PRIVACY Forum Digest     Saturday, 8 March 1997     Volume 06 : Issue 04

            Moderated by Lauren Weinstein (lauren@vortex.com)
              Vortex Technology, Woodland Hills, CA, U.S.A.

                       ===== PRIVACY FORUM =====

-------------------------------------------------------------------
     The PRIVACY Forum is supported in part by the ACM (Association for
     Computing Machinery) Committee on Computers and Public Policy,
     "internetMCI" (a service of the Data Services Division of MCI
     Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
     These organizations do not operate or control the PRIVACY Forum in
     any manner, and their support does not imply agreement on their part
     with nor responsibility for any materials posted on or related to
     the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
        Privacy Briefs (Lauren Weinstein; PRIVACY Forum Moderator)
        ActiveX/Quicken=Overdraft! (Useful-Dot-Com)
        Re: ActiveX/Quicken=Overdraft! (Monty Solomon)
        Cookie blocking built in to Navigator 4.0 (Stunt Borg)
        ACTION: Internet Privacy Bills Introduced Today (Bob Palacios)
        Release of home phone numbers of public (state) teachers?
           (Joseph T. Magnano)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
 ***        Submissions without them may be ignored!               ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing.
Subscriptions are by an automatic "listserv" system; for subscription
information, please send a message consisting of the word "help" (quotes not
included) in the BODY of a message to: "privacy-request@vortex.com".
Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual
authors and all messages submitted must be appropriate to be distributable
without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related
materials, is available via anonymous FTP from site "ftp.vortex.com", in the
"/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your
e-mail address as the password. The typical "README" and "INDEX" files are
available to guide you through the files available for FTP access. PRIVACY
Forum materials may also be obtained automatically via e-mail through the
listserv system. Please follow the instructions above for getting the
listserv "help" information, which includes details regarding the "index"
and "get" listserv commands, which are used to access the PRIVACY Forum
archive.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full
keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 06, ISSUE 04

   Quote for the day:

        "I have friends in low places."

                -- James ("007") Bond (Roger Moore)
                   "Moonraker" (United Artists; 1979)

----------------------------------------------------------------------

Privacy Briefs (Lauren Weinstein; PRIVACY Forum Moderator)

---

A new Windows 95/NT application for monitoring of individuals' Internet and
intranet usage is being promoted by Kansmen Corporation.
The firm describes the program as ideal for a wide variety of monitoring,
such as determining who plays games, who transfers large files, who reads
newsgroups, etc. They also include tools that they suggest "allows you to see
who is the most productive and least as well", and "block activities like
visiting explicit pornographic sites etc." The name of the package?
"LittleBrother." (No, I'm not kidding...)

---

A widely received SPAM offers a service that promises to convert your
signature to a font for use by your PC's word processing programs. Just send
$28.95 ... and your signature of course!

---

The California Judicial Council is considering making extensive court
records available on the Internet, many of which contain large amounts of
personal information. While this information has theoretically been
available to the public previously, it was not easily accessible. Concerns
are being raised that Internet access to this data could result in the
addition of vast quantities of new personal information to existing
commercial databases, and a range of potentially abusive (or possibly
illegal) applications. The proposal and related public comment forms are
available via:

        http://www.courtinfo.ca.gov/invitationstocomment/

Comments are being accepted through March 14.

------------------------------

Date:    Wed, 12 Feb 1997 07:49:32 -0800 (PST)
From:    Useful-Dot-Com
Subject: ActiveX/Quicken=Overdraft!

Hackers belonging to the Hamburg, Germany Chaos Computer Club have
demonstrated an ActiveX control that will transfer funds from users' bank
accounts without using a personal identification or transaction number.
The Chaos crackers demonstrated their hostile ActiveX control on a German TV
show to make their point about what they saw as the security risks posed by
ActiveX. If made available on a web site, the control could install itself
on a user's computer and covertly check to see if the popular
personal-finance software package, Quicken, is installed.
Continuing the scenario, if the control had found Quicken, it would issue a
transfer order and add it to that application's batch of existing transfer
orders. The next time the Quicken user paid their bills, the illicit
transfer would be included, unnoticed by the victim. Quicken claims to have
more than 9 million active users worldwide.

Computer security experts, who have been highly critical of Microsoft's
ActiveX, said this was just another example of why the technology should be
abandoned. "ActiveX may be very useful for intranets, but it has no place on
the Internet because of the security problems," said Kevin McCurley, a
cryptography expert at Sandia National Laboratories.

