it was sending his account name, e-mail
ID, and, most importantly, his security word, from his browser over the Net
as plain, unencrypted text.

Using what he said are widely available tools and techniques, Cline says he
wrote an application that watched the WorldNet account access page and
grabbed security words and account IDs. After an hour or so, he had
collected information on some 20 user accounts. With that data, he said he
could have logged into the users' accounts,  read their e-mail, viewed
their credit-card data, and essentially posed as those users.

"I guess the idea of the security word is that only one single person would
know it," said Cline. "But, if you can grab that data, you could do
anything you want. You could be that person as far as WorldNet is concerned."

A spokesperson for AT&T WorldNet confirmed that the service heard from
Cline regarding the security vulnerability and was investigating the
possible exposure. But he said the opportunities for hackers to get
WorldNet users' information is small, because the account access page isn't
available on the open Internet, but only to WorldNet users who dial into
one of the company's points of presence.

Nonetheless, Cline said that user information is at least available to
hackers with a WorldNet account, and he advised fellow WorldNet
subscribers, and Net users in general, to be vigilant about using sites
that ask for confidential information without proper security protection.

"People need to be aware of how easy, or how accessible, this technology is
becoming to capture this information. Any idiot just coming out of school
can do this, can just grab plain information that's just being sent, and
encryption is the key to protecting people."

Dave Kennedy, director of research for the National Computer Security
Association, said he was surprised that a high-profile service like AT&T's
would leave such a security window open.

"If AT&T did this, that's a bad thing because they're such a major provider
and certainly being as large as they are, would be expected to know better.
" But he added that there are "far more good sites than there are clueless
sites."

As of news time, AT&T WorldNet's account access page was still operating
without encryption.

RealAudio:
http://www.pcworld.com/cgi-bin/playradio.pl?Month=05&Day=20&Year=97&Bps=28

Text: http://www.pcworld.com/cgi-bin/database/body.pl?ID=970520182007


Eavesdropping tools used by drug barons

Peter Wayner <pcw@access.digex.net>
Sat, 24 May 1997 10:27:45 -0400 (EDT)
The top story in the 24 May 1997 edition of *The New York Times* describes
how one of the top Generals in the Mexican army apparently sold his services
to a drug dealer.  The good news is that he rounded up some of the
traffickers on the street.  The bad news is that he only rounded up the
competitors of his client who rewarded him well for such service.  The story
also notes that the General has denied the charges.

RISKS readers will be interested in these quotes:

* General Gutierrez's subordinates, working with Mr. Carrillo Fuentes's
  eavesdroppers and gunmen, detained and interrogated dozens of suspected
  Areliano Felix associates, the testimony indicates. ...

* Before one joint operation [sic], the traffickers briefed one of the
  general's subordinates, showing him a file of reconnaissance photos of
  Arellan Felix associates and their residences, as well as tape recordings
  of telephone conversations the traffickers had intercepted, the testimony
  indicates. ...

* Last October, the mutual trust was so high [sic] between General Gutierrez
  and the Carrillo Fuentes organization that the traffickers delivered a set
  of computerized, encrypted cellular phones that allowed Mr. Carrillo
  Fuentes and his aides to talk freely with the general, his driver and
  other military officers without being overheard, the testimony indicates.

So, the debate is what to do about the eavesdropping and encryption in this
story.  Obviously, cheap and easy encryption would have allowed the rival
organization a fighting chance to move its drugs into America and prevent a
monopoly from developing.  But encryption also allowed the allegedly corrupt
General to speak freely with his partners, the drug barons.  Could it be
that the RISKS of technology may be the least of our RISKS?


AltaVista stores username/password for shopping malls

Fredrik Pihl <pihl@innovative.se>
Wed, 28 May 1997 11:59:39 +0100
AltaVista stores URLs containing username/password for shopping malls.  When
searching for (e.g.,) a specific music band, you might get a result
including an autologin to a shopping mall.  You have full control of the
user information and are able to change the shipping address etc, but still
having the original user having to pay for it.

