The RISKS Digest
Volume 21 Issue 7

Saturday, 30th September 2000

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


California DMV fosters identity theft?
Single points of failure and backup plans
William P.N. Smith
Control of Olympics news coverage
Tighter security poses a security threat
Ray Randolph
Cochise County election computer errors
Nicky L. Sizemore
The risk of identity theft
Amrith Kumar
De Fault is in Default
Charlie Shub
Re: AI strikes again
Perry Bowker
Zygo Blaxell
REVIEW: "CyberShock", Winn Schwartau
Rob Slade
Info on RISKS (comp.risks)

California DMV fosters identity theft?

<"Peter G. Neumann" <>>
Mon, 25 Sep 2000 14:08:03 PDT

An AP item (seen by me on the front page of the *Palo Alto Daily News*, 25
Sep 2000) says that the California Department of Motor Vehicles issued over
100,000 fraudulent drivers' licenses in 1999, and typically makes little or
no effort to check the validity of the 900,000 duplicate license requests it
receives each year.  Examples include duplicate licenses issued to people of
the wrong race or the wrong gender, and in one case bogus duplicates of a
particular individual's license to 18 different people.  The driver's
license is called a ``breeding document'' for identity thieves, leading to
financial fraud, ruined credit, purchases of firearms by felons, and other
misuses.  DMV officials claim that implementing an on-line photo-retrieval
system would cost $3 million over the next two years.  This seems like a
useful system — especially if it were used pervasively.

Single points of failure and backup plans

<"William P.N. Smith" <>>
Mon, 25 Sep 2000 17:00:37 -0400

Last night our cable modem (currently AT&T Roadrunner, name subject to
change daily 8*) stopped working, and the constant busy signals from
their tech support line led me to believe it wasn't merely Yet Another
Outage (TM).

Strangely, my cable modem lights were all doing the right thing, and
when I checked with my neighbors, their cable modems were working fine.
After a couple of hours of redialing I finally got a message saying that
there were unspecified problems that they were working on (strange,
usually they list the affected towns) and after some time on hold I
finally talked to a tech support rep who offered to help "if I can".

Turns out the DHCP server for the entire northeast went down, and as
people's leases on their IP addresses expired, they were dropped off the
network.  I asked about the secondary or backup DHCP servers, but
apparently there was so much demand due to expired leases that the
backup server couldn't respond quickly enough, and was getting
overloaded with requests.


Even single users ought to have a backup Internet connection (dialup ISP
worked for me, but not my wife, as she has no modem...)

You know you're in trouble when your customers have your tech support in
their speed dial.  Customers know they are in trouble when they get busy
signals on your tech support line.

Serious system-wide failures might leave some systems operating normally
for a while.

Your backups might have to be more powerful than your primary servers,
or alternately customer growth might mask server deficiencies.

William Smith
ComputerSmiths Consulting, Inc.

Control of Olympics news coverage

<"NewsScan" <>>
Mon, 25 Sep 2000 09:56:04 -0700

Concerned that the Internet will compete with TV coverage and cut into its
major source of revenue, the organizers of the 27th Olympics Games are
taking a hard line about what words and images can be communicated by
Internet about the sporting events now going on in Sydney, Australia. They
have forbidden athlete diaries and online chats, and all streaming video
(even of trial events that took place months ago. Referring to a recent
lawsuit in Virginia supporting the Olympics Committee's efforts to restrict
Internet coverage, constitutional lawyer Floyd Abrams thinks it's ironic
that "the increased availability of a means of communication leads to a
ruling seeking to assure that less is said." (*The New York Times*, 25 Sep
2000; NewsScan
Daily, 25 September 2000)

Tighter security poses a security threat

<"Ray Randolph" <>>
Mon, 25 Sep 2000 20:35:49 -0600

Today's *Christian Science Monitor* online edition discusses a newly
released report, the *Baker-Hamilton Report*, prepared at the request of the
DOE.  The report says in essence that scientists at Los Alamos National
Weapons Labs have become afraid of reporting or admitting even minor
security breaches as a result of the threat of an aggressive prosecution and
in the wake of the Wen Ho Lee situation.  Who can blame them?  The RISKS
should be fairly obvious.  The entire article can be accessed at:

A quick search for the "Baker-Hamilton report" on the DOE web site didn't
turn up anything, but I would imagine that the report itself would make for
fairly interesting reading for any RISK follower.

