Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
An AP item (seen by me on the front page of the *Palo Alto Daily News*, 25 Sep 2000) says that the California Department of Motor Vehicles issued over 100,000 fraudulent drivers' licenses in 1999, and typically makes little or no effort to check the validity of the 900,000 duplicate license requests it receives each year. Examples include duplicate licenses issued to people of the wrong race or the wrong gender, and in one case bogus duplicates of a particular individual's license to 18 different people. The driver's license is called a ``breeding document'' for identity thieves, leading to financial fraud, ruined credit, purchases of firearms by felons, and other misuses. DMV officials claim that implementing an on-line photo-retrieval system would cost $3 million over the next two years. This seems like a useful system — especially if it were used pervasively.
Last night our cable modem (currently AT&T Roadrunner, name subject to change daily 8*) stopped working, and the constant busy signals from their tech support line led me to believe it wasn't merely Yet Another Outage (TM). Strangely, my cable modem lights were all doing the right thing, and when I checked with my neighbors, their cable modems were working fine. After a couple of hours of redialing I finally got a message saying that there were unspecified problems that they were working on (strange, usually they list the affected towns) and after some time on hold I finally talked to a tech support rep who offered to help "if I can". Turns out the DHCP server for the entire northeast went down, and as people's leases on their IP addresses expired, they were dropped off the network. I asked about the secondary or backup DHCP servers, but apparently there was so much demand due to expired leases that the backup server couldn't respond quickly enough, and was getting overloaded with requests. Risks: Even single users ought to have a backup Internet connection (dialup ISP worked for me, but not my wife, as she has no modem...) You know you're in trouble when your customers have your tech support in their speed dial. Customers know they are in trouble when they get busy signals on your tech support line. Serious system-wide failures might leave some systems operating normally for a while. Your backups might have to be more powerful than your primary servers, or alternately customer growth might mask server deficiencies. William Smith wpns@compusmiths.com N1JBJ@amsat.org ComputerSmiths Consulting, Inc. www.compusmiths.com
Concerned that the Internet will compete with TV coverage and cut into its major source of revenue, the organizers of the 27th Olympics Games are taking a hard line about what words and images can be communicated by Internet about the sporting events now going on in Sydney, Australia. They have forbidden athlete diaries and online chats, and all streaming video (even of trial events that took place months ago. Referring to a recent lawsuit in Virginia supporting the Olympics Committee's efforts to restrict Internet coverage, constitutional lawyer Floyd Abrams thinks it's ironic that "the increased availability of a means of communication leads to a ruling seeking to assure that less is said." (*The New York Times*, 25 Sep 2000 http://partners.nytimes.com/2000/09/25/technology/25WEB.html; NewsScan Daily, 25 September 2000)
Today's *Christian Science Monitor* online edition discusses a newly released report, the *Baker-Hamilton Report*, prepared at the request of the DOE. The report says in essence that scientists at Los Alamos National Weapons Labs have become afraid of reporting or admitting even minor security breaches as a result of the threat of an aggressive prosecution and in the wake of the Wen Ho Lee situation. Who can blame them? The RISKS should be fairly obvious. The entire article can be accessed at: http://www.christiansciencemonitor.com/durable/2000/09/26/fp2s2-csm.shtml A quick search for the "Baker-Hamilton report" on the DOE web site didn't turn up anything, but I would imagine that the report itself would make for fairly interesting reading for any RISK follower. [The Government gave a terrible example of *when holey* prosecutions can run amok (holey, i.e., having holes). Perhaps the "situation" (as Ray calls it) will become known as an *Un-Ho-Lee Mess* (unholy, i.e., of questionable authority). PGN]