Never use the CGI GET method to submit parameters!

Fredrik Pihl, Innovative Media AB, S-412 88 Goteborg SWEDEN
<pihl@innovative.se>  http://www.innovative.se/  Phone +46-31-7724013


Re: On-line brokerage-trading passwords in plaintext (Helsel, R-19.16)

hal lewis <hlewis@physics.ucsb.edu>
Wed, 28 May 1997 08:38:48 -0700
In RISKS-19.16, Cliff Helsel reported that ETrade, IMHO one of the best of
the on-line trading services, makes all customer passwords available to
their customer service employees--perhaps to all their employees.  So I
asked them (via e-mail) if it were true.  It took two weeks, but the answer
came, and was: the procedure has been changed, and it is no longer true.
Another problem solved, though of course I have no idea how well they have
solved it.  (Note the power of Risks! Use it prudently.)

That left the question of whether the passwords are stored in the clear or
encrypted (recognizing that someone, some day, insider or outsider, will
break into the file).  I asked, but have no idea whether they will tell.
Stay tuned.

Hal Lewis


Risks of lying on return address of spam

"Mich Kabay [NCSA]" <Mich_Kabay@compuserve.com>
Thu, 29 May 1997 12:04:25 -0400
>From WIRED online via PointCast News:

Small-Time Spammer Slapped with Suit, by Ashley Craddock, 29 May 1997

Attempting to narrow the scope of spam wars, Internet activists in Austin,
Texas, have slapped a novice junk e-mailer with a lawsuit charging that he
illegally dumped his online garbage in someone else's mailbox.

The author makes the following key points:

* College student Craig Nowak admits having chosen a reply address at random
for his first spam attack on the Net from his "short-lived" company, CN
Enterprises.

* He chose "flowers.com" and the legitimate owners of that address received
5,000 bounced messages and enraged responses to Nowak's fraudulently
labelled junk e-mail.

* Tracy LaQuey Parker has been joined in her lawsuit by the Electronic
Frontier Foundation (Austin chapter) and the Texas Internet Service
Providers Association.

* Lawsuit demands "unspecified actual and punitive damages" for having
falsely attached the flowers.com address to the junk, causing potential
blacklisting of the legitimate firm.

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA) http://www.ncsa.com=


Anti-spam bill introduced in U.S. Senate

Abigail <abigail@fnx.com>
Fri, 23 May 1997 19:04:18 -0400 (EDT)
In RISKS-19.18, Lance Hoffman notes the "anti-spam bill" introduced in the
Senate.  But it is not an anti-spam bill. It's an anti-commercial-e-mail
bill.

I read the bill and my reaction was `great, if I now send someone an e-mail
with the URL of O'Reilly's webpage, I can be sued, but they still can't get
me when I e-mail the bible to a million addresses'.

It's a bad bill, for many reasons:

- It only addresses the US, which is rather pointless on the Internet.
  I have seen a couple of machines outside the USA, and I bet they
  are able to send e-mail as well.
- It doesn't address the real problem: misuse of the system. The problem
  isn't that the content of e-mail is commercial, the problem is that
  sending enormous amounts of mail at one time can bring mail delivery
  systems to their knees. A mail server of a large ISP that goes down
  under the load wouldn't have stayed up if the content was a fairy tale.
- The proposed solution doesn't solve anything. Yes, adding 'Advertisement'
  in the subject makes it easier to filter it, but the net traffic
  stays the same, and so does the load on machines. (Hmm, extra filtering
  might even increase the load).
- Faking an e-mail address is about as easy typing your name. How do
  you prove an alleged commercial e-mail actually comes from the address
  mentioned? Wouldn't an organisation like the Church of Scientology
  have some interesting (mis)uses for this bill?

I don't have a solution for the problem of junkmailing, but I hope
this bill will not pass the Senate.

