From: CSBVAX::MRGATE!NEUMANN@KL.SRI.COM@SMTP 26-JUL-1988 12:51 To: ARISIA::EVERHART Subj: RISKS DIGEST 7.26 Date: Tue, 26 Jul 88 09:44:59 PDT From: Peter G. Neumann Subject: RISKS DIGEST 7.26 To: EVERHART%ARISIA.decnet@GE-CRD.ARPA In-Reply-To: <8807260250.AA00767@csl.sri.com> Message-ID: <12417419945.19.NEUMANN@KL.SRI.COM> RISKS-LIST: RISKS-FORUM Digest Saturday 23 July 1988 Volume 7 : Issue 26 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Misuse of the UK Data Protection Act (Brian Randell) Risks of not running new software in parallel with old (Jon Reeves) Computer Error causes bills to be mailed to wrong address (Todd Medlin) Penetrating the Phone System (John Markoff via Geoff Goodfellow) Electronic IQ Testing (Stephen Colwill) Re: IRS and Electronic Filing (Bill Bohrer) Re: The IRS Illinois Experiment (Henry Spencer) Re: "Man in the loop" (Will Martin) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95). ---------------------------------------------------------------------- Date: Thu, 21 Jul 88 11:29:20 WET DST From: Brian Randell Subject: Misuse of the UK Data Protection Act RISKS readers are all too used to learning of new ways in which the power of computers has been creatively misused. This posting, however, concerns misuse of a law which was itself in part intended to prevent computer misuse! One of the provisions of the UK Data Protection Act, which is now in force, enables individuals to have the right to obtain copies of information held about them in computers (excepting by the security organisations, etc.). An article in the 21 July 1988 issue of Computing reveals that the Act is being abused by employers who are using it to check up on prospective employee's backgrounds. It quotes the fourth report of the Data Protection Registrar as complaining that: "Employers are using the Act as a back door for getting an individual's record, and this is wrong... To use the Act to force individuals to find and reveal information about themselves is contrary to the objectives of data protection and should be stopped." The article explains that this misuse is most common by local authorities checking up on taxi drivers prior to granting trading licenses, It quotes the Assistant data protection registrar: "Individuals are in a difficult position as they want the job and are not too keen to stand up for their rights ... the problem is that minor offences, which under the Rehabilitation of Offenders Act no longer count against an individual, still appear on police records." Apparently it will take a change in the law to make it illegal for someone to be forced to exercise his rights under the Data Protection Act. Brian Randell, Computing Laboratory, University of Newcastle upon Tyne JANET = Brian_Randell@uk.ac.newcastle UUCP = ...!ukc!newcastle.ac.uk!Brian_Randell PHONE = +44 91 232 9233 ------------------------------ Date: Wed, 20 Jul 88 21:05:42 EDT From: reevesdecvax.dec.com (Jon Reeves) Subject: Risks of not running new software in parallel with old Regular readers have probably heard stories like this before, but it's worth repeating. The Bill's in the Mail [Corporate Report Minnesota, July 1988; by Lee Schafer] Mona, Meyer & McGrath, the Bloomington [Minnesota] public relations firm that placed 470 on the 1987 Inc. [magazine] 500 list of fastest growing companies, is still feeling the effects of a no-growth course of action that it unwittingly adopted late last year and early this year. It all started last summer when Mona, Meyer decided that it had outgrown its accounting and billing system, which, according to partner Scott Meyer, was suited to a company with $1 million in annual revenue, rather than the $5 million company Mona, Meyer had become. ... The partners ... decided to hire a Dallas firm, Data Directions Inc., to create a custom system. In October 1987, the software firm figured the necessary work was completed, but advised Mona, Meyer to continue to run the old system--just in case. This advice was ignored. "We decided to pull the plug on the old system and flip the switch on the new one," Meyer says. The intent was to save some staff time by running a single system. "Well, we flipped the switch and it didn't work." October, November, and December billings went uncompleted while Mona, Meyer scrambled for solutions. October and November bills were finally mailed in January, but they were prepared by hand. Only by mid-March did the system work well enough to allow a combined January and February billing to be mailed. As one might expect with ceased income but continued outgo, Mona, Meyer faced a cash-flow crunch by mid-January. ... Meyer says bank loans carried the firm until the billing situation was straightened out. Although