precedence: bulk
Subject: RISKS DIGEST 19.05

RISKS-LIST: Risks-Forum Digest  Monday 7 April 1997  Volume 19 : Issue 05

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
Social Insecurity (Simson L. Garfinkel)
Identity Theft (PGN)
More on the Guyana Telephone Scam (Dewi Daniels)
Woman trapped in tanning bed (Michael Mahr)
Time-change risks and DECnet (Ian Brogden)
Follow-up on Joseph Jett (Rich Mintz)
Re: Elections Canada and the Net (Mark Brader)
Not a forgery! (Vivek Sadananda Pai)
Re: The ghost of the Pentium FDIV bug (Allan Heydon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 7 Apr 1997 09:22:47 -0700
From: "Simson L. Garfinkel"
Subject: Social Insecurity

USA Today, 07 Apr 1997 [Reprinted by permission of the author.]

Few key bits of info open Social Security records
By Simson L. Garfinkel

The Social Security Administration, trying to speed service and cut costs by using the Internet, inadvertently has compromised the financial privacy of tens of millions of Americans.

Social Security's month-old on-line service is handy for taxpayers looking for instant access to their financial records. But it also gives nosy neighbors, ex-spouses, prying relatives and just about anyone else the ability to view those same files if they have some very basic information.

What could they see? How much someone earned every year, going back to 1951. How much someone will get in Social Security benefits after retirement. How much their families would get now if they died.

Nearly 28,000 people requested the free information on-line in March at http://www.ssa.gov.

"As soon as crooks start exploiting this service to get other people's information, Social Security is going to have a real problem on its hands," warns Evan Hendricks, chairman of the U.S. Privacy Council, a Washington D.C.-based federation of privacy activists.

As use of the Internet expands, its lure of convenience is breaking promises of privacy. And as on-line exchanges become as accepted as faxes or automatic teller machines, critics say, the drive to provide new services will continue to outpace appropriate restraints.

In this instance, people familiar with the new Social Security system say, there is danger for abuse from many directions: a legal adversary, an employer seeking to learn about an employee's outside income, an ex-spouse contemplating adjustments in support.

"I like to see this sort of easy access to your own personal information," Hendricks says, "but we need something to discourage the wolves."

Social Security officials don't see a problem. "We have confidence that in the huge majority of cases, the people requesting these things are the right people," says John Sabo, the Social Security Administration's director of the Electronic Services Staff.

Last year, the Social Security Administration mailed some 4 million financial reports to taxpayers at a cost of $5.23 each, Sabo says. Delivering the same report over the Internet costs a fraction of a penny.

'Social Security numbers are easy' to get

But it's virtually impossible to know if the on-line version of the financial reports, called PEBES - Personal Earnings and Benefit Estimate Statement - is being abused. It's also just about impossible to track down an abuser.

The key to opening PEBES: a Social Security number, mother's maiden name and state in which a person was born. That information is not exactly a state secret.

"Social security numbers are easy" to get, says Beth Givens, manager of the Privacy Rights Clearinghouse in San Diego.

Information vendors used by banks, credit agencies and private detectives can deliver a Social Security Number for a small fee. They also frequently are known by co-workers or spouses. And driver's license numbers in many states are the same as Social Security numbers.

A mother's maiden name and place of birth can show up in court papers, marriage licenses or divorce decrees. "Many states have a vital statistics department. You could get it that way. These documents are public record," she says.

Mark Welch, an engineer at Netscape Communications in California, makers of popular Internet software, says he's disturbed to see the information so readily available.

"I was just thinking of all the ways that people could misuse this information," Welch says. "A potential employer could use this to determine my salary history. My co-workers could use this to determine how much I was making relative to them. My landlord could use this report to decide if I'm making enough money to be able to rent an apartment. I could make a decision on whether or not to sue someone based on how much money I thought they had.

"Private investigators would love this kind of information."

"It would be a tremendous asset to people who know how to obtain this information," says Paddy Calabrese, owner of Inter-tel Detective Agency in Seattle. "If somebody calls me up and says they want to know somebody's income, I just pop into this thing, I charge them $2,000 and it costs me nothing."

Where are the penalties for snooping?

There are supposed to be penalties for snooping. A warning appears when someone enters the PEBES website: "I certify that I am asking for information about my own Social Security record. I understand that if I deliberately request information under false pretenses, I may be guilty of a federal crime and could be fined and/or imprisoned."

The warning is nearly identical to banners used on many government agency websites, permitting those entering wrongly to be prosecuted under the Computer Security Act. Prosecutions are exceedingly rare, in part because it is difficult to trace an on-line user, and there is little deterrent to outweigh great potential interest.

Officials say they have no evidence that anyone has wrongly accessed a PEBES file. But they probably wouldn't know. With libraries, schools and even coffee shops now giving access to the Internet - as well as access available worldwide - it would be practically impossible to track down a person illegally requesting files.

Still, not all privacy advocates are disturbed by PEBES. Marc Rotenberg, director of the Electronic Privacy Information Center, says the ability of people to easily obtain the information outweighs concerns about the few who abuse it.

"Promoting first-party access to personal information is often times as important as . . . restricting access," says Rotenberg. "By making these systems more transparent, the government gives individuals greater control over information that has an important impact on retirement planning. I'd like to see more agencies set up these services, though I'd draw a line at tax records and medical information."

Other organizations that hold sensitive financial information on Americans have decided against putting their files on the Internet - at least for now.

One of the problems in trying to make PEBES more secure is that the current state of technology and government restrictions on the use of encryption, or data scrambling, make it difficult to make the information any tougher to get at.

"Ideally, we would prefer if we could authenticate people through some sort of digital identity," says Bruce Carter, who runs the website for the Social Security Administration. "But there just isn't the infrastructure available for that yet."

SSA says complaints are of too tight security

Here's how a computer user can access PEBES: An Internet user goes to the Social Security Administration's website, clicks a button labeled "PEBES," wades through two pages of warnings and then responds to queries - full name, address, phone number, Social Security Number, mother's maiden name and state of birth.

After the information is entered, the user clicks a button on the computer's screen and views the taxpayer's entire financial history - how much has been paid into Social Security, how much into Medicare, expected benefits, yearly income. The Internet user then can print the information or request that the report be sent through the mail.

Carter says that while the Social Security Administration has received some complaints about the privacy of the system, most of the complaints received have been that the security is too good: roughly 30% of the people who have attempted to view their reports failed because the information they provided did not exactly match the spelling stored in government computers. After eight failed attempts to view a report, the system locks out the user for 24 hours.

Eight attempts is far too many, says Hendricks of the Privacy Council. "I think that this is really a good case of three strikes and you're out," he says. "When you step back, you see that the Social Security Administration has not thought through the privacy and security implications of this."

By Simson L. Garfinkel, Special for USA TODAY
http://www.packet.com/garfinkel

[Lo and behold, someone sent to RISKS a copyrighted Associated Press item lifted directly from Simson's USA Today column -- except that the AP apparently never bothered to mention the author's name! Many thanks to Simson for springing this column for RISKS readers. I presume its primary *USA Today* copyright status precludes its unrestricted redistribution, despite the stated RISKS copyright policy of free reuse.
This might be an exception to the RISKS policy. However, if you do want to forward this around for other than noncommercial reuse, you might check first with SimsonG@vineyard.net. PGN]

------------------------------

Date: Mon, 7 Apr 97 17:23:19 PDT
From: "Peter G. Neumann"
Subject: Identity Theft

It is not news to long-time RISKS readers, but Identity Theft is here with a vengeance. Today's *San Francisco Chronicle* (7 Apr 1997) has a front-page article by Ramon G. McLeod entitled "New Thieves Prey on Your Very Name; Identity bandits can wreak credit havoc". The article includes the case of Kathryn Rambo of San Jose CA. Her identity was stolen (perhaps an insider job?), resulting in tens of thousands of dollars in debt and ruined credit ratings. The masquerader acquired a $35,000 sports utility vehicle, a $3,000 loan, several new credit-card accounts, and a rented apartment -- all in Rambo's name. Months later, she is still trying to clear her name. In this case, a primary suspect and alleged accomplice have been apprehended -- although that is not the usual outcome.

In another case, Caryl Fuller's purse was stolen, and the thief opened up and maxed out three credit cards despite having a face that obviously did not match Fuller's picture. McLeod's article also notes a 1996 ring of methamphetamine addicts whose dumpster diving and mail interception resulted in their stealing at least $700,000 in cash and credit from San Francisco residents.

The article is an important item for RISKS readers, including tips on how to protect yourself (and your SSN, credit information, etc); phone numbers for Equifax (800-685-1111), Experian (800-392-1122; formerly TRW), and Trans Union (800-851-2674) to check your credit ratings; discussion that Identity Theft is not illegal in California and that it makes a low-risk high-gain target. In general, even if you do everything you can to prevent such occurrences, it may not be enough. But clearing your name is perhaps the hardest part.

The full article is on the Chron's Website.

[Needless to say, there are many past cases of Identity Theft in RISKS. If you are a new reader, a bunch of them are summarized in RISKS-18.91.]

------------------------------

Date: Sun, 06 Apr 1997 16:24:11 +0100
From: dewi@cableol.co.uk (Dewi Daniels)
Subject: More on the Guyana Telephone Scam (Re: RISKS-18.90)

Thank you all for your overwhelming response to my previous posting about calls to Guyana that had appeared on my telephone bill. I had not anticipated such a large number of helpful responses. I have tried to respond to each of you individually, but I still have a backlog to deal with, so I apologise if you have not yet heard from me.

CableTel has carried out an investigation, and concluded that our friends must have made the calls. We utterly refute this allegation. CableTel claim the telephone number is an "Internet modem" line to a "pornographic web site" in Guyana, even though the BT international operator still tells me that the number does not exist.

A number of people pointed out to me that similar instances have been reported on UK television by BBC1's "Watchdog" and HTV's "The Ferret". I have now seen one of the reports by "Watchdog", and have spoken to a reporter from "The Ferret". It seems that the problem is very widespread, given the response that the two programmes have received to their reports.

Since I have expertise in software safety and security, I feel some responsibility to pursue the matter on behalf of those victims who do not feel they can take on the telephone companies on equal terms. We have legal insurance through DAS Legal Insurance Services, and intend to take our claim to the small claims court.

It seems to me that our case is going to hinge around the ruling in the case of the Halifax Building Society vs John Munden that "when a case turns on computers or similar equipment then, as a matter of common justice, the defence must have access to test and see whether there is anything making the computers fallible". In the absence of such access, the court would not allow any evidence emanating from computers.

Your responses indicated an alarming number of ways in which a phone call could fraudulently be charged to our account, some of which include:

1. "Watchdog" claim that hackers have obtained access to manufacturer and supervisor passwords used by telephone exchanges. These passwords would presumably allow them to make telephone calls on any circuit, or alter the CDRs after the event. I did not attach much credence to this report at the time, but it seems more plausible now that CableTel claim the call was to a modem.

2. An insider would presumably have access to such passwords, and might be able to make fraudulent phone calls with little risk of detection. It would presumably be very hard to prove that such fraud had taken place.

3. Fraudulent calls could be made by attaching a handset to the distribution box in the street or the box on the outside wall of our house. CableTel have examined the boxes, and say they found no evidence of tampering. I don't know whether this eliminates the possibility of an insider opening the box with a key.

4. Miswiring of the telephone circuit could cause a handset to be connected to the wrong telephone line, causing calls to be charged to the wrong account. CableTel have checked the wiring.

5. Older-style cordless phones were extremely insecure, and calls could be made from another handset, whilst the proper handset was removed from the base station.

6. There has been at least one example of a Trojan Horse being used to redirect unsuspecting web surfers to a premium rate phone line (the Moldovan scam). However, whilst the hapless web surfer might be unaware that he was incurring expensive telephone charges, he most certainly would be aware that he was connected to a pornographic web site.

Thank you for your help. I will continue to keep you posted on developments.

Dewi Daniels
Guildford, England

------------------------------

Date: Sat, 5 Apr 1997 21:46:38 -0500
From: "Michael Mahr"
Subject: Woman trapped in tanning bed

According to a CNN report, a 60-year-old Michigan woman was trapped in her home tanning bed on 3 Apr 1997. Fortunately she carried a cordless phone into the bed so she was able to dial 911 for help. Police and firefighters had to dismantle the bed to save her.

Too bad she didn't bring a palmtop computer with her. She could have sent e-mails for help or even asked the "net" for tips on freeing herself. There might even be a web site just for this occasion...

Sometimes technologies seem to cancel one another out, and that may be all we can hope for.

[3 Apr date disambiguated in archive copy. PGN]

------------------------------

Date: Sat, 05 Apr 1997 08:57:22 -0600
From: Ian Brogden
Subject: Time-change risks and DECnet

Several years ago when working late enough to be at work when the clocks fell back, I noticed a very strange phenomenon with DECnet. Basically, DECnet stopped for an hour. To make matters somewhat more confusing, we could still use the system from our terminals (via LAT), but couldn't copy files or send data between systems. To further demonstrate the risks of working so late, it took us just about an hour to figure out what the problem was.

Apparently DECnet uses absolute times to decide when a link has timed out or an acknowledgement message needs to be sent. When the clocks were set back, none of these timers were going to go off for another hour.
Ian Brogden

------------------------------

Date: Sun, 6 Apr 97 21:06:27 -0500
From: Rich Mintz
Subject: Follow-up on Joseph Jett (Re: RISKS-16.08,09)

The front page of *The New York Times* Business section of Sunday, 6 April 1997, has a long and remarkably detailed feature article (by Saul Hansell, entitled "A Scoundrel or a Scapegoat") concerning Joseph Jett, the "former superstar bond trader at Kidder, Peabody & Company" who was fired from the company and stands accused of having engineered a scheme to create transactions that yielded phony profits on such a scale that the company's very survival was threatened.

Note the following: "$17 million of Mr. Jett's $28 million in apparent profit [in the first 10 months of 1992] was not from legitimate trades but solely from a glitch in the way its computer system processed the stripping and reconstituting of bonds."

Jett's "angle" was to make money off the minor price differential between regular government bonds and what are called "zero coupon bonds," which (according to the article) are created by taking a regular bond (which involves a principal payment and, say, 60 semi-annual interest payments) and "stripping" it into its parts (61 zero-coupon bonds, in this case). "If demand is higher for [zero-coupon bonds] than for regular Government bonds, a trader can buy a bond, then have the [Federal Reserve] strip it and sell the pieces for more." Alternatively, if demand is higher for regular bonds, a trader can buy up the pieces and "reconstitute" them into the original bond, which sells for more.

But the computer system Jett was using could handle one of these stripping or reconstituting transactions only as a _pair_ of transactions: a sale (of the 61 pieces, for instance) and then a purchase (of the reconstituted bond). The computer system allowed the sale-purchase transaction to be settled up to five days in the future, because the postponement of settlement is meaningful in the case of many ordinary securities transactions. In this case, though, it isn't, because zero-coupon bonds by definition (because they represent the accrual of interest over time) are more valuable tomorrow than they are today.

When Jett entered a reconstitution into the system, "the computer would immediately calculate the transaction as being profitable. That was an error, and it came about because [the pieces] could be bought in the open market on that day for less than they were scheduled to be sold for when the transaction settled -- after interest had a chance to accrue. In a reconstitution scheduled to be settled in five days, for example, the difference between the two prices was equal to five days of interest. The next day, the computer would record a profit...equal to only four days of interest." By settlement day, the "profit" would have disappeared.

The question of Jett's guilt (a ruling from the U.S. Securities & Exchange Commission is pending) is essentially irrelevant to this forum, but the RISKS aren't; they include:

- When adapting a software system to new uses, assuming those new uses are exactly analogous to existing uses when in fact they are different in some aspect which turns out to be material.

- Being too quick to believe what the computer tells you ("it says this is a profitable transaction, and the computer doesn't lie" -- some of Jett's associates apparently believe his inexperience might have made him credulous).

Richard Mintz (mintz@netresponse.com)
Arlington, Virginia USA

------------------------------

Date: Mon, 7 Apr 97 04:04:12 EDT
From: msb@sq.com (Mark Brader)
Subject: Re: Elections Canada and the Net (Kabay, RISKS-18.95)

Mich Kabay writes:

> In the *Globe&Mail*, 27 Mar 1997, p. A6, their Applied Science Reporter
> tells another story of how governments are fearful of uncontrolled human
> communications.

Oh. It looked to me like another story of how governments were slow to take account of the fact that the Net is subject to existing laws.

> ... Some background: Canada, like the US and Russia, is so wide that
> many people in the Western areas must vote after vote-counting has begun in
> Eastern regions. Election officials have long been concerned about the
> effects of releasing late public-opinion polls and also preliminary
> vote-counts from the East ... [The Globe article, by Mary Gooderham, says]
> > Officials have decided that the Internet will face the same rules as other
> > news media when it comes to disseminating public opinion polls within 48
> > hours of election day and releasing vote results early on election night.

It is bizarre that they had to decide this now. As Mich points out himself,

> * The Canada Elections Act forbids premature "publishing" voting results by
> any means.

Publishing means making public. So the law applies to Usenet or WWW sites just as much as to print or broadcast media.

> * Professor John Courtney (political science, University of Saskatchewan)
> raised the question of whether the Office would try to forbid electronic
> mail from residents of the east to residents of the west.

But point-to-point communications are not publishing. Phone calls are not prohibited, so the law cannot affect e-mail either. Individuals who want the information so much that they will "willingly seek it out" themselves are free to do so.

> I expect this sort of nonsense from authoritarians in the PRC, Burma, and
> so on; it's distressing to see people in Canada uttering such rubbish.

It's distressing to see someone fail to realize that an election where people in the west can have extra information when they vote is unfair. (The interesting part is that it's mostly the people in the *west* who have complained, when rationally they're the ones with the advantage.)

> The fundamental issue is ... whether a government has any business at
> all controlling what information individuals willingly seek out.

The fundamental issue is how to hold an election where all electors are on an equal footing, in a world where the Sun shines on different places at different times.

And the weirdest part of this whole exchange is that the election law WAS CHANGED in December to eliminate a large part of the issue in the first place, and yet nothing was said about that. The change to the law was to adjust the polling hours. Instead of 9 am to 8 pm local time in each of six time zones, the polls will be open 12 hours, opening and closing (am/pm) at:

   Time zone      Local time   Pacific Time
   Newfoundland    8:30         4:00
   Atlantic        8:30         4:30
   Eastern         9:30         6:30
   Central         8:30         6:30
   Mountain        7:30         6:30
   Pacific         7:00         7:00

Since the voters in the two easternmost time zones are numerically few, and since it takes about half an hour before the vote counts reach numbers that anything significant can be deduced from, the information available, by whatever channels, before the polls close in the Pacific time zone will now be very limited.

Mark Brader, msb@sq.com
SoftQuad Inc., Toronto

------------------------------

Date: Mon, 7 Apr 1997 11:27:25 -0500 (CDT)
From: Vivek Sadananda Pai
Subject: Not a forgery!

For about 6 months now, I've been receiving repeated mailings from a student at a large public university in New York about commercial parties that his company is promoting. I asked his postmaster to put a stop to it, and after that failed, I set up a procmail filter. Soon, he changed domains (but still within the same university in New York), and I saw the spam again. I asked his new postmaster to look into the matter, and his frequency of mailing actually _increased_.
I later received a note from the postmaster telling me that she and her co-workers determined that one of the notes I forwarded to her had been a forgery. No other information about how this determination was made was provided. I replied with the header and a header from a known un-forged note, and I also showed a clear pattern in the timings of all the mail he'd sent over the past 6 months (from my procmail log), and I asked how the determination of forgery had been made. No response.

I then personally mailed the user again immediately after he sent another mailing, and he replied immediately - indicating that he (a business student) was logged in around the time a new mailing was sent. I once again sent this to the postmaster and pointed out that it probably wasn't coincidence. No response.

To make a long story short, I then had a discussion with the user directly again, and got him to admit that he was still sending me mail. I forwarded this info to the postmaster, asking once again how they had (clearly incorrectly) determined that the previous note was a forgery. No response.

The risks? People who are supposed to be administering systems and acting as postmasters somehow incorrectly determined that a real letter was a forgery, even though there was a fair bit of circumstantial evidence to the contrary. If they couldn't figure out when a relatively clueless _non-malicious_ user was logged in, what chance do they have of tracking down a real break-in? Of course, it's also annoying that they never divulged how they determined the mailing was a forgery - the user never denied (to me) that he was sending the mailings, so it seems that they never even bothered asking the user in question...

-Vivek

------------------------------

Date: Mon, 07 Apr 97 16:53:49 -0700
From: heydon@pa.dec.com (Allan Heydon)
Subject: Re: The ghost of the Pentium FDIV bug (Solomon, RISKS-19.04)

> I pressed the recalculate key (F9) to no avail.

This behavior is easily explained. The "recalculate" key behaves incrementally: it causes only those cells that depend on at least one cell that has been invalidated since the last update to be recomputed. The cell in question depends on no other cells, so unless its contents are edited, it will never be recalculated. That explains why "retyp[ing] the formulas over the originals" corrected the problem.

Perhaps not unreasonably, the authors of Excel assumed that the same cell contents would always produce the same results. In cases where this assumption proves wrong, a variant of the recalculate function that recalculates *all* cells would be useful.

Allan Heydon (heydon@pa.dec.com)

------------------------------

Date: 1 Apr 1997 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively,
 (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE)
 [with net address if different from FROM:] or INFO [for unabridged version
 of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites,
 .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also
 obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues. *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com
 login anonymous
 [YourNetAddress]
 cd risks
 [volume-summary issues are in risks-*.00]
 [back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 The ftp.sri.com site risks directory also contains the most recent
 PostScript copy of PGN's comprehensive historical summary of one liners:
 get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.05
************************
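Editor's added example, not part of this digest and not SSA code: a small Python model of the PEBES gate described in Simson Garfinkel's item above (three shared secrets, a failure counter, a 24-hour lockout after eight failures), used to measure how much the lockout actually slows someone who already holds a target's SSN and mother's maiden name and has only the state of birth left to guess. The sample record, the SSN and the candidate list (the 50 states plus DC) are constructed for the demonstration; the model also assumes the failure counter is kept per SSN and restarts when a lockout begins, which the article does not specify.

```python
"""Model of a knowledge-based gate with a failure counter and a timed lockout.

Added example (editor's, not SSA code). The three secrets and the
8-failure / 24-hour lockout come from the article; the per-SSN counter
that restarts when a lockout begins is an assumption, as are the sample
record and the candidate list of states.
"""
from dataclasses import dataclass, field

DAY = 24 * 60 * 60  # lockout length in seconds, per the article

# Constructed sample record: SSN -> (mother's maiden name, state of birth).
RECORDS = {"123-45-6789": ("Smith", "WY")}

# Assumed candidate set for "state of birth": the 50 states plus DC (51 values).
STATES = [
    "AL", "AK", "AZ", "AR", "CA", "CO", "CT", "DE", "DC", "FL", "GA", "HI",
    "ID", "IL", "IN", "IA", "KS", "KY", "LA", "ME", "MD", "MA", "MI", "MN",
    "MS", "MO", "MT", "NE", "NV", "NH", "NJ", "NM", "NY", "NC", "ND", "OH",
    "OK", "OR", "PA", "RI", "SC", "SD", "TN", "TX", "UT", "VT", "VA", "WA",
    "WV", "WI", "WY",
]


@dataclass
class PebesGate:
    """Releases a report when SSN, maiden name and state of birth all match."""
    records: dict
    max_failures: int = 8          # article: locked out after eight failed attempts
    lockout_seconds: int = DAY     # article: locked out for 24 hours
    failures: dict = field(default_factory=dict)      # SSN -> failures since last lockout
    locked_until: dict = field(default_factory=dict)  # SSN -> time the lockout ends

    def request(self, ssn, maiden_name, state, now):
        """Return 'ok', 'denied' or 'locked' for an attempt made at time `now`."""
        if now < self.locked_until.get(ssn, 0):
            return "locked"
        if self.records.get(ssn) == (maiden_name, state):
            self.failures[ssn] = 0
            return "ok"
        count = self.failures.get(ssn, 0) + 1
        if count >= self.max_failures:
            self.locked_until[ssn] = now + self.lockout_seconds
            count = 0              # assumption: the counter restarts after a lockout
        self.failures[ssn] = count
        return "denied"


def enumerate_state(gate, ssn, maiden_name, candidates, start=0):
    """Attacker who knows the SSN and maiden name tries each candidate state,
    waiting out every lockout. Returns (state found or None, days elapsed, attempts)."""
    now = start
    attempts = 0
    for state in candidates:
        while True:
            result = gate.request(ssn, maiden_name, state, now)
            if result != "locked":
                break
            now = gate.locked_until[ssn]   # sleep until the lockout expires, then retry
        attempts += 1
        if result == "ok":
            return state, (now - start) / DAY, attempts
    return None, (now - start) / DAY, attempts


def worst_case_days(max_failures, n_candidates):
    """Closed form for the simulation above: the last candidate is reached after
    (n_candidates - 1) // max_failures full lockouts, i.e. that many days of waiting."""
    return (n_candidates - 1) // max_failures


if __name__ == "__main__":
    for threshold in (8, 3):       # the article's setting and Hendricks's "three strikes"
        gate = PebesGate(dict(RECORDS), max_failures=threshold)
        state, days, attempts = enumerate_state(gate, "123-45-6789", "Smith", STATES)
        print(f"{threshold} attempts per day: state {state} found after "
              f"{attempts} attempts and {days:.0f} days of lockouts")
```

With the article's eight attempts per day the whole candidate list is exhausted in under a week of waiting; with the three-strikes rule Hendricks proposes it takes about sixteen days. The threshold changes the attacker's cost only linearly, so for a secret with roughly fifty possible values neither setting is a real barrier once the other two secrets are known from public records, which is why the article ends on Bruce Carter's point about needing a different authenticator rather than a tighter counter.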