Cochise county, in the southwest corner of Arizona, had a primary and special election Tuesday, 12 September. In it they used a new computer tallying system obtained by the state for rural ballot counting. Our local paper, *The Sierra Vista Herald*, reports that results from the elections were delayed due to software errors in the new system. According to the paper, the major errors centered around counting as major party votes those cast in nonpartisan (non-primary) positions and overcounting third-party, e.g., Libertarian, votes. In addition to the usual issues of inadequate verification, validation, and test (VV&T), this was the first election here in which everyone could vote in a primary. Seems rash to implement a new voting protocol and a new ballot tally system in the same election. Votes are being recounted using the old system, which was kept as a backup provision. At least they got that right. Reporting on story from Sierra Vista Herald: http://www.svherald.com/news/bnews/stories/00030203bn.html http://www.svherald.com/news/bnews/stories/00091301bn.html http://www.svherald.com/news/stories/00091301n.html http://www.svherald.com/news/bnews/stories/00091402bn.html http://www.svherald.com/news/bnews/stories/00091501bn.html
In October 1998, the company that I worked for (let's call it A Inc) was acquired by another company (let's call it B Inc). "A Inc" issued me a corporate credit card (from Amex) a long time before that. Around January 1999, B Inc decided that they needed to issue me a new corporate credit card ... But, "B Inc" also wanted to spin of a portion of the acquired company and in February 1999, they created a spinoff company (let's call it C Inc). In all this confusion, I was left with an Amex Credit card from A Inc which expired in February, I got a new Amex Credit card for C Inc in February and I was fat dumb and happy. I never quite got the Amex card from B Inc, maybe they never had it mailed out or something weird happened there; or maybe it was just lost in the mail. But, B Inc went ahead and told our in-house Amex Travel Agency to change my travel profile to use the new credit card that they had issued for me. In January 2000, I moved and informed Amex of my address change in regards to the card from C Inc. Then in February 2000, I made a purchase through the in-house Amex Travel Agency for a ticket for business travel. The way in which A Inc and C Inc handle business travel tickets is that Amex directly charges the corporation and no charge appears on my credit card bill. Today, September 29th, I get a call from a collection agency indicating that an Amex card in my name, with my SSN, my correct name and my old address was delinquent and the charges were airline tickets issued in February. After much investigation, I gathered all the information I presented above but here's where it begins to get interesting. I have the Amex Credit Aware reporting service. That, when I started getting it in March 2000, did not list the personal Amex card that I had, the card that they were charging $5.99 or whatever ... Second, it did not list my corporate card (the one from A Inc or C Inc). It surely did not list the one from B Inc. As part of all this investigation, I called Amex Fraud Investigation and they took my SSN and they showed all three cards. I called Experian and because initially it was being handled as a fraud, they actually took my SSN and said they showed three Amex cards on my SSN. They took SSN, last name, first name, address and all that to verify that I was in fact the person whose records they were looking at and then they confirmed the last 5 digits of all three accounts, my personal one, my corporate one from C Inc and the corporate one from B Inc What caused this whole mixup ? 1. Your SSN is not your sole identifier for purposes of Credit, name is also significant. 2. Amex (for my personal card) had my last name and first name interchanged which is why the card would not show up on the Credit Aware Service. 3. Corporate Cards don't appear to show up on there for some reason, not sure if it's the same as 2. 4. An employer can / may apply for a card in your name, maybe without your knowledge. They reveal your name, SSN and all that nice stuff to someone. 5. When companies get bought and sold, strange things happen to these cards and the information there. B Inc was not paying me any salary but they had an active card in my name. I called them and told the folks there in their Finance office and sure enough they had my card on file ... 6. If you have no balance on a card, you sometimes get no bill. In my case, for the four months in 1998/1999, I had no balance on the card because I never knew I had it. So I never got a statement. People move, addresses change ... the bills suddenly appear. I used to live in an apt and mail for previous tenants is regular; it usually goes to the trash can. and finally 7. I had two Amex cards that I knew of, both had valid addresses. Amex could not find me or figure out that the address was wrong when the card went deliquent. I don't believe they even contacted the company that I was supposed to work for (it was a corporate card). And yet, a collection agency could find me. 8. A credit monitoring service is somewhat questionable. What if any is the real solution to this problem? Thankfully, my employer readily agreed to help out, the amount in question was about $800, and I paid and will get reimbursed etc. But what's the real solution? Amrith Kumar <amrithk@earthlink.net>
