PRIVACY Forum Archive Document


PRIVACY Forum Digest      Saturday, 8 March 1997      Volume 06 : Issue 04

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
               The PRIVACY Forum is supported in part by the          
                 ACM (Association for Computing Machinery)
                 Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Privacy Briefs (Lauren Weinstein; PRIVACY Forum Moderator) 
        ActiveX/Quicken=Overdraft! (Useful-Dot-Com)
        Re: ActiveX/Quicken=Overdraft! (Monty Solomon)
        Cookie blocking built in to Navigator 4.0 (Stunt Borg)
        ACTION: Internet Privacy Bills Introduced Today (Bob Palacios)
        Release of home phone numbers of public (state) teachers?
           (Joseph T. Magnano)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 06, ISSUE 04

   Quote for the day:

        "I have friends in low places."

                -- James ("007") Bond (Roger Moore)
                   "Moonraker" (United Artists; 1979)

----------------------------------------------------------------------

Privacy Briefs (Lauren Weinstein; PRIVACY Forum Moderator) 

---

A new Windows 95/NT application for monitoring of individuals' Internet and 
intranet usage is being promoted by Kansmen Corporation.  The firm
describes the program as ideal for a wide variety of monitoring, 
such as determining who plays games, who transfers large files,
who reads newsgroups, etc.  They also include tools that they suggest
"allows you to see who is the most productive and least as well", 
and "block activities like visiting explicit pornographic sites etc."

The name of the package?  "LittleBrother."  (No, I'm not kidding...)

---

A widely received SPAM offers a service that promises to convert
your signature to a font for use by your PC's word processing
programs.  Just send $28.95 ... and your signature of course!

---

The California Judicial Council is considering making extensive court
records available on the Internet, many of which contain large amounts of
personal information.  While this information has theoretically been
available to the public previously, it was not easily accessible.  Concerns
are being raised that Internet access to this data could result in the
addition of vast quantities of new personal information to existing
commercial databases, and a range of potentially abusive (or possibly
illegal) applications.

The proposal and related public comment forms are available via:
http://www.courtinfo.ca.gov/invitationstocomment/
Comments are being accepted through March 14. 

------------------------------

Date: Wed, 12 Feb 1997 07:49:32 -0800 (PST)
From: Useful-Dot-Com <now@pobox.com>
Subject: ActiveX/Quicken=Overdraft!

            Hackers belonging to the Hamburg, Germany Chaos Computer
Club have demonstrated an ActiveX control that will transfer funds from
users' bank accounts without using a personal identification or
transaction number.

            The Chaos crackers demonstrated their hostile ActiveX
control on a German TV show to make their point about what they saw as
the security risks posed by ActiveX.  If made available on a web site,
the control could install itself on a user's computer and covertly check
to see if the popular personal-finance software package, Quicken, is
installed.

            Continuing the scenario, if the control had found Quicken,
it would issue a transfer order and add it to that application's batch
of existing transfer orders.  The next time the Quicken user paid their
bills, the illicit transfer would be included, unnoticed by the
victim.  Quicken claims to have more than 9 million active users
worldwide.

            Computer security experts, who have been highly critical of
Microsoft's ActiveX, said this was just another example of why the
technology should be abandoned.

            "ActiveX may be very useful for intranets, but it has no
place on the Internet because of the security problems," said Kevin
McCurley, a cryptography expert at Sandia National Laboratories.

                [ The entire issue of potential risks in ActiveX and related
                  technologies is a significant network security hot topic
                  these days.  This Quicken story (a response from Intuit is
                  below) is but a very minor aspect of a much broader
                  concern over ActiveX issues which has been raging in some
                  quarters.  

                  It seems clear that some new systems to tightly couple
                  users to remote environments are being deployed with, in my
                  opinion, insufficient consideration being given to the
                  "real world" issues which are unlikely to be solved
                  through technological wizardry alone, to say the least.

                     -- MODERATOR ]

------------------------------

Date:    Thu, 13 Feb 1997 09:42:49 -0500
From:    Monty Solomon <monty@roscom.COM>
Subject: Re: ActiveX/Quicken=Overdraft!