Abigail


Re: E-mail disaster: inadvertent use of a mailing list (Byrd, R-19.18)

Dorothy Denning <denning@cs.georgetown.edu>
Fri, 23 May 1997 14:37:07 -0400
When I worked for Digital's Systems Research Center, our e-mail interface
program had a feature for resolving the aliases in a message without sending
the message.  I always used this before sending to make sure my messages
went to the people I intended and to find out if I had the right alias (now
I often generate bounced messages because I got the alias wrong or thought I
had one that I didn't).  It also had the advantage that I could create
hierarchical alias lists, building aliases out of aliases, which enormously
simplified the process of updating e-mail addresses.  The resolver did not
work recursively, but it was a simple matter to click the button a few times
to get to the leaves (usually at most 2 levels deep).

Dorothy Denning


Re: E-mail disaster: inadvertent use of a mailing list (Byrd, R-19.18)

Joe Carlet <jcarlet@travelin.com>
Wed, 28 May 1997 16:32:58 -0500
When I worked at another (un-named) company a similar thing happened.  Two
people on two different continents were fired for exchanging private, shall
we say "racy" (actually pornographic) letters between themselves.  What
happened is the e-mail system would allow the (inadvertent) attachment of one
e-mail message to another.  The ADD ATTACHMENT function key was "F7", the
DELETE MESSAGE function key was "F6".  So the first individual (accidentally
--- you're ahead of me-- ) hit the F7 key before the F6 key, then proceeded
to send a message to yet another mailing list on another subject.......

One could observe (in the upper right corner) that there was "x" number
of attachments to a mail message.   If one was observant.  If.......

After THAT incident there were a LOT of people who became VERY
observant of the upper right corner of their mail screen.........
Of course the obvious risk is don't use the corporate mail system
to exchange private mail, the corporate mail police are watching you!

-Joe


Re: JVM verification (Sirer, RISKS-19.18)

Li Gong <gong@games.Eng.Sun.COM>
Wed, 28 May 1997 12:16:42 -0700
Emin Gun Sirer of the University of Washington posted an article in
RISKS-19.18 entitled "Java security architectures/testing
methodology/flaws".  [...]

Emin Gun Sirer <egs@cs.washington.edu> wrote:
> A few of the flaws involve breakdowns in the typesafety guarantees of
> Java, which expose web users who execute foreign Java code to security
> attacks. A flaw in typesafety may allow an application to gain access to
> restricted data or to restricted services. Some of the other flaws are
> deviations from the JVM specification, and a few are particular unenforced
> interpretations of an ambiguous specification.

It is perhaps worth noting the usage of "a few", "may allow", and "some of"
in the above description.  For the original JavaSoft statement on this
issue, see http://java.sun.com/security/UW.html.  For a much more detailed
and more interesting exposition on the topic, see
http://java.sun.com/security/UWdetails.html.  Some excepts:

1. Why is there a discrepancy in the statements from UW and from JavaSoft?

The University of Washington statement refers to 24 bugs found in the JDK
system, and the JavaSoft statement refers to one bug that is fixed.  Why this
discrepancy?

The University of Washington researchers tested several different verifier
implementations, including those used by commercial Java browsers, and a
development tool from JavaSoft called javap.  Javap is a decompiler that
takes Java bytecode as input, and produces a Java "pseudo source" file.  It
is possible to invoke javap with a verification option turned on, in which
javap performs a subset of tests that the VM performs.  When the Kimera
project's test vectors are applied to the verifier used by the JDK platform,
the appletviewer and HotJava, a different set of test results emerges.

  <"[...]" denotes requested deletion in archive copy.  PGN>


General relativity vs special relativity (Re: Hayes, RISKS-19.18)

Steven M. Schweda <SMS@provis.com>
23 May 97 09:43:00 CDT
Arrgh.

> > It's not meaningful to compare a clock in Denver with a clock in
> > California to within a microsecond, ...
> Not true.  The two locations are essentially fixed with respect to each

Special relativity says there's no difference.  General Relativity says
there _is_ a difference.  Somewhere _after_ chapter 1, I expect Misner,
Thorne, and Wheeler mention this.  (My copy's at home, and I'm not.)  Clocks
run more slowly in stronger gravitational fields, independent of relative
motion or lack thereof.  (Or so the theory goes.)

