precedence: bulk Subject: Risks Digest 21.07 RISKS-LIST: Risks-Forum Digest Sat 30 September 2000 Volume 21 : Issue 07 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: California DMV fosters identity theft? (PGN) Single points of failure and backup plans (William P.N. Smith) Control of Olympics news coverage (NewsScan) Tighter security poses a security threat (Ray Randolph) Cochise County election computer errors (Nicky L. Sizemore) The risk of identity theft (Amrith Kumar) De Fault is in Default (Charlie Shub) Re: AI strikes again (Perry Bowker, Zygo Blaxell) REVIEW: "CyberShock", Winn Schwartau (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon, 25 Sep 2000 14:08:03 PDT From: "Peter G. Neumann" Subject: California DMV fosters identity theft? An AP item (seen by me on the front page of the *Palo Alto Daily News*, 25 Sep 2000) says that the California Department of Motor Vehicles issued over 100,000 fraudulent drivers' licenses in 1999, and typically makes little or no effort to check the validity of the 900,000 duplicate license requests it receives each year. Examples include duplicate licenses issued to people of the wrong race or the wrong gender, and in one case bogus duplicates of a particular individual's license to 18 different people. The driver's license is called a ``breeding document'' for identity thieves, leading to financial fraud, ruined credit, purchases of firearms by felons, and other misuses. DMV officials claim that implementing an on-line photo-retrieval system would cost $3 million over the next two years. This seems like a useful system -- especially if it were used pervasively. ------------------------------ Date: Mon, 25 Sep 2000 17:00:37 -0400 From: "William P.N. Smith" Subject: Single points of failure and backup plans Last night our cable modem (currently AT&T Roadrunner, name subject to change daily 8*) stopped working, and the constant busy signals from their tech support line led me to believe it wasn't merely Yet Another Outage (TM). Strangely, my cable modem lights were all doing the right thing, and when I checked with my neighbors, their cable modems were working fine. After a couple of hours of redialing I finally got a message saying that there were unspecified problems that they were working on (strange, usually they list the affected towns) and after some time on hold I finally talked to a tech support rep who offered to help "if I can". Turns out the DHCP server for the entire northeast went down, and as people's leases on their IP addresses expired, they were dropped off the network. I asked about the secondary or backup DHCP servers, but apparently there was so much demand due to expired leases that the backup server couldn't respond quickly enough, and was getting overloaded with requests. Risks: Even single users ought to have a backup Internet connection (dialup ISP worked for me, but not my wife, as she has no modem...) You know you're in trouble when your customers have your tech support in their speed dial. Customers know they are in trouble when they get busy signals on your tech support line. Serious system-wide failures might leave some systems operating normally for a while. Your backups might have to be more powerful than your primary servers, or alternately customer growth might mask server deficiencies. William Smith wpns@compusmiths.com N1JBJ@amsat.org ComputerSmiths Consulting, Inc. www.compusmiths.com ------------------------------ Date: Mon, 25 Sep 2000 09:56:04 -0700 From: "NewsScan" Subject: Control of Olympics news coverage Concerned that the Internet will compete with TV coverage and cut into its major source of revenue, the organizers of the 27th Olympics Games are taking a hard line about what words and images can be communicated by Internet about the sporting events now going on in Sydney, Australia. They have forbidden athlete diaries and online chats, and all streaming video (even of trial events that took place months ago. Referring to a recent lawsuit in Virginia supporting the Olympics Committee's efforts to restrict Internet coverage, constitutional lawyer Floyd Abrams thinks it's ironic that "the increased availability of a means of communication leads to a ruling seeking to assure that less is said." (*The New York Times*, 25 Sep 2000 http://partners.nytimes.com/2000/09/25/technology/25WEB.html; NewsScan Daily, 25 September 2000) ------------------------------ Date: Mon, 25 Sep 2000 20:35:49 -0600 From: "Ray Randolph" Subject: Tighter security poses a security threat Today's *Christian Science Monitor* online edition discusses a newly released report, the *Baker-Hamilton Report*, prepared at the request of the DOE. The report says in essence that scientists at Los Alamos National Weapons Labs have become afraid of reporting or admitting even minor security breaches as a result of the threat of an aggressive prosecution and in the wake of the Wen Ho Lee situation. Who can blame them? The RISKS should be fairly obvious. The entire article can be accessed at: http://www.christiansciencemonitor.com/durable/2000/09/26/fp2s2-csm.shtml A quick search for the "Baker-Hamilton report" on the DOE web site didn't turn up anything, but I would imagine that the report itself would make for fairly interesting reading for any RISK follower. [The Government gave a terrible example of *when holey* prosecutions can run amok (holey, i.e., having holes). Perhaps the "situation" (as Ray calls it) will become known as an *Un-Ho-Lee Mess* (unholy, i.e., of questionable authority). PGN] ------------------------------ Date: Thu, 28 Sep 2000 20:31:41 -0700 From: "Nicky L. Sizemore" Subject: Cochise County election computer errors Cochise county, in the southwest corner of Arizona, had a primary and special election Tuesday, 12 September. In it they used a new computer tallying system obtained by the state for rural ballot counting. Our local paper, *The Sierra Vista Herald*, reports that results from the elections were delayed due to software errors in the new system. According to the paper, the major errors centered around counting as major party votes those cast in nonpartisan (non-primary) positions and overcounting third-party, e.g., Libertarian, votes. In addition to the usual issues of inadequate verification, validation, and test (VV&T), this was the first election here in which everyone could vote in a primary. Seems rash to implement a new voting protocol and a new ballot tally system in the same election. Votes are being recounted using the old system, which was kept as a backup provision. At least they got that right. Reporting on story from Sierra Vista Herald: http://www.svherald.com/news/bnews/stories/00030203bn.html http://www.svherald.com/news/bnews/stories/00091301bn.html http://www.svherald.com/news/stories/00091301n.html http://www.svherald.com/news/bnews/stories/00091402bn.html http://www.svherald.com/news/bnews/stories/00091501bn.html ------------------------------ Date: Fri, 29 Sep 2000 16:18:02 -0400 (EDT) From: Amrith Kumar Subject: The risk of identity theft In October 1998, the company that I worked for (let's call it A Inc) was acquired by another company (let's call it B Inc). "A Inc" issued me a corporate credit card (from Amex) a long time before that. Around January 1999, B Inc decided that they needed to issue me a new corporate credit card ... But, "B Inc" also wanted to spin of a portion of the acquired company and in February 1999, they created a spinoff company (let's call it C Inc). In all this confusion, I was left with an Amex Credit card from A Inc which expired in February, I got a new Amex Credit card for C Inc in February and I was fat dumb and happy. I never quite got the Amex card from B Inc, maybe they never had it mailed out or something weird happened there; or maybe it was just lost in the mail. But, B Inc went ahead and told our in-house Amex Travel Agency to change my travel profile to use the new credit card that they had issued for me. In January 2000, I moved and informed Amex of my address change in regards to the card from C Inc. Then in February 2000, I made a purchase through the in-house Amex Travel Agency for a ticket for business travel. The way in which A Inc and C Inc handle business travel tickets is that Amex directly charges the corporation and no charge appears on my credit card bill. Today, September 29th, I get a call from a collection agency indicating that an Amex card in my name, with my SSN, my correct name and my old address was delinquent and the charges were airline tickets issued in February. After much investigation, I gathered all the information I presented above but here's where it begins to get interesting. I have the Amex Credit Aware reporting service. That, when I started getting it in March 2000, did not list the personal Amex card that I had, the card that they were charging $5.99 or whatever ... Second, it did not list my corporate card (the one from A Inc or C Inc). It surely did not list the one from B Inc. As part of all this investigation, I called Amex Fraud Investigation and they took my SSN and they showed all three cards. I called Experian and because initially it was being handled as a fraud, they actually took my SSN and said they showed three Amex cards on my SSN. They took SSN, last name, first name, address and all that to verify that I was in fact the person whose records they were looking at and then they confirmed the last 5 digits of all three accounts, my personal one, my corporate one from C Inc and the corporate one from B Inc What caused this whole mixup ? 1. Your SSN is not your sole identifier for purposes of Credit, name is also significant. 2. Amex (for my personal card) had my last name and first name interchanged which is why the card would not show up on the Credit Aware Service. 3. Corporate Cards don't appear to show up on there for some reason, not sure if it's the same as 2. 4. An employer can / may apply for a card in your name, maybe without your knowledge. They reveal your name, SSN and all that nice stuff to someone. 5. When companies get bought and sold, strange things happen to these cards and the information there. B Inc was not paying me any salary but they had an active card in my name. I called them and told the folks there in their Finance office and sure enough they had my card on file ... 