The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 46

Friday 3 January 2003


H&R Block employees suspected of identity theft against 27 customers
Monty Solomon
Half-million people victimized by stolen hard-drives
Monty Solomon
Woman shot by former classmate who stalked her by Internet
Monty Solomon
Man allegedly stalks ex-girlfriend with help of GPS
George Mannes
Credit agencies provide information on your relations under DPA
Tim Storer
PGP.COM cannot handle sales to some US residents
Michel E. Kabay
/Trivial/ Risks of Technical Arrogance
melandrob searle
Oregon proposing taxing in-state car mileage via GPS
Mike Hogsett
Re: Total Information Awareness / O Big Brother
Fredric L. Rice
Re: Computer programmer faces U.S. fraud charge
Bob Morrell
Re: Surgical tool left in woman's stomach for 4 months
John Sullivan
Caller ID untrustworthy
Mathew Lodge
REVIEW: "Protect Your Digital Privacy", Glee Harrah Cady/Pat McGregor
Rob Slade
REVIEW: "Privacy Defended", Gary Bahadur/William Chan/Chris Weber
Rob Slade
Info on RISKS (comp.risks)

H&R Block employees suspected of identity theft against 27 customers

<Monty Solomon <>>
Thu, 2 Jan 2003 16:12:19 -0500

A federal complaint charges that 27 people who went to H&R Block for help
with tax preparation through April 2001 had their personal information
stolen in an identity theft scam involving four suspects, who allegedly used
names, addresses, SSNs, and dates of birth to alter the victims' addresses
for tax refunds, opened new credit-card accounts, etc.  H&R Block reportedly
would not cooperate in the investigation until it was subpoenaed.  [Source:
Associated Press, 2 Jan 2003, PGN-ed]

Half-million people victimized by stolen hard-drives

<Monty Solomon <>>
Thu, 2 Jan 2003 18:05:17 -0500

SSNs and other personal information for a half million military personnel
and family members were stolen from hard-drives belonging to Phoenix-based
TriWest Healthcare Alliance on 14 Dec 2002.  [Source: Associated Press item,
$100K Reward for stolen ID data, 2 Jan 2003; PGN-ed...  Coincidentally, DoD
is in the process of computerizing medical records of all military
personnel.  Can they spell Security?  Encryption?  Identity Theft?],1848,57045,00.html

Woman shot by former classmate who stalked her by Internet

<Monty Solomon <>>
Tue, 31 Dec 2002 02:06:01 -0500

A former classmate of Amy Boyer, 20, paid an Internet information broker to
track her down, and then shot her on 15 Oct 1999.  Since her death, the
family has been fighting to protect other potential victims, most recently
suing the information broker for negligence and invasion of privacy.
[Source: Parents of slain woman want to stop Internet brokers from selling
personal information, by Holly Ramer, Associated Press, 30 Dec 2002; PGN-ed]

Man allegedly stalks ex-girlfriend with help of GPS

Fri, 3 Jan 2003 11:57:23 -0500

The story starts here on The Smoking Gun (GPS angle appears at bottom of second
page of typed complaint):

As far as I can guess (not confirmed) this is the product allegedly used:

Now anyone, for better or worse, can be James Bond.

  [A 42-year-old Wisconsin man is accused of stalking an ex-girlfriend by
  placing a GPS tracking device under the hood of her car.  The device
  George refers to is called SmartTrack.  PGN]

Credit agencies provide information on your relations under DPA

<"Tim Storer" <>>
Mon, 30 Dec 2002 12:30:54 -0000

The programme is A Right to Know presented by Michael Crick on BBC Radio 4.
He requested information held on him by a credit agency under the Data
Protection Act.  Interestingly, the company supplied the information --
including the credit history of another member of his family because this is
used to assess your own rating.  Apparently the agency's policy was to
supply the data on other occupants at an address if they shared a surname.
The representative of the agency didn't seem overly clear as to whether this
procedure had now been corrected.  Crick goes on to point out the rather
obvious risks...

PGP.COM cannot handle sales to some US residents

<"Michel E. Kabay" <>>
Tue, 31 Dec 2002 14:52:46 -0500

PGP.COM's Web site is programmed so that customers can go through all the
forms required to order and pay for a license for PGP — and then can refuse
access to the download after the credit-card has been debited if it cannot
do a reverse IP lookup on what it receives as the customer's IP address.