  [The Government gave a terrible example of *when holey*
  prosecutions can run amok (holey, i.e., having holes).
  Perhaps the "situation" (as Ray calls it) will become known as an
  *Un-Ho-Lee Mess* (unholy, i.e., of questionable authority).  PGN]

Cochise County election computer errors

<"Nicky L. Sizemore" <>>
Thu, 28 Sep 2000 20:31:41 -0700

Cochise county, in the southwest corner of Arizona, had a primary and
special election Tuesday, 12 September.  In it they used a new computer
tallying system obtained by the state for rural ballot counting.

Our local paper, *The Sierra Vista Herald*, reports that results from the
elections were delayed due to software errors in the new system.  According
to the paper, the major errors centered around counting as major party votes
those cast in nonpartisan (non-primary) positions and overcounting
third-party, e.g., Libertarian, votes.

In addition to the usual issues of inadequate verification, validation, and
test (VV&T), this was the first election here in which everyone could vote
in a primary.  Seems rash to implement a new voting protocol and a new
ballot tally system in the same election.

Votes are being recounted using the old system, which was kept as a backup
provision.  At least they got that right.

	Reporting on story from Sierra Vista Herald:

The risk of identity theft

<Amrith Kumar <>>
Fri, 29 Sep 2000 16:18:02 -0400 (EDT)

In October 1998, the company that I worked for (let's call it A Inc) was
acquired by another company (let's call it B Inc).

"A Inc" issued me a corporate credit card (from Amex) a long time before
that. Around January 1999, B Inc decided that they needed to issue me a new
corporate credit card ...

But, "B Inc" also wanted to spin of a portion of the acquired company and in
February 1999, they created a spinoff company (let's call it C Inc).

In all this confusion, I was left with an Amex Credit card from A Inc which
expired in February, I got a new Amex Credit card for C Inc in February and
I was fat dumb and happy. I never quite got the Amex card from B Inc, maybe
they never had it mailed out or something weird happened there; or maybe it
was just lost in the mail.

But, B Inc went ahead and told our in-house Amex Travel Agency to change my
travel profile to use the new credit card that they had issued for me.

In January 2000, I moved and informed Amex of my address change in regards
to the card from C Inc. Then in February 2000, I made a purchase through the
in-house Amex Travel Agency for a ticket for business travel. The way in
which A Inc and C Inc handle business travel tickets is that Amex directly
charges the corporation and no charge appears on my credit card bill.

Today, September 29th, I get a call from a collection agency indicating that
an Amex card in my name, with my SSN, my correct name and my old address was
delinquent and the charges were airline tickets issued in February.

After much investigation, I gathered all the information I presented above
but here's where it begins to get interesting.

I have the Amex Credit Aware reporting service. That, when I started getting
it in March 2000, did not list the personal Amex card that I had, the card
that they were charging $5.99 or whatever ...

Second, it did not list my corporate card (the one from A Inc or C Inc). It
surely did not list the one from B Inc.

As part of all this investigation, I called Amex Fraud Investigation and
they took my SSN and they showed all three cards.

I called Experian and because initially it was being handled as a fraud,
they actually took my SSN and said they showed three Amex cards on my SSN.
They took SSN, last name, first name, address and all that to verify that I
was in fact the person whose records they were looking at and then they
confirmed the last 5 digits of all three accounts, my personal one, my
corporate one from C Inc and the corporate one from B Inc

What caused this whole mixup ?

1. Your SSN is not your sole identifier for purposes of Credit, name is also

2. Amex (for my personal card) had my last name and first name interchanged
which is why the card would not show up on the Credit Aware Service.

3. Corporate Cards don't appear to show up on there for some reason, not
sure if it's the same as 2.

4. An employer can / may apply for a card in your name, maybe without your
knowledge. They reveal your name, SSN and all that nice stuff to someone.

5. When companies get bought and sold, strange things happen to these cards
and the information there.

B Inc was not paying me any salary but they had an active card in my name. I
called them and told the folks there in their Finance office and sure enough
they had my card on file ...

6. If you have no balance on a card, you sometimes get no bill. In my case,
for the four months in 1998/1999, I had no balance on the card because I
never knew I had it. So I never got a statement. People move, addresses
change ... the bills suddenly appear. I used to live in an apt and mail for
previous tenants is regular; it usually goes to the trash can.

and finally

7. I had two Amex cards that I knew of, both had valid addresses. Amex could
not find me or figure out that the address was wrong when the card went
deliquent. I don't believe they even contacted the company that I was
supposed to work for (it was a corporate card). And yet, a collection agency
could find me.