My trash company bills quarterly. I would rather pay every six months. This June, I got the $36.00 bill and paid the $72.00 by check. Last week, I got a bill for $36.00 for the final quarter of this year. Apparently, (if I understood the customer-service person correctly) they use a piece of billing software in which the amount paid defaults to the amount owed once the account number is entered, and the data-entry person must manually override the amount if a customer remits any amount other than the default. Fortunately, my record showed a history of paying semiannual amounts every six months, so the rep fixed it on the spot, taking my word that the check had cleared in the larger amount. His comment was to the effect that "I know how his software works, and I'm almost certain of what happened, so I'll take your word for it." charlie shub University of Colorado at ColSpgs http://cs.uccs.edu/~cdash cdash@cs.uccs.edu -or- cdash@mail.uccs.edu (719) 262-3492 [It is unusual that Pride goeth before Default. PGN]
I think this is unfair to the issuing bank. I also once received a call from the same bank, because their computer detected that I was charging a few things in Toronto, and I also seemed to be in Jamaica, running up several $K in cash advances! Someone had obviously captured my card number and was using it for all it was worth (with the apparent compliance of some Jamaican merchants) Within minutes, the card was frozen, and I received a replacement by courier within 24 hours. Otherwise, it would have been weeks before I even knew this was happening, and likely many months to sort out the problem, and with a high risk of cost to me. I think it was a pretty good trade-off. If this bothers you, better to carry two different cards, just in case, and be thankful someone is trying to protect your backside! Perry Bowker, Toronto, Canada [It obviously works (or doesn't work) both ways. PGN]
Actually, this protocol can work reasonably well if you have a cell phone. On two occasions, with two different banks (one of them was the CIBC), I've been called almost immediately after making a large purchase and challenged to recite various pieces of information from my credit application (doing that with a cell phone has its own risks, of course, which can be mitigated by phoning back using the merchant's phone). I note that this protocol doesn't seem to stop the initial transaction from being completed. In both cases I was called some minutes after I had left the store with my purchases.
BKCBRSHK.RVW 20000625
"CyberShock", Winn Schwartau, 2000, 1-56025-246-4, U$24.95
%A Winn Schwartau winn@infowar.com,winns@gte.net
%C Fourth Floor, 841 Broadway, New York, NY 10003
%D 2000
%G 1-56025-246-4
%I Thunder's Mouth/Inter.Pact Press
%O U$24.95 212-780-0380 fax: 813-393-6361
%P 470 p.
%T "CyberShock: Surviving Hackers, Phreakers, Identity Thieves,
Internet Terrorists and Weapons of Mass Disruption"
As some may know, Winn Schwartau and I do not see eye-to-eye on the emphasis
to be given to certain exhortations in alerting the public to matters of
computer security. So when he informed me of his latest book, he noted that
I might like to do the usual hatchet job on it. Unfortunately, I can't
fully comply. While I may quibble with some aspects of his latest book,
overall it is a good overview of the existing computer security situation,
and would make a helpful introduction for new computer and Internet users.
Part one is an outline of hackers and hacking. "The Great New Global
Society" appears to be (although erudite and readable it's not exactly
straightforward) a presentation of society as seriously messed up, and
hackers as curious and determined. The results of a number of surveys of
computer penetration are described in "Whole Lotta Hacking Goin' On," with
unfortunately little space given to the design of the studies. There are
some examples of Web site defacement and an ad for Linux in "CyberGraffiti."
(And it's attrition.org, not attrition.com.) "Who Are the Hackers?" gives a
reasonable structure to the current security breaking population and
environment, although, as Schwartau notes, the game has become so big and
ill-defined that one might be forgiven for coming out of this chapter
thinking that anyone could be a hacker and a hacker could be anyone. Some
stories from the annual DefCon (and the inadequacies of the Plaza Hotel) are
retailed in "CyberChrist at the Hacker Con." "Hacktivism" lists a few
examples of digital civil disobedience. "An American Alien Hacks Through
Customs" is probably fair warning to customs agents that if you mess with
Schwartau at the border you are going to look really silly in his next book.