The following message appeared on my screen when I clicked on the download
button: "In accordance with current US Export restrictions, PGP 8.0 products
may be downloaded by individuals throughout the world except those in the
following countries: Cuba, Libya, Iran, Iraq, North Korea, Sudan, and
Syria. If you are in one of these countries, you may not download PGP

I was downloading from Vermont using my StarBand account.  I tried again
after disabling my firewall — no luck.

The customer service agent was very nice and obviously embarrassed about
this situation and admitted that there are no measures in place for dealing
with such a technical glitch.  She diffidently suggested that I try to
download the product again using a different ISP or Internet access point.

I did suggest that the company might deal with such glitches in several

1) Check the IP address BEFORE the user fills out all the forms and the
credit card gets debited.

2) Send the user a CD-ROM to the US address listed in the order.

3) Ask the user for strong evidence that they are in fact living in the
US:  e.g.,

  a) have the user send a fax from the appropriate US fax machine phone line
  with a US driver's license showing the same address as the one used in the

  b) ask for other corroborating evidence such as a US address listing in
  university or corporate Web sites.

Of course, I canceled the charge on my card.  Someday (not soon), I'll try
to download the product from my university access point and — if the
university firewall does not conceal my IP address — maybe I'll succeed in
giving these people my money in return for an upgrade to their product.  In
the meantime, I'll just continue using my PGP v6.5.8

RISKS of assuming your automated system is perfect:  you lose sales.

M. E. Kabay, PhD, CISSP

* Associate Professor of Information Assurance
Dept. of Computer Information Systems

* Program Director, MSc in Information Assurance

Norwich University, Northfield VT  +1.802.479.7937

/Trivial/ Risks of Technical Arrogance

<"melandrob.searle" <>>
Thu, 2 Jan 2003 16:36:22 +1300

I am just about calmed down after a trying time with a christmas present for
a five-year old. The whole sorry episode is of course my fault, I merely
needed to read the minimum system requirements more thoroughly and remember
precisely the characteristics of the family machine.

The details :

The game - shall remain nameless to protect somebody.
The stated minimum system:
    Win 95 (OK I have XP which should be compatible and Google says the
      game was released last year so I assume that the vendors/game
      programmers mean or equivalent)
    Pentium 90 MHz or faster (Much faster)
    16 MB RAM (More than that)
    15 MB Hard Disk (No problem)
    Quad-speed CD-ROM (Yeah, yeah)
    Stereo sound card (Got a sound card, two speakers ----- Oops missed
      that one )

So, eager five-year old by my side, go through installation. Fool the
registration screen by lying about the location of Canterbury and the postal
code (already said the country is Other but the stupid screen will not
accept four digit post-codes or state/province abbreviations outside the
US). First technical arrogance.  Installation completed successfully

Locate the shortcut to the game and launch, wait, FATAL error no stereo
sound game over. Second technical arrogance and this one gets me steamed up
enough to write.

I have worked on system and product software for nearly eighteen years and
every year somebody decides that the behaviour under an error condition can
be specified by the programmers (only the expected normal behaviour is a
requirement). Handling of errors is ALWAYS a system issue. (My feelings on
the game are that it is a bit like causing a core meltdown in a nuclear
facility because the siren doesn't work).

Programmers in their techy way decide that the minimum hardware is a
critical environmental requirement and nobody told them that the PC on their
desk may be a bit better specified than the typically available.  Has nobody
heard of graceful degradation ?

Oregon proposing taxing in-state car mileage via GPS

<Mike Hogsett <>>
Wed, 01 Jan 2003 13:43:55 -0800

Despite "To protect drivers' privacy, using the system to track cars in
real time would be illegal" the risks seem obvious.

What about travel on private land and/or off-road mileage?  Who pays when
you car is towed?  What about the fact that due to inaccuracies of GPS your
position when stationary will often bounce back and forth between the
extremes of those inaccuracies?

Re: Total Information Awareness / O Big Brother

<frice@SkepticTank.ORG (Rev. Fredric L. Rice)>
Fri, 03 Jan 2003 03:28:41 GMT

The last couple of RISKS have touched upon the so-called "Total Information
Awareness" plan that various United State law enforcement and intelligence
agencies are planning (dare I say "plotting?") to implement.