6. If you have no balance on a card, you sometimes get no bill. In my case, for the four months in 1998/1999, I had no balance on the card because I never knew I had it. So I never got a statement. People move, addresses change ... the bills suddenly appear. I used to live in an apt and mail for previous tenants is regular; it usually goes to the trash can. and finally 7. I had two Amex cards that I knew of, both had valid addresses. Amex could not find me or figure out that the address was wrong when the card went deliquent. I don't believe they even contacted the company that I was supposed to work for (it was a corporate card). And yet, a collection agency could find me. 8. A credit monitoring service is somewhat questionable. What if any is the real solution to this problem? Thankfully, my employer readily agreed to help out, the amount in question was about $800, and I paid and will get reimbursed etc. But what's the real solution? Amrith Kumar ------------------------------ Date: Fri, 29 Sep 2000 10:18:44 -0600 (MDT) From: Charlie Shub Subject: De Fault is in Default My trash company bills quarterly. I would rather pay every six months. This June, I got the $36.00 bill and paid the $72.00 by check. Last week, I got a bill for $36.00 for the final quarter of this year. Apparently, (if I understood the customer-service person correctly) they use a piece of billing software in which the amount paid defaults to the amount owed once the account number is entered, and the data-entry person must manually override the amount if a customer remits any amount other than the default. Fortunately, my record showed a history of paying semiannual amounts every six months, so the rep fixed it on the spot, taking my word that the check had cleared in the larger amount. His comment was to the effect that "I know how his software works, and I'm almost certain of what happened, so I'll take your word for it." charlie shub University of Colorado at ColSpgs http://cs.uccs.edu/~cdash cdash@cs.uccs.edu -or- cdash@mail.uccs.edu (719) 262-3492 [It is unusual that Pride goeth before Default. PGN] ------------------------------ Date: Tue, 26 Sep 2000 20:36:40 -0400 From: "Perry Bowker/Markham/IBM" Subject: Re: AI strikes again (Whitlock, RISKS-21.06) I think this is unfair to the issuing bank. I also once received a call from the same bank, because their computer detected that I was charging a few things in Toronto, and I also seemed to be in Jamaica, running up several $K in cash advances! Someone had obviously captured my card number and was using it for all it was worth (with the apparent compliance of some Jamaican merchants) Within minutes, the card was frozen, and I received a replacement by courier within 24 hours. Otherwise, it would have been weeks before I even knew this was happening, and likely many months to sort out the problem, and with a high risk of cost to me. I think it was a pretty good trade-off. If this bothers you, better to carry two different cards, just in case, and be thankful someone is trying to protect your backside! Perry Bowker, Toronto, Canada [It obviously works (or doesn't work) both ways. PGN] ------------------------------ Date: 26 Sep 2000 13:55:25 -0400 From: uryse0d5@umail.furryterror.org (Zygo Blaxell) Subject: Re: AI strikes again (Whitlock, RISKS-21.06) Actually, this protocol can work reasonably well if you have a cell phone. On two occasions, with two different banks (one of them was the CIBC), I've been called almost immediately after making a large purchase and challenged to recite various pieces of information from my credit application (doing that with a cell phone has its own risks, of course, which can be mitigated by phoning back using the merchant's phone). I note that this protocol doesn't seem to stop the initial transaction from being completed. In both cases I was called some minutes after I had left the store with my purchases. ------------------------------ Date: Mon, 25 Sep 2000 08:35:06 -0800 From: Rob Slade Subject: REVIEW: "CyberShock", Winn Schwartau BKCBRSHK.RVW 20000625 "CyberShock", Winn Schwartau, 2000, 1-56025-246-4, U$24.95 %A Winn Schwartau winn@infowar.com,winns@gte.net %C Fourth Floor, 841 Broadway, New York, NY 10003 %D 2000 %G 1-56025-246-4 %I Thunder's Mouth/Inter.Pact Press %O U$24.95 212-780-0380 fax: 813-393-6361 %P 470 p. %T "CyberShock: Surviving Hackers, Phreakers, Identity Thieves, Internet Terrorists and Weapons of Mass Disruption" As some may know, Winn Schwartau and I do not see eye-to-eye on the emphasis to be given to certain exhortations in alerting the public to matters of computer security. So when he informed me of his latest book, he noted that I might like to do the usual hatchet job on it. Unfortunately, I can't fully comply. While I may quibble with some aspects of his latest book, overall it is a good overview of the existing computer security situation, and would make a helpful introduction for new computer and Internet users. Part one is an outline of hackers and hacking. "The Great New Global Society" appears to be (although erudite and readable it's not exactly straightforward) a presentation of society as seriously messed up, and hackers as curious and determined. The results of a number of surveys of computer penetration are described in "Whole Lotta Hacking Goin' On," with unfortunately little space given to the design of the studies. There are some examples of Web site defacement and an ad for Linux in "CyberGraffiti." (And it's attrition.org, not attrition.com.) "Who Are the Hackers?" gives a reasonable structure to the current security breaking population and environment, although, as Schwartau notes, the game has become so big and ill-defined that one might be forgiven for coming out of this chapter thinking that anyone could be a hacker and a hacker could be anyone. Some stories from the annual DefCon (and the inadequacies of the Plaza