The RISKS Digest
Volume 19 Issue 20

Saturday, 31st May 1997

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Spam and yeggs? Brake fast, or be devoured!
PGN
KGB infiltrates MI5 on the hotline
Mich Kabay
Privacy and car navigational systems
DonNorman
Prison guards leak sensitive computer data
David Kennedy
Runaway train-ticket vending machine
Tim Pietzcker
Lost Pond: Jurassic Duck
Mich Kabay
Risks of caring for an electronic pet
Mich Kabay
Florida "Computer Gang" Members Arrested
David Kennedy
Grappling with the risks of ATMs and heavy machinery
John Oram
Re: How Secure Is AT&T's WorldNet Security?
Steve Bellovin
Microsoft and Privacy
"cooler" via Mich Kabay
Re: Computer fraud in subscribing to telephone service?
Geoff Kuenning
Re: Postal Service change of address
Lauren Weinstein
Re: General relativity vs special relativity
Frederick G.M. Roeber
Call for Papers — IFIP WG 11.3 Working Conf on Database Security
Sushil Jajodia
Info on RISKS (comp.risks)

Spam and yeggs? Brake fast, or be devoured!

"Peter G. Neumann" <neumann@chiron.csl.sri.com>
Sat, 31 May 1997 13:20:13 -0700
In ordinary usage, a yegg is a safecracker or robber.  Electronic
equivalents of yeggs are using the Internet and its service providers for
undesired spams.  Some are also victimizing people as well — through scams,
but sometimes with major inconveniences.  Here is an example of the latter,
exploiting the trick of faking the FROM: address to avoid counterspams and
threats.

Tracy LeQuey Parker was apparently victimized by C.N. Enterprises (Craig
Nowak) in San Diego.  C.N. used her FROM: address and her ISP (Zilker
Internet Park) to send out a massive e-mail promotion.  The message offered
information about free cash grants for college students for $19.95.  The
clinker is that she and her ISP received all the hard bounces (due to the
address list containing lots of invalid addresses) and temporary bounces
(due to system or network unavailability).  (This happens to me every time I
send out an issue of RISKS; I once had over 400 bounces in a day!  But
that's small potatoes compared with what happened to Parker and Zilker.)  In
response, a lawsuit has been filed against C.N. by Parker, Zilker, the Texas
Internet Service Providers' Association, and the Austin TX chapter of the
Electronic Frontier Foundation.  [Source: Associated Press item in the *Palo
Alto Daily News*, 30 May 1997.]  We hope they bring home the bacon.


KGB infiltrates MI5 on the hotline

"Mich Kabay [NCSA]" <Mich_Kabay@compuserve.com>
Thu, 29 May 1997 22:00:16 -0400
> KGB infiltrates MI5 on the hotline (Reuters World Report, 25 May 1997)
> From Executive News Service via CompuServe ("Odds and Ends")

> LONDON - Would-be James Bonds bidding to join Britain's secret service got
> a shock when they phoned the job application line — Russia's KGB said it
> had taken over.

Key points:

* After MI5 placed ads for recruits in Britain, 20,000 hopeful security
  agents called in only to hear a bizarre message on the answering machine:
  "Hello my name is Colonel Blotch.  I am calling on behalf of the KGB. We
  have taken over MI5 because they are not secret any more and they are a
  very [useless] organisation."

* MI5 investigating how the taped message was altered.

[MK comment: of course, with two-digit "security" codes on many answering
machines allowing full control of the devices, tampering is no mystery.]

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA) http://www.ncsa.com


Privacy and car navigational systems

Don Norman <dnorman@ucsd.edu>
Sat, 31 May 1997 13:08:18 -0700
Here is yet another inadvertent invasion of privacy, another inadvertent
trail of activities:

I rented a car from Hertz and requested their in-car navigational system. I
ended up in a Ford Taurus with the Hertz "NeverLost" system, made by
Rockwell.  Among its features is a history list of previously selected
destinations.  This is a useful feature, especially as during the several
days of my trip, I had to return to previous locations. Note that the system
allows you to specify destinations by street address or by name of business
or scenic attraction. So my list included the street addresses of the house
at which I stayed and the people with whom I visited, the names of the
restaurants, the airport and the Hewlett-Packard group that I traveled to --
all of which were easy to select from the system's index.