8. A credit monitoring service is somewhat questionable.

What if any is the real solution to this problem?  Thankfully, my employer
readily agreed to help out, the amount in question was about $800, and I paid
and will get reimbursed etc.  But what's the real solution?

Amrith Kumar <>

De Fault is in Default

<Charlie Shub <>>
Fri, 29 Sep 2000 10:18:44 -0600 (MDT)

My trash company bills quarterly.  I would rather pay every six months.
This June, I got the $36.00 bill and paid the $72.00 by check.  Last week, I
got a bill for $36.00 for the final quarter of this year.  Apparently, (if I
understood the customer-service person correctly) they use a piece of
billing software in which the amount paid defaults to the amount owed once
the account number is entered, and the data-entry person must manually
override the amount if a customer remits any amount other than the default.

Fortunately, my record showed a history of paying semiannual amounts every
six months, so the rep fixed it on the spot, taking my word that the check
had cleared in the larger amount.  His comment was to the effect that "I
know how his software works, and I'm almost certain of what happened, so
I'll take your word for it."

charlie shub   University of Colorado at ColSpgs  -or-  (719) 262-3492

  [It is unusual that Pride goeth before Default.  PGN]

Re: AI strikes again (Whitlock, RISKS-21.06)

<"Perry Bowker/Markham/IBM" <>>
Tue, 26 Sep 2000 20:36:40 -0400

I think this is unfair to the issuing bank. I also once received a call from
the same bank, because their computer detected that I was charging a few
things in Toronto, and I also seemed to be in Jamaica, running up several $K
in cash advances! Someone had obviously captured my card number and was
using it for all it was worth (with the apparent compliance of some Jamaican

Within minutes, the card was frozen, and I received a replacement by courier
within 24 hours. Otherwise, it would have been weeks before I even knew this
was happening, and likely many months to sort out the problem, and with a
high risk of cost to me. I think it was a pretty good trade-off.

If this bothers you, better to carry two different cards, just in case, and
be thankful someone is trying to protect your backside!

Perry Bowker, Toronto, Canada

  [It obviously works (or doesn't work) both ways.  PGN]

Re: AI strikes again (Whitlock, RISKS-21.06)

< (Zygo Blaxell)>
26 Sep 2000 13:55:25 -0400

Actually, this protocol can work reasonably well if you have a cell phone.
On two occasions, with two different banks (one of them was the CIBC), I've
been called almost immediately after making a large purchase and challenged
to recite various pieces of information from my credit application (doing
that with a cell phone has its own risks, of course, which can be mitigated
by phoning back using the merchant's phone).

I note that this protocol doesn't seem to stop the initial transaction from
being completed.  In both cases I was called some minutes after I had left
the store with my purchases.

REVIEW: "CyberShock", Winn Schwartau

<Rob Slade <>>
Mon, 25 Sep 2000 08:35:06 -0800

BKCBRSHK.RVW   20000625

"CyberShock", Winn Schwartau, 2000, 1-56025-246-4, U$24.95
%A   Winn Schwartau,
%C   Fourth Floor, 841 Broadway, New York, NY   10003
%D   2000
%G   1-56025-246-4
%I   Thunder's Mouth/Inter.Pact Press
%O   U$24.95 212-780-0380 fax: 813-393-6361
%P   470 p.
%T   "CyberShock: Surviving Hackers, Phreakers, Identity Thieves,
      Internet Terrorists and Weapons of Mass Disruption"

As some may know, Winn Schwartau and I do not see eye-to-eye on the emphasis
to be given to certain exhortations in alerting the public to matters of
computer security.  So when he informed me of his latest book, he noted that
I might like to do the usual hatchet job on it.  Unfortunately, I can't
fully comply.  While I may quibble with some aspects of his latest book,
overall it is a good overview of the existing computer security situation,
and would make a helpful introduction for new computer and Internet users.

Part one is an outline of hackers and hacking.  "The Great New Global
Society" appears to be (although erudite and readable it's not exactly
straightforward) a presentation of society as seriously messed up, and
hackers as curious and determined.  The results of a number of surveys of
computer penetration are described in "Whole Lotta Hacking Goin' On," with
unfortunately little space given to the design of the studies.  There are
some examples of Web site defacement and an ad for Linux in "CyberGraffiti."
(And it's, not  "Who Are the Hackers?" gives a
reasonable structure to the current security breaking population and
environment, although, as Schwartau notes, the game has become so big and
ill-defined that one might be forgiven for coming out of this chapter
thinking that anyone could be a hacker and a hacker could be anyone.  Some
stories from the annual DefCon (and the inadequacies of the Plaza Hotel) are
retailed in "CyberChrist at the Hacker Con."  "Hacktivism" lists a few
examples of digital civil disobedience.  "An American Alien Hacks Through
Customs" is probably fair warning to customs agents that if you mess with
Schwartau at the border you are going to look really silly in his next book.