phones weren't ringing off the hook with clients wondering about their bills, a few customers were unhappy with the situation because they had to pay for 1987 services out of 1988 budgets. Jon Reeves ------------------------------ Date: Thu, 21 Jul 88 18:23:07 edt From: medlin@csclea (Todd Medlin) Subject: Computer Error causes bills to be mailed to wrong address Local radio stations (in the Research Triangle Park, NC area) carried a story this morning concerning incorrect billing to students at NC State. It seems that the program used to generate bills would correctly generate a student's bill, but, then address it to the wrong student. The problem was discovered only after 6000 bills were mailed to the wrong students. ------------------------------ Date: Fri, 22 Jul 88 09:39:16 PST From: geoff@Fernwood.MPK.CA.US (the tty of Geoff Goodfellow) Subject: Penetrating the Phone System PERSONAL COMPUTER USERS PENETRATING NATION`S TELEPHONE SYSTEM By JOHN MARKOFF with ANDREW POLLACK (c.1988 N.Y. Times News Service) NEW YORK - Sophisticated personal computer users are becoming increasingly adept at penetrating the nation's telephone system, raising questions about the security and privacy of the phone system, industry experts and law enforcement offiials say. The vulnerability of the phone system to such tampering has grown significantly in the past decade or so as telephone companies have largely replaced electro-mechanical call-routing equipment with computer-controlled switches. As a result, people with the expertise can illegally connect their personal computers to the phone network. With the proper commands, these intruders can do such things as eavesdrop, add calls to someone's bill, alter or destroy data, have all calls to a particular number automatically forwarded to another number or keep someone's line permanently busy, it was disclosed in an internal memorandum written by a manager of electronic security operations at the San Francisco-based Pacific Bell Telephone Co. and in interviews with company officials. Peter Neumann, a computer security consultant at SRI International Inc. in Menlo Park, Calif., said telephone companies are only beginning to awaken to the security problems created by the increasing computerization of the telephone network. ``As far as our vulnerability, we all have our heads in the sand,'' he said. ``We have to redefine our notions of what we entrust to computers and to communication networks.'' Some personal computer enthusiasts, often called ``hackers,'' view the task of breaking into the telephone system as a test of their skills and only infrequently inflict damage, industry officials and consultants say. But others act with criminal intent. In his memo, the Pacific Bell security manager also warned that an electronic intruder could essentially disable an entire central switching office for routing calls, disrupting telephone service to entire neighborhoods. Furthermore, he said, organized-crime groups or terrorists might use such technology to their own advantage. The integrity of customer bills could also be compromised, he said. Customers might rightfully or wrongfully dispute expensive calls, claiming the calls were placed on their bills by computer hackers. Earlier this month, a teen-age computer enthusiast who requested anonymity provided The New York Times with the Pacific Bell memo, which was written a year ago. He said it had been obtained by a fellow hacker who illicitly eavesdropped on a facsimile transmission between Pacific Bell offices in San Francisco. The memo, which Pacific Bell verified as authentic, concluded that ``the number of individuals capable of entering Pacific Bell operating systems is growing'' and that ``computer hackers are becoming more sophisticated in their attacks.'' In one of two cases cited in the memo, a group of teen-age computer hobbyists were able to do such things as ``monitor each other's lines for fun'' and ``seize another person's dial tone and make calls appear on their bill,'' the memo said. One of the hackers used his knowledge to disconnect and tie up the telephone services of people he did not like. In addition, ``he would add several custom-calling features to their lines to create larger bills,'' the memo said. In the second case, police searched the Southern California home of a man thought to be breaking into the computers of a Santa Cruz, Calif., software company. They discovered the man could also gain access to all of Pacific Bell's Southern California switching computers. wFiles were found containing codes and employee passwords for connecting with -- or ``logging on to'' -- the Pacific Bell switching systems and related computers. The man also had commands for