FYI, following is Intuit's official response to this:

2/10/97

Questions and Answers on German Unauthorized Transfer Issue

Q:  What happened in Germany? 
A: The German media reported that computer hackers could transfer funds
electronically without needing a PIN by inserting an unauthorized funds
transfer into a German Quicken datafile when a user downloaded an ActiveX
application from a website. They implied that the next time that the user
connected online to send instructions, the unauthorized transactions would
be sent as well.

However, this is highly unlikely because of the automatic security features
built into Quicken that would help to protect customers from such
unauthorized transfers.  Quicken prompts customers with a list of the
transfers that will be sent and provides customers with the opportunity to
delete any transactions they do not recognize before going online. Even if an
unauthorized transfer is sent, Quicken gives customers the ability to spot
such transactions by providing a confirmation list of the instructions that
have just been sent. Customers noticing an unauthorized transaction can then
take steps to notify their financial institution.

Furthermore, this situation can only occur if consumers override the security
warning messages generated by the Internet Explorer web browser. The default
security setting (high) for Internet Explorer alerts users to the
installation of an unauthorized or unregistered ActiveX component. Netscape
Navigator does not support the download and installation of ActiveX
components.  

In addition, we have received no reports that any unauthorized transfers of
this type have even been attempted.

Intuit, like other software publishers, recommends that customers take
advantage of built-in security provisions to prevent inadvertent use of
potentially malicious software.  In particular, Intuit recommends that
customers only download or use ActiveX controls that have been digitally
signed by a reputable software developer or publisher. Customers also have
the option to completely turn off ActiveX support in their browsers.

Q: Can unauthorized funds transfers of this sort happen in the United States
using Quicken?
A: No. The U.S. version of Quicken software is different from that used in
Germany and has different capabilities. The U.S. version of Quicken only
allows funds transfers to preauthorized customer accounts at the same
financial institution.  Funds cannot be transferred to non-customer accounts
or accounts at another financial institution. 

Q: Can ActiveX be used as shown on the German television show to send
unauthorized bill payments in the United States using Quicken?
A: In such a situation, it is highly unlikely that unauthorized bill payments
could actually occur given security features built into both the Quicken
software and Internet browsers.  Although it might be possible for an
external application to add a transaction to Quicken, online payments are
only made to online payees in Quicken's payee list. In the situation
described in Germany, the hackers did not create any unauthorized bill
payments.  

In addition, even if an unauthorized payment were added to the Quicken
datafile in the way described in the German situation, the customer would be
able to see it before s/he goes online. Before each connection, Quicken
prompts the user by displaying a list of instructions, giving customers the
opportunity to review the instructions created and delete any instructions
they do not recognize.

As a further safeguard, instructions sent online are confirmed in the
Transmission Summary window that follows each online connection. Customers
noticing an unauthorized transaction in the summary window can then take
steps to notify their financial institution.

Furthermore, it is important to note that such a situation can only occur if
consumers override the security warning messages generated by the Internet
Explorer web browser. The default security setting (high) for Internet
Explorer alerts users to the installation of an unauthorized or unregistered
ActiveX component. Netscape Navigator does not support the download and
installation of ActiveX components.  

Intuit, like other software publishers, recommends that customers take
advantage of the built-in security provisions to prevent inadvertent use of
potentially malicious software. In particular, Intuit recommends that
customers only download or use ActiveX controls that have been digitally
signed by a reputable software developer or publisher. Customers also have
the option to completely turn off ActiveX support in their browsers.

Q: What steps can consumers take to protect themselves from electronic fraud?
A: In working to guard against this particular situation:  Customers should
take the proper precautions when downloading from the Internet. 

Customers should only connect to sites that they trust and should use the
security features built into ActiveX and their browsers for additional
protection.  The default security setting (high) for Internet Explorer
alerts the user to the installation of an unauthorized or unregistered
ActiveX component. Customers would have to override the warning messages
displayed by Internet Explorer in order to encounter this situation.
Customers also have the option to completely turn off ActiveX support in
their browsers.  Netscape does not support the download and installation of
ActiveX components.  Customers should always review the list of instructions
that Quicken provides before going online. They should delete any
instructions they do not want sent before going online. 

Additionally, customers should always review the Transmission Summary report
that confirms the instructions they have just sent. If they notice any
unauthorized transactions, they should notify their financial institution
immediately. 

In general, customers should consider the following:  Always keep PINs
confidential. You should reveal your PIN only to those people authorized to
use your services. Change PINs regularly to reduce the chance that others
will learn your PIN and use it to access your accounts. For additional
security, you may wish to use a datafile password that prevents unauthorized
access to your Quicken datafile.

