Subject: RISKS DIGEST 19.20

RISKS-LIST: Risks-Forum Digest  Saturday 31 May 1997  Volume 19 : Issue 20

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
Spam and yeggs? Brake fast, or be devoured! (PGN)
KGB infiltrates MI5 on the hotline (Mich Kabay)
Privacy and car navigational systems (Don Norman)
Prison guards leak sensitive computer data (David Kennedy)
Runaway train-ticket vending machine (Tim Pietzcker)
Lost Pond: Jurassic Duck (Mich Kabay)
Risks of caring for an electronic pet (Mich Kabay)
Florida "Computer Gang" Members Arrested (David Kennedy)
Grappling with the risks of ATMs and heavy machinery (John Oram)
Re: How Secure Is AT&T's WorldNet Security? (Steve Bellovin)
Microsoft and Privacy ("cooler" via Mich Kabay) [addendum in archive copy]
Re: Computer fraud in subscribing to telephone service? (Geoff Kuenning)
Re: Postal Service change of address (Lauren Weinstein)
Re: General relativity vs special relativity (Frederick G.M. Roeber)
Call for Papers -- IFIP WG 11.3 Working Conf on Database Security (Sushil Jajodia)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 31 May 1997 13:20:13 -0700
From: "Peter G. Neumann"
Subject: Spam and yeggs? Brake fast, or be devoured!

In ordinary usage, a yegg is a safecracker or robber. Electronic equivalents of yeggs are using the Internet and its service providers for undesired spams. Some are also victimizing people as well -- through scams, but sometimes with major inconveniences. Here is an example of the latter, exploiting the trick of faking the FROM: address to avoid counterspams and threats.

Tracy LeQuey Parker was apparently victimized by C.N. Enterprises (Craig Nowak) in San Diego. C.N. used her FROM: address and her ISP (Zilker Internet Park) to send out a massive e-mail promotion. The message offered information about free cash grants for college students for $19.95. The clinker is that she and her ISP received all the hard bounces (due to the address list containing lots of invalid addresses) and temporary bounces (due to system or network unavailability). (This happens to me every time I send out an issue of RISKS; I once had over 400 bounces in a day! But that's small potatoes compared with what happened to Parker and Zilker.)

In response, a lawsuit has been filed against C.N. by Parker, Zilker, the Texas Internet Service Providers' Association, and the Austin TX chapter of the Electronic Frontier Foundation. [Source: Associated Press item in the *Palo Alto Daily News*, 30 May 1997.] We hope they bring home the bacon.

------------------------------

Date: Thu, 29 May 1997 22:00:16 -0400
From: "Mich Kabay [NCSA]"
Subject: KGB infiltrates MI5 on the hotline

> KGB infiltrates MI5 on the hotline (Reuters World Report, 25 May 1997)
> From Executive News Service via CompuServe ("Odds and Ends")
> LONDON - Would-be James Bonds bidding to join Britain's secret service got
> a shock when they phoned the job application line -- Russia's KGB said it
> had taken over.

Key points:

* After MI5 placed ads for recruits in Britain, 20,000 hopeful security agents called in only to hear a bizarre message on the answering machine: "Hello my name is Colonel Blotch. I am calling on behalf of the KGB. We have taken over MI5 because they are not secret any more and they are a very [useless] organisation."

* MI5 investigating how the taped message was altered.

[MK comment: of course, with two-digit "security" codes on many answering machines allowing full control of the devices, tampering is no mystery.]

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA) http://www.ncsa.com

------------------------------

Date: Sat, 31 May 1997 13:08:18 -0700
From: Don Norman
Subject: Privacy and car navigational systems

Here is yet another inadvertent invasion of privacy, another inadvertent trail of activities:

I rented a car from Hertz and requested their in-car navigational system. I ended up in a Ford Taurus with the Hertz "NeverLost" system, made by Rockwell. Among its features is a history list of previously selected destinations. This is a useful feature, especially as during the several days of my trip, I had to return to previous locations. Note that the system allows you to specify destinations by street address or by name of business or scenic attraction. So my list included the street addresses of the house at which I stayed and the people with whom I visited, the names of the restaurants, the airport and the Hewlett-Packard group that I traveled to -- all of which were easy to select from the system's index.

Of course, the history list also had the locations of all the places the previous renters of the car had visited. Interesting; I even tried to figure out what sort of people they were from the places they had visited.

Yes, you can delete items from the history list, but only one item at a time. Moreover, this feature wasn't immediately obvious to me. I had to seek it out and then I had to experiment a bit to figure out how to use it. It's well designed and simple to use - just not immediately obvious.

Did I delete the information about my travels? Well, um, I meant to, but -- well, you know how it is. I meant to do it, but on the day of departure, I woke up early in the morning, rushed to the car, set the navigational system to the airport, and took off. I rushed through the traffic, rushed to the check-in lane, rushed to the airport terminal, rushed aboard the airplane, and then sat back and relaxed.
Only then did I think "damn, I forgot to erase my history list." I suspect that other travelers will have similar experiences.

What do I recommend? I have no brilliant suggestions. The history list is a valuable feature. The designers did put in a selective erasure feature that is pretty easy to use. Problem is, it was designed for the owner of the car, not for the rental car situation. The best I can recommend is that the system have a "forget all" function that the rental car maintenance people are trained to engage during the car servicing between rentals. Not a great solution, and one prone to errors of omission.

Do I care? Normally I would say no. I think we are overdoing many of the privacy concerns. Why would I care that the next driver of the car could see where I had gone? Well, it actually didn't take much thought to think of some reasons why I would care. A competing company might find out about my hot new, yet-still-secret product by noting which companies I had visited. Moreover, I have been told by a very reliable source that senior computer company executives are targeted by an international crime ring with standard prices for stealing their personal computers or briefcases (no, I am not making this up). My boss was told that he is on the list, and was even told how much his PC was worth. Am I on the list? I certainly could be. And the navigational system has the address of the house at which I stayed - and where I will stay again.

In many ways, this example is less serious than the trail we already leave with our cell phones and credit cards, but it differs in that ordinary citizens can get to it. In any event, it's useful to compile a complete list. So, add this item to your list of RISKS.

Don Norman, Hewlett-Packard Laboratories  dnorman@ucsd.edu  http://cogsci.ucsd.edu/~norman

------------------------------

Date: Fri, 30 May 1997 03:45:14 -0400
From: David Kennedy <76702.3557@compuserve.com>
Subject: Prison guards leak sensitive computer data

Courtesy of Reuters News via CompuServe's Executive News Service:

> Federal agents arrest 11 New York prison guards
> NEW YORK (Reuter, 22 May 1997) - Federal investigators Thursday arrested
> 11 guards assigned to the Metropolitan Detention Center in Brooklyn on
> charges of smuggling and supporting jailed mobsters, according to grand
> jury indictments. They were charged with smuggling drugs, liquor, food
> and other supplies into the jail and helping prisoners from the mob
> conduct meetings and search computer files for potential witnesses. The
> prisoners were also warned about searches.

:: One guard, Anthony Martinez, demanded US$800/wk for favors that included "the names of informants in their cases after checking through prison computers."

:: Max penalty--15 years and US$250K fines.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.

------------------------------

Date: Sat, 31 May 1997 12:49:32 +0200 (MET DST)
From: Tim Pietzcker
Subject: Runaway train-ticket vending machine

An interesting incident was reported in our local newspaper recently:

A young man wanted to buy a train ticket from Freiburg to Herbolzheim, a trip of about 30 miles. Since tickets for short journeys like this cannot be bought at the regular ticket stands but have to be purchased from a computerized ticket vending machine, he tried to do so. The machine took his money (about $10) and gave him a ticket that had several flaws:

- no destination was printed on the ticket
- the expiry date for the ticket was Dec 31st, 1969 (!)

The young man went to the ticket office to complain. However, the officials claimed that he had forged the ticket (since the computer never makes mistakes) and refused to give him a refund.
He tried to make clear to them that nobody would ever forge a ticket in such a stupid way, but to no avail. He gave up and tried to board the train anyway, but they would not let him and threatened to impose an extra fine upon him for travelling without a ticket. Since the young man's clothes were of a somewhat unclean appearance, he suspected that this explained a good deal of the officials' unfriendliness, a suspicion that was confirmed the next day when he returned in a suit and met the officials in a much friendlier attitude.

This story was reported in our newspaper. A few days later, several officials of other train stations wrote to the newspaper that they knew about this problem and had already reported it to their superiors.

It's the same risks again: Computers are never wrong, and if they are, the errors are not reported to other users. Also, you can expect to be discriminated against when improperly dressed.

Tim Pietzcker, University of Freiburg

------------------------------

Date: Wed, 28 May 1997 20:21:10 -0400
From: "Mich Kabay [NCSA]"
Subject: Lost Pond: Jurassic Duck

The news wires (via PointCast News on the Industries channel) report another Web site hacked:

> Hackers leave print on ``Lost World'' (Reuter, 28 May 1997)

The opening page for the Web site for the film ``The Lost World: Jurassic Park'' wasn't all it was quacked up to be after hackers got through with it Tuesday. In place of the film's trademark dinosaur logo was a profile of a prehistoric-looking duck, accompanied by the title ``The Lost Pond: Jurassic Duck.''

The report makes the following key points:

* Signed "hackers."

* Alan Sutton, Universal Studios vice president for distribution and marketing, said he thought the prank was amusing and done in a spirit of fun.

* Universal plans to improve their security.

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA) http://www.ncsa.com

------------------------------

Date: Thu, 29 May 1997 22:00:27 -0400
From: "Mich Kabay [NCSA]"
Subject: Risks of caring for an electronic pet

Via Executive News Service on CompuServe:

> CYBER PET `DEATHS' MAY LEAVE OWNERS NEEDING COUNSELLING
> PA News May 22, 1997 16:03:00
> Heartbroken Tamagotchi computer pet owners may need bereavement
> counselling to help them get over the "virtual" deaths of the little
> gizmos, experts said today. ... The egg-shaped "pets", which have an
> interactive screen, were invented for children not allowed real animals.
> Owners press buttons to feed, stroke and exercise the computer toys,
> which beep if they become "ill" - and "die" if neglected.

According to the article,

* Dr Daniel DeSouza, of Toronto, Canada, says the children may grieve over the "death" of these "pets."

* He has set up a support group on the Internet to help bereaved owners.

* Dr Sidney Crown of the Royal London Hospital said that "lonely children are most at risk."

* At Nottingham Trent University, Dr Mark Griffiths, an expert in addiction to computer games, supported these concerns.

[MK comment: This is no different, as far as I can see, from weeping over the death of creatures existing only in books and in our imagination: certainly I wept when Gandalf "died" in _The Lord of the Rings_ when I was a kid. Oops, excuse me, but now I have to go feed my pet electrons.]

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA) http://www.ncsa.com

------------------------------

Date: Fri, 30 May 1997 03:45:10 -0400
From: David Kennedy <76702.3557@compuserve.com>
Subject: Florida "Computer Gang" Members Arrested

Courtesy of United Press International via CompuServe's Executive News Service:

> Florida computer gang members arrested
> LECANTO, Fla., 22 May 1997 (UPI) -- Florida authorities have arrested two
> alleged leaders of a so-called computer "gang" they say set up a Web site
> that accused a teacher of having a homosexual affair with a student. The
> Web site displayed a photograph of the student's prom picture with the
> teacher's head superimposed onto the head of the boy's female date.

:: Two 19-year-olds were charged with "publication of material that exposes a person to hatred, contempt or ridicule." Because they worked together, anti-gang laws apply, upgrading the charges from misdemeanors to felonies.

:: The victim-teacher has been the target of harassment before; another former student was sentenced to 6 months' probation last December.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.

------------------------------

Date: Fri, 30 May 1997 01:32:28 -0700
From: John Oram <*benz@havkt.hop.pn>
Subject: Grappling with the risks of ATMs and heavy machinery

Well, it looks as if the wily criminals of rural British Columbia have taken to the spirit of crimes reported in RISKS, specifically trying to steal the hardware itself (a la CalTrans and the various DMV break-ins.)

Using a "grapple-loader" (imagine a bulldozer with a big, well, grapple in the front), the criminals broke through the wall of the shopping centre and tried to lift the ATM into a pick-up truck. However, they dropped it, ran and abandoned the grapple-loader. (Bobbling the grapple loader is boggling given there aren't googols of them around - pretty easy to trace I would think.)
No word if they planned to set it up in a mall and steal PINs...

John Oram  benz@havkt.hop.pn  (* rot13 to unscramble e-mail address)

------------------------------

Date: Thu, 29 May 1997 23:04:22 -0400
From: Steve Bellovin
Subject: Re: How Secure Is AT&T's WorldNet Security? (RISKS-19.19)

The story about an eavesdropping incident on AT&T Worldnet is incorrect. In fact, a later story by the same author says as much (see http://www.pcworld.com/news/daily/data/0597/970523154723.html). But there are some lessons to be learned from what happened.

The original report noted that certain Web pages do not use encryption. We were already aware of this, and the upgrade was in progress even before this incident. But the report also claimed that as a result of the lack of encryption, a customer was able to observe other accounts and passwords going by. This struck us as more than slightly odd, since the user was coming in from a dial-up modem...

I won't bother enumerating all the possibilities we considered and investigated. The ultimate answer was that there was no eavesdropping going on; rather, a network administrator had extracted accounts and passwords for a number of users from a LAN-based file server, and fed these into a simulated network monitor program.

And how did these passwords get there? Well, various people used a shared facility -- that is, a network of PCs -- as their platform for connecting to AT&T Worldnet. This exposed their passwords to anyone with suitable access to the file server -- which is what happened.

What can we learn from this? The first point, of course, is that the system administrator wins -- always. Nothing short of token-based encryption is even a plausible defense against someone who can read any file, and plant programs to monitor keystrokes. (That latter didn't happen here, to my knowledge.) A corollary is that you can't meaningfully encrypt such files, if the enemy is a knowledgeable administrator. If the key is stored in your programs, it can be extracted; the same skills that are used to defeat copy protection will suffice. At most, such encryption is a minor hurdle; more likely, it's security through obscurity, giving the same grade of protection as the lock on a bathroom door.

Could the user supply the key? Part of the answer is "no, see above about keystroke monitors". But there's a more fundamental issue, one that goes to the heart of the real problem. When we deploy computer systems, we engineer them. That is, we choose among many possible designs, to balance needs against costs. There is no such thing as absolute security, of course; more importantly, there is a price to any security system, and it makes no sense to spend more on security than it can save you.

We're dealing here with a mass market product. J. Random Customer *will*, with a fairly high probability, forget his or her password. The cost of an unrecoverable account is quite high -- we probably lose the customer. But it has to be taken a step further -- it's important to minimize the number of calls to Customer Care. (Customer Care is expensive in the mass market world. There are a fair number of software packages around for which the vendor loses money on any copy that generates even a single call.)

This, then, is the bottom line. The engineers who made certain security choices -- storing account information in the clear -- saved a moderate amount of money, traded against a small diminution in security. The customers who used a shared facility to store these account information files (unknowingly) trusted someone else. The overall complexity of the total system -- the AT&T Worldnet end, the user software, the end users, and their environment, including an untrustworthy administrator -- led to some accounts being compromised. And the one simple palliative cited -- encryption of certain network sessions -- would have done nothing to protect anyone.
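[Added example, illustrating the two points in Steve Bellovin's item above: a credential file "encrypted" with a key that lives inside the client program is only a hurdle to someone who can read both the file and the program, whereas a key derived from a passphrase the user types is not recoverable from the file alone. This is editorial illustration code, not part of Bellovin's post and not AT&T's client software; the file layout, the constant EMBEDDED_KEY, the function names and the sample credential are all hypothetical, and the SHA-256 counter-mode construction is used only to keep the example dependency-free.]

```python
import hashlib
import hmac
import secrets

# Hypothetical constant shipped inside the client program.  Anyone who can
# read the program can find it, just as a copy-protection key is found.
EMBEDDED_KEY = b"dialer-v1-static-key"
PBKDF2_ROUNDS = 100_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode.  Enough to show the *design* problem; it is
    not a cipher recommendation."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, secret: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag; the tag detects a wrong key."""
    nonce = secrets.token_bytes(16)
    ct = _xor(secret, _keystream(key, nonce, len(secret)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted file")
    return _xor(ct, _keystream(key, nonce, len(ct)))


# Scheme 1: key baked into the program (the "minor hurdle" case).

def store_with_embedded_key(password: bytes) -> bytes:
    """What a client that must never lose the user's password tends to do."""
    return seal(EMBEDDED_KEY, password)


def admin_recovers(blob: bytes) -> bytes:
    """A file-server administrator who can read the credential file also has
    the client program, hence the key: the file is effectively plaintext."""
    return unseal(EMBEDDED_KEY, blob)


# Scheme 2: key derived from a passphrase only the user knows.

def _derive(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def store_with_passphrase(password: bytes, passphrase: str) -> bytes:
    salt = secrets.token_bytes(16)
    return salt + seal(_derive(passphrase, salt), password)


def load_with_passphrase(blob: bytes, passphrase: str) -> bytes:
    salt, rest = blob[:16], blob[16:]
    return unseal(_derive(passphrase, salt), rest)


def admin_guesses_passphrase(blob: bytes, wordlist=("", "password", "worldnet")) -> bool:
    """Without the passphrase, file plus program yields nothing, so the
    administrator is reduced to guessing.  A weak passphrase (or a keystroke
    monitor, which this code cannot address) still loses.  The wordlist is a
    constructed stand-in for a real dictionary."""
    salt, rest = blob[:16], blob[16:]
    for guess in wordlist:
        try:
            unseal(_derive(guess, salt), rest)
            return True
        except ValueError:
            continue
    return False


if __name__ == "__main__":
    pw = b"hunter2"                                             # constructed sample
    print(admin_recovers(store_with_embedded_key(pw)))          # b'hunter2'
    strong = store_with_passphrase(pw, "correct horse battery staple")
    print(admin_guesses_passphrase(strong))                     # False
    print(admin_guesses_passphrase(store_with_passphrase(pw, "password")))  # True
```

Scheme 2 is exactly the trade Bellovin describes: it blocks the file-reading administrator, but a customer who forgets the passphrase now has an unrecoverable file and a call to Customer Care, which is the cost the original engineering choice was made to avoid.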
Steve Bellovin

------------------------------

Date: Thu, 29 May 1997 12:04:45 -0400
From: "Mich Kabay [NCSA]"
Subject: Microsoft and Privacy

From Computer Privacy Digest Wed, 28 May 97, Volume 10 : Issue: 026

Date: 27 May 1997 14:45:37 -0600
From: cooler
Subject: Microsoft and Privacy

Yesterday I became aware of an online privacy issue involving Microsoft, and I hope to bring an awareness of this issue to anyone who can take that awareness further.

The issue is this: Microsoft has begun to set up a series of "Sidewalk" sites, ostensibly to provide local information for various cities. One example is at http://www.newyork.sidewalk.com/ . If you visit that site, you can see a link (toward the right) to "Terms and Conditions". The link is to a page explaining the "Terms of Use" of the Sidewalk site. This is rather unusual; I don't know any other site that has "Terms of Use". Reading through six paragraphs of fine print you will see that they are asserting that your usage of their site entitles them to sell your e-mail address together with any demographic data they might gather about you.

I believe there is a serious online privacy issue because:

1) Few visitors will be aware that they have implicitly consented to allow the sale of their personal data.

2) Providing local information about cities increases the chance that your personal data will be tied to geodemographic data.

3) Microsoft also makes a browser. We have no way to know that they can't grab your e-mail address with it. Indeed, their new browser integrates seamlessly with the information on your desktop, so the potential is there for them to grab much more data.

While the selling of personal data is nothing new, I believe that Microsoft has an unusual advantage here. Their willingness to gather and sell this data, together with the intimacy of their browser, presents a new and possibly dangerous threat to personal privacy.
- - - - - - - - - - - -

MICROSOFT: SIDEWALK WEB SITE TERMS, CONDITIONS, AND NOTICES

  [omitted by "cooler" and RISKS-19.20, but added to the archive copy by request.  PGN]

USE OF INFORMATION

The name, address and payment information (if applicable) that the user provides via this Web site, together with information regarding the manner in which the user uses this Web site, will not be processed or disclosed by Microsoft except as permitted by these terms and conditions. By being a user of this Web site, the user agrees that Microsoft may share with other parties both aggregate information, individual information and locator information gathered by Microsoft in the course of the user's continuing individual use of this Web site.

"Aggregate information" is information that describes the habits, usage patterns and/or demographics of users as a group but does not describe or reveal the identity of any particular user.

"Individual information" is information about a user that is presented in a form distinguishable from information relating to other users but not in a form that personally identifies any user or enables the recipient to communicate directly with any user.

"Locator information" consists of a user's name, e-mail address, physical address and/or other data about the user that enables the recipient to personally identify the user. Any user who does not wish to receive any special offers or communications from Microsoft on behalf of suppliers, or directly from Microsoft or its affiliates, may so notify Microsoft at the listed below under SERVICE CONTACT. (Note that a user's election not to receive such information will not affect the user's receipt of offers and communications that were processed prior to the user's election.) Locator information and individual information will be processed and stored by Microsoft in the United States and, if the user does not live in the United States, possibly in the country of residence. Users may contact Microsoft to determine whether such information has been accurately recorded and, if not, to request correction of any inaccuracies in the information recorded by Microsoft.

INDEMNITY

As a condition of use of this Web site, you, the end user, agree to indemnify Microsoft and its suppliers from and against any and all liabilities, expenses (including attorneys' fees) and damages arising out of claims resulting from your use of this Web site, including without limitation any claims alleging facts that if true would constitute a breach by you of these terms and conditions.

[...]

------------------------------

Date: Thu, 29 May 1997 15:16:00 -0700
From: Geoff Kuenning
Subject: Re: Computer fraud in subscribing to telephone service? (RISKS-19.19)

Thomas Brazil tells of receiving "automated" phone calls consisting of 10 seconds of hum, followed by a hangup. He accuses BellSouth of generating these calls in an attempt to get subscribers to sign up for automated call return, an accusation supported by no evidence except the coincidence of *one* of these calls with a telemarketing call from BellSouth.

It seems to me that if this were the case, it would be a very short time before somebody used call return, CNID, or a call tracing facility to identify the perpetrator as BellSouth, and the FCC would have a dandy time punishing them. It is far more likely that the calls, if truly automated, are purely accidental. Suppressing them may be a pain, but I doubt a nefarious purpose.

The only RISK I see here is that as the RISKS list becomes more widespread, our moderator is less and less able to filter out unsupported and illogical claims from the overly paranoid.
Geoff Kuenning  geoff@fmg.cs.ucla.edu  http://fmg-www.cs.ucla.edu/geoff/

  [But maybe I let a few through just to see who is paying attention?  PGN]

------------------------------

Date: Thu, 29 May 97 15:01:21 PDT
From: Lauren Weinstein
Subject: Re: Postal Service change of address

As others have pointed out, the web page in question only creates a form for you to print and mail. USPS especially likes this since it results in a form without a very common risk--the usual illegible handwriting.

But there still are a variety of privacy-related concerns surrounding change of addresses, and these issues were the subject of my PRIVACY Forum Radio interview with Mike Selnick of USPS Washington, D.C. headquarters late last year.

> I wonder if it's possible to instruct one's post office not to accept any
> change of address except in person?

This point was also covered in that interview. The answer at the current time appears to be no.

The full interview is available online for playback through the PRIVACY Forum; it runs about thirty minutes. It can be accessed through the PRIVACY Forum/PRIVACY Forum Radio links via: http://www.vortex.com

--Lauren--
Moderator, PRIVACY Forum
www.vortex.com

------------------------------

Date: Thu, 29 May 1997 18:09:29 -0700
From: "Frederick G.M. Roeber"
Subject: Re: General relativity vs special relativity (Schweda, RISKS-19.19)

> Special relativity says there's no difference. General Relativity
> says there _is_ a difference.

The non-meaningfulness is actually due to the fact that simultaneity is not well-defined for spacelike-separated events. If two events have a spacelike separation -- basically, if they happen "close enough in time / far apart enough in space" such that there isn't time for a photon to go from one to the other -- then various observers may see the events happen in different orders.

This isn't an illusion: take everything into account, including the speed of light, clock differences, etc., and different observers can still see this difference. Causality is still preserved because neither event can possibly affect the other. But it does mean that simultaneity is a somewhat fuzzy concept: "this exact moment, somewhere else" can actually correspond to a range of times at that other location. This is why it's not meaningful to compare two clocks a few (light-)milliseconds apart to within a microsecond.

Frederick G.M. Roeber, Physicist in Residence, Netscape

------------------------------

Date: Wed, 28 May 1997 12:04:52 -0400 (EDT)
From: Sushil Jajodia
Subject: Call for Papers -- IFIP WG 11.3 Working Conf on Database Security

Twelfth Annual IFIP WG 11.3 Working Conference on Database Security
Porto Carras Complex, Chalkidiki, Greece
15-17 July, 1998

  ["Conference" limited to 40 people.  Consequently, CFP truncated for RISKS.  PGN]

More information about the conference and about IFIP WG 11.3 can be found at URL: http://www.cs.rpi.edu/ifip/

------------------------------

Date: 1 Apr 1997 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.  Or use Bitnet LISTSERV.  Alternatively, (via majordomo) DIRECT REQUESTS to risks-request@csl.sri.com with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.20
************************