Subject: RISKS DIGEST 16.79

Subject: RISKS DIGEST 16.79
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest Weds 8 February 1995 Volume 16 : Issue 79

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
Proposed Virginia law on self-disabling software (Jeremy Epstein)
Cellular Phone Security (Chip Seymour)
Japanese bank workers steal 140 million yen by PC (Mich Kabay)
Road pricing in Singapore (Phil Agre)
InfoWar Level II in Miami (Mich Kabay)
Phone switch bug causes alarm among NM officials (Mich Kabay)
Telephone RISKS (Ry Jones)
Risks in computerized cockpits (Rob Horn)
Concatenating phrases produces confusing results in bank responses
(Daniel P. B. Smith)
More from the cat file (Phil)
1996 ACM COCCS call for papers (R.F. Graveman)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Sun, 5 Feb 95 17:02:53 EST
From: [email protected] (Jeremy Epstein)
Subject: Proposed Virginia law on self-disabling software

The "Washington Post" reported in Saturday's edition (4 Feb 95) that the
Virginia legislature is considering a law requiring that companies notify
customers if the software they sell has a self-disabling feature (e.g.,
after some period of time). The article was sketchy, but it's intended to
head off people developing software and then demanding ransom to prevent the
software from self-destructing. The law would not *ban* such features, just
require that they be disclosed.

The RISK? Does informing people that the software is self-disabling
encourage them to try to subvert the feature? And if someone did and
that triggered the disable feature, would that come under the law?
And what if it were used in safety critical systems: "I'm sorry, but
the license period on the software in your heart monitor has expired.
Please contact the vendor to reenable."

------------------------------

Date: Mon, 6 Feb 1995 11:43:54 -0500
From: Chip Seymour <[email protected]>
Subject: Cellular Phone Security

Under the heading "CELLULAR PHONE SECURITY", EDUPAGE of 5 Feb 1995 mentions
a *Wall Street Journal* article dated 3 Feb 1995 that states Cellular One of
New York and New Jersey is starting to require new customers to enter a
four-digit security code before placing calls.

This is in an effort to curtail cellular fraud, which is quoted as being
$482 million (3.7% of the industry's revenue) in 1994.

NYNEX began such a program last fall. I spoke with a NYNEX sales
representative who told me the new system changes channels after a user
enters the phone number and presses "Send". The four-digit PIN code is sent
on a new frequency, and would-be ESN thieves now have the added task of
determining which PIN goes with which ESN.

However, if your cellular telephone is equipped with a recall feature,
pressing "RCL" displays, not the telephone number you've just dialed, but
the four-digit PIN number. My Motorola DPL 550 recalls the PIN number even
after a powerdown.

Just a word of warning. Recall your PIN and Clear the display before leaving
your telephone, and consider enabling the automatic-lock feature, if
available.

------------------------------

Date: 05 Feb 95 14:12:50 EST
From: "Mich Kabay [NCSA Sys_Op]" <[email protected]>
Subject: Japanese bank workers steal 140 million yen by PC

>From the Reuters news wire via CompuServe's Executive News Service:

RTw 02/05 0107 Japanese bank workers steal 140 million yen by PC

TOKYO, Feb 5 (Reuter) - A Japanese bank employee and two computer
operators have been arrested and charged with allegedly using a
personal computer money transfer system to steal 140 million yen
($1.4 million), police said on Sunday.

Police said the 140 million yen was illegally sent in December
last year from Tokai Bank Ltd to an account in another bank
using a settlement system operated by personal computers. It
was withdrawn the same day.

The following day, a total of 1,490 million yen ($14.9 million)
was sent from Tokai Bank to accounts in several other banks using
the same system. But this time the fraud was discovered before
any withdrawals could be made.

According to the article, the suspects include employees of the bank systems
group and a computer services supplier. It seems that the scheme was driven
in part by debts owed to organized crime groups.

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)

------------------------------

Date: Sun, 5 Feb 1995 21:48:04 -0800
From: Phil Agre <[email protected]>
Subject: road pricing in Singapore

The LA Times had an article about road pricing in Singapore:

Charles P. Wallace, Singapore in high-tech tangle to fight automobile
gridlock, Los Angeles Times, 3 February 1995, page A5.

The story is that Singapore's streets are rapidly becoming jammed with cars,
and so the authoritarian government is trying to impose a road-pricing
scheme based on automatic vehicle identification (AVI). "Road pricing"
means that every road, or at least every frequently clogged road, is a toll
road. "AVI" means that your car carries a device that can be "pinged" by a
radio signal from a roadside beacon, whereupon it broadcasts a number (its
own serial number in most versions, but perhaps the car's identification
number) that allows a charge to be made to an account. The LA Times article
is basically sympathetic to the government's position despite the
straightforward coercion that the system involves. It pays no attention to
privacy issues. The only existing AVI toll-collection system mentioned is
the voluntary Telepass system in Italy.

