The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 77

Saturday 29 January 2000

Contents

o Report on identity theft
Mich Kabay
o Japanese Government Websites hacked
Ole J. Jacobsen
o Japanese department-store credit-card fraud
Chiaki Ishikawa
o Superbowl XXXIV Web-filtered: adult porn?
John Wharton
o Porn spammers getting cute
Jim Griffith
o Lessons of Y2K
Toby Gottfried
o Parisian programmer makes his own smartcard
NewsScan
o DVD lawyers make "trade secret" public
Declan McCullagh
o French spies listen in to British business phone calls
Declan McCullagh
o DoE password policy comic relief?
Mike Williams
o Re: U.S. removes most restrictions on encryption software
Kevin Mitchell
o Simson Garfinkel's *Database Nation*
Peter G. Neumann
o REVIEW: "Hackers: Crime in the Digital Sublime", Paul A. Taylor
Rob Slade
o REVIEW: "Implementing IPsec", Elizabeth Kaufman/Andrew Newman
Rob Slade
o Info on RISKS (comp.risks)

Report on identity theft

Mich Kabay <mkabay@compuserve.com>
Wed, 26 Jan 2000 09:27:21 -0500
Caitlin Liu of the *Los Angeles Times* published a thorough report on
identity theft on 16 Jan 2000 (front page).  In one case, 22-year-old San
Diego college student Jessica Smith had her car stolen with her handbag
inside.  Although the car and bag were recovered, someone stole her
identity.  She nearly got fired from her new job when a background check
showed that "she" had outstanding warrants for prostitution.  She was unable
to obtain credit, phone service or even to rent an apartment.  With the help
of a sympathetic police investigator, Smith was able to prove her innocence
of the charges, a reversal of the usual burden under criminal law, where
usually the state has to prove guilt.  She obtained judicial documents
explaining that her identity had been stolen; nevertheless, she has been
hauled into police stations to be fingerprinted to prove that she is indeed
the person authorized to carry those documents.

Image Data LLC, an identity-fraud prevention service based in Nashua, NH,
commissioned a study in September 1999 that suggested that one out of five
Americans or a member of their family have been victimized by identity
fraud.  [Readers should always be wary of statistics that report how many
"members of your family" or "people you know" have particular
characteristics: it is possible that a single person can be reported by
multiple people.  The over-counting bias increases as a function of sample
size and of social relationships among the sample population.]


Japanese Government Websites hacked

"Ole J. Jacobsen" <ole@cisco.com>
Wed, 26 Jan 2000 07:14:39 -0800 (PST)
Japan called an emergency meeting Wednesday to boost computer security after
humiliating raids on government Websites by hackers, who linked one to a
pornographic site and attacked Japan's war record on another.  The
announcement came amid revelations that the site at the Science and
Technology Agency had been penetrated twice in two days, and that key data
on another site, including census information, had been erased.

  [Source: http://dailynews.yahoo.com/h/nm/20000126/wr/japan_hackers_4.html,
  Japan Calls Emergency Meeting As Hackers Hit Again, By Elaine Lies,
  Reuters, 26 Jan 2000; via Dave Farber's IP list]


Japanese department-store credit-card fraud

Chiaki Ishikawa <Chiaki.Ishikawa@personal-media.co.jp>
Wed, 26 Jan 2000 21:08:13 +0900 (JST)
It is widely reported in the Japanese media that the credit cards issued by
a large department store chain, Takashimaya, were the target of fraud.

It seems that some of these cards were duplicated by a third party and
innocent owners were charged for shopping they never did on their own, etc.
The incidents of such misuse have multiplied since last October and the
Takashimaya store finally decided to issue a whole new set of credit
cards, about 0.3 million cards in total.  They were mailed to the card
owners this month and they are supposed to move over to the new cards by
the end of this month.

The articles I read mention that some dubious figures were spotted last year
who were seemingly looking at the cards held by customers waiting in line
at the cashier, or at cards laid face up while the store clerk was doing the
necessary paperwork for the purchase, etc.  A very typical case of
shoulder-surfing.  However, the spotted figures obviously didn't have a good
memory and were seen hitting their hand-held telephone keypads or
similar devices!

BTW, it always amazes me that Japan is just a few years behind the USA in
terms of these frauds and abuses in the credit-card/e-commerce business,
and not many people in Japan seem to be paying attention to what goes on in
the USA.  I was quite taken aback to read that the people (store clerks
presumably?) spotted such dubious figures and did nothing at all.  The
newspaper articles quoted the store management as saying that just looking at
other people's cards is not a just cause for arrest or anything
drastic.  Surely.

(This lax attitude is quite different from a case where someone at the
department store checkout counter was passing the customer's credit card
through another reader.  One customer asked the clerk questions, was not
satisfied with the answers, fetched the store security person and put
the clerk into the custody of the police or whoever on the spot.  This was
reported earlier in RISKS if I am not mistaken.  Surely, in that case, the
clerk was operating as a bad guy, but that the store management didn't do a
thing about this case in Japan until this month (issuing new cards) is a
little bit disappointing.  Japanese consumer laws are not well developed and
I am afraid that some of the customers whose cards were misused had to
negotiate the damage recovery with the department store.  There is no
50-dollar limit like that in Japan, if I recall correctly!  This hurts.)

After reading the articles and looking at the new design of the cards, it
occurred to me that the card issuers might well consider making the numbers
DIFFICULT TO READ by means of an ungainly color combination (or no color at
all on a patterned background, etc.).  After all, the card reader reads the
numbers from the magnetic stripe, and the legitimate card owners can read the
numbers at leisure if they want to make mail-order purchases, etc.  This
would make the reading difficult for the shoulder-surfing artists.

In the articles, it was also noted that the credit cards issued by the same
organization tend to have similar strings of digits (near the
beginning?) and thus are easy to copy by the shoulder surfers.  This could
again possibly be made more difficult by truly randomizing the issued numbers
using MD5 or whatever, at the cost of administration.

Just a thought.

Chiaki Ishikawa, Shinagawa, Tokyo, Japan 142-0051
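
An added illustration of the randomized-numbering suggestion in the post
above, written for this page and not part of Chiaki Ishikawa's post or of any
Takashimaya scheme: a sequential issuance scheme is placed next to one that
draws the account portion from the operating system's CSPRNG (Python's
secrets module) and appends the standard Luhn check digit used on payment
cards.  The 16-digit layout with a fixed 6-digit issuer prefix follows the
usual card format; the prefix "123456" is a made-up value, not a real issuer
number.  The assumption is that the issuer prefix must stay fixed (it
identifies the issuer), so only the account digits can be randomized.

```python
import secrets

# Constructed issuer prefix for the example; real issuer identification
# numbers are assigned by the card networks, and this one is not one of them.
IIN = "123456"
PAN_LENGTH = 16


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a string of digits (the check digit
    becomes the rightmost digit of the full card number)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit of pan is the Luhn check digit of the rest."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def sequential_pan(counter: int) -> str:
    """The predictable scheme: the account portion is a running counter."""
    width = PAN_LENGTH - len(IIN) - 1
    body = IIN + str(counter).zfill(width)
    return body + luhn_check_digit(body)


def random_pan(issued: set) -> str:
    """Account portion drawn from the OS CSPRNG.  `issued` is the set of
    numbers already given out (an in-memory stand-in for the issuer's
    database); a collision is detected and the draw repeated."""
    width = PAN_LENGTH - len(IIN) - 1
    while True:
        account = "".join(secrets.choice("0123456789") for _ in range(width))
        body = IIN + account
        pan = body + luhn_check_digit(body)
        if pan not in issued:
            issued.add(pan)
            return pan


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading digits two card numbers have in common: what a
    shoulder surfer who glimpsed one number already knows about the other."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    print("sequential:", sequential_pan(1), sequential_pan(2))
    issued = set()
    print("random:    ", random_pan(issued), random_pan(issued))
```

Run stand-alone, the two sequential numbers agree in their first 14 of 16
digits, so one glimpsed number predicts almost all of the next, whereas the
two random numbers share only the issuer prefix.  A deployment needs a
persistent issued-number store in place of the in-memory set, and the
check digit still lets a clerk's terminal reject a mistyped number.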


Superbowl XXXIV Web-filtered: adult porn?

John Wharton <jwharton@netcom.com>
Wed, 26 Jan 2000 14:22:56 -0800 (PST)
Just heard a report on CBS network radio that net-savvy football fans around
the country are being stymied in their efforts to learn about this Sunday's
Superbowl.  Seems the Web-filtering software installed on browsers, e.g., in
certain public libraries, spots the "XXX" in "Superbowl XXXIV" and interprets
this to mean it's an adult porn site.  John Wharton
  [via Dave Farber's IP list]


Porn spammers getting cute

Jim Griffith <griffith@netcom.com>
Tue, 25 Jan 2000 21:06:11 -0800 (PST)
I just got nailed by a porn spammer getting clever.  The spammer in question
sent me e-mail stating that I'd been sent a cyberspace greeting at
www.hypergreeting.com (a legitimate e-card site).  However, while the text
description of the link says "www.hypergreeting.com", the actual link behind
the text led to a hardcore site.  I'm just glad I didn't decide to check it
out at work.

  [We've had several cases like this in RISKS.  PGN]


Lessons of Y2K

"Toby Gottfried" <toby6700@earthlink.net>
Sun, 23 Jan 2000 20:26:49 -0800
Amidst all the hoopla over Y2K, we have much to contemplate.
There is a big lesson to learn from it about our dependency on technology.
For all the advances in capability we have made (including those that make
possible the distribution of these words), we have created systemic risks.

Under evolution organisms adapt (slowly!) to their environment.  Technology
represents the opposite approach: humans attempting to adapt their
environment to themselves, in their current state.  Each step of
"technolution" solves or eases some existing problem, but may change the
overall landscape.  In the last couple of centuries, the pace has
accelerated, and luxuries became conveniences became necessities.

Our senses developed to a good level of acuity over the millennia; now they
are often necessarily aided by external devices.  Our brains have large,
unused capacities, but we rely on easily lost electronic notepads instead of
our memories.  Cars take us from one place to another through suburbs spread
beyond walkable distances, fouling the air along the way.  Many people have
trouble walking any distance at all (which problem can be made worse by
having to carry a heavy external "brain", which can also be lost or stolen).
Essential knowledge is placed on a worldwide network, which must work all
the time.  Food comes from all over the world, as does the energy to move us
and our goods, and change the temperature of our surroundings (intentionally
or otherwise).  Now human reproduction is becoming more technological.  It
is a very complex system which we take for granted.

The very minor problem of Y2K was sufficiently widespread to threaten to
disrupt much or all of this.  But Y2K was relatively easy to anticipate and
head off.  Something else might not be.  Recent news stories have appeared
about the President proposing defenses against cyber-terrorism and a lowered
redundancy and reliability in the deregulated national power grid.  The
survivalists now have to figure out what to do with their provisions, but
every-man-for-himself is not the right way to back up this system.

Do we have the vision to reap the benefits of technology and avoid the
pitfalls or will we change our environment beyond our ability to adapt to it
fast enough?  As the now ancient margarine commercial reminded us, "It's
not nice to fool Mother Nature".


Parisian programmer makes his own smartcard

"NewsScan" <newsscan@newsscan.com>
Wed, 26 Jan 2000 09:00:30 -0700
A resourceful French computer programmer has been arrested on counterfeiting
and fraud charges after he purchased 10 Paris Metro tickets using his
homemade smartcard. After proving the smartcard worked, Serge Humpich then
tried to sell his "invention" to the Cartes Bancaires consortium, an
amalgamation of 176 smartcard-issuing banks, for about $1.5 million. Humpich
faces a seven-year jail term, but insists that he never intended to steal;
rather, he was tricked into purchasing the Metro tickets after Cartes
Bancaires officials insisted he demonstrate the card worked. Meanwhile,
Humpich's lawyer says Humpich deserves compensation for the four years of
work it took him to crack the 640-bit encryption key used to verify the
"digital signature" on the cards. "It is an invention," he said, noting that
Humpich had patented his discovery before contacting the Cartes Bancaires
group. Humpich's card is designed to respond positively no matter what PIN
number is typed in.  [MSNBC, 25 Jan 2000, http://www.msnbc.com/news/361936.asp
via NewsScan Daily, 26 Jan 2000]


DVD lawyers make "trade secret" public

Declan McCullagh <declan@well.com>
Wed, 26 Jan 2000 15:11:44 -0800
Lawyers representing the DVD industry got caught in an embarrassing gaffe
when they filed a lawsuit [against a Norwegian teenager and his father] and
accidentally publicized the computer code they wanted to keep secret.  The
DVD Copy Control Association included its "trade secret" source code in
court documents, but forgot to ask the judge to seal them from public
scrutiny.  Whoops.

In a hastily arranged hearing Wednesday morning, DVD CCA lawyers asked Santa
Clara Superior Court Judge William J. Elfving to correct their oversight,
and he agreed to keep the document confidential.

It may be a little late. The document is dated 13 Jan 2000 and is widely
available on the Web.  The owner of one site that placed the 140KB
declaration on-line says over 21,000 people have downloaded it so far.  [...]

  [DVD Lawyers Make Secret Public, Declan McCullagh <declan@wired.com>, see
    http://www.wired.com/news/politics/0,1283,33922,00.html
  Distributed via Declan's POLITECH, a moderated mailing list of politics
  and technology.  See http://www.well.com/~declan/politech/ ]


French spies listen in to British business phone calls

Declan McCullagh <declan@well.com>
Wed, 26 Jan 2000 15:37:53 -0800
French intelligence is intercepting British businessmen's calls after
investing millions in satellite technology for its listening stations.  The
French government upgraded signals intelligence last year.  Now secret
service elements are using it to tap into commercial secrets. At least eight
centres, scattered across France, are being "aimed" at British defence
firms, petroleum companies and other commercial targets.  Eavesdroppers can
"pluck" GSM digital mobile phone signals from the air by targeting
individual numbers or sweeping sets of numbers. Targets have included
executives at British Aerospace, British Petroleum and British Airways,
according to French sources.  Senior executives have been told not to
discuss sensitive issues on mobile phones, and BAe staff have been told to
be "especially careful" during campaigns for new business, such as the
current battle to supply Eurofighter missiles.  [...]

  [Source: French spies listen in to British calls, James Clark,
http://www.sunday-times.co.uk/news/pages/sti/2000/01/23/stinwenws03006.html?999
  Distributed via Declan's POLITECH, a moderated mailing list of politics
  and technology.  See http://www.well.com/~declan/politech/ ]


DoE password policy comic relief?

Mike <John.Michael.Williams@Computer.org>
Wed, 26 Jan 2000 06:48:32 -0500
  [The] DOE security "czar" ... said it is now virtually impossible for
  employees to transfer nuclear secrets from classified to unclassified
  computer networks ...

To quote Don Adams of "Get Smart" - Would you believe ... no more than
once a week? ... once a day?

  Many [nuke] employees used their last names or initials, and some simply
  typed "password" when logging onto classified networks, he said.
  Now, [the czar] added, "we have a password policy that I would put up
  against any in industry and academia."

Password Policy?  Reusable passwords to guard nuclear secrets?  Doesn't
this constitute a well-known RISK, of breach followed by fusion?

Does anybody in the press ever question these publicity handouts?  Do we
in the industry just sit on our hands, letting this travesty continue?

  [Source: Energy Chief Touts Security Upgrades at Nuclear Labs,
  Vernon Loeb, *The Washington Post*, 26 Jan 2000, A13:
  http://www.washingtonpost.com/wp-srv/WPlate/2000-01/26/126l-012600-idx.html]


Re: U.S. removes most restrictions on encryption software (NewsScan)

Kev <klmitch@MIT.EDU>
Tue, 25 Jan 2000 17:16:57 -0500
Although the restrictions on encryption software have indeed been revamped,
there are still a number of problems with the new regulations, as described
at http://www.epic.org/crypto/export_controls/joint_release_1_00.html.  In
particular, PGN's comment, "Open-source software is apparently
unrestricted," does not appear to be entirely true, according to my reading
of the material available (Note: IANAL).  In particular, you may not post
source code directly to citizens of the 7 terrorist nations mentioned in the
article.  You can, however, place your source code on a publicly
accessible Web site or ftp site, and you apparently don't have to worry
about who actually accesses it (again, IANAL).  You must, however, inform
BXA about what you intend to do and either send them a copy or tell them the
URL.  Some people I know are also of the opinion that these regulations
would conflict with the GPL.

In short, I feel the new regulations are a step in the right direction, but
they unfortunately have not been completely removed, and that's what should
eventually happen.

Kevin L. Mitchell <klmitch@mit.edu>  http://web.mit.edu/klmitch/www/

  [I may appear to have oversimplified, but if something is posted on
  a Website, it would appear to be effectively open to the world!  PGN]


Simson Garfinkel's *Database Nation*

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 27 Jan 2000 10:10:59 PST
Simson Garfinkel
*Database Nation: The Death of Privacy in the 21st Century*
O'Reilly & Associates, Sebastopol CA 95472

The following words of Ralph Nader are on the back cover of this book,
and very appropriately highlight this excellent book:

  "Database Nation by Simson Garfinkel is a graphic and blistering
  indictment of the burgeoning technologies used by business, government,
  and others to invade the self -- yourselves -- and restrict both your
  freedom to participate in power and your freedom from abuses of
  power.  The right of privacy is a constitutionally protected right, and
  its erosion or destruction undermines democratic society as it
  generates, in one circumstance after another, a new kind of serfdom.
  This book is one that you're entitled to take very personally."

You will find this book very much in tune with what you have been reading in
RISKS and in Lauren Weinstein's PRIVACY FORUM all these years.  Simson has
brought it all together very nicely in a highly readable book.


REVIEW: "Hackers: Crime in the Digital Sublime", Paul A. Taylor

Rob Slade <rslade@sprint.ca>
Wed, 26 Jan 2000 20:17:22 -0800
BKHAKERS.RVW   991024

"Hackers: Crime in the Digital Sublime", Paul A. Taylor, 1999,
0-415-18072-4, U$24.99
%A   Paul A. Taylor drpaul_a_taylor@yahoo.co.uk
%C   11 New Fetter Lane, London, England, EC4P 4EE
%D   1999
%G   0-415-18072-4
%I   Routledge
%O   U$24.99 +44-71-842-2214 info@routledge-ny.com
%P   198 p.
%T   "Hackers: Crime in the Digital Sublime"

Following in the footsteps of Sarah Ford, Dorothy Denning, and Ray Kaplan,
Paul Taylor is attempting to open the world, and world view, of those who
make informal attempts to penetrate computer and communications security to
the security "expert."  The book tries to explain motivations, culture, and
background, with a view to the benefits of a dialogue between the official
guardians and those who pry at the gaps in the armor.  Using extensive
interviews with people from both sides of the divide, Taylor attempts to put
forward the reality behind the hype.

Chapter one concentrates on the terms; hack, hacker, and hacking;
emphasizing the original meaning of creative and useful mastery of the
technology.  Hacking culture is reviewed quite thoroughly in chapter two,
although perhaps not enough attention is paid to the divisions and continuum
that exists.  (I was amused by the note in the preface to the effect that
nobody would admit to distributing viruses: virus writers still occupy the
lowest rung of the hacking ladder.)  Motivation is explored, and possibly
too much credence given to self-reporting, in chapter three.  Chapter four
is a marvel, a first rate examination, and indictment, of the state of
computer security (or, perhaps, insecurity).  Arguments for, and against,
dialogue with, and employment of, those who have done unauthorized security
breaking are given in chapter five.  Chapter six, however, turns to
presenting a number of sociological theories about why hackers might be
marginalized.  This material seems to have no purpose other than to propose
that such people are being treated unfairly.  Chapter seven is worse: even
given the wretched track record of computer ethics literature it is
disappointing in that it presents little content that is germane to the
discussion, and seems to wander off into miscellaneous speculation.  The
conclusion, in chapter eight, also meanders, but tries to dispel a number of
myths that have grown up around the hacker idea.

The book will probably not be a popular hit, which is a pity.  I would
suggest two reasons for the low profile.  The first is that Taylor is making
a conscious effort to avoid sensationalism, and, indeed, to counter the
sensational, and misinformed, reports of computer security penetration that
are prevalent in the popular media.  The second reason is not inherent in
the nature of the material and is somewhat unfortunate: Taylor's writing
style is more "academic" than is necessary, using, for example, the passive
voice most of the time.  (I found the use of the word "whilst" to become
quite jarring after a few pages.)  A good copy editing would help: your
humble scribe, world's worst proofreader that he is, still found a number of
grammatical errors, even outside of the quotations.

(Oddly, for all its academic formality, endnotes, and bibliography, the work
falls short in terms of clarity of references and citations.  I am quoted on
page 84, but I can't figure out how.  I am also dying to know who the other
"Dr. Taylor" is.)

The extensive use of interview materials, and quotations from other works,
is both a strength and a weakness.  No one perspective is allowed to
dominate, and a great many arguments and opinions are presented.  The
constant quotes from a variety of sources, however, often reduce the
readability of the work.  I found the book very difficult and time consuming
to get through.  Added to this, Taylor's aversion to contaminating the
source material with his own analysis ensures that the text is very
demanding of the reader's own analytical skills and work.

Taylor does make a serious effort to give a fair and even presentation to
both sides of the argument, but it is still fairly obvious that his
sympathies lie in "detente."  The title of the book itself indicates this.
There is a discussion of the derivation and evolution of the "hacker" term,
but the acceptance of the "popular" status of the word to mean those who
break into computers also allows those who break into computer systems to
present arguments for their behaviour as a kind of discovery learning,
without the supporting evidence that would otherwise be necessary.  In this,
Taylor's work shares a weakness with other, similar, books on the topic:
"hacker" claims are taken at their own valuation without much analysis of
either factual or motivational claims.  Taylor has a great deal more
material and a wider range of direct contacts than Levy (cf. BKHACKRS.RVW),
Sterling (cf.  BKHKRCRK.RVW), or Dreyfus (cf. BKNDRGND.RVW) and his
conclusions are significantly more reliable, but the fundamental defect
remains.

There are also gaps in the coverage.  Taylor does not dwell on the basic
fragility of data, nor the tendency of digital systems to catastrophic
failure under even the most minor perturbation.  There are also indirect
effects of unauthorized system penetration.  To give only one example, the
regular choice of NASA as a target, and the media hype over even minor
success, has had a negative impact on budget appropriation, and therefore on
the space program as a whole.  You can't claim much for the advancement of
knowledge out of that.

With all the problems presented above, I still highly recommend this
work to anyone in the security field, or to anyone who wants to
understand either security work or an important part of the computer
culture.  For all its flaws, Taylor's book is the most extensive and
detailed examination of the cracker phenomenon I have ever read.  He
exposes a number of nasty little secrets that the computer industry as
a whole would prefer to forget.  Hopefully this work will be
continued, expanded, and refined, to become a valuable classic in
technical security literature.

copyright Robert M. Slade, 1999   BKHAKERS.RVW   991024
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


REVIEW: "Implementing IPsec", Elizabeth Kaufman/Andrew Newman

Rob Slade <rslade@sprint.ca>
Thu, 27 Jan 2000 07:15:43 -0800
BKIMPIPS.RVW   991029

"Implementing IPsec", Elizabeth Kaufman/Andrew Newman, 1999,
0-471-34467-2, U$49.99
%A   Elizabeth Kaufman
%A   Andrew Newman
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1999
%G   0-471-34467-2
%I   John Wiley & Sons, Inc.
%O   U$49.99 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%P   271 p.
%T   "Implementing IPsec: Making Security Work on VPNs, Intranets, and
      Extranets"

This book starts with a rough, and even aggressive, manner.  It continues
the same way.  But what makes for a rather abrasive introduction also makes
for a very practical and solid guide to designing, evaluating, and thinking
about network security.

Chapter one is brief, really only an overview of the structure of the book.
Part one actually starts in the next chapter, and looks at what you need to
know going in.  Chapter two looks at the basic information you need before
you even start to consider security, and provides a highly practical guide
to documenting the network.  (Oh, sure, you *all* have fully documented
networks.  No, thank you, I don't want to buy any bridges.)  Security
should, of course, start with a policy, but chapter three outlines a
real-world approach when you don't have one.  The law is an underappreciated
factor in implementing security, and a highly instructive run through of
related aspects is presented in chapter four.

Part two reviews the essentials of the technology.  Chapter five covers the
Internet Protocol, and the security weaknesses built into what it does.
Cryptography cannot be covered in a single chapter, but I was a bit
surprised that there is not even a discussion of relative strengths in the
basics that are explained in chapter six.  Keys and key management are
discussed reasonably well in chapter seven.

Part three looks at implementation considerations.  Chapter eight gives an
extremely helpful, if somewhat depressing, look at possible problems and
inherent conflicts.  Chapter nine offers some useful pointers, but is more
about the generic types of implementations.

Part four gets down to the brass tacks of buying.  Chapter ten gives some
rough pointers on how to evaluate vendors.  But the really useful stuff is
in chapter eleven, which provides the details, with explanations, for an
entire RFP.

RFC 2401 is printed as an appendix.

The authors are not out to produce a fun read, but they have a very nice
sense of sarcasm--and know when to use it.  Subtle digs pop up in the text
frequently, and are generally right on target.  The humour included in the
work is germane to the topic, and helps to highlight and render memorable
important basic concepts.

As the authors are at pains to point out, IPsec is by no means a mature
technology.  Security practitioners, and network managers, are fortunate to
have such a guide to avoiding the worst mistakes as they take the first
steps into a new area.

copyright Robert M. Slade, 1999   BKIMPIPS.RVW   991029
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