controlling the equipment. In another case involving tampering with telephone company switching equipment, local police and the FBI in the San Francisco area are investigating Kevin Poulsen, a former programmer at Sun Microsystems, said Joseph Burton, an assistant U.S. attorney in San Jose, and John Glang, a deputy district attorney for San Mateo County. Authorities searched Poulsen's apartment in Menlo Park in February as well as the residence of a suspected accomplice in San Francisco, the officials said. Poulsen was said to be in Southern California and was unavailable for comment. Burton said he could not discuss a current investigation. Glang would say only that the case had been taken over by the federal government because ``there are some potential national security overtones.'' But a security expert familiar with the case, who requested anonymity, said that Poulsen ``pretty clearly demonstrated you can get in and romp around inside a Bell operating system.'' ``What it pointed out,'' he said, ``was the serious vulnerability.'' Security consultants said other phone companies are equally vulnerable to such breaches. They noted that most phone service in the nation is provided by companies that were part of the Bell System until it was broken up in 1984 and still use similar equipment and procedures. Michigan Bell officials said they had caught an intruder who tampered with the company's switching equipment last year. A spokesman declined to give details of the incident but said no arrest was made. ``We have been able to tighten our security arrangements,'' said Phil Jones, a company spokesman. ``There were lessons to be learned here.'' Jack Hancock, vice president for information systems at Pacific Bell, said his company had also taken steps to make it tougher to penetrate its systems. He said, however, that the company had to strike a balance between security and cost considerations so the phone system would still be widely affordable and easy to maintain. ``We could secure the telephone system totally, but the cost would be enormous,'' he said. ``A public service will probably always have certain insecurities in it.'' Though Pacific Bell refused to disclose the security measures it had taken, the company said it had restricted the ability to dial into its computers from remote points. As computerized communications become more sophisticated, companies will be able to improve security at a reasonable cost, said Barry K. Schwartz, a systems planning manager at Bell Communications Research, which does research for the seven Bell operating companies. It will be increasingly possible to program a computer so it will only answer a call from an authorized phone, he said. Another new technology on the horizon, he said, is electronic voice verification. A security system using this technology would be able to recognize those authorized to gain access to a computer by their voice patterns. Telephone companies have long had to worry about electronic abuse of their networks. For several decades individuals have used electronic equipment to make long-distance phone calls for free. Some have used devices that generate a series of tones that provides access to long-distance lines. Telephone companies have installed equipment on their lines to detect and thwart such abuse. In other instances, people have used personal computers to find long-distance access codes belonging to other users. They do this by programming computers to keep trying various numbers until they hit upon one that works. But while costly, these kinds of abuse are not much of a threat to the integrity of the system because they do not affect the system itself. The new problems involving network tampering are arising, experts say, because the switches that route calls are now mostly electronic, meaning they are essentially big computers. If a customer wants an option like call forwarding or call waiting added to his or her telephone service, that is done by typing commands into a computer, not by moving wires and switches. Pacific Bell said 79 percent of its customers are now served by computerized switching systems. Experts say these electronic networks are especially vulnerable to tampering because it is possible to dial up the computers controlling the switches from the outside. Phone companies designed their systems this way to make it easier for them to change the system and diagnose problems. For example, a technician in the field trying to diagnose problems on a line needs to be able to dial certain test circuits in the central office. But such a dial-up capability can also be used by outsiders with personal computers and modems who know the proper numbers to call and the proper procedures