The basic argument behind road-pricing is a familiar market argument: when
people can travel on roads for free, they naturally do so at a higher rate
than if they had to pay the actual costs of providing roads. Road pricing,
on this model, seeks to establish the most efficient level of road usage by
letting people decide how much it's worth to them to drive.

In practice this argument generally runs afoul of reality in several ways:

(1) Road pricing schemes have generally required the collection of large
amounts of data about individuals' travel patterns. So long as this data
is accumulating, pressures to use it for other purposes, from marketing to
repression, are more or less inevitable. Digital cash payment schemes might
alleviate this problem, but so far as I am aware they have not been seriously
proposed, much less implemented.

(2) Unless you actually privatize the roads, in practice a "road price"
is really a tax whose levels are set not by a market but by a legislature.
One might argue that this is fine in a properly functioning democracy, but
people often don't see it that way. A road-pricing scheme in Hong Kong
failed a while back due in part to anti-tax sentiments.

(3) It's very difficult to establish a proper competitive market in roads,
since in most areas it's an industry with extremely high barriers to entry.

(4) The whole geography of many countries -- maybe not Singapore, but
certainly the United States -- has been shaped by the availability of free
road travel. Introducing road pricing at this late date would cause great
economic disruption. The resulting process would actually be very interesting
to watch, and in the very long run might even reverse the flight from cities
into the suburban sprawl. But it would be very messy.

(5) When it costs money to drive on roads, the poor cannot legally drive.
When you're looking for a job, free roads are one of those little subsidies
that keep the wolves from the door.

Enormous intelligent vehicle-highway systems (IVHS) including AVI-based toll
collection are coming to most of the world. Singapore is the exception in
declaring that the systems will be mandatory. But do you really believe
that the IVHS in your region will remain voluntary? Will your insurance
company require you to sign up for it? Will the availability of AVI
encourage your local bureaucrats, faced with intractable budgetary woes, to
propose road pricing schemes for the two dozen most overburdened roads in
your region? Will you still refuse to sign up for the system when the
alternatives are traveling strictly on free roads or stopping to pay
thirteen tolls every day? These are questions worth thinking about now,
before IVHS technical standards are established and deployment decisions get
set in stone.

Phil Agre, UCSD

------------------------------

Date: 07 Feb 95 21:45:05 EST
From: "Mich Kabay [NCSA Sys_Op]" <[email protected]>
Subject: InfoWar Level II in Miami

The following item does not involve high technology, but it _does_
illustrate the risk from information warfare level II (inter-corporate):

WP 02/06 Dial and Save's Word-of-Mouth Toll;
Chantilly Long-Distance Firm Battles False Rumors of
Free Service to Cuba

By Kara Swisher, Washington Post Staff Writer

Executives at Dial and Save, a small long-distance company
in Chantilly, never thought they would have something in
common with corporate giants such as Procter & Gamble Co.
and Kentucky Fried Chicken Corp. But recently the firm became
a member of that unfortunate group of companies zapped by
untrue rumors that spread out of control. ... Dial and Save
is contending with thousands of angry customers who say they
thought that certain calls placed through its network were free.

According to the author, over 10,000 people in the Miami area thought they
were getting free calls to Cuba--and they placed over $2 million in calls in
a few weeks. Now people are reacting to unexpected bills (some as high as
$10,000).

The furious callers insisted that they had placed the calls
only because they had heard they were using free test lines.
Customers said they would never have made the calls if they
had known the costs; they had believed that Dial and Save's
access number was the code for a free ride to reach their
relatives in Cuba.

The article continues with an extensive discussion of the public-relations
nightmare caused by the angry customers (or perhaps I should say, "would-be
non-customers") over their unexpected bills. In addition, the company
has felt obliged to hire 20 extra Spanish-speaking operators to handle
the thousands of angry calls they are currently receiving.

[Comments by MK: I don't want to discuss the possible motivations of
people claiming they expected free service by calling an access number.
My reason for posting this fairly low-tech story is to illustrate the
economic consequences of a simple rumour. Now imagine this rumour
spreading through cyberspace, aided by anonymous postings and repostings
in innumerable news groups, e-mail messages and bulletin board systems.