Part two looks into protecting you and yours. "In Cyberspace You're Guilty
Until Proven Innocent" describes identity theft, and the ease and dangers
thereof. (It also includes a rather odd section on Web privacy security.)
The chapter admits that there is not much you can do about identity theft.
It is also very US-centric: for example, the Canadian SIN (Social Insurance
Number), as opposed to the US SSN (Social Security Number), is very seldom
used for commercial transactions. The advice in "Protecting Your Kids and
Family From Hackers" is not an easy or quick fix, but it is (with the
notable exception of the piece on cyberstalking) realistic and well written.
So is the counsel in "Spam." "Scam Spam" offers very useful and relevant
guidance on dealing with fraud on the net.
Part three outlines the techniques of hacking itself. "Getting Anonymous"
is a quick overview of anonymizing services and spoofing. Some of the
basics are skipped in "Password Hacking," but there is a nice introduction
to biometric techniques. While not getting into the gritty details, there
is a quick lesson on eavesdropping on promiscuous networks in "Hack and
Sniff." "Scanning, Breaking and Entering" lays out the information that
is--must be--available to anyone wanting to mount a network attack. "War
Dialing" basically notes that phones are a means of access. Leaving aside a
minor quibble with the definition of trojan horse software (like the Trojans
who "installed" the horse of their own destruction because they didn't know
what it contained, users generally install trojans because of a
misrepresentation of what the software does), most of "Trojan Hacking" only
describes Back Orifice. There is some small degree of comfort for credit
card users, and some rather embarrassing points for credit card merchants,
in "Hacking for $." While it waffles a little, "Viruses, Hoaxes, and Other
Animals" contains good advice and a reasonable picture of the current
situation. "Crypto Hacking" is (absent an impossible IP address) a nice
history of cryptography, although it's a bit thin on details.
"Steganography" defines the term, but misses a few points on usage. The
discussion of computer forensics in "Hacking for Evidence" is limited to
data recovery, but has some good points for users and companies.
Part four deals with destructive activities. "Denial of Service" rather
overstates the point, since the term generally is restricted to operations
that inhibit use but do not harm hardware or data. "Schwartau to Congress"
appears to be a minor aside. The discussion of electromagnetic weaponry in
"Weapons of Mass Disruption" is fascinating, but does downplay a few
inconvenient laws of physics, such as inverse square distance relationships.
Part five analyses some tips for protecting yourself. "Hiring Hackers"
examines both sides of the question. The basics of intrusion detection is
outlined in "Catching Hackers." There is a decent introduction to firewalls
in "Defensive Hacking," along with a pointer to simple automated penetration
testing. "Corporate Anti-Hacking" presents a number of good points
(although if you follow all of them blindly you'll likely face mass
resignations). Deception is promoted in "Lying to Hackers is OK By Me."
Part six discusses law enforcement. "Hacking and Law Enforcement" is rather
depressing, but reasonable. The advice on striking back boils down to "be
careful" in "Corporate Vigilantism." "Infrastructure Is Us" seems to be a
bit out of place, in that it presents no protective measures: only a
warning. Similarly, the material on infowar is alarming but not really
illuminating in "Something Other Than War."
Part seven looks to the future. "Luddite's Lament" expresses frustration
with phones. "The Future of Microsoft" is one of the standard jokes about
Microsoft's fight with the US federal government. Digital manipulation of
propaganda is mentioned in "Messing With the Collective Mind." "Extreme
Hacking" gives short takes on some new technologies. "The Toaster Rebellion
of '08" is one of the standard scifi plots.
While there is a heavy emphasis on the sensational, overall this book does
provide the security novice with a fairly reliable picture of the current
security environment. Possibilities are generally presented as such, and
the analysis of relative dangers is usually good. A number of useful tips
are given that can help home and small business computer users be more
secure in their computer and network use. Security specialists will find
little that is new here, but that is not the target audience for the book.
I have frequently been asked for a recommendation for a general security
introduction directed at the non-technical computer and Internet user, and,
for all its flaws, I think this work may be the closest I've seen.
copyright Robert M. Slade, 2000 BKCBRSHK.RVW 20000625
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer