The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 5

Monday 7 April 1997

Contents

o Social Insecurity
Simson L. Garfinkel
o Identity Theft
PGN
o More on the Guyana Telephone Scam
Dewi Daniels
o Woman trapped in tanning bed
Michael Mahr
o Time-change risks and DECnet
Ian Brogden
o Follow-up on Joseph Jett
Rich Mintz
o Re: Elections Canada and the Net
Mark Brader
o Not a forgery!
Vivek Sadananda Pai
o Re: The ghost of the Pentium FDIV bug
Allan Heydon
o Info on RISKS (comp.risks)

Social Insecurity

"Simson L. Garfinkel" <simsong@vineyard.net>
Mon, 7 Apr 1997 09:22:47 -0700
USA Today, 07 Apr 1997 [Reprinted by permission of the author.]

Few key bits of info open Social Security records
By Simson L. Garfinkel

The Social Security Administration, trying to speed service and cut costs by
using the Internet, inadvertently has compromised the financial privacy of
tens of millions of Americans.

Social Security's month-old on-line service is handy for taxpayers looking
for instant access to their financial records. But it also gives nosy
neighbors, ex-spouses, prying relatives and just about anyone else the
ability to view those same files if they have some very basic information.

What could they see? How much someone earned every year, going back to
1951. How much someone will get in Social Security benefits after
retirement. How much their families would get now if they died.

Nearly 28,000 people requested the free information on-line in March at
http://www.ssa.gov.

"As soon as crooks start exploiting this service to get other people's
information, Social Security is going to have a real problem on its hands,"
warns Evan Hendricks, chairman of the U.S. Privacy Council, a Washington
D.C.-based federation of privacy activists.

As use of the Internet expands, its lure of convenience is breaking promises
of privacy. And as on-line exchanges become as accepted as faxes or
automatic teller machines, critics say, the drive to provide new services
will continue to outpace appropriate restraints.

In this instance, people familiar with the new Social Security system
say, there is danger for abuse from many directions: a legal adversary,
an employer seeking to learn about an employee's outside income, an
ex-spouse contemplating adjustments in support.

"I like to see this sort of easy access to your own personal information,"
Hendricks says, "but we need something to discourage the wolves."

Social Security officials don't see a problem.

"We have confidence that in the huge majority of cases, the people
requesting these things are the right people," says John Sabo, the Social
Security Administration's director of the Electronic Services Staff.

Last year, the Social Security Administration mailed some 4 million
financial reports to taxpayers at a cost of $5.23 each, Sabo says.

Delivering the same report over the Internet costs a fraction of a penny.

'Social Security numbers are easy' to get

But it's virtually impossible to know if the on-line version of the
financial reports, called PEBES - Personal Earnings and Benefit Estimate
Statement - is being abused. It's also just about impossible to track down
an abuser.

The key to opening PEBES: a Social Security number, mother's maiden name and
state in which a person was born.

That information is not exactly a state secret.

"Social security numbers are easy" to get, says Beth Givens, manager of the
Privacy Rights Clearinghouse in San Diego.

Information vendors used by banks, credit agencies and private detectives
can deliver a Social Security Number for a small fee. They also frequently
are known by co-workers or spouses. And driver's license numbers in many
states are the same as Social Security numbers.

A mother's maiden name and place of birth can show up in court papers,
marriage licenses or divorce decrees.

"Many states have a vital statistics department. You could get it that
way. These documents are public record," she says.

Mark Welch, an engineer at Netscape Communications in California, makers of
popular Internet software, says he's disturbed to see the information so
readily available.

"I was just thinking of all the ways that people could misuse this
information," Welch says.

"A potential employer could use this to determine my salary history. My
co-workers could use this to determine how much I was making relative to
them. My landlord could use this report to decide if I'm making enough money
to be able to rent an apartment. I could make a decision on whether or not
to sue someone based on how much money I thought they had.

"Private investigators would love this kind of information."

"It would be a tremendous asset to people who know how to obtain this
information," says Paddy Calabrese, owner of Inter-tel Detective Agency in
Seattle.

"If somebody calls me up and says they want to know somebody's income, I
just pop into this thing, I charge them $2,000 and it costs me nothing."

Where are the penalties for snooping?

There are supposed to be penalties for snooping.

A warning appears when someone enters the PEBES website: "I certify that I
am asking for information about my own Social Security record. I
understand that if I deliberately request information under false pretenses,
I may be guilty of a federal crime and could be fined and/or imprisoned."

The warning is nearly identical to banners used on many government agency
websites, permitting those entering wrongly to be prosecuted under the
Computer Security Act.

Prosecutions are exceedingly rare, in part because it is difficult to trace
an on-line user, and there is little deterrent to outweigh great potential
interest. Officials say they have no evidence that anyone has wrongly
accessed a PEBES file.

But they probably wouldn't know. With libraries, schools and even coffee
shops now giving access to the Internet - as well as access available
worldwide - it would be practically impossible to track down a person
illegally requesting files.

Still, not all privacy advocates are disturbed by PEBES.

Marc Rotenberg, director of the Electronic Privacy Information Center, says
the ability of people to easily obtain the information outweighs concerns
about the few who abuse it.  "Promoting first-party access to personal
information is often times as important as . . . restricting access," says
Rotenberg. "By making these systems more transparent, the government gives
individuals greater control over information that has an important impact on
retirement planning.  I'd like to see more agencies set up these services,
though I'd draw a line at tax records and medical information."

Other organizations that hold sensitive financial information on Americans
have decided against putting their files on the Internet - at least for now.

One of the problems in trying to make PEBES more secure is that the current
state of technology and government restrictions on the use of encryption, or
data scrambling, make it difficult to make the information any tougher to
get at.  "Ideally, we would prefer if we could authenticate people through
some sort of digital identity," says Bruce Carter, who runs the website for
the Social Security Administration. "But there just isn't the infrastructure
available for that yet."

SSA says complaints are of too tight security

Here's how a computer user can access PEBES:

An Internet user goes to the Social Security Administration's website,
clicks a button labeled "PEBES," wades through two pages of warnings and
then responds to queries - full name, address, phone number, Social Security
Number, mother's maiden name and state of birth.  After the information is
entered, the user clicks a button on the computer's screen and views the
taxpayer's entire financial history - how much has been paid into Social
Security, how much into Medicare, expected benefits, yearly income.  The
Internet user then can print the information or request that the report be
sent through the mail.

Carter says that while the Social Security Administration has received some
complaints about the privacy of the system, most of the complaints received
have been that the security is too good: roughly 30% of the people who have
attempted to view their reports failed because the information they provided
did not exactly match the spelling stored in government computers.  After
eight failed attempts to view a report, the system locks out the user for 24
hours.

Eight attempts is far too many, says Hendricks of the Privacy Council.  "I
think that this is really a good case of three strikes and you're out," he
says. "When you step back, you see that the Social Security Administration
has not thought through the privacy and security implications of this."

By Simson L. Garfinkel, Special for USA TODAY  http://www.packet.com/garfinkel

  [Lo and behold, someone sent to RISKS a copyrighted Associated Press
  item lifted directly from Simson's USA Today column -- except that
  the AP apparently never bothered to mention the author's name!  Many
  thanks to Simson for springing this column for RISKS readers.  I presume
  its primary *USA Today* copyright status precludes its unrestricted
  redistribution, despite the stated RISKS copyright policy of free reuse.
  This might be an exception to the RISKS policy.  However, if you do want
  to forward this around for other than noncommercial reuse, you might check
  first with SimsonG@vineyard.net.  PGN]


Identity Theft

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 7 Apr 97 17:23:19 PDT

It is not news to long-time RISKS readers, but Identity Theft is here with a
vengeance.  Today's *San Francisco Chronicle* (7 Apr 1997) has a front-page
article by Ramon G. McLeod entitled "New Thieves Prey on Your Very Name;
Identity bandits can wreak credit havoc".

The article includes the case of Kathryn Rambo of San Jose CA.  Her identity
was stolen (perhaps an insider job?), resulting in tens of thousands of
dollars in debt and ruined credit ratings.  The masquerader acquired a
$35,000 sports utility vehicle, a $3,000 loan, several new credit-card
accounts, and a rented apartment -- all in Rambo's name.  Months later, she
is still trying to clear her name.  In this case, a primary suspect and
alleged accomplice have been apprehended -- although that is not the usual
outcome.

In another case, Caryl Fuller's purse was stolen, and the thief opened up
and maxed out three credit cards despite having a face that obviously did
not match Fuller's picture.

McLeod's article also notes a 1996 ring of methamphetamine addicts whose
dumpster diving and mail interception resulted in their stealing at least
$700,000 in cash and credit from San Francisco residents.

The article is an important item for RISKS readers, including tips on how to
protect yourself (and your SSN, credit information, etc); phone numbers for
Equifax (800-685-1111), Experian (800-392-1122; formerly TRW), and Trans
Union (800-851-2674) to check your credit ratings; discussion that Identity
Theft is not illegal in California and that it makes a low-risk high-gain
target.  In general, even if you do everything you can to prevent such
occurrences, it may not be enough.  But clearing your name is perhaps the
hardest part.  The full article is on the Chron's Website
<http://www.sfgate.com>.

  [Needless to say, there are many past cases of Identity Theft in RISKS.
  If you are a new reader, a bunch of them are summarized in RISKS-18.91.]


More on the Guyana Telephone Scam (Re: RISKS-18.90)

Dewi Daniels <dewi@cableol.co.uk>
Sun, 06 Apr 1997 16:24:11 +0100

Thank you all for your overwhelming response to my previous posting about
calls to Guyana that had appeared on my telephone bill. I had not
anticipated such a large number of helpful responses. I have tried to
respond to each of you individually, but I still have a backlog to deal
with, so I apologise if you have not yet heard from me.

CableTel has carried out an investigation, and concluded that our friends
must have made the calls. We utterly refute this allegation. CableTel claim
the telephone number is an "Internet modem" line to a "pornographic web
site" in Guyana, even though the BT international operator still tells me
that the number does not exist.

A number of people pointed out to me that similar instances have been
reported on UK television by BBC1's "Watchdog" and HTV's "The Ferret".  I
have now seen one of the reports by "Watchdog", and have spoken to a
reporter from the "The Ferret". It seems that the problem is very
widespread, given the response that the two programmes have received to
their reports. Since I have expertise in software safety and security, I
feel some responsibility to pursue the matter on behalf of those victims who
do not feel they can take on the telephone companies on equal terms.

We have legal insurance through DAS Legal Insurance Services, and intend to
take our claim to the small claims court. It seems to me that our case is
going to hinge around the ruling in the case of the Halifax Building Society
vs John Munden that "when a case turns on computers or similar equipment
then, as a matter of common justice, the defence must have access to test
and see whether there is anything making the computers fallible". In the
absence of such access, the court would not allow any evidence emanating
from computers.

Your responses indicated an alarming number of ways in which a phone call
could fraudulently be charged to our account, some of which include:

1. "Watchdog" claim that hackers have obtained access to manufacturer and
supervisor passwords used by telephone exchanges. These passwords would
presumably allow them to make telephone calls on any circuit, or alter the
CDRs after the event. I did not attach much credence to this report at the
time, but it seems more plausible now that CableTel claim the call was to a
modem.

2. An insider would presumably have access to such passwords, and might be
able to make fraudulent phone calls with little risk of detection. It would
presumably be very hard to prove that such fraud had taken place.

3. Fraudulent calls could be made by attaching a handset to the distribution
box in the street or the box on the outside wall of our house. CableTel have
examined the boxes, and say they found no evidence of tampering. I don't
know whether this eliminates the possibility of an insider opening the box
with a key.

4. Miswiring of the telephone circuit could cause a handset to be connected
to the wrong telephone line, causing calls to be charged to the wrong
account. CableTel have checked the wiring.

5. Older-style cordless phones were extremely unsecure, and calls could be
made from another handset, whilst the proper handset was removed from the
base station.

6. There has been at least one example of a Trojan Horse being used to
redirect unsuspecting web surfers to a premium rate phone line (the
Moldovan scam). However, whilst the hapless web surfer might be unaware
that he was incurring expensive telephone charges, he most certainly would
be aware that he was connected to a pornographic web site.

Thank you for your help. I will continue to keep you posted on developments.

Dewi Daniels  Guildford, England


Woman trapped in tanning bed

"Michael Mahr" <michael@mailzone.com>
Sat, 5 Apr 1997 21:46:38 -0500

According to a CNN report, a 60-year-old Michigan woman was trapped in her
home tanning bed on 3 Apr 1997.  Fortunately she carried a cordless phone
into the bed so she was able to dial 911 for help.  Police and firefighters
had to dismantle the bed to save her.  Too bad she didn't bring a palmtop
computer with her.  She could have sent e-mails for help or even asked the
"net" for tips on freeing herself.  There might even be a web site just for
this occasion...

Sometimes technologies seem to cancel one another out, and that
may be all we can hope for.

  [3 Apr date disambiguated in archive copy.  PGN]


Time-change risks and DECnet

Ian Brogden <i.brogden@ieee.ca>
Sat, 05 Apr 1997 08:57:22 -0600

Several years ago when working late enough to be at work when the clocks
fell back, I noticed a very strange phenomenon with DECnet. Basically, DECnet
stopped for an hour. To make matters somewhat more confusing, we could still
use the system from our terminals (via LAT), but couldn't copy files or send
data between systems. To further demonstrate the risks of working so late,
it took us just about an hour to figure out what the problem was.
Apparently DECnet uses absolute times to decide when a link has timed out or
an acknowledgement message needs to be sent. When the clocks were set back,
none of these timers were going to go off for another hour.

Ian Brogden
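
A model of the failure described in this post, added here as an illustration (it is not part of the original post and not DECnet code): a timer whose deadline is an absolute wall-clock time stalls when the clock is set back, while the same timer on a monotonic clock does not. `SimClock`, `DeadlineTimer` and the 30-second timeout are assumptions.

```python
"""Model of a protocol timer whose deadline is stored as an absolute wall-clock time.

Constructed illustration: SimClock, DeadlineTimer and the 30-second timeout are
assumptions, not DECnet code or DECnet's real timer values.
"""


class SimClock:
    """Simulated host clock with a wall-clock reading and a monotonic reading."""

    def __init__(self, wall_start=7200.0):
        self.wall = wall_start   # can be reset by an operator or a time change
        self.mono = 0.0          # seconds since start; never goes backwards

    def tick(self, seconds=1.0):
        self.wall += seconds
        self.mono += seconds

    def set_back(self, seconds):
        """Clocks 'fall back': only the wall reading changes."""
        self.wall -= seconds


class DeadlineTimer:
    """Fires once read_time() reaches the deadline computed when it was armed."""

    def __init__(self, read_time, timeout):
        self.read_time = read_time
        self.deadline = read_time() + timeout

    def expired(self):
        return self.read_time() >= self.deadline


def elapsed_until_fire(use_wall_clock, timeout=30.0, fall_back_at=10.0,
                       fall_back_by=3600.0, limit=10_000):
    """Arm a timer, set the wall clock back partway through, and return how many
    real seconds pass before it fires (None if it does not fire within `limit`)."""
    clock = SimClock()
    source = (lambda: clock.wall) if use_wall_clock else (lambda: clock.mono)
    timer = DeadlineTimer(source, timeout)
    for _ in range(limit):
        if timer.expired():
            return clock.mono
        clock.tick(1.0)
        if clock.mono == fall_back_at:
            clock.set_back(fall_back_by)
    return None


if __name__ == "__main__":
    print("wall-clock deadline fires after", elapsed_until_fire(True), "s")
    print("monotonic deadline fires after ", elapsed_until_fire(False), "s")
```

With the defaults, the wall-clock timer is held off for the full hour that the clock was set back, plus its own timeout.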


Follow-up on Joseph Jett (Re: RISKS-16.08,09)

Rich Mintz <mintz@merlin.netresponse.com>
Sun, 6 Apr 97 21:06:27 -0500

The front page of *The New York Times* Business section of Sunday, 6 April
1997, has a long and remarkably detailed feature article (by Saul Hansell,
entitled "A Scoundrel or a Scapegoat") concerning Joseph Jett, the "former
superstar bond trader at Kidder, Peabody & Company" who was fired from the
company and stands accused of having engineered a scheme to create
transactions that yielded phony profits on such a scale that the company's
very survival was threatened.

Note the following: "$17 million of Mr. Jett's $28 million in apparent
profit [in the first 10 months of 1992] was not from legitimate trades but
solely from a glitch in the way its computer system processed the stripping
and reconstituting of bonds."

Jett's "angle" was to make money off the minor price differential between
regular government bonds and what are called "zero coupon bonds," which
(according to the article) are created by taking a regular bond (which
involves a principal payment and, say, 60 semi-annual interest payments) and
"stripping" it into its parts (61 zero-coupon bonds, in this case).  "If
demand is higher for [zero-coupon bonds] than for regular Government bonds,
a trader can buy a bond, then have the [Federal Reserve] strip it and sell
the pieces for more."  Alternatively, if demand is higher for regular bonds,
a trader can buy up the pieces and "reconstitute" them into the original
bond, which sells for more.

But the computer system Jett was using could handle one of these stripping
or reconstituting transactions only as a _pair_ of transactions: a sale (of
the 61 pieces, for instance) and then a purchase (of the reconstituted
bond).

The computer system allowed the sale-purchase transaction to be settled up
to five days in the future, because the postponement of settlement is
meaningful in the case of many ordinary securities transactions.  In this
case, though, it isn't, because zero-coupon bonds by definition (because
they represent the accrual of interest over time) are more valuable tomorrow
than they are today.  When Jett entered a reconstitution into the system,
"the computer would immediately calculate the transaction as being
profitable.  That was an error, and it came about because [the pieces] could
be bought in the open market on that day for less than they were scheduled
to be sold for when the transaction settled -- after interest had a chance
to accrue.  In a reconstitution scheduled to be settled in five days, for
example, the difference between the two prices was equal to five days of
interest.  The next day, the computer would record a profit...equal to only
four days of interest."  By settlement day, the "profit" would have
disappeared.

The question of Jett's guilt (a ruling from the U.S. Securities & Exchange
Commission is pending) is essentially irrelevant to this forum, but the
RISKS aren't; they include:

- When adapting a software system to new uses, assuming those new uses are
exactly analogous to existing uses when in fact they are different in some
aspect which turns out to be material.

- Being too quick to believe what the computer tells you ("it says this is a
profitable transaction, and the computer doesn't lie" -- some of Jett's
associates apparently believe his inexperience might have made him
credulous).

Richard Mintz (mintz@netresponse.com)  Arlington, Virginia USA


Re: Elections Canada and the Net (Kabay, RISKS-18.95)

Mark Brader <msb@sq.com>
Mon, 7 Apr 97 04:04:12 EDT

Mich Kabay writes:

> In the *Globe&Mail*, 27 Mar 1997, p. A6, their Applied Science Reporter
> tells another story of how governments are fearful of uncontrolled human
> communications.

Oh.  It looked to me like another story of how governments were slow to
take account of the fact that the Net is subject to existing laws.

> ... Some background:  Canada, like the US and Russia, is so wide that
> many people in the Western areas must vote after vote-counting has begun in
> Eastern regions.  Election officials have long been concerned about the
> effects of releasing late public-opinion polls and also preliminary
> vote-counts from the East ...

[The Globe article, by Mary Gooderham, says]

> > Officials have decided that the Internet will face the same rules as other
> > news media when it comes to disseminating public opinion polls within 48
> > hours of election day and releasing vote results early on election night.

It is bizarre that they had to decide this now.  As Mich points out himself,

> * The Canada Elections Act forbids premature "publishing" voting results by
> any means.

Publishing means making public.  So the law applies to Usenet or WWW sites
just as much as to print or broadcast media.

> * Professor John Courtney (political science, University of Saskatchewan)
> raised the question of whether the Office would try to forbid electronic
> mail from residents of the east to residents of the west.

But point-to-point communications are not publishing.  Phone calls are not
prohibited, so the law cannot affect e-mail either.  Individuals who want
the information so much that they will "willingly seek it out" themselves
are free to do so.

> I expect this sort of nonsense from authoritarians in the PRC, Burma, and
> so on; it's distressing to see people in Canada uttering such rubbish.

It's distressing to see someone fail to realize that an election where
people in the west can have extra information when they vote is unfair.
(The interesting part is that it's mostly the people in the *west* who
have complained, when rationally they're the ones with the advantage.)

> The fundamental issue is ... whether a government has any business at
> all controlling what information individuals willingly seek out.

The fundamental issue is how to hold an election where all electors are on
an equal footing, in a world where the Sun shines on different places at
different times.

And the weirdest part of this whole exchange is that the election law
WAS CHANGED in December to eliminate a large part of the issue in the
first place, and yet nothing was said about that.  The change to the law
was to adjust the polling hours.  Instead of 9 am to 8 pm local time
in each of six time zones, the polls will be open 12 hours, opening and
closing (am/pm) at:

    Time zone       Local time       Pacific Time
    Newfoundland       8:30             4:00
    Atlantic           8:30             4:30
    Eastern            9:30             6:30
    Central            8:30             6:30
    Mountain           7:30             6:30
    Pacific            7:00             7:00

Since the voters in the two easternmost time zones are numerically few,
and since it takes about half an hour before the vote counts reach
numbers that anything significant can be deduced from, the information
available, by whatever channels, before the polls close in the Pacific
time zone will now be very limited.

Mark Brader, msb@sq.com
SoftQuad Inc., Toronto


Not a forgery!

Vivek Sadananda Pai <vivek@cs.rice.edu>
Mon, 7 Apr 1997 11:27:25 -0500 (CDT)

For about 6 months now, I've been receiving repeated mailings from a student
at a large public university in New York about commercial parties that his
company is promoting. I asked his postmaster to put a stop to it, and after
that failed, I set up a procmail filter.

Soon, he changed domains (but still within the same university in New York),
and I saw the spam again. I asked his new postmaster to look into the
matter, and his frequency of mailing actually _increased_.  I later received
a note from the postmaster telling me that she and her co-workers determined
that one of the notes I forwarded to her had been a forgery. No other
information about how this determination was made was provided.

I replied with the header and a header from a known un-forged note, and I
also showed a clear pattern in the timings of all the mail he'd sent over
the past 6 months (from my procmail log), and I asked how the determination
of forgery had been made. No response. I then personally mailed the user
again immediately after he sent another mailing, and he replied immediately
- indicating that he (a business student) was logged in around the time a
new mailing was sent. I once again sent this to the postmaster and pointed
out that it probably wasn't coincidence. No response. To make a long story
short, I then had a discussion with the user directly again, and got him to
admit that he was still sending me mail. I forwarded this info to the
postmaster, asking once again how they had (clearly incorrectly) determined
that the previous note was a forgery.  No response.

The risks? People who are supposed to be administering systems and acting as
postmasters somehow incorrectly determined that a real letter was a forgery,
even though there was a fair bit of circumstantial evidence to the
contrary. If they couldn't figure out when a relatively clueless
_non-malicious_ user was logged in, what chance do they have of tracking
down a real break-in?

Of course, it's also annoying that they never divulged how they determined
the mailing was a forgery - the user never denied (to me) that he was
sending the mailings, so it seems that they never even bothered asking the
user in question...

-Vivek


Re: The ghost of the Pentium FDIV bug (Solomon, RISKS-19.04)

Allan Heydon <heydon@pa.dec.com>
Mon, 07 Apr 97 16:53:49 -0700

> I pressed the recalculate key (F9) to no avail.

This behavior is easily explained.  The "recalculate" key behaves
incrementally: it causes only those cells that depend on at least one cell
that has been invalidated since the last update to be recomputed.  The cell
in question depends on no other cells, so unless its contents are edited, it
will never be recalculated.  That explains why "retyp[ing] the formulas over
the originals" corrected the problem.

Perhaps not unreasonably, the authors of Excel assumed that the same cell
contents would always produce the same results.  In cases where this
assumption proves wrong, a variant of the recalculate function that
recalculates *all* cells would be useful.

Allan Heydon (heydon@pa.dec.com)
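
The recalculation behaviour described in this post, as an added sketch (not part of the original post and not Excel's implementation): a toy sheet that recomputes only invalidated cells keeps a stale result after the arithmetic underneath it changes, until the formula is retyped or every cell is recalculated. `Sheet`, `Divider`, the cell contents and the size of the division error are assumptions.

```python
"""Incremental versus full recalculation in a toy spreadsheet.

Constructed illustration: Sheet, Divider and the cell contents are assumptions,
not Excel's implementation. Divider stands in for arithmetic hardware whose
answer for the same inputs changes once a faulty part is replaced.
"""


class Divider:
    def __init__(self, faulty):
        self.faulty = faulty

    def divide(self, a, b):
        q = a / b
        return q * (1 - 1e-5) if self.faulty else q   # made-up error size


class Sheet:
    def __init__(self):
        self.formulas = {}   # cell -> (function of cached values, input cells)
        self.values = {}     # cached results, as displayed
        self.dirty = set()   # cells invalidated since the last recalculation

    def enter(self, cell, func, inputs=()):
        """Typing a formula invalidates the cell and everything that reads it."""
        self.formulas[cell] = (func, tuple(inputs))
        self._invalidate(cell)

    def _invalidate(self, cell):
        if cell in self.dirty:
            return
        self.dirty.add(cell)
        for other, (_, inputs) in self.formulas.items():
            if cell in inputs:
                self._invalidate(other)

    def _run(self, todo):
        done = []

        def compute(cell):
            if cell in done or cell not in todo:
                return
            func, inputs = self.formulas[cell]
            for dep in inputs:       # inputs first, so dependents see fresh values
                compute(dep)
            self.values[cell] = func(self.values)
            done.append(cell)

        for cell in sorted(todo):
            compute(cell)
        self.dirty -= set(done)
        return done

    def recalc(self):
        """Incremental recalculation: only invalidated cells are recomputed."""
        return self._run(set(self.dirty))

    def recalc_all(self):
        """Full recalculation: every formula is re-evaluated, dirty or not."""
        return self._run(set(self.formulas))


def demo(use_full_recalc):
    hw = {"div": Divider(faulty=True)}
    a1 = lambda v: hw["div"].divide(10.0, 4.0)   # depends on no other cell
    sheet = Sheet()
    sheet.enter("A1", a1)
    sheet.enter("B1", lambda v: v["A1"] * 2, inputs=("A1",))
    first = sheet.recalc()                # both cells computed on faulty hardware

    hw["div"] = Divider(faulty=False)     # hardware replaced, sheet untouched
    after_swap = sheet.recalc()           # nothing is dirty, nothing recomputed
    stale = sheet.values["A1"]

    if use_full_recalc:
        fixed = sheet.recalc_all()
    else:
        sheet.enter("A1", a1)             # retype the same formula over the original
        fixed = sheet.recalc()
    return first, after_swap, stale, fixed, dict(sheet.values)


if __name__ == "__main__":
    print(demo(use_full_recalc=False))
```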
