Subject: RISKS DIGEST 15.37
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Monday 3 January 1994  Volume 15 : Issue 37

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 Contents:
Hacker nurse makes unauthorised changes to prescriptions (John Jones)
Customs Data Diddling (Mich Kabay)
Credit cards again (Mich Kabay)
Tax Frauds (Mich Kabay)
Re: Can SETI signals bear viruses? (Robert Ayers, Dave Weingart,
   James Abendschan)
"When H.A.R.L.I.E. Was One" by Gerrold (Rob Slade)
Request for help with RISKy situation (Alan Wexelblat)

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.
Contributions should be relevant, sound, in good taste, objective, cogent,
coherent, concise, and nonrepetitious.  Diversity is welcome, but not
personal attacks.  CONTRIBUTIONS to [email protected], with appropriate,
substantive "Subject:" line; others may be ignored!  Contributions will not
be ACKed; the load is too great.  **PLEASE** include your name & legitimate
Internet FROM: address, especially .UUCP folks.  If you cannot read RISKS
locally as a newsgroup (e.g., comp.risks), or you need help, send requests
to [email protected] (not automated).  BITNET users may subscribe
via your favorite LISTSERV: "SUBSCRIBE RISKS".

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>YourName<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 15, j always TWO digits).
Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>"
logs out. The COLON in "CD RISKS:" is vital. CRVAX.SRI.COM = [128.18.30.65];
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
WAIS and [email protected] are alternative repositories.

 IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it
 via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info
 regarding fax delivery.  PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL
 RISKS COMMUNICATIONS; as a last resort you may try phone PGN at
 +1 (415) 859-2375 if you cannot E-mail [email protected] .

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 3 Jan 94 10:09:41 GMT
From: John Jones <[email protected]>
Subject: Hacker nurse makes unauthorised changes to prescriptions

The Guardian (21st December, 1993) reports the conviction of a male
nurse who hacked into a hospital's computer system and modified
entries, including prescriptions.  The hacker:

   - prescribed drugs normally used to treat heart disease and high
     blood pressure to a 9 year old with meningitis.
     This change was spotted by a ward sister;

   - prescribed antibiotics to a patient in a geriatric ward.
     These drugs were administered to the patient, with no apparent
     adverse reaction;

   - "scheduled" an unnecessary X-ray for a patient;

   - "recommended" a discharge for another patient.

The hacker gained access to the computer system after learning the
password through observing a locum doctor having trouble logging in.

He qualified as a nurse in 1989.  He is reported to have undergone a
considerable personality change as the result of a road accident in
1984.  As well as developing a fascination for computers and other
hi-tec equipment, he had apparently developed a "lack of sensitivity
to the consequences of his actions".

He had been sacked for unprofessional behaviour in 1990, but was
re-employed in 1992 at the same hospital.

He pleaded guilty to unauthorised modification of computer records.
He offered no explanation for his actions, but denied any malicious
intent.  He was jailed for 12 months.

John Jones ([email protected])

------------------------------

Date: 02 Jan 94 21:12:25 EST
From: "Mich Kabay / JINBU Corp." <[email protected]>
Subject: Customs Data Diddling

From the Associated Press newswire via Executive News Service (GO ENS)
on CompuServe:

 Customs-Whistleblower, By Michael White, Associated Press Writer
 SAN DIEGO (AP, 30 Dec 1993) -- Some of what Mike Horner regards as his best
 work ultimately destroyed his career as a U.S. Customs Service inspector on
 the Mexican border.  Horner left the service after alleging that
 intelligence reports he filed identifying suspected drug smugglers and their
 vehicles were deleted from Customs' computer network."

This article and another by the same author detail the apparent data diddling
that resulted in first deleting, then re-introducing, Mr Horner's records of
smuggling across the US/Mexican border.

Horner's allegations of malfeasance were ignored by his superiors.

No one can explain how his deleted entries could have re-appeared after he
left the U.S. Customs Service.

White's next story is

 Customs Smuggling, By Michael White, Associated Press Writer
 LOS ANGELES (AP, 30 Dec 1993) -- Weaknesses in U.S. Customs' cargo tracking
 system may have opened a door for smugglers of drugs and other contraband
 and cost taxpayers millions of tariff dollars, according to sources and
 Customs records.

  Among the problems: False inspectors' names are showing up on cargo entry
records, passing containers without inspection; and seals placed on containers
bound for distant destinations are breached in transit, allowing contraband to
be removed or contents stolen between the dock and inspection points."

This article deals with irregularities in the computer system used to
monitor the Port of Los Angeles.

Key points of the article:

o some bonded cargos appear to be opened illegally, allowing contraband
 to be removed.

o some inspection records online include names of nonexistent officials;

o records of suspicious shipments which should have initiated followups
 have been overridden with false names.

o 200-400 records of in-bond cargo containers are purged each month because
 the Customs Service cannot trace the containers; an independent study by the
 Treasury Department estimated data destruction in the thousands per month.

o Some employees say that the computer system fools inspectors into relying on
 electronic records instead of their own initiatives when deciding which
 shipments to inspect.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 02 Jan 94 21:11:50 EST
From: "Mich Kabay / JINBU Corp." <[email protected]>
Subject: Credit cards again

From the Reuter newswire via Executive News Service (GO ENS) on CompuServe:

 Britons Charged with Europe-Wide Credit Card Fraud

 LONDON (Reuter, 30 Dec 1993) - Three Britons have been charged with
 conspiracy in a 2.5 million pound ($3.7 million) Europe-wide credit card
 fraud, police said on Thursday."

The article says that the Birmingham men are accused of having used fake
credit cards and stolen expensive products in France, Britain, Belgium and the
Netherlands.  Apparently other arrests are promised.

Once again we see that one of the world's most frequently used
network access control tokens, the common credit card, is wholly inadequate
to protect the public and the banking industry against fraud.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: 02 Jan 94 17:40:16 EST
From: "Mich Kabay / JINBU Corp." <[email protected]>
Subject: Tax Frauds

From the Washington Post newswire via Executive News Service (GO ENS) on
CompuServe:

IRS Charges Tax Preparer With $1.1 Million Fraud,  By Christopher B. Daly
Special to The Washington Post

  BOSTON, Dec. 16 - The president of a nationwide tax-preparation service was
indicted today on charges that he used computers to cheat the Internal Revenue
Service out of more than $1 million in one of the biggest electronic tax fraud
cases on record, officials said.
  Richard M. Hersch, 56, of Ardmore, Pa., was accused of using his company,
Quik Tax Dollars Inc. of Bryn Mawr, Pa., to file 431 false tax claims and
launder $1.1 million..."

The article provides details of the case.  Key points:

o 12 million returns were filed electronically in the 1992 tax year.

o Hersch is accused of making up "145 false tax returns using
 fictitious names and Social Security numbers."

o He then allegedly used an intermediary company, Drake Enterprises,
 which is not accused of wrong-doing, to forward the tax returns to the IRS.

o Hersch received cheques from a local bank which assumed that the bogus
 returns were OK, based on preliminary info from the IRS which simply certified
 that there were no obvious errors.  Since there were no real filers,
 Hersch appears to have kept all the money himself.

o Incidentally, Hersch has been indicted in Philadelphia on charges of
 stealing $262,865 from Provident Bank by passing bad cheques.  He has also
 been indicted on charges of using other people's AmEx cards for more than
 $1000 in unauthorized purchases.

o Mr Hersch is currently under house arrest.

Comment:  how did this man get to run a tax-preparation service at all?
Aren't there any background checks for people in this kind of position?
And how about some kind of verification of the fake Social Security
Numbers?  Is it not possible to check that the SSN is assigned to the
person for whom the fake return was made?

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

------------------------------

Date: Mon, 3 Jan 94 09:17:33 PST
From: [email protected] (Robert Ayers)
Subject: Can SETI signals bear viruses? (Cantillo, RISKS-15.36)

The sci-fi classic "A is for Andromeda" by Fred Hoyle is the story
of a SETI signal which is exactly the plans for, and a program for,
a very large computer.  The excitement begins, of course, when
(against the advice of one scientist) the computer is built ...

------------------------------

Date: Mon, 3 Jan 1994 09:12:52 -0500
From: [email protected] (the person your mother warned you about)
Subject: Can SETI signals bear viruses? (Cantillo, RISKS-15.36)

Not sure if this has been treated seriously by industry or academia, but
in Vernor Vinge's (marvelous and Hugo-winning) _A_Fire_Upon_The_Deep_, this
very method was used by a malicious intelligence to take over remote systems.
(In the book, one main method of communication is by a cosmic equivalent of
Usenet (called either the Known Net or (frequently, and accurately) the Net of
a Million Lies).  The Blight (abovementioned intelligence) transmitted
intelligent packets to take over the remote system).

Personally, I don't think that this is going to be much of a problem right now.
In order for the information to wreak any real damage (unless you overload the
front end with a powerful signal), the virii would need to run, and unless
the evil LGMs at the other end somehow know the architecture of the system
doing the decoding, I can't see that this is a serious problem.

73 de Dave Weingart   KB2CWF  [email protected]   (212) 746-3638

------------------------------

Date: Sun, 2 Jan 1994 21:04:28 +0000 (GMT)
From: [email protected] (James Abendschan)
Subject: Can SETI signals bear viruses? (Cantillo, RISKS-15.36)

I can't help but think you've been reading "Snow Crash" :-)

The relevance is that, in the course of the narrative, it is discovered the
antagonist can cause a biological "crash" of the minds of programmers who have
"firmwired the binary code in the deep structures of their brain."  He picked
this data stream from stellar emissions recorded via a SETI-like antenna
network.

A bit esoteric, but it made an amusing read.

(The antagonist also vaguely reminded me of H. Ross Perot; odd.)

For those of you interested, the author is Neal Stephenson and the publisher
is Bantam Spectra.

James

------------------------------

Date: 30 Dec 93 15:28 -0600
From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep" <[email protected]>
Subject: "When H.A.R.L.I.E. Was One" by Gerrold

BKHARLIE.RVW  931222

Ballantine Books
101 Fifth Avenue
New York, NY 10003
or
Bantam Doubleday Dell
666 Fifth Avenue
New York, NY  10103
"When H.A.R.L.I.E. Was One", Gerrold, 1972/1988

HARLIE is not a virus.  He/it is an experiment in artificial intelligence.
For the purposes of the book the experiment is a success and HARLIE is alive:
is a person.  The plot revolves (slowly) around the efforts of corporate
management to kill the project (and HARLIE) and the efforts of the computer
(program) and its creators to stave this off.  As in most of Gerrold's books,
the plot is primarily there to set up dialogues in which he can expound his
philosophies.  (The most blatant example of this is in "A Rage for Revenge"
most of which takes place in a seminar, the largest chunk of which is devoted
to an illustration of the standard five-stage model of grieving.)

In both versions, the "virus" is a mere diversion.  It has nothing to do with
the story at all, and is a discussion point between two characters, never
referred to again.  Indeed, in the first version it is introduced as a science
fiction story, "but the thing had been around a long time before that."  Make
of this latter statement what you will.  My resident science fiction expert
can't think of what the prior story might be and ventures that this might be
Asimovian self-citation.

Statements have been made that the virus aspect was downplayed in the second
version.  This is rather ironic.  The virus story gets roughly the same amount
of ink in both versions, but the early one is definitely superior.  HARLIE72
gives a fairly simple and straightforward account of a self-propagating
program.  In fact, aside from the dependence upon dial-up links, the parallels
between the HARLIE72 virus and the actual CHRISTMA infestation fifteen years
later are uncanny.  Specifics include the use of an information source for
valid contacts, and a mutation which loses the self-deletion characteristic.

The HARLIE88 discussion is much more convoluted, bringing in malaria, spores,
phages and parasites.  There are even two separate invocations of the worm, one
lower case and one capitalized, both with different definitions.  (One refers
to a logic bomb, and the other to a virus directed at a specific target.
Neither definition is so used by anyone else.)  The end result is a completely
iconoclastic set of terminology bearing almost no relation to anything seen in
real life.

To further the irony, HARLIE88 could have been viral.  HARLIE72 could not:
part of the system was advanced hardware which did not exist in other
computers.  Therefore, while HARLIE72 had the ability to program other
computers, such programming could never have resulted in a reproduction without
the additional hardware.  HARLIE88, however, was software only.  To be sure,
the environment included "2k channel, multi-gated, soft-lased, hyper-state"
processors, roughly a million times more powerful than the home user's "Mac-
9000", but still, as one character has it, just chips.  HARLIE88 *could*
survive, albeit running more slowly, on other computers.  However, while one
character realizes that HARLIE could be "infectious" the discussion dies out
without realizing that the primary tension of the story has just been
eliminated.

copyright Robert M. Slade, 1993   BKHARLIE.RVW  931222
Vancouver Institute for Research into User Security Canada V7K 2G6 604-984-4067
[email protected] [email protected]  [email protected]  [email protected]

------------------------------

Date: Thu, 30 Dec 93 15:10:10 -0500
From: "Alan (Miburi-san) Wexelblat" <[email protected]>
Subject: Request for help with RISKy situation

My bank has installed one of those bank-by-phone services.  You call up,
give your 10-digit account number, password is the last 4 digits of your
SSN, and off you go.  At the moment the transactions available are purely
informational (get balance, get last 5 checks that cleared, etc.), but they
say they plan to allow operational transactions (e.g. pay bills, transfer
money) soon.

The problems of this kind of system have been well-covered here in the past;
what I need help with is also a known problem, but in this case it appears
to be particularly severe.  To wit:

In this system, if you time out too often or enter incorrect information
twice, you are transferred to a human being who is supposed to help you
figure out the system.  In my case I encountered this human twice.  The
first time I had misunderstood which subset of the account digits they
wanted.  When I got to the human, he could apparently see the digits I had
typed and he told me the correct digits to use for my account (how helpful,
I thought).

I then called back and tried the new digit set, and it still failed twice.
I talked to another human being who revealed that not only did he have on
his screen my account #, but also he had the 4-digit password I had typed
*and* the correct password.  It turns out that there was a data
transcription error in my account and they had a wrong SSN for me; thus the
password was different than I expected.

The helpful gentleman -- with NO confirmation of who I was -- provided the
correct four digits to me!!  ARGH!  And I wasn't even *trying* to do social
engineering.

Now, what I would like help from RISKS readers on is how I should draft my
letter of protest/alarm.  To whom within the bank/government/BBB/SEC/etc
should it be sent?  How do I explain to them that (a) they have to guard
this information at least as closely as bank-card PINs; (b) they should
provide some way for me to change my password; (c) they have to train their
people a whole lot better!  At the moment I'm tempted to rant and rave at
them, but I know a calm, well-thought-out, detailed response is more likely
to get the results I want.  Should I start off with a phone call?  Has
anyone on this list dealt successfully with similar problems?

Please send suggestions directly to me; I will summarize back to RISKS and
let y'all know if there is any change in the future.

--Alan Wexelblat, Reality Hacker, Author, and Cyberspace Bard
Media Lab - Advanced Human Interface Group  [email protected]  617-258-9168
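The three fixes Alan asks the bank for (guard the PIN like a bank-card PIN,
let the customer change it, keep it off the help-desk screen) can all be seen
in a small verification service.  The following is an added illustration and
not code from the bank or from Alan's post; it assumes an in-memory account
record, a 4-digit PIN, PBKDF2-SHA256 with an arbitrarily chosen iteration
count, and a three-strike lockout, all of which are assumptions for the
example rather than anything the post describes.

```python
"""Phone-banking PIN check that keeps the PIN away from the help desk.

Added example (not the bank's system).  The PIN is stored only as a salted
PBKDF2 hash, so a support agent can see neither the digits the caller typed
nor the correct digits; the agent's screen gets a masked account number, the
failure count and the lock state, and the caller can change the PIN.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000   # assumed cost parameter for the example
MAX_FAILURES = 3              # assumed lockout threshold
PIN_LENGTH = 4


@dataclass
class AccountRecord:
    account_no: str
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked: bool = False


def is_weak_pin(pin: str, ssn_last4: str = None) -> bool:
    """Reject PINs that are not 4 digits, equal the SSN tail (the default Alan
    describes), are one repeated digit, or are an ascending/descending run."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return True
    if ssn_last4 is not None and pin == ssn_last4:
        return True
    if len(set(pin)) == 1:
        return True
    return pin in "0123456789" or pin in "9876543210"


def _derive(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def enroll(account_no: str, pin: str, ssn_last4: str = None) -> AccountRecord:
    """Create a record; the plaintext PIN is never stored."""
    if is_weak_pin(pin, ssn_last4):
        raise ValueError("weak PIN")
    salt = os.urandom(16)
    return AccountRecord(account_no, salt, _derive(pin, salt))


def verify_pin(rec: AccountRecord, pin: str) -> bool:
    """Constant-time compare against the stored hash; lock after repeated failure."""
    if rec.locked:
        return False
    ok = hmac.compare_digest(_derive(pin, rec.salt), rec.pin_hash)
    if ok:
        rec.failures = 0
    else:
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked = True
    return ok


def change_pin(rec: AccountRecord, old_pin: str, new_pin: str,
               ssn_last4: str = None) -> bool:
    """Customer-driven PIN change: requires the current PIN, re-salts the hash."""
    if is_weak_pin(new_pin, ssn_last4) or not verify_pin(rec, old_pin):
        return False
    rec.salt = os.urandom(16)
    rec.pin_hash = _derive(new_pin, rec.salt)
    return True


def support_view(rec: AccountRecord) -> dict:
    """Everything a help-desk screen is allowed to show.  No typed PIN, no stored
    PIN, no hash: only a masked account number, attempts and lock state."""
    return {
        "account": "*" * (len(rec.account_no) - 4) + rec.account_no[-4:],
        "failures": rec.failures,
        "locked": rec.locked,
    }


if __name__ == "__main__":
    rec = enroll("1234567890", "4821", ssn_last4="7712")
    print(verify_pin(rec, "0000"), support_view(rec))   # False, one failure shown
    print(verify_pin(rec, "4821"), support_view(rec))   # True, counter reset
```

The point of `support_view` is that the help desk cannot leak what it cannot
see: with only a hash on file, the second agent in Alan's account would have
had nothing to read back to the caller, and the SSN transcription error would
have surfaced as a reset request with an identity check rather than as a
disclosed password.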

------------------------------

End of RISKS-FORUM Digest 15.37
************************