This story reminds me of the lament recently posted by an anonymous
executive in _Network World_ 11(49):41 (94.12.05) entitled, "Ad leads to
a nightmare on Cyber-Street." This poor fellow spammed the Net in a
small way and got a slew of nastygrams e-mail and was publicly pilloried
in many news groups.

Unfortunately, "someone uploaded a message to most of the alt.sex groups
that listed my company's two 800 numbers as phone sex lines." The
consequences of _that_ rumour were horrendous: flooded phone lines,
angry and embarrassed receptionists, and complete humiliation of the
naive Internet advertiser.

Now, such childish pranks have already had expensive consequences, yet
they are as nothing compared to the potential for economic terrorism
posed by anonymity and pseudonymity on the Internet. As yet, I think,
only some people on the Net have internalized the appropriate level of
skepticism about _any_ information gleaned from the Internet, let alone
about _anonymous_ postings. With a growth rate estimated by some at 10%
_per month_ in the number of people using IDs that can access the Internet,
we will see a natural increase in credulous newcomers. If thousands of
people can believe that a phone-sex service would use an 800 number (or
that a commercial phone service supplier would make free long-distance
calls available), I think millions of people will be prepared to believe
all sorts of other nonsense--and, alas for the victims, act upon those
mistaken beliefs.

So what are we gonna do, eh? Even my usual leitmotiv (We need
non-repudiatable identification and authentication for access to the
Internet -- etc. etc. etc.) fails: the people using the "free" access codes
for calls to Cuba were tracked unerringly by their normal phone company
accounts. No doubt the gullible seekers after, ah, aural sex were equally
traceable--but so what? The damage was done regardless of non-repudiation.

I dunno what we're going to do. Any ideas?]

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA), Chief Sysop, CompuServe NCSA Forum

------------------------------

Date: 07 Feb 95 21:45:39 EST
From: "Mich Kabay [NCSA Sys_Op]" <[email protected]>
Subject: Phone switch bug causes alarm among NM officials

>From the Washington Post news wire via CompuServe's Executive News Service:

WP 02/06 DIGITAL FLUBS

According to the brief report,

The Albuquerque Tribune reported that many calls placed to
numbers that use the state government's main Sante Fe prefix,
827, were erroneously routed to a recording that announced
that the number was not in service.

Since these events coincided with New Mexico Governor Gary Johnson's announced
intention to replace many government officials, the bug in the phone switching
software caused an unusual number of strong emotional responses.

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)

------------------------------

Date: 5 Feb 1995 20:12:58 GMT
From: [email protected] (Ry Jones)
Subject: Telephone RISKS

Two items have recently become news in the PNW. One, we had an earthquake
centered in Tacoma. According to articles in the Tacoma News-Tribune, the
Seattle Post-Intelligencer, and The Daily Olympian, all three counties 911
systems were knocked out due to people calling to see if there had been an
earthquake, or to get information about the quake. All three articles
mentioned very high call volumes; the Seattle article mentioned 350 calls in
the first 10 minutes after the quake.

The RISKS are obvious. As a denial of service attack, this was perfect.
Hundreds of well-meaning people (like rubberneckers on the information
superhighway?) slowed or stopped vital services from being delivered. All
three counties exhorted people to only call 911 after you have been hurt in
an earthquake.

As an aside, I got on the net and hit
gopher://geophys.washington.edu:79/0quake and had instant, up-to-date
information. Much better than what was available on the radio or TV.
Perhaps if someone made a VMB that recited the most recent event to
all callers? Then we could lose access to one switch somewhere,
instead of to the 911 switch.

Two: page A9, Saturday Feb 4 1995 issue of The Daily Olympian.
LOSER: AUTOMATIC CALLING
Poor Kenneth Calkins. The retired South Sound resident has received
the same call once a week, every week, for nearly a year. The call,
made through the Employment Security Department, is for a job
opening Calkins has no interest in. Officials say the call,
portions of which are in spanish, was meant for another person at
another number. ...
They go on to talk about how he didn't know how to remove himself from
whatever list was generating the calls.

The RISKS here are the annoyance of the voting elderly by newfangled
computers with Automatic Calling Units. You could get voted out of office if
enough people get angry...

Finest handcrafted code since 1987.

------------------------------

Date: Wed, 08 Feb 1995 10:04:00 -0500 (EST)
From: Rob Horn 6-4365 <horn%[email protected]>
Subject: Risks in computerized cockpits

Last week's (30 Jan 1995) and this week's (6 Feb 1995) Aviation Week & Space
Technology have two moderately large sections on investigations, theories,
and practices with the new computerized cockpits. In general the articles
are good. The authors take the perspective of pilots. They discuss how
pilots interact with the computerized systems and how these interactions
improve or decrease effectiveness and safety.