I've not tried to run the numbers, but I suspect that actually getting a
microsecond difference between Denver and someplace at sea-level would take
longer than I care to wait.

I greatly enjoy the RISKS news, but I would not depend on it for an
education in physics.  Too many contributors who know things that are not
true.

Steven M. Schweda, Provis Corporation, 5251 Program Avenue  #100
Mounds View, MN  55112-4975  (+1) 612-785-2000 ext. 16  sms@provis.com


Re: Fire ants and computers (RISKS-19.17)

"Simson L. Garfinkel" <simsong@vineyard.net>
Thu, 22 May 1997 23:04:56 -0700
If fire ants are attracted to strong electrical fields, then this does
suggest a way to create an effective fire ant trap & killing device.  I am
surprised that nobody has done it.


Re: Fire ants and computers (RISKS-19.17)

Vexxallarius Venturi <rcdragon@omsi.edu>
Thu, 22 May 1997 23:55:26 -0700
Doesn't anyone remember one of the biggest problems the Super Conducting
Super Collider project ran into during construction in Texas?  It wasn't
politics... It was the Mecca of fire ants in all the extremely high-voltage
conduits, junctions, transformers, and other high-strength field areas.  The
ants would eat the insulating compounds off and sit there basking in the emf
high they apparently got.  Occasionally, an ant would offer itself as
sacrifice, prompting some Damn Big Breakers to blow...

Sadly, the engineers rated a Major Duh! from the local farmers who have
had to put up with the critters for years...

Vexxallarius Venturi (aka The Really Cranky Dragon)
<a href="http://www.omsi.edu/~rcdragon">http://www.omsi.edu/~rcdragon <rcdragon@omsi.edu>


Re: On-line change of postal address (RISKS-19.18)

"G. Allen Morris III" <gam3@csua.berkeley.edu>
Mon, 26 May 1997 20:41:20 -0700 (PDT)
The web-site run by the USPS requires that you print out a form and mail it
to your postmaster or give it to you postal carrier.  I don't see how this
is any different than paper forms.  It is certainly not an `on-line' change.

G. Allen Morris III

  [Also noted by Alan Winston <WINSTON@SSRL.SLAC.STANFORD.EDU>.
  But it is certainly easier to get the forms, especially if
  frauds are being coordinated from outside of the U.S.  PGN]


Re: On-line change of postal address (RISKS 19.18)

Evan McLain <emclain@top.net>
Fri, 23 May 1997 02:38:29 -0500
The Postal Service Change-of-Address web page
(http://www.usps.gov/moversnet/coa.html) does NOT allow you to send
change-of-address notices via e-mail.  It merely lets you create a form on
your screen, with the help of an automated address/zip code lookup database,
that you can print out, sign, and snail mail to the Post Office.

Evan


Final version of "Risks of Key Recovery" available

Matt Blaze <mab@research.att.com>
Thu, 29 May 1997 00:03:31 -0400
The final (27 May 1997) version of the report ``The Risks of Key Recovery,
Key Escrow and Trusted Third-Party Encryption'' is now available.  The
report, by Hal Abelson, Ross Anderson, Steve Bellovin, Josh Benaloh, Matt
Blaze, Whit Diffie, John Gilmore, Peter Neumann, Ron Rivest, Jeff Schiller,
and Bruce Schneier examines the technical implications, risks, and costs of
the ``key recovery,'' ``key escrow'' and ``trusted third-party'' encryption
systems being promoted by various governments.  A preliminary version of the
report was released last week [and noted in RISKS-19.17]; the final version
is now available.  The report is available as online as follows:

On the web at:
   http://www.crypto.com/key_study
In PostScript format via ftp:
   ftp://research.att.com/dist/mab/key_study.ps
In plain ASCII text format via ftp:
   ftp://research.att.com/dist/mab/key_study.txt

Please report problems with the web pages to the maintainer