Hotel) are retailed in "CyberChrist at the Hacker Con." "Hacktivism" lists a few examples of digital civil disobedience. "An American Alien Hacks Through Customs" is probably fair warning to customs agents that if you mess with Schwartau at the border you are going to look really silly in his next book. Part two looks into protecting you and yours. "In Cyberspace You're Guilty Until Proven Innocent" describes identity theft, and the ease and dangers thereof. (It also includes a rather odd section on Web privacy security.) The chapter admits that there is not much you can do about identity theft. It is also very US-centric: for example, the Canadian SIN (Social Insurance Number), as opposed to the US SSN (Social Security Number), is very seldom used for commercial transactions. The advice in "Protecting Your Kids and Family From Hackers" is not an easy or quick fix, but it is (with the notable exception of the piece on cyberstalking) realistic and well written. So is the counsel in "Spam." "Scam Spam" offers very useful and relevant guidance on dealing with fraud on the net. Part three outlines the techniques of hacking itself. "Getting Anonymous" is a quick overview of anonymizing services and spoofing. Some of the basics are skipped in "Password Hacking," but there is a nice introduction to biometric techniques. While not getting into the gritty details, there is a quick lesson on eavesdropping on promiscuous networks in "Hack and Sniff." "Scanning, Breaking and Entering" lays out the information that is--must be--available to anyone wanting to mount a network attack. "War Dialing" basically notes that phones are a means of access. Leaving aside a minor quibble with the definition of trojan horse software (like the Trojans who "installed" the horse of their own destruction because they didn't know what it contained, users generally install trojans because of a misrepresentation of what the software does), most of "Trojan Hacking" only describes Back Orifice. There is some small degree of comfort for credit card users, and some rather embarrassing points for credit card merchants, in "Hacking for $." While it waffles a little, "Viruses, Hoaxes, and Other Animals" contains good advice and a reasonable picture of the current situation. "Crypto Hacking" is (absent an impossible IP address) a nice history of cryptography, although it's a bit thin on details. "Steganography" defines the term, but misses a few points on usage. The discussion of computer forensics in "Hacking for Evidence" is limited to data recovery, but has some good points for users and companies. Part four deals with destructive activities. "Denial of Service" rather overstates the point, since the term generally is restricted to operations that inhibit use but do not harm hardware or data. "Schwartau to Congress" appears to be a minor aside. The discussion of electromagnetic weaponry in "Weapons of Mass Disruption" is fascinating, but does downplay a few inconvenient laws of physics, such as inverse square distance relationships. Part five analyses some tips for protecting yourself. "Hiring Hackers" examines both sides of the question. The basics of intrusion detection is outlined in "Catching Hackers." There is a decent introduction to firewalls in "Defensive Hacking," along with a pointer to simple automated penetration testing. "Corporate Anti-Hacking" presents a number of good points (although if you follow all of them blindly you'll likely face mass resignations). Deception is promoted in "Lying to Hackers is OK By Me." Part six discusses law enforcement. "Hacking and Law Enforcement" is rather depressing, but reasonable. The advice on striking back boils down to "be careful" in "Corporate Vigilantism." "Infrastructure Is Us" seems to be a bit out of place, in that it presents no protective measures: only a warning. Similarly, the material on infowar is alarming but not really illuminating in "Something Other Than War." Part seven looks to the future. "Luddite's Lament" expresses frustration with phones. "The Future of Microsoft" is one of the standard jokes about Microsoft's fight with the US federal government. Digital manipulation of propaganda is mentioned in "Messing With the Collective Mind." "Extreme Hacking" gives short takes on some new technologies. "The Toaster Rebellion of '08" is one of the standard scifi plots. While there is a heavy emphasis on the sensational, overall this book does provide the security novice with a fairly reliable picture of the current security environment. Possibilities are generally presented as such, and the analysis of relative dangers is usually good. A number of useful tips are given that can help home and small business computer users be more secure in their computer and network use. Security specialists will find little that is new here, but that is not the target audience for the book. I have frequently been asked for a recommendation for a general security introduction directed at the non-technical computer and Internet user, and, for all its flaws, I think this work may be the closest I've seen. copyright Robert M. Slade, 2000 BKCBRSHK.RVW 20000625 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: 15 Aug 2000 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. http://the.wiretapped.net/security/textfiles/risks-digest/ . ==> PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 21.07 ************************