Part two looks into protecting you and yours.  "In Cyberspace You're Guilty
Until Proven Innocent" describes identity theft, and the ease and dangers
thereof.  (It also includes a rather odd section on Web privacy security.)
The chapter admits that there is not much you can do about identity theft.
It is also very US-centric: for example, the Canadian SIN (Social Insurance
Number), as opposed to the US SSN (Social Security Number), is very seldom
used for commercial transactions.  The advice in "Protecting Your Kids and
Family From Hackers" is not an easy or quick fix, but it is (with the
notable exception of the piece on cyberstalking) realistic and well written.
So is the counsel in "Spam."  "Scam Spam" offers very useful and relevant
guidance on dealing with fraud on the net.

Part three outlines the techniques of hacking itself.  "Getting Anonymous"
is a quick overview of anonymizing services and spoofing.  Some of the
basics are skipped in "Password Hacking," but there is a nice introduction
to biometric techniques.  While not getting into the gritty details, there
is a quick lesson on eavesdropping on promiscuous networks in "Hack and
Sniff."  "Scanning, Breaking and Entering" lays out the information that
is--must be--available to anyone wanting to mount a network attack.  "War
Dialing" basically notes that phones are a means of access.  Leaving aside a
minor quibble with the definition of trojan horse software (like the Trojans
who "installed" the horse of their own destruction because they didn't know
what it contained, users generally install trojans because of a
misrepresentation of what the software does), most of "Trojan Hacking" only
describes Back Orifice.  There is some small degree of comfort for credit
card users, and some rather embarrassing points for credit card merchants,
in "Hacking for $."  While it waffles a little, "Viruses, Hoaxes, and Other
Animals" contains good advice and a reasonable picture of the current
situation.  "Crypto Hacking" is (absent an impossible IP address) a nice
history of cryptography, although it's a bit thin on details.
"Steganography" defines the term, but misses a few points on usage.  The
discussion of computer forensics in "Hacking for Evidence" is limited to
data recovery, but has some good points for users and companies.

Part four deals with destructive activities.  "Denial of Service" rather
overstates the point, since the term generally is restricted to operations
that inhibit use but do not harm hardware or data.  "Schwartau to Congress"
appears to be a minor aside.  The discussion of electromagnetic weaponry in
"Weapons of Mass Disruption" is fascinating, but does downplay a few
inconvenient laws of physics, such as inverse square distance relationships.

Part five analyses some tips for protecting yourself.  "Hiring Hackers"
examines both sides of the question.  The basics of intrusion detection is
outlined in "Catching Hackers."  There is a decent introduction to firewalls
in "Defensive Hacking," along with a pointer to simple automated penetration
testing.  "Corporate Anti-Hacking" presents a number of good points
(although if you follow all of them blindly you'll likely face mass
resignations). Deception is promoted in "Lying to Hackers is OK By Me."

Part six discusses law enforcement.  "Hacking and Law Enforcement" is rather
depressing, but reasonable.  The advice on striking back boils down to "be
careful" in "Corporate Vigilantism."  "Infrastructure Is Us" seems to be a
bit out of place, in that it presents no protective measures: only a
warning.  Similarly, the material on infowar is alarming but not really
illuminating in "Something Other Than War."

Part seven looks to the future.  "Luddite's Lament" expresses frustration
with phones.  "The Future of Microsoft" is one of the standard jokes about
Microsoft's fight with the US federal government.  Digital manipulation of
propaganda is mentioned in "Messing With the Collective Mind." "Extreme
Hacking" gives short takes on some new technologies.  "The Toaster Rebellion
of '08" is one of the standard scifi plots.

While there is a heavy emphasis on the sensational, overall this book does
provide the security novice with a fairly reliable picture of the current
security environment.  Possibilities are generally presented as such, and
the analysis of relative dangers is usually good.  A number of useful tips
are given that can help home and small business computer users be more
secure in their computer and network use.  Security specialists will find
little that is new here, but that is not the target audience for the book.
I have frequently been asked for a recommendation for a general security
introduction directed at the non-technical computer and Internet user, and,
for all its flaws, I think this work may be the closest I've seen.

copyright Robert M. Slade, 2000   BKCBRSHK.RVW   20000625    or

Please report problems with the web pages to the maintainer