Of course, the history list also had the locations of all the places the
previous renters of the car had visited. Interesting; I even tried to figure
out what sort of people they were from the places they had visited.

Yes, you can delete items from the history list, but only one item at a
time. Moreover, this feature wasn't immediately obvious to me. I had to
seek it out and then I had to experiment a bit to figure out how to use it.
It's well designed and simple to use - just not immediately obvious.

Did I delete the information about my travels? Well, um, I meant to, but --
well, you know how it is. I meant to do it, but on the day of departure, I
woke up early in the morning, rushed to the car, set the navigational system
to the airport, and took off. I rushed through the traffic, rushed to the
check-in lane, rushed to the airport terminal, rushed aboard the airplane,
and then sat back and relaxed. Only then do I think "damn, I forgot to erase
my history list." I suspect that other travelers will have similar
experiences.

What do I recommend? I have no brilliant suggestions. The history list is a
valuable feature. The designers did put in a selective erasure feature that
is pretty easy to use. Problem is, it was designed for the owner of the car,
not for the rental car situation. The best I can recommend is that the
system have a "forget all" function that the rental car maintenance people
are trained to engage during the car servicing between rentals. Not a great
solution, and one prone to errors of omission.

Do I care? Normally I would say no. I think we are overdoing many of the
privacy concerns. Why would I care that the next driver of the car could see
where I had gone?. Well, it actually didn't take much thought to think of
some reasons why I would care. A competing company might find out about my
hot new, yet-still-secret product by noting which companies I had
visited. Moreover, I have been told by a very reliable source that senior
computer company executives are targeted by an international crime ring with
standard prices for stealing their personal computers or briefcases (no, I
am not making this up). My boss was told that he is on the list, and was
even told how much his PC was worth. Am I on the list? I certainly could
be. And the navigational system has the address of the house at which I
stayed - and where I will stay again.

In many ways, this example is less serious than the trail we already leave
with our cell phones and credit cards, but it differs in that ordinary
citizens can get to it. In any event, it's useful to compile a complete
list. So, add this item to your list of RISKS.

Don Norman, Hewlett-Packard Laboratories
dnorman@ucsd.edu     http://cogsci.ucsd.edu/~norman


Prison guards leak sensitive computer data

David Kennedy <76702.3557@compuserve.com>
Fri, 30 May 1997 03:45:14 -0400
Courtesy of Reuters News via CompuServe's Executive News Service:

> Federal agents arrest 11 New York prison guards
> NEW YORK (Reuter, 22 May 1997) - Federal investigators Thursday arrested
> 11 guards assigned to the Metropolitan Detention Center in Brooklyn on
> charges of smuggling and supporting jailed mobsters, according to grand
> jury indictments.  They were charged with smuggling drugs, liquor, food
> and other supplies into the jail and helping prisoners from the mob
> conduct meetings and search computer files for potential witnesses. The
> prisoners were also warned about searches.

:: One guard, Anthony Martinez demanded US$800/wk for favors that included
"the names of informants in their cases after checking through prison
computers."

:: Max penalty--15 years and US$250K fines.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.


Runaway train-ticket vending machine

Tim Pietzcker <pietzcke@ruf.uni-freiburg.de>
Sat, 31 May 1997 12:49:32 +0200 (MET DST)
An interesting incident was reported in our local newspaper recently: A
young man wanted to buy a train ticket from Freiburg to Herbolzheim, a trip
of about 30 miles. Since tickets for short journeys like this cannot be
bought at the regular ticket stands but have to be purchased from a
computerized ticket vending machine, he tried to do so. The machine took
his money (about $10) and gave him a ticket that had several flaws:

 - no destination was printed on the ticket
 - the expiry date for the ticket was Dec 31st, 1969 (!)