R Horn

[Also noted by [email protected] (David Lesher), who added that
the first issue includes "detailed (make that *very* detailed) discussions
on some of the [in]famous Airbus incidents." PGN]

------------------------------

Date: Thu, 2 Feb 1995 22:56:33 +0001 (EST)
From: "Daniel P. B. Smith" <[email protected]>
Subject: Concatenating phrases produces confusing results in bank responses

BayBank, a Massachusetts chain, has recently started offering "linked
accounts." For example, a recent ad shows the former hockey player, Bobby
Orr, using his telephone to transfer money from his account to his son's. I
figured it would be neat to have something in common with Bobby Orr, so I
had them set up the same thing for me and my daughter who's at U. Mass.
Before setting up the link, my accounts, as shown at ATM machines or over
the phone, were identified as "savings" and "checking."

BayBank has a feature which they call "custom account names." You might
think this means you can pick any name you want, but what it actually means
is that you can select from a list of about a hundred names, with highly
personalized choices like "daughter 1" and "son 2." The BayBank rep who set
up my account suggested the "custom" names "my checking," "daughter's
checking," "my savings," and "daughter's savings," which sounded sensible to
me.

The first time I tried to be like Bobby Orr, here's what the confirmation
dialog I got over the phone was: "Seventy dollars have been transferred from
your my savings account to your daughter's checking account. The reference
number for this transaction is one thousand eight hundred and four." This
caused me to say "huh?" three times. The (British?) grammar of "seventy
dollars have" isn't bad; I would have preferred that the transaction number
be read as "one eight zero four;" but the phrase "your my savings account"
stopped me cold.

So, next month my daughter gets her bank statement and, yep, you guessed it:
her statement shows this as "BayBank XP24 Transfer From BB Boston My
Savings." See, it's my daughter's statement, but it's not _her_ my savings,
it's _my_ my savings.

Daniel P. B. Smith [email protected]

------------------------------

Date: Fri, 3 Feb 95 14:35:45 +1300
From: [email protected]
Subject: More from the cat file

You think *you've* got problems...

We have three little furry friends. The other morning (about 5 am) I was
obliged to remove one of them from my bedroom in response to demands for
food. Said mammal was carried to the kitchen and fed in an attempt to get
some more sleep.

On the return trip to my room I was alerted by the distinctive sound of the
dial tone from the `handsfree' phone in my study. Then I heard it dial...

It had only rung twice by the time I cancelled the call (it's a long hall,
ok? :-). It appears that the kitten was asleep in the empty paper box on
the corner of my desk and had been aroused by the sound of cat biscuits
hitting the food bowl. In the process of heading for the easy way off my
desk (via my chair) he had managed to stand on my phone and take advantage
of the `one-touch hands-off dialing' facility.

Later that morning I used the redial function to see who had been disturbed
and to apologise profusely for the obscenely early call. Luckily, the
recipients were somewhat amused and quite forgiving.

There is now an empty box over my phone whenever I'm not sitting right next
to it...

phil

------------------------------

Date: Sat, 4 Feb 1995 10:50:03 -0500
From: "R.F. Graveman" <[email protected]>
Subject: 1996 ACM COCCS call for papers

Call for Papers
Third ACM Conference on Computer and Communications Security

Hyatt Regency, New Delhi, India
March 14-16, 1996

Sponsored by ACM SIGSAC
Hosted by Indian NIC and AIMIL,
Bell Atlantic, and George Mason University

High quality, original, and unpublished (and not submitted elsewhere)
research and practice papers in the area of computer and
communications security are solicited. All aspects of computer
security are relevant, such as theories, techniques, applications, and
practical experiences. They include:

access control, accounting and audit, applied cryptography (block ciphers,
hash functions, digital signatures, key escrowing, cryptographic protocols),
authentication, authorization, data/system integrity, electronic commerce,
intrusion detection, key management, open systems security, privacy,
protection of software and intellectual property, secure networking (LANs,
WANs, firewalls, ATM, Internet, mobile, wireless, and telecommunications),
secure operating systems and APIs, security architectures and models,
security management, security of distributed systems and databases, security
protocols, and smart-cards and secure PDAs.

Instruction for authors:

Submit seven (7) copies of your paper (not exceeding 7500 words or 25 pages)
to either of the Program co-Chairs, in a form suitable for anonymous review
(no author names, affiliations, obvious references), with a cover letter
including author names, email and postal addresses, phone and fax numbers.
Electronic or late submissions will be rejected without review. Where
possible all further communications to authors will be via email.