Q: What should customers do if they ever suspect that an unauthorized
transaction from Quicken has occurred?  
A: Customers should contact their financial institution to understand
whether an unauthorized transaction has actually taken place. All
transactions originating from Quicken are traceable.

Q: What measures does Intuit take to protect the security of online
transactions? 
A:  Protecting the security of customers' financial information is a top
priority for the online banking and payment services available through
Quicken.  The U.S. versions of Quicken use three levels of security to guard
your data:

RSA encryption: Online banking and online payment services take advantage of
state-of-the-art encryption technology to protect the security of your
financial information. (Encryption technology works by coding financial
information into an unreadable format.)  To maximize the security of your
data, all your online transactions are protected by RSA encryption and
authentication tools licensed directly from RSA Data Security, Inc., a world
leader in encryption technology.

PIN: The online banking and payment services use Personal Identification
Numbers (PINs) to protect your account. When you receive your online banking
and online payment materials, you also receive a PIN that you can change. No
one at Intuit or your financial institution has access to this PIN. Only you
and those people you choose to tell know your PIN. As an additional measure
of protection, keep your PIN confidential and change it regularly. 

Password: A password is a barrier against an unauthorized attempt to access a
system of information. Quicken allows you to use a password feature to ensure
that only people with the correct password have access to your financial
information.  The Quicken file password feature restricts access to the
financial information in your datafile. Once you have assigned a password to
your datafile, only those people with the password will be able to access
your account or transaction information. 

Q:  What about QuickBooks and BankNOW?
A:  The answers given above apply for these products as well.

------------------------------

Date:    Fri, 28 Feb 1997 14:50:40 -0800 (PST)
From:    Stunt Borg <gozer@oro.net>
Subject: Cookie blocking built in to Navigator 4.0

I just downloaded Netscape Navigator 4.0 preview release 2.  At long
last, Navigator has an option that will block all cookies without
popping up a warning for each one.  It is in Edit->Preferences->Advanced.
It seems to work properly, too!

Curiously, when I installed it it ignored my current setting (Always warn
before accepting a cookie) and set me up with "Always accept cookies."
Users upgrading should be aware of this.

Gozer@oro.net

------------------------------

Date: Thu, 27 Feb 1997 18:54:36 -0500
From: Bob Palacios <cdt-edit@cdt.org>
Subject: ACTION: Internet Privacy Bills Introduced Today

Today, Senators Conrad Burns (R-MT) and Patrick Leahy (D-VT) each
introduced legislation designed to enhance privacy and security on the
Internet by reforming US encryption policy.

The text of the "Promotion of Commerce Online in the Digital Era (Pro-CODE)
Act," (sponsored by Senators Burns, Leahy, Wyden, and 16 other Senators),
the "Encrypted Communications Privacy Act (ECPA II)," (sponsored by
Senators Burns, Leahy, and Wyden), and other detailed information are
available at http://www.cdt.org/crypto/ and http://www.crypto.com/.

CDT will post a detailed analysis of these proposals in the next few days.
In the meantime, attached below is a joint alert from CDT, VTW and EFF
containing a short summary of Pro-CODE and information on what you can do
to help fight for privacy and security on the Internet.  Please take a
moment to read the Alert.

Thanks for your support!

Jonah Seiger, CDT Communications Director
<jseiger@cdt.org>

        [ The complete texts referred to can be found at the 
          web site addresses listed by the author above.

                        -- MODERATOR ]

------------------------------

Date:    Mon, 3 Mar 1997 10:21:23 -0800 (PST)
From:    "Joseph T. Magnano" <magna@hotmail.com>
Subject: Release of home phone numbers of public (state) teachers?

A state public college system wants to RELEASE the addresses AND HOME PHONE
NUMBERS of all employees of the colleges INCLUDING Professors' home telephone
numbers. The state says the home phone numbers (and addresses) of public
college employees are PUBLIC information and are NOT subject to EXEMPTION under
state (Connecticut) FOI laws.

What are federal and other state case laws on this? 
Please send replies to my email address listed.

Thanks in advance.

Joseph T. Magnano
magna@hotmail.com

------------------------------

End of PRIVACY Forum Digest 06.04
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.