The issue of false positives when sifting through the mountain of
information that's planned to be collected should be a nice waste of time,
money, and resources for our government, diverting them from doing _real_
police work by catching _real_ bad guys but if such a plan is implemented
and is eventually developed to a minimum of perfection, innocent, lawful
people who simply don't want to be identified, it seems to me, can
eventually be so identified.  Apparently Americans don't have the right to
privcy or the right to lawfully disappear in America.

Quite a few years ago someone anonymously sent me a text document titled,
"Vanishing Point: How to disappear in America without a trace" which I
originally thought was rather paranoid though, with the passage of the
euphemistically named "Patriot Act" I'm thinking might not be so paranoid at
all.  After removing some of the more irresponsible text fragments from it,
I posted it to my Web site, where it can be found at

One of the suggested items is:

  Alter your buying habits. When you throw your old self away, you need to
  discard as many predictable patterns as possible. One of the most common
  mistakes when hiding is maintaining old habits.  If you're a smoker,
  stop. If you don't smoke, start. If you enjoy hot and spicy foods, stop
  purchasing those items and change to mild foods. If you frequent bars,
  stop. This may seem an unusual step but you're working toward
  disappearing, right? Patterns are predictable. Break them.

  There is the possibility that in the future people may be identifiable by
  their purchasing habits. Granted the point-of-sale data collected by
  computers would need to be immense yet eventually pattern-recognition
  software may some day be able to provide authorities with perhaps 100 of
  the best possible "hits" on people matching your known buying habits. When
  — if ever — that becomes a reality, you can be sure you won't know about
  it until it's shown on cable television. By that time the technology will
  have been in use for years and you may end up on a list of possible
  matching a purchase profile.

It seems more and more likely to me that such technology will be upon us
thanks to the galloping fascism we're experiencing in America ...

Re: Computer programmer faces U.S. fraud charge (RISKS-22.44)

<"Bob Morrell" <>>
Mon, 30 Dec 2002 18:39:26 -0500

Regarding the attempted manipulation of stock via spreading a virus in the
company, the item noted "He had reportedly been hoping to gain from the
resulting stock price drop."  This might leave the RISKS digest reader with
the impression that the price of the stock did in fact fall as the result of
the viral infection, which is not true, according to the NYTimes article, a
link to which Mr. Solomon also provided. The article states: "The plan
failed when a computer virus that Mr. Duronio personally transmitted to
1,000 of the 1,500 computers used by PaineWebber brokers across the country
failed to disrupt work seriously or cause a sharp change in the stock
price." It wasn't that the virus was, like most viruses, harmless, or that
computers are just not as important as we all think... Apparently backup
computers kicked in and minimized any disruption.

Good management of RISKS. Thank you Paine Webber...  [And incomplete PGN-ed]

Re: Surgical tool left in woman's stomach for 4 months (R-22.44)

<John Sullivan <>>
Fri, 3 Jan 2003 14:21:50 +0000

Well, the CNN URL has expired and I can't find anything via their search
facility, so taking a hint from the URL looked it up directly on

  "Why Does This Metal Detector Keep Going Off??"

    "Several days later the woman had an X-ray [...] It showed a
     12-inch-long, 2-inch-wide surgical retractor".


None of "canadian", "surgical" or "retractor" find it even on Reuters,
despite those words definitely being in the article, only "x-ray" seems to
turn it up. Looking at whose search actually works gives
more variations: 33cm; 30cm x 5cm; 30cm (11.7in); 11.7in; 11.7in x 5cm;
30cm x 6cm; 30cm (13in) x 6cm (2in); 13in.

You can almost trace the history of unit conversion and rounding errors
through the various sources. A RISK various space agencies are painfully
aware of. Averaging to get a more accurate figure ;-) gives about 12 inches


  [I had already updated the archive copy, which notes the broken URL, offers
  instead, which says it was a 33-centimeter retractor.  PGN]

Caller ID untrustworthy (was: Why you should read Mitnick's book)

<Mathew Lodge <>>
Fri, 03 Jan 2003 14:00:30 -0800

> ... So don't trust caller ID to show that the caller is someone you know,
> or from your own company.  [Don Norman]

I was thinking about this last night when I called American Express to
dispute a charge. Normally, after entering your card number, Amex has
requires the last four digits of your SSN to "authenticate" you (no risk
there, right? :-). This time, a recording said something like "we have
verified your home or office phone number" and connected me to a customer
service rep who asked no further authorization questions.

