                                ==Phrack Inc.==

                 Volume Four, Issue Thirty-Eight, File 14 of 15

              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
              PWN                                             PWN
              PWN              Phrack World News              PWN
              PWN                                             PWN
              PWN     Issue XXXVIII / Part Two of Three       PWN
              PWN                                             PWN
              PWN       Compiled by Dispater & Friends        PWN
              PWN                                             PWN
              PWN     Special Thanks to Datastream Cowboy     PWN
              PWN                                             PWN
              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

What's Wrong With The Computer Crime Statute?                 February 17, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Thomas A. Guidoboni (ComputerWorld)(Page 33)

"Defense and prosecution agree the 1986 Computer Fraud and Abuse Act is flawed but differ on how to fix it."

It has become an annual ritual, since the birth of the Internet worm, for Congress to consider amendments to the 1986 Computer Fraud and Abuse Act. At this point, the U.S. Department of Justice can be expected to advocate three things: an expansion of the federal role in the investigation and prosecution of computer crimes, the creation of new categories of offenses, and harsher penalties, including perhaps the current darling of the department, forfeiture of property.

Since the law is of recent origin, was substantially revised in 1986 and proved more than adequate to prosecute and convict Robert T. Morris, there seems little justification for expansion of its coverage. Nevertheless, if Congress is determined to review and revise the provisions of the act, there are several narrow, but significant, amendments that are clearly warranted.

Of primary importance is the definition of terms. The core of the law suffers from a lack of clarity. Offenses are described by reference to "authorized" or "unauthorized access," yet these terms are not defined anywhere.

Perilously Vague

In a universe that consists of broad computer networks, bulletin boards, E-mail and anonymous file-transfer protocols, and one in which permissions and rights are established by custom, usage and private understandings, a person is left to speculate at his peril as to what conduct is permitted and what is prohibited by this vague language. The Computer Fraud and Abuse Act should be amended to give precise content to the concepts of "access" and "authorization," thereby providing fair warning of illegal conduct.

A second change for the better regarding the act would be to create a distinction between those computer intruders who unintentionally cause a monetary loss and those who maliciously cause such harm. The present law, as interpreted in the Morris case, recognizes no such distinction. This is contrary to long-standing notions of fairness in our system of criminal law, which acknowledges that between two persons who cause the same harm, the one who intended that result is more culpable than the one who did not.

A third part of the statute that needs revision relates to computerized medical records. It is too broad because it includes as felonious conduct the unauthorized access to such records that "potentially modifies or impairs" medical treatment or care. Virtually every unauthorized access to computers containing medical records carries this potential. A better solution would be simply to make any "unauthorized access" of computerized medical records data a misdemeanor, with the intentional modification or destruction of such data designated as a felony.

Amend, But Don't Expand

These slight but important amendments would serve to clarify and improve a basically sound law without stifling the creativity of persons akin to those who have been responsible for many of the advances in computer technology in this country.

More expansive revisions are ill-advised, as they may unnecessarily encroach on evolving privacy and free-expression interests. A broadening of federal involvement is also inappropriate. Nearly every state has enacted laws against computer fraud and abuse and, as Congress recognized in 1986, federal jurisdiction should be limited to cases where there is a compelling federal interest. This might include instances where computers belonging to the federal government or to financial institutions are involved, or cases where the crime itself is interstate in nature. Furthermore, other computer crimes should be left to prosecution by the individual states, as is presently the case.

In sum, the 1986 Computer Fraud and Abuse Act would benefit from some clarification, but expansion of its coverage and wholesale revisions are both ill-advised and unnecessary.

Note: Thomas A. Guidoboni is an attorney with Bonner & O'Connell in Washington, D.C. He represented Robert T. Morris in the Internet virus case.
_______________________________________________________________________________

Private Social Security Data Sold to Information Brokers      February 29, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By R.A. Zaldivar (San Jose Mercury News)

Washington, D.C. -- The privacy of 200 million Americans with records at the Social Security Administration is threatened by an illegal trade in pilfered computer files.

"Computerization has dramatically improved our ability to serve the public," Social Security Deputy Commissioner Louis Enoff told a Senate panel. "However, it has also made confidentiality more difficult."

Two executives of Nationwide Electronic Tracking, a Tampa, Florida, company, pleaded guilty to conspiracy charges in January for their part in a national network selling Social Security records. Twenty-three people, including agency employees and police officials, have been indicted in the case -- the largest known theft of government computer data.
"Information brokers" will pay Social Security employees $25 for a person's earnings history and then sell the data for as much as $300. Their growing list of customers includes lawyers, private investigators, employers, and insurance companies.

Social Security records contain a mother lode of information that includes not only a person's past earnings but names of employers, family history and even bank account numbers of people who receive benefits by direct deposit. The information can be used to find people or to make decisions on hiring, firing, suing or lending, said Larry Morey, deputy inspector general of the Health and Human Services Department.

"Here we have a large-scale invasion of the Social Security system's confidentiality," said Senator Daniel P. Moynihan, D-N.Y., chairman of the Social Security subcommittee.

Information from other government data bases with records on individuals -- such as the FBI's National Criminal Information Center -- is also available on the underground market. All a broker needs is the cooperation of a clerk at a computer terminal.

Congress may revise privacy laws to increase penalties for illegally disclosing information in the private files of individuals. Enoff said Social Security is studying ways to improve computer security, as well as keeping closer tabs on employees with access to files, and stressing to its workers that unauthorized disclosure of information is a federal crime.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Related articles can be found in Phrack World News, Issue 37, Part One:

Indictments of "Information Brokers"                               January 1992
Taken from The Privacy Journal

SSA, FBI Database Violations Prompt Security Evaluations       January 13, 1992
By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41)
_______________________________________________________________________________

Back to Act I                                                     March 3, 1992
~~~~~~~~~~~~~
Taken from Communications Daily (Page 2)

"Supreme Court Lets Stand Ruling That FCC Ban On Indecency Is Unconstitutional"

FCC's 24-hour ban on indecent programming is unconstitutional, U.S. Supreme Court ruled in refusing to consider unanimous U.S. Appeals Court, D.C., decision. Supreme Court action also effectively overruled December 1988 rider to Senate appropriations bill directing FCC to ban all indecent programming. Last summer, en banc Appeals Court had refused to reconsider May decision by unanimous 3-judge panel that FCC ban is unconstitutional. FCC, with support of Justice Department, had asked Supreme Court to reconsider case.

Coalition of 14 intervenors, including Action for Children's TV (ACT), had opposed FCC in Appeals Court and Supreme Court. En banc Appeals Court said that none of 13 judges who participated "requested the taking of a vote" on whether to rehear case. On Supreme Court, Justices Sandra O'Connor and Byron White voted to reconsider case.

FCC's definition of indecency: "Language or material that depicts or describes, in terms patently offensive as measured by contemporary community standards . . . sexual or excretory activities or organs." Agency has fined several stations for indecent programming in the last year.

With loss in Supreme Court, FCC official told us "we don't have any choices left" but to permit such programming to be broadcast. "We're back to Act I." Source predicted, and other FCC officials agreed, that agency soon will issue rulemaking to make a ban on indecent programming later than 8 p.m. Same sources expect Congress once again to take up issue.

ACT President Peggy Charren said: "It's very exciting for ACT to have won one for the First Amendment. We always knew it's preposterous for the FCC to try to ban speech at 3 o'clock in the morning to protect children . . . It's very satisfying to have this particular [conservative] Supreme Court agree with us."

NAB (which also was intervenor in case) Associate General Counsel Steve Bookshester said Supreme Court "correctly" acted in not reviewing lower court decision: "Now, it's up to the Commission to adopt new procedures to determine when such material is permitted to be broadcast." Washington attorney Timothy Dyk, who represented intervenors, said: "I think it's a very happy result . . . The Court of Appeals decision is exactly where it should be in terms of a safe harbor."
_______________________________________________________________________________

Drug Enforcement Data Are Vulnerable Through Phone Lines          March 4, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taken from Communications Daily (Page 5)

Classified information in computers of Drug Enforcement Administration (DEA) is at risk, General Accounting Office (GAO) said in a report. It said DEA doesn't provide adequate protection of classified information because too many people have access to computers that store data, and computers with classified information are hooked into nonsecure telephone lines, making them vulnerable to outside intrusion.

Report, Computer Security: DEA Is Not Adequately Protecting National Security Information (GAO/IMTEC-92-31), said it found several instances of lax physical and electronic security at DEA computers in several locations. Although there are no known instances of security breaches, "these disturbing security weaknesses pose serious risks that could potentially hinder DEA's mission and threaten the lives of federal agents," the report said. The report found that DEA isn't complying with standard security guidelines outlined by National Security Agency.
In preliminary findings, GAO was so concerned with security weaknesses that it called in Department of Justice on January 9 and furnished it with a "limited official use" version of its report to give DEA time to correct problems, said Rep. Wise (D-W.Va.), chairman of House Government Operations Subcommittee, who ordered the investigation. He said other government agencies should be wary of sharing information with DEA until security problems have been eliminated. Calls to DEA on progress of follow-up security procedures weren't returned.

Findings are "indicative" of typical "apathetic security attitude" that the government has, said David Banisar, security expert for Computer Professionals for Social Responsibility.

GAO investigators found DEA couldn't adequately identify what computers used classified information. "DEA cannot ensure that adequate safeguards are in place for protecting national security information," report said. In spite of federal guidelines, GAO found that DEA hasn't "completed a risk analysis" of computer system. Some classified computers were found to be operated in areas where contractors -- with no security clearances -- moved around with no restrictions. No computers were found to be "tempest" hardened, i.e., shielded so that electronic emissions from keyboards can't be picked up.

In light of concern on outside intrusion from "hackers," GAO found several DEA computers were connected by phone lines "that are not encrypted" -- which it described as clear violation of national security guidelines. The report said "unauthorized individuals can intercept or monitor information emanating from and transmitted by" the agency without being detected.

Classified information was found to be stored on hard disks in an "inadvertent" manner, allowing for the possibility that computers, when resold, still might hold data. One such occurrence, recorded by GAO in its report, occurred last year when sensitive grand jury information on informants was left on surplus computers sold by DoJ at a public auction. The report said that DEA has acknowledged weaknesses "and is taking action to correct them."
_______________________________________________________________________________

BBS Controversy Brews Close To Home                                  March 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taken from Puget Sound Computer User
Special Thanks: Peter Marshall in Telecom Digest

In a case before the Public Utility Commission of Oregon, US West is maintaining that three phone lines connected to a free-access BBS in a residence should be billed at business rates. Because of the similarities in tariffs from state to state and US West's position in the case, many are predicting that if US West prevails, the company will be authorized to raise all Oregon BBS lines to business rates and try to raise rates for BBS lines in US West's remaining 13 states.

The case started when Tony Wagner, a Portland system operator, received a letter from US West in October, 1991. In the letter, Communications Consultant Sandi Ouelette said "Bulletin board services are considered a business, therefore, subject to business rates ..."

One Seattle attorney interested in telecommunications said these attempts by the phone companies to raise rates for BBSes are "just another attempt to swipe people's communication."
_______________________________________________________________________________

1-800-54-PRIVACY                                                 March 10, 1992
~~~~~~~~~~~~~~~~
Taken from Communications Daily

American Newspaper Publishers Association (ANPA) President Cathleen Black asked American Paper Institute to support the newspaper industry's fight against RHCs, warning that the market for paper could drop if phone companies are allowed to expand activities into information services. Increased electronic classified ads and other services could lead to cutbacks in demand for newsprint, Black said. Newspaper producers, traditionally allied with ANPA, said they would study the matter.

Meanwhile, full-page newspaper ads placed by ANPA and allied Consumer Federation, Graphic Communications International Union, National Newspaper Association, and Weatherline have generated thousands of calls to an 800 number from readers concerned about potential invasions of privacy by telephone companies. The latest ad ran in the March 7 Washington Post, under the headline: "Unless they're stopped, the Bells will know more about you than even the IRS." The ad advised callers to dial 1-800-547-7482, referred to in the telephone message as "1-800-54-privacy."

Gary Slack, of the Chicago PR firm Slack, Brown & Myers, which is coordinating the 800 campaign, said that the angle in the ad has become an effective weapon against RHCs because "there are a lot of people concerned about privacy." Callers are sent a 4-page letter signed by Black and "action guidelines" for asking legislators to support bills by Representative Cooper (D-Tenn.) (HR-3515) and Senator Inouye (D-Hawaii) (S-2112) that would restrict RHC entry into information services.

ANPA has argued that, through data on telephone bills, information can be collected about callers. RHCs didn't have the incentive to use that data before, but now with the ability to offer information services, they do, ANPA said. ANPA generally doesn't pay for ads, but offers them to newspapers to run when they have space, a spokesman said.

Pacific Telesis Vice-President Ronald Stowe said ANPA ads "show desperation and questionable ethics." He said ANPA is using some of same tactics it has accused RHCs of using, including collecting information on subscribers. ANPA ads are "really sewer-level stuff," Stowe said: "There are enough legitimate issues that ought to be debated."
*** Editor's Note: For more information on this story, please see "Standing Up To Fight The Bells" by Knight Lightning in this issue of Phrack.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Missouri Bulletin Board Case Settled                             March 24, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taken from Communications Daily (Page 6)

Southwestern Bell in Missouri has filed a new tariff with the Missouri Public Service Commission (PSC) to allow computer bulletin board (BBS) operators to use residential lines. The tariff would take effect April 10 if there are no complications.

Under proposal, the BBS operators at homes would be allowed to continue to use residence lines if they don't "solicit or require any remuneration, directly or indirectly, in exchange for access" and use 4 or fewer residential lines priced at flat rates. BBSes that don't meet those requirements would be required to use business lines.

The tariff, negotiated between SWB and representatives of BBS operators, defines a BBS as "a data calculating and storage device(s) utilized as a vehicle to facilitate the exchange of information through the use of Southwestern Bell Telephone Company facilities." BBS language is part of a high-grade Information Terminal Service originally aimed at business users with computers, but interpreted by BBS operators as targeted at them. SWB originally had wanted to make the new service mandatory for computers with modems, but the new proposal, submitted March 11, makes it optional.

*** Editor's Note: For more information, please see the numerous articles on this topic in Phrack World News, Issue 37, Part 3.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

In a surprising turn of events, the April 14, 1992 issue of Communications Daily reports that U.S. West in the state of Washington has decided not to follow the example of the Oregon attempt to raise rates for electronic bulletin board (BBS) hobbyists.

Patsy Dutton, consumer affairs manager for Washington Utilities & Transportation Commission (WUTC), asked U.S. West about its policy after receiving request from BBS operators. In a letter dated March 31 to system operator Bruce Miller, Dutton said she had reviewed U.S. West tariff and had talked with company representatives as to current and future plans for BBS service: "The company indicates it has no intention of changing its current procedure." Residential service would be available for hobbyists, with business rates applying under other conditions.

An Oregon PUC law judge is currently considering complaint against U.S. West for raising rates of bulletin board operators there.
_______________________________________________________________________________

Congress Explores Dropping Subsidy of Federal Science Network    March 13, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taken from Communications Daily (Page 6)

"Fairness For All Is Urged"

In hearing, Representative Boucher (D-Va.) questioned National Science Foundation (NSF) on its management policies and future direction of NSFnet, national research network. He said it's "essential" that NSFnet be structured so all commercial providers of network services "receive equal treatment" and that government policy for managing the network "not favor any provider" or set of providers.

The current process of using federal money to subsidize NSFnet is "obsolete" said Mitchell Kapor, representing Commercial Internet Exchange (CIX) Association, a consortium of commercial network services suppliers. Although federal money was necessary in the "early stages," when technology for building the network still was "experimental," now that the network is in place, government subsidy should stop, Kapor said. He said CIX members can provide "any level of service" needed by the same community served by NSFnet -- research and education.

Kapor said CIX members could build and service national backbones with "off-the-shelf" technology; however, he said, because federal money goes to support the current network backbone, NSFnet users are allowed on the network free and don't have an incentive to use commercial services.

William Schrader, president of Performance Systems International (PSI), said government could level the playing field by providing money directly to individual universities and letting them choose, on a "free-market" basis, which network service provider to use. That system, he said, would provide incentive for several suppliers to upgrade networks in efforts to corral most customers. Kapor said it also would "push the envelope" of technology to an even greater level. With the current system in place, the technological level of the network will evolve more slowly because there would be no incentive to provide a higher level of service, he said.

Current users of NSFnet spoke against changing the status quo. Michael Roberts, VP-networking for Educom, a task force of 48 universities, said that removing funding for the network would be "horrendous." By requiring individual universities to seek out their own service providers, he said, government would have to institute another level of bureaucracy, creating "thousands of entitlements," which would be impossible logistically.

Douglas Van Houweling, speaking for NSFnet manager Merit, said removal of funding most likely would upset the networks' level of stability, leading to disruption in service that "millions of users" have become accustomed to. By letting "any number" of commercial providers supply network services, there would be no guarantee of level of service, which is a "vital" mission of research labs, universities and federal agencies now using the network, Van Houweling said.

Federal agencies would rather have a stable network than improved service, said Stephen Wolff, director of NSF's Networking & Communications Division. He told Boucher that federal agencies didn't want the network open to competition because they feared it would degrade the quality of service. Wolff said NSF would proceed with its plan to commercialize network "within 5 years" as requested under the recently voted High-Performance Computing Act.

He also said he had presented to universities the idea of providing them with federal money and letting them purchase network services in the free market. The proposal was "soundly rejected," he said, because universities didn't feel they were able to make such decisions. Instead, they supported NSF's current proposal of rebidding network management so that 2 network providers would be in place. The new system would operate on model of government's FTS 2000 program. NSF would grant awards for network services to 2 companies and have an independent 3rd party act as "traffic manager" to ensure one network provider wasn't favored over another.
_______________________________________________________________________________

MCI and Sprint Take Steps To Cut Off Swindlers                    April 1, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Kent Gibbons (The Washington Times)(Page C1)

MCI and Sprint are cracking down on telephone fraud. The two long-distance carriers are tackling different kinds of swindles, though:

 * MCI said it will stop sending out bills for pay-per-call operators who promise help getting a loan, credit, a credit card or a job.

 * Sprint said it will offer large business customers a form of liability insurance against unauthorized use of corporate switchboard lines.

MCI Communications Corporation of the District said it wanted to protect consumers who might be gulled into overpaying for some "900-number" services during economic troubles. But long-distance carriers are also guarding their own bottom lines by tightening up pay-per-call standards, said telecommunications analyst James Ivers.
"They're acting fiscally responsibly because traditionally, these were the types of programs that created a high level of uncollectible" bills when ripped-off consumers refused to pay, said Mr. Ivers, senior analyst with Strategic Telemedia, a consulting firm in New York.

Last September, Sprint Corporation, of Kansas City, MO, told more than 90 percent of its 900-number customers it would no longer do their billing. Long-distance firms cannot refuse to carry pay-per-call services, but most 900-number operators do not want the expense and trouble of doing their own collections.

American Telephone & Telegraph Co., of New York, said it has set up strict guidelines for all 900-number firms, such as disclosing in advertising any fees charged for credit processing. AT&T spokesman Bob Nersesian said: "We still think there are legitimate providers of this kind of service and our guidelines keep the dishonest guys off the network."

Sprint's switchboard-fraud liability protection is aimed at big customers, whose Sprint bills are more than $30,000 per month. For an installation fee (up to $5,000) and a monthly charge (also up to $5,000), Sprint will absorb fraudulent phone charges above $25,000 per switchboard. The customer pays the first $25,000. Sprint's liability ends at $1 million.

Large and medium-sized companies can rack up huge bills if their private switches, known as private branch exchanges or PBXes, are broken into and used to make calls to other countries. In a recent case, more than 20,000 calls were made on a company's PBX over a weekend, with the charges estimated at more than $1 million, said M.R. Snyder, executive director of Communications Fraud Control Association, a Washington trade group.

"It is certainly a fraud target that is ripe for being abused," Ms. Snyder said, especially since telephone carriers have improved their ability to spot unauthorized credit-card calls more quickly. Overall, telecommunications fraud costs phone carriers and customers an estimated $1.2 billion per year, although the figure is really just a "guesstimate," Ms. Snyder said.

Company PBXes often have features that allow traveling employees, or distant customers, to call in and tap an outgoing line. With computer programs, hackers can randomly dial numbers until they hit security codes. Sometimes the codes are only four digits, so hackers don't even need a computer, said Bob Fox, Sprint's assistant vice president of corporate security.

Along with the fees, customers must agree to take certain precautions. Those include using security codes at least eight digits long and eliminating the ability to tap outside lines through voice mail. In return, Sprint will also monitor PBX use every day, instead of the five days per week currently done free for customers, Mr. Fox said.

MCI spokesman John Houser said his company will be watching Sprint to see if the program is a success. Spokesman Andrew Myers said AT&T offers fraud protection to some corporate customers, but is not considering extending that to cover PBX abuse. AT&T is currently involved in several lawsuits over disputed PBX charges that total "many millions" of dollars, Mr. Myers said. Sprint officials said they have not sued any customers to collect on PBX fraud bills.
_______________________________________________________________________________

Sprint Offers Liability Limit For Corporate Phone Fraud           April 1, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Edmund L. Andrews (New York Times)(Page D4)

The Sprint Communications Company, the nation's third-largest long-distance carrier, said that it would limit the liability of large corporate customers for the huge bills rung up by phone-service thieves who manipulate a company's telephone switching equipment and voice-mail systems.

Typically, such thieves call into a company on one of its toll-free "800" numbers and then figure out the codes necessary to obtain an outgoing line that can be used to call anywhere in the world. These telephone "hackers" often sell plundered telephone codes to illegal operators who then sell overseas calls to hundreds of people at a time. Sprint officials said this sort of fraud approached $1 billion a year.

The new Sprint plan would be available to companies that signed two-year contracts to buy at least $30,000 of international long-distance service a month and agreed to adopt a series of protective measures. These include installing longer telephone codes that are harder for thieves to crack and new limits on the ability of voice-mail systems to obtain outgoing lines.

In exchange, customers would be held responsible for no more than $25,000 in stolen calls for each round of break-ins, and a maximum limit of $1 million a year. Although that is still a substantial sum, it is much less than many companies have lost in recent years from theft of service by telephone hackers.

A Point of Contention

Thieves broke into the switchboard of Mitsubishi International in New York in 1990, for example, and ran up $430,000 in overseas telephone calls. Procter & Gamble lost $300,000 in a similar incident in 1988. Had either company been operating under the new Sprint plan, its liability would have been limited to $25,000.

Long-distance carriers and their corporate customers have long argued over who should bear responsibility for the huge bills caused by service theft. The carriers have maintained that their customers are responsible for these bills, even if fraud is undisputed, arguing that the thieves took advantage of weaknesses in the customers' equipment, rather than in the weaknesses of the long-distance network itself. But some corporate victims have argued that they had no idea their systems were vulnerable, while others contend that they incurred big losses even after adopting special security procedures.

MCI Moves Against '900' Fraud

In a separate issue involving telephone fraud, MCI Communications Corporation said it would no longer provide billing services for companies that use "900" numbers to offer credit cards, and that it would place tough new restrictions on the use of 900 numbers to sell job-placement services, contests and sweepstakes. The long-distance company said its decision was based on numerous complaints about abusive and fraudulent sales practices.

Companies that provide information through the use of telephone numbers with the 900 area code charge callers a fee each time they call the number. MCI and other long-distance companies carry these calls and bill customers on behalf of the company that provides the information service.

Pam Small, an MCI spokeswoman, declined to say how much revenue the company would lose because of the suspension. But she said the 900 services that would be affected represented a small part of its pay-per-call business.
_______________________________________________________________________________
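As an added illustration (not code from the Phrack text, from Sprint, or from any PBX vendor), here is how a defender might implement the precautions the two Sprint PBX-fraud articles above describe: access codes of at least eight digits, no outside line reachable from voice mail or remote-access ports, and a daily review of PBX use for code guessing and overseas-call bursts. The call-detail record (CDR) format, field names, thresholds and business hours are assumptions, and every record and code below is constructed sample data.

```python
"""Daily PBX toll-fraud review over constructed call-detail records (CDRs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR lines (assumed format): timestamp|origin|event|dialed
#   origin : "ani:<number>" for a caller on the inbound 800 trunk,
#            "ext:<n>" for an internal station, "vmail" for the voice-mail port
#   event  : AUTH_FAIL / AUTH_OK (remote-access code check) or OUTBOUND
#   dialed : number dialed for OUTBOUND, "-" otherwise
# 1992-03-28 is a Saturday, mirroring the "over a weekend" case in the article.
SAMPLE_CDRS = """\
1992-03-28T01:02:11|ani:5125550100|AUTH_FAIL|-
1992-03-28T01:02:40|ani:5125550100|AUTH_FAIL|-
1992-03-28T01:03:05|ani:5125550100|AUTH_FAIL|-
1992-03-28T01:03:30|ani:5125550100|AUTH_FAIL|-
1992-03-28T01:04:02|ani:5125550100|AUTH_FAIL|-
1992-03-28T01:04:31|ani:5125550100|AUTH_OK|-
1992-03-28T01:05:00|ani:5125550100|OUTBOUND|011441234567890
1992-03-28T01:06:12|vmail|OUTBOUND|011441234567891
1992-03-28T01:07:44|ani:5125550100|OUTBOUND|011441234567892
1992-03-28T09:15:00|ext:201|OUTBOUND|2125550123
1992-03-28T11:30:00|ext:214|OUTBOUND|011331234567
"""

# Constructed remote-access codes as configured on the switch: one meets the
# eight-digit requirement, two are the four-digit kind the article warns about.
CONSTRUCTED_CODES = ["4821", "73920156", "0915"]


def parse_cdrs(text):
    """Turn the pipe-delimited CDR text into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, origin, event, dialed = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "origin": origin,
                        "event": event, "dialed": dialed})
    return records


def code_guessing(records, max_failures=3, window=timedelta(minutes=10)):
    """Origins with more than max_failures failed code checks inside any
    sliding window: the signature of an automated search for a valid code."""
    fails = defaultdict(list)
    for r in records:
        if r["event"] == "AUTH_FAIL":
            fails[r["origin"]].append(r["ts"])
    flagged = {}
    for origin, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged[origin] = end - start + 1  # peak count in a window
    return flagged


def remote_outbound(records, remote_prefixes=("ani:", "vmail")):
    """Outside lines seized from the inbound trunk or the voice-mail port.
    With voice-mail outdial disabled, as Sprint requires, this should be empty."""
    return [r for r in records
            if r["event"] == "OUTBOUND" and r["origin"].startswith(remote_prefixes)]


def international_after_hours(records, start_hour=8, end_hour=18):
    """Overseas calls (011 prefix) placed outside business hours or on a weekend."""
    hits = []
    for r in records:
        if r["event"] != "OUTBOUND" or not r["dialed"].startswith("011"):
            continue
        ts = r["ts"]
        if ts.weekday() >= 5 or not start_hour <= ts.hour < end_hour:
            hits.append(r)
    return hits


def weak_access_codes(codes, min_digits=8):
    """Configured codes that fall short of the eight-digit requirement."""
    return [c for c in codes if not (c.isdigit() and len(c) >= min_digits)]


def daily_report(records, configured_codes):
    """One day's review: the three detections plus the code-length policy check."""
    return {
        "code_guessing": code_guessing(records),
        "remote_outbound": [(r["origin"], r["dialed"]) for r in remote_outbound(records)],
        "international_after_hours": len(international_after_hours(records)),
        "weak_access_codes": weak_access_codes(configured_codes),
    }


if __name__ == "__main__":
    for key, value in daily_report(parse_cdrs(SAMPLE_CDRS), CONSTRUCTED_CODES).items():
        print(f"{key}: {value}")
```

On the sample day the report flags the single caller making five failed code attempts in two minutes, three outside lines seized from remote ports, four overseas calls on a weekend, and the two four-digit codes.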