The young man went to the ticket office to complain. However, the officials
claimed that he had forged the ticket (since the computer never makes
mistakes) and refused to give him a refund. He tried to make clear to them
that nobody would ever forge a ticket in such a stupid way, but to no
avail. He gave up and tried to board the train anyway, but they would not
let him and threatened to impose an extra fine upon him for travelling
without a ticket. Since the young man's clothes were of a somewhat unclean
appearance, he suspected that this explained a good deal of the officials'
unfriendliness, a suspicion that was confirmed the next day when he returned
in a suit and met the officials in a much friendlier attitude.

This story was reported in our newspaper. A few days later, several officials
of other train stations wrote to the newspaper that they knew about this
problem and had already reported it to their superiors.

It's the same risks again: Computers are never wrong, and if they are, the
errors are not reported to other users. Also, you can expect to be
discriminated against when improperly dressed.

Tim Pietzcker, University of Freiburg


Lost Pond: Jurassic Duck

"Mich Kabay [NCSA]" <Mich_Kabay@compuserve.com>
Wed, 28 May 1997 20:21:10 -0400
The news wires (via PointCast News on the Industries channel) report another
Web site hacked:

> Hackers leave print on ``Lost World'' (Reuter, 28 May 1997)

The opening page for the Web site for the film ``The Lost World: Jurassic
Park'' wasn't all it was quacked up to be after hackers got through with it
Tuesday.  In place of the film's trademark dinosaur logo was a profile of a
prehistoric-looking duck, accompanied by the title ``The Lost Pond: Jurassic
Duck.''  The report makes the following key points:

* Signed "hackers."
* Alan Sutton, Universal Studios vice president for distribution and
  marketing, said he thought prank was amusing and done in a spirit of fun.
* Universal plan to improve their security.

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA) http://www.ncsa.com


Risks of caring for an electronic pet

"Mich Kabay [NCSA]" <Mich_Kabay@compuserve.com>
Thu, 29 May 1997 22:00:27 -0400
Via Executive News Service on CompuServe:

> CYBER PET `DEATHS' MAY LEAVE OWNERS NEEDING COUNSELLING
> PA News May 22, 1997 16:03:00

> Heartbroken Tamagotchi computer pet owners may need bereavement
> counselling to help them get over the "virtual" deaths of the little
> gizmos, experts said today.  ...  The egg-shaped "pets", which have an
> interactive screen, were invented for children not allowed real animals.
> Owners press buttons to feed, stroke and exercise the computer toys,
> which beep if they become "ill" - and "die" if neglected.

According to the article,

* Dr Daniel DeSouza, of Toronto, Canada says the children may grieve over
  the "death" of these "pets."

* He has set up a support group on the Internet to help bereaved owners.

* Dr Sidney Crown of the Royal London Hospital said that "lonely children
  are most at risk."

* At Nottingham Trent University, Dr Mark Griffiths, an expert in
  addiction to computer games, supported these concerns.

[MK comment: This is no different, as far as I can see, from weeping over
the death of creatures existing only in books and in our imagination:
certainly I wept when Gandalf "died" in _The Lord of the Rings_ when I was a
kid.  Oops, excuse me, but now I have to go feed my pet electrons.]

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA) http://www.ncsa.com


Florida "Computer Gang" Members Arrested

David Kennedy <76702.3557@compuserve.com>
Fri, 30 May 1997 03:45:10 -0400
Courtesy of United Press International via CompuServe's Executive News Service:

> Florida computer gang members arrested

> LECANTO, Fla., 22 May 1997 (UPI) — Florida authorities have arrested two
> alleged leaders of a so-called computer "gang" they say set up a Web site
> that accused a teacher of having a homosexual affair with a student.  The
> Web site displayed a photograph of the student's prom picture with the
> teacher's head superimposed onto the head of the boy's female date.

:: Two 19 year olds were charged with "publication of material that exposes
a person to hatred, contempt or ridicule."  Because they worked together,
anti-gang laws apply upgrading the charges from misdemeanors to felonies.

:: The victim-teacher has been the target of harassment before, another
former student was sentenced to 6 months' probation last December.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.


Grappling with the risks of ATMs and heavy machinery

John Oram <*benz@havkt.hop.pn>
Fri, 30 May 1997 01:32:28 -0700
Well, it looks as if the wily criminals of rural British Columbia have
taken to the spirit of crimes reported in RISKS, specifically trying to
steal the hardware itself (a la CalTrans and the various DMV break-ins.)

Using a "grapple-loader" (imagine a bulldozer with a big, well, grapple in
the front), the criminals broke through the wall of the shopping centre and
tried to lift the ATM into a pick-up truck.  However, they dropped it, ran
and abandoned the grapple-loader.  (Bobbling the grapple loader is boggling
given there aren't googols of them around - pretty easy to trace I would
think.)

No word if they planned to set it up in a mall and steal PINs...

John Oram  benz@havkt.hop.pn (* rot13 to unscramble e-mail address)


Re: How Secure Is AT&T's WorldNet Security? (RISKS-19.19)

Steve Bellovin <smb@research.att.com>
Thu, 29 May 1997 23:04:22 -0400
The story about an eavesdropping incident on AT&T Worldnet is incorrect.  In
fact, a later story by the same author says as much (see
http://www.pcworld.com/news/daily/data/0597/970523154723.html).  But there
are some lessons to be learned from what happened.

The original report noted that certain Web pages do not use
encryption.  We were already aware of this, and the upgrade was in
progress even before this incident.  But the report also claimed
that as a result of the lack of encryption, a customer was able to
observe other accounts and passwords going by.  This struck us as
more than slightly odd, since the user was coming in from a dial-up
modem...

I won't bother enumerating all the possibilities we considered and
investigated.  The ultimate answer was that there was no eavesdropping going
on; rather, a network administrator had extracted accounts and passwords for
a number of users from a LAN-based file server, and fed these into a
simulated network monitor program.  And how did these passwords get there?
Well, various people used a shared facility — that is, a network of PCs --
as their platform for connecting to AT&T Worldnet.  This exposed their
passwords to anyone with suitable access to the file server — which is what
happened.

What can we learn from this?  The first point, of course, is that the system
administrator wins — always.  Nothing short of token-based encryption is
even a plausible defense against someone who can read any file, and plant
programs to monitor keystrokes.  (That latter didn't happen here, to my
knowledge.)  A corollary is that you can't meaningfully encrypt such files,
if the enemy is a knowledgeable administrator.  If the key is stored in your
programs, it can be extracted; the same skills that are used to defeat copy
protection will suffice.  At most, such encryption is a minor hurdle; more
likely, it's security through obscurity, giving the same grade of protection
as the lock on a bathroom door.  Could the user supply the key?  Part of the
answer is "no, see above about keystroke monitors".  But there's a more
fundamental issue, one that goes to the heart of the real problem.

When we deploy computer systems, we engineer them.  That is, we choose among
many possible designs, to balance needs against costs.  There is no such
thing as absolute security, of course; more importantly, there is a price to
any security system, and it makes no sense to spend more on security than it
can save you.  We're dealing here with a mass market product.  J. Random
Customer *will*, with a fairly high probability, forget his or her password.
The cost of an unrecoverable account is quite high — we probably lose the
customer.  But it has to be taken a step further — it's important to
minimize the number of calls to Customer Care.  (Customer Care is expensive
in the mass market world.  There are a fair number of software packages
around for which the vendor loses money on any copy that generates even a
single call.)

This, then, is the bottom line.  The engineers who made certain security
choices — storing account information in the clear — saved a moderate
amount of money, traded against a small diminution in security.  The
customers who used a shared facility to store these account information
files (unknowingly) trusted someone else.  The overall complexity of the
total system — the AT&T Worldnet end, the user software, the end users, and
their environment, including an untrustworthy administrator — led to some
accounts being compromised.  And the one simple palliative cited --
encryption of certain network sessions — would have done nothing to protect
anyone.

Steve Bellovin


Microsoft and Privacy

"Mich Kabay [NCSA]" <Mich_Kabay@compuserve.com>
Thu, 29 May 1997 12:04:45 -0400
>From Computer Privacy Digest Wed, 28 May 97, Volume 10 : Issue: 026
Date: 27 May 1997 14:45:37 -0600
>From: cooler <cooler@teleport.com>
Subject: Microsoft and Privacy

Yesterday I became aware of an online privacy issue involving Microsoft, and
I hope to bring an awareness of this issue to anyone who can take that
awareness further.

The issue is this: Microsoft has begun to set up a series of "Sidewalk"
sites, ostensibly to provide local information for various cities.  One
example is at http://www.newyork.sidewalk.com/ .  If you visit that site,
you can see a link (toward the right) to "Terms and Conditions".  The link
is to a page explaining the "Terms of Use" of the Sidewalk site.  This is
rather unusual; I don't know any other site that has "Terms of Use".
Reading through six paragraphs of fine print you will see that they are
asserting that your usage of their site entitles them to sell your e-mail
address together with any demographic data they might gather about you.

I believe there is a serious online privacy issue because:
 1) Few visitors will be aware that they have implicitly consented to
    allow the sale of their personal data.
 2) Providing local information about cities increases the chance that
    your personal data will be tied to geodemographic data.
 3) Microsoft also makes a browser.  We have no way to know that they can't
    grab your e-mail address with it.  Indeed, their new browser integrates
    seamlessly with the information on your desktop, so the potential is
    there for them to grab much more data.

While the selling of personal data is nothing new, I believe that
Microsoft has an unusual advantage here.  Their willingness to gather
and sell this data, together with the intimacy of their browser,
presents a new and possibly dangerous threat to personal privacy.

 - - - - - - - - - - - -

MICROSOFT:

SIDEWALK WEB SITE TERMS, CONDITIONS, AND NOTICES
  [omitted by "cooler" and RISKS-19.20,
  but added to the archive copy by request.  PGN]

Locator information" consists of a user's name, e-mail address, physical
address and/or other data about the user that enables the recipient to
personally identify the user. Any user who does not wish to receive any
special offers or communications from Microsoft on behalf of suppliers, or
directly from Microsoft or its affiliates, may so notify Microsoft at the
listed below under SERVICE CONTACT. (Note that a user's election not to
receive such information will not affect the user's receipt of offers and
communications that were processed prior to the user's election.) Locator
information and individual information will be processed and stored by
Microsoft in the United States and, if the user does not live in the United
States, possibly in the country of residence. Users may contact Microsoft
to determine whether such information has been accurately recorded and, if
not, to request correction of any inaccuracies in the information recorded
by Microsoft.

USE OF INFORMATION

The name, address and payment information (if applicable) that the user
provides via this Web site, together with information regarding the manner
in which the user uses this Web site, will not be processed or disclosed by
Microsoft except as permitted by these terms and conditions. By being a user
of this Web site, the user agrees that Microsoft may share with other
parties both aggregate information, individual information and locator
information gathered by Microsoft in the course of the user's continuing
individual use of this Web site.  "Aggregate information" is information
that describes the habits, usage patterns and/or demographics of users as a
group but does not describe or reveal the identity of any particular user.
"Individual information" is information about a user that is presented in a
form distinguishable from information relating to other users but not in a
form that personally identifies any user or enables the recipient to
communicate directly with any user. "Locator information" consist accurately
recorded and, if not, to request correction of any inaccuracies in the
information recorded by Microsoft.

INDEMNITY

As a condition of use of this Web site, you, the end user, agree to
indemnify Microsoft and its suppliers from and against any and all
liabilities, expenses (including attorneys' fees) and damages arising out of
claims resulting from your use of this Web site, including without
limitation any claims alleging facts that if true would constitute a breach
by you of these terms and conditions.  [...]