Faking caller ID is a lot easier these days because you don't need to buy a
DMS-100 (bulky and expensive), learn how to program it (a specialized task
with little generally available documentation), and buy the right kind of
interconnect to your local telco (the really expensive and time-consuming bit).

Any voice over IP gateway that uses an ISDN PRI interface will allow you to
configure any calling number (caller ID) you like, and then signal it to
the PSTN via the PRI during call set-up. The ability to control caller ID
is necessary to seamlessly integrate VoIP endpoints (e.g. IP Phones) into
the PSTN.

A Cisco 3620 would do the job, is 2" high by 19" wide and can be bought on
Ebay today for $849. There is good, free 3620 configuration advice on There are likely cheaper alternatives, I just know setting
caller ID can be done on a 3620.

T1 PRI pricing is dependent on your distance from the central office and
whether you have a competitive alternative to your local RBOC, but can cost
as little as $300/month. An E1 PRI will work just as well overseas.

REVIEW: "Protect Your Digital Privacy", Glee Harrah Cady/Pat McGregor

<Rob Slade <>>
Thu, 5 Dec 2002 08:17:04 -0800

BKPYDPRV.RVW   20020924

"Protect Your Digital Privacy", Glee Harrah Cady/Pat McGregor, 2002,
0-7897-2604-1, U$29.99/C$44.95/UK#21.99
%A   Glee Harrah Cady
%A   Pat McGregor
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2002
%G   0-7897-2604-1
%I   Macmillan Computer Publishing (MCP)
%O   U$29.99/C$44.95/UK#21.99 800-858-7674 317-581-3743
%P   652 p.
%T   "Protect Your Digital Privacy: Survival Skills for the
      Information Age"

Part one sets the stage.  Chapter one gives vague ideas about
protecting your privacy in the twenty first century, mostly about
e-commerce.  A variety of definitions of privacy, from differing
perspectives, are listed in chapter two.

Part two discusses privacy and the individual.  From celebrity
magazines to publicly available government databases to e-commerce
loyalty programs, chapter three discusses who might want to know
different types of information about people.  Chapter four presents
the usual information about kids and the net: the net is potentially
dangerous for kids, talk to your kids about their net use, and safe
sites.  Although there is nothing new here, the material is reasonable
and well presented.  Email address harvesting and cookies are reviewed
in chapter five.  Chapter six talks about high speed Internet access,
including little content on security or privacy, but an odd bit on
malware.  There is a similar discussion of cellular phones and
technology in chapter seven.  Chapter eight examines cell phone
location systems, "pay-fobs," face recognition and other miscellaneous

Part three talks about taking control of your privacy and information.
Chapter nine suggests taking an inventory of your personal information
(available online) and looks at Web search engines and the inaccuracy
of commercial search services.  Chapter ten is a mixed bag of security
topics, including a little cryptography, something on passwords, and
cookies again.  Although there are some good tips on protecting online
transactions, chapter eleven suffers from a lack of structure.  The
advice to know where you are and who you are dealing with, for
example, is on page 308, but the material on server authentication is
on page 294.  Neither location actually demonstrates the ability to
verify the certificate, or the "Paypal/Paypa1" fraud.  Chapter twelve
deals with what to do if your information is compromised, but doesn't
cover the topic particularly well.  There is mention of spam filters,
but not the dangers of losing email; there are directions for
reporting frauds, but few details on the levels below which the
agencies aren't interested; addresses of credit agencies, but little
useful information on identity theft.

Part four looks at legal protection.  Chapter thirteen is an excellent
overview of laws regarding privacy, covering both the United States
and a number of other countries.  (While the rest of the book is
primarily directed at home users, this chapter alone may be worth the
price of the volume for security practitioners.  I am not aware of any
other text that deals with current laws as well.)  Advocacy groups are
listed in chapter fourteen, with self-regulation programs in fifteen.
Electronic voting is examined in chapter sixteen, concentrating on
Internet or online voting, although most of the studies cited dealt
with other forms of voting technology.  Chapter seventeen asks where
we are going, and meanders around so much that it is hard to say.
There is a vague wrapup in chapter eighteen.