to get on the system. The ability to eavesdrop on telephone calls is included in the system to allow an operator to check to see whether a line that is busy for a long time is being used or whether the phone is off the hook or the line is broken. One security consultant who requested anonymity said this capability had also made it much easier for law enforcement officials to wiretap a line. When the police receive court permission to conduct a wiretap, they can have the phone company dial up the switch serving the line so conversations can be monitored from a remote location. Obtaining the information needed to break into the phone system can be difficult, but intruders often do it by impersonating phone company employees -- a practice that hackers call ``social engineering.'' A teen-ager interviewed by Pacific Bell officials after his arrest told investigators that he had entered a number of Pacific Bell facilities in the San Francisco area disguised as a Federal Express delivery man in order to search for manuals and other documents, according to the company memo. The youth also said he had impersonated telephone security officials to obtain passwords and other information. ------------------------------ Date: Thu, 21 Jul 88 9:58:09 BST From: Stephen Colwill Subject: Electronic IQ Testing People interested in scenarios arising from the possibility of mechanised IQ testing might like to read `Player Piano' by Kurt Vonnegut. I say no more! ------------------------------ Date: Fri 22 Jul 88 00:59:28-CDT From: ASTROBOY Subject: Re: IRS and Electronic Filing Lars Poulson writes (regarding the IRS Tax return proposal): >The note projects that the IRS would save $63.50 for each electronically filed >return, and that the tax preparers would charge $60-$80 on top of their >preparation fee. This seems like a lot of money for what would seem like a >10-minute data entry task. I thought data entry jobs paid about $10-$15/hour; >double that for G&A overheads, and I get $5/return. Network costs may be >another $5, but while these would be a cost to the tax preparers, the IRS woul >incur them. I don't know where you got your information about what data-entry pays, but, at least in the Austin TX job market, you're off by as much as 300%. Data entry clerks (the key word here is `clerks') at the IRS facility here start at $4.65/hr and all you need is a high school diploma. This salary is true of the market in general. (I have checked.) Wendy's starts at $4.25/hr, for crying out loud, and you don't even need a *brain* to work there. The biggest advantage in having a tax preparer file your return electronically is that you will circumvent the underpaid, overworked, slightly addled civil servant and can be reasonably sure that the numbers were correctly entered. If you send in your paper from, and the caffeine-crazed/caffeine-depleted drone enters the numbers incorrectly, you then have to deal with the Tax Examiner. They are paid the premium salary of $5.50/hr, and need a college degree for that. Needless to say, these jobs do not garner the nation's best. Bill Bohrer ------------------------------ Date: Fri, 22 Jul 88 20:31:58 EDT From: mnetor!utzoo!henry@uunet.UU.NET Subject: Re: The IRS Illinois Experiment >... Where do these savings come from ? The key point is that money that used to come out of the IRS budget now will come out of yours. This is why the IRS is big on the idea. The question is whether they can make it attractive enough to sell it. Henry Spencer @ U of Toronto Zoology ------------------------------ Date: Tue, 19 Jul 88 15:51:22 CDT From: Will Martin -- AMXAL-RI Subject: Re: "Man in the loop" > The July 18 Los Angeles Times carries an op-ed piece by Peter D. Zimmerman > ... But the real lesson from the tragedy in the Persian Gulf is that > computers, no matter how smart, are fallible. Sensors, no matter how > good, will often transmit conflicting information. The danger is not > that we will fail to prepare the machines to cope with expected situa- > tions. It is the absolute certainty that crucial events will be ones > we have not anticipated. I would have a lot more respect for Mr. Zimmerman if he had added the line, " -- and that people, too, no matter how smart, are fallible." to the first sentence above. GIGO applies not only to computers but to humans, except that we are complex enough computing devices to often perform unconscious "sanity checks" that we probably would fail to implement in software. After all, there WAS a "man in the loop" on the Vincennes -- the computers did not automatically fire the missiles without human intervention. Will Martin ------------------------------ End of RISKS-FORUM Digest 7.26 ************************ -------