Re: Computer fraud in subscribing to telephone service? (RISKS-19.19)

Geoff Kuenning <geoff@Ficus.CS.UCLA.EDU>
Thu, 29 May 1997 15:16:00 -0700
Thomas Brazil tells of receiving "automated" phone calls consisting of 10
seconds of hum, followed by a hangup.  He accuses BellSouth of generating
these calls in an attempt to get subscribers to sign up for automated call
return, an accusation supported by no evidence except the coincidence of
*one* of these calls with a telemarketing call from BellSouth.

It seems to me that if this were the case, it would be a very short time
before somebody used call return, CNID, or a call tracing facility to
identify the perpetrator as BellSouth, and the FCC would have a dandy time
punishing them.  It is far more likely that the calls, if truly automated,
are purely accidental.  Suppressing them may be a pain, but I doubt a
nefarious purpose.

The only RISK I see here is that as the RISKS list becomes more widespread,
our moderator is less and less able to filter out unsupported and illogical
claims from the overly paranoid.

Geoff Kuenning  geoff@fmg.cs.ucla.edu  http://fmg-www.cs.ucla.edu/geoff/

  [But maybe I let a few through just to see who is paying attention?  PGN]


Re: Postal Service change of address

Lauren Weinstein <lauren@vortex.com>
Thu, 29 May 97 15:01:21 PDT
As others have pointed out, the web page in question only creates a form for
you to print and mail.  USPS especially likes this since it results in a
form without a very common risk--the usual illegible handwriting.

But there still are a variety of privacy-related concerns surrounding change
of addresses, and these issues were the subject of my PRIVACY Forum Radio
interview with Mike Selnick of USPS Washington, D.C. headquarters late last
year.

> I wonder if it's possible to instruct one's post office not to accept any
> change of address except in person?

This point was also covered in that interview.  The answer at the current
time appears to be no.

The full interview is available online for playback through the PRIVACY
Forum; it runs about thirty minutes.  It can be accessed through the PRIVACY
Forum/PRIVACY Forum Radio links via:
  http://www.vortex.com
--Lauren-- Moderator, PRIVACY Forum  www.vortex.com


Re: General relativity vs special relativity (Schweda, RISKS-19.19)

"Frederick G.M. Roeber" <roeber@netscape.com>
Thu, 29 May 1997 18:09:29 -0700
> Special relativity says there's no difference.  General Relativity
> says there _is_ a difference.

The non-meaningfulness is actually due to the fact that simultaneity is not
well-defined for spacelike-separated events.

If two events have a spacelike separation — basically, if they happen
"close enough in time / far apart enough in space" such that there isn't
time for a photon to go from one to the other — then various observers may
see the events happen in different orders.

This isn't an illusion: take everything into account, including the speed of
light, clock differences, etc., and different observers can still see this
difference.

Causality is still preserved because neither event can possibly affect the
other.  But it does mean that simultaneity is a somewhat fuzzy concept:
"this exact moment, somewhere else" can actually correspond to a range of
times at that other location.

This is why it's not meaningful to compare two clocks a few
(light-)milliseconds apart to within a microsecond.

Frederick G.M. Roeber, Physicist in Residence, Netscape


Call for Papers — IFIP WG 11.3 Working Conf on Database Security

Sushil Jajodia <jajodia@isse.gmu.edu>
Wed, 28 May 1997 12:04:52 -0400 (EDT)
Twelfth Annual IFIP WG 11.3 Working Conference on Database Security
Porto Carras Complex, Chalkidiki, Greece
15-17 July, 1998

["Conference" limited to 40 people.  Consequently, CFP truncated for
RISKS. PGN]

More information about the conference and about IFIP WG 11.3 can be
found at URL: http://www.cs.rpi.edu/ifip/

Please report problems with the web pages to the maintainer

x
Top