A number of other authors have attempted to provide a book about
privacy for the masses.  Chris Peterson's attempt (cf. BKILIWMP.RVW)
was about privacy, but not really about the net.  David Brin's "The
Transparent Society" (cf. BKTRASOC.RVW), which gets a mention in the
current work, is fascinating, but doesn't really cover the present
situation.  "Privacy Defended" (cf. BKPRVDFN.RVW) is only nominally
about privacy.  Cady and McGregor have managed to stick pretty close
to the topic.  They present a good deal of useful information,
although the book would definitely benefit from an improved framework
and a general tightening up of the writing: with a trimming of
verbiage and a more focussed thread to the ideas the volume could be
lightened by a third or more.  However, for those who want some
guidance on the topic and don't want the academic classics like
"Privacy on the Line" (cf. BKPRIVLN.RVW) or "Technology and Privacy"
(cf. BKTCHPRV.RVW), this would be a good choice.

copyright Robert M. Slade, 2002   BKPYDPRV.RVW   20020924    or

REVIEW: "Privacy Defended", Gary Bahadur/William Chan/Chris Weber

<Rob Slade <>>
Mon, 9 Dec 2002 08:18:12 -0800

BKPRVDFN.RVW   20020923

"Privacy Defended", Gary Bahadur/William Chan/Chris Weber, 2002,
0-7897-2605-X, U$34.99/C$54.99/UK#25.50
%A   Gary Bahadur
%A   William Chan
%A   Chris Weber
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2002
%G   0-7897-2605-X
%I   Macmillan Computer Publishing (MCP)
%O   U$34.99/C$54.99/UK#25.50 800-858-7674
%P   699 p.
%T   "Privacy Defended: Protecting Yourself Online"

The introduction states that this is a privacy book for non- specialists,
but the write up seems to deal with computer intrusions or malware rather
than privacy issues.

Part one talks about life in the digital age.  Chapter one is an
uncompelling demonstration of how to obtain personal information online plus
more on intrusions and a lengthy outline of the rest of the chapters in the
book.  There is a slightly unfocused look at privacy laws and related issues
in chapter two.  Various government, industry, commercial, and other groups
and agencies (as well as a few programs) are described in chapter three.

Part two tells us that the enemy is out there.  Chapter four points out
legal threats to individual privacy that people may not know about, but not
in much detail.  Illegal threats, such as blackhats, intruders, identity
theft, and fraud (as well as those of questionable legality, like spyware)
are reviewed in chapter five.

Part three looks at protecting your privacy.  Chapter six lists lookup and
anonymity tools.  Cookies, spyware, some tools, and payment systems are
presented in chapter seven.  Spam, malware, and PGP are discussed in chapter
eight, along with miscellaneous other topics related to e-mail.

Part four advises on securing your PC.  Chapter nine reviews SSL (Secure
Sockets Layer) and digital certificates, but because cryptography has not
been explained the background discussion is poor.  (It is also sometimes
erroneous: for most people SSL does *not* authenticate the client.)  A
collection of random security factors and tools, by operating system, is
presented in chapter ten.  (The division by operating system is not always
clear: tools vary on different versions of Windows, and this is not made
clear.  There are also a number of errors: IPSec is an Internet protocol and
has nothing to do with the Microsoft Windows IP Security Policy.)  Screen
shots of configuration menus for personal firewalls make up most of chapter
eleven.  Chapter twelve deals with viruses (poorly), chat (chat systems seem
to be almost inherently insecure, so it's hard to understand why), and
cryptography (poorly and briefly).  Miscellaneous and random network topics
are covered in chapter thirteen.

Part five looks at other devices, in a single chapter, fourteen, covering
various gadgets, threats, and protections--not necessarily for those

Part six says what to do if your privacy is compromised.  Chapter fifteen
mentions kids, mostly rehashing previous material and adding content
restriction.  Intrusion detection and a review of other tools from prior
chapters finishes out in sixteen.

This book is not really about privacy, it is yet another attempt at a
general security guide.  "Protect Your Digital Privacy" (cf.  BKPYDPRV.RVW)
sticks much closer to the privacy topic.  "Inside Internet Security"
(cf. BKININSC.RVW) and even "Access Denied" (cf.  BKACCDEN.RVW) are better
at covering general security for non- professionals.

copyright Robert M. Slade, 2002   BKPRVDFN.RVW   20020923    or

Please report problems with the web pages to the maintainer