Paper submission: July 1, 1995
Acceptance decision: September 1, 1995
Camera-ready papers due: December 1, 1995

General Chairs:
Ravi Ganesan, Bell Atlantic, USA
Ravi Sandhu, George Mason University, USA

Program Chairs:

Li Gong
SRI International
Computer Science Laboratory
333 Ravenswood Avenue
Menlo Park, California 94025, U.S.A.
Tel: + 1-415-859-3232
Fax: + 1-415-859-2844
Email: [email protected]

Jacques Stern
ENS-DMI
45 Rue d'Ulm
75230-05 Paris, France
Tel: + 33-1-44322029
Email: [email protected]

Local Arrangement:
N. Seshagiri, National Informatics Center, India
H.C. Verma, AIMIL, India

Awards: Raymond Pyle, Bell Atlantic, USA
Publication: Clifford Neuman, U. of Southern California, USA
Publicity: Richard Graveman, Bellcore, USA

Program Committee Members:

Aditya Bagchi, Indian Statistical Institute
Elisa Bertino, University of Milan, Italy
Matt Blaze, AT&T Bell Laboratories, USA
Claude Crepeau, Universite de Montreal, Canada
Matthew Franklin, AT&T Bell Laboratories, USA
Virgil Gligor, University of Maryland, USA
Richard Graveman, Bellcore, USA
Sushil Jajodia, George Mason University, USA
Kwok-Yan Lam, National University of Singapore
E. Stewart Lee, University of Toronto, Canada
Arjen K. Lenstra, Bellcore, USA
Kaicheng Lu, Tsinghua University, China
Shyh-Wei Luan, IBM Almaden Research Center, USA
Tsutomu Matsumoto, Yokohama National University, Japan
Catherine Meadows, Naval Research Laboratory, USA
Clifford Neuman, University of Southern California, USA
Luke O'Connor, DSTC, Australia
Bart Preneel, K.U. Leuven, Belgium
Jean-Jacques Quisquater, UCL-MathRiZK, Belgium
Lakshmi Raman, Bellcore, USA
Michael Reiter, AT&T Bell Laboratories, USA
Nachum Shacham, SRI International, USA
Y.K. Sharma, National Informatics Center, India
Shiuh-Pyng Shieh, Chiao-Tung University, Taiwan
Stuart Stubblebine, AT&T Bell Laboratories, USA
Paul Syverson, Naval Research Laboratory, USA
Paul Van Oorschot, Bell-Northern Research, Canada
Vijay Varadharajan, University of Western Sydney, Australia
Gio Wiederhold, Stanford University, USA
Michael Wiener, Bell-Northern Research, Canada
Rebecca Wright, AT&T Bell Laboratories, USA
Moti Yung, IBM T.J. Watson Research Center, USA

More information, access http://www.csl.sri.com/acm-ccs/ccs.html or
email to [email protected].

------------------------------

Date: 6 February 1995 (LAST-MODIFIED)
From: [email protected]
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you. BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S.
users on .mil or .gov domains should contact <[email protected]>
(Dennis Rears <[email protected]>). UK subscribers please contact
<[email protected]>. Local redistribution services are
provided at many other sites as well. Check FIRST with your local system or
netnews wizards. If that does not work, THEN please send requests to
<[email protected]> (which is not yet automated). SUBJECT: SUBSCRIBE
or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent]

CONTRIBUTIONS: to [email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them. Contributions will not be ACKed; the load is
too great. **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
All other reuses of RISKS material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications using
RISKS material should obtain permission from the contributors.

RISKS can be read on the web at URL http://catless.ncl.ac.uk/Risks
Individual issues can be accessed using a URL of the form
http://catless.ncl.ac.uk/Risks/VL.IS.html
(Please report any format errors to [email protected])

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>YourName<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.
Issue J of volume 16 is in that directory: "get risks-16.J<CR>". For issues
of earlier volumes, "get I/risks-I.J<CR>" (where I=1 to 15, J always TWO
digits) for Vol I Issue j. Vol I summaries in J=00, in both main directory
and I subdirectory; "bye<CR>" I and J are dummy variables here. REMEMBER,
Unix is case sensitive; file names are lower-case only. <CR>=CarriageReturn;
UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and
password. Also ftp [email protected]. WAIS repository exists at
server.wais.com [192.216.46.98], with DB=RISK (E-mail [email protected] for info)
or visit the web wais URL http://www.wais.com/ .

------------------------------

End of RISKS-FORUM Digest 16.79
************************