	[ The entire issue of potential risks in ActiveX and related
	  technologies is a significant network security hot topic these
	  days. This Quicken story (a response from Intuit is below) is
	  but a very minor aspect of a much broader concern over ActiveX
	  issues which has been raging in some quarters. It seems clear
	  that some new systems to tightly couple users to remote
	  environments are being deployed with, in my opinion,
	  insufficient consideration being given to the "real world"
	  issues which are unlikely to be solved through technological
	  wizardry alone, to say the least.
	  -- MODERATOR ]

------------------------------

Date:    Thu, 13 Feb 1997 09:42:49 -0500
From:    Monty Solomon
Subject: Re: ActiveX/Quicken=Overdraft!

FYI, following is Intuit's official response to this:

2/10/97

Questions and Answers on German Unauthorized Transfer Issue

Q: What happened in Germany?

A: The German media reported that computer hackers could transfer funds
electronically without needing a PIN by inserting an unauthorized funds
transfer into a German Quicken datafile when a user downloaded an ActiveX
application from a website. They implied that the next time that the user
connected online to send instructions, the unauthorized transactions would
be sent as well.
However, this is highly unlikely because of the automatic security features
built into Quicken that would help to protect customers from such
unauthorized transfers. Quicken prompts customers with a list of the
transfers that will be sent and provides customers with the opportunity to
delete any transactions they do not recognize before going online. Even if
an unauthorized transfer is sent, Quicken gives customers the ability to
spot such transactions by providing a confirmation list of the instructions
that have just been sent. Customers noticing an unauthorized transaction can
then take steps to notify their financial institution.

Furthermore, this situation can only occur if consumers override the
security warning messages generated by the Internet Explorer web browser.
The default security setting (high) for Internet Explorer alerts users to
the installation of an unauthorized or unregistered ActiveX component.
Netscape Navigator does not support the download and installation of
ActiveX components.

In addition, we have received no reports that any unauthorized transfers of
this type have even been attempted.

Intuit, like other software publishers, recommends that customers take
advantage of built-in security provisions to prevent inadvertent use of
potentially malicious software. In particular, Intuit recommends that
customers only download or use ActiveX controls that have been digitally
signed by a reputable software developer or publisher. Customers also have
the option to completely turn off ActiveX support in their browsers.

Q: Can unauthorized funds transfers of this sort happen in the United States
using Quicken?

A: No. The U.S. version of Quicken software is different from that used in
Germany and has different capabilities. The U.S. version of Quicken only
allows funds transfers to preauthorized customer accounts at the same
financial institution. Funds cannot be transferred to non-customer accounts
or accounts at another financial institution.
Q: Can ActiveX be used as shown on the German television show to send
unauthorized bill payments in the United States using Quicken?

A: In such a situation, it is highly unlikely that unauthorized bill
payments could actually occur given security features built into both the
Quicken software and Internet browsers. Although it might be possible for
an external application to add a transaction to Quicken, online payments
are only made to online payees in Quicken's payee list. In the situation
described in Germany, the hackers did not create any unauthorized bill
payments.

In addition, even if an unauthorized payment were added to the Quicken
datafile in the way described in the German situation, the customer would
be able to see it before s/he goes online. Before each connection, Quicken
prompts the user by displaying a list of instructions, giving customers the
opportunity to review the instructions created and delete any instructions
they do not recognize. As a further safeguard, instructions sent online are
confirmed in the Transmission Summary window that follows each online
connection. Customers noticing an unauthorized transaction in the summary
window can then take steps to notify their financial institution.

Furthermore, it is important to note that such a situation can only occur if
consumers override the security warning messages generated by the Internet
Explorer web browser. The default security setting (high) for Internet
Explorer alerts users to the installation of an unauthorized or unregistered
ActiveX component. Netscape Navigator does not support the download and
installation of ActiveX components.

Intuit, like other software publishers, recommends that customers take
advantage of the built-in security provisions to prevent inadvertent use of
potentially malicious software. In particular, Intuit recommends that
customers only download or use ActiveX controls that have been digitally
signed by a reputable software developer or publisher.
Customers also have the option to completely turn off ActiveX support in
their browsers.

Q: What steps can consumers take to protect themselves from electronic
fraud?

A: In working to guard against this particular situation:

   - Customers should take the proper precautions when downloading from the
     Internet. Customers should only connect to sites that they trust and
     should use the security features built into ActiveX and their browsers
     for additional protection. The default security setting (high) for
     Internet Explorer alerts the user to the installation of an
     unauthorized or unregistered ActiveX component. Customers would have to
     override the warning messages displayed by Internet Explorer in order
     to encounter this situation. Customers also have the option to
     completely turn off ActiveX support in their browsers. Netscape does
     not support the download and installation of ActiveX components.

   - Customers should always review the list of instructions that Quicken
     provides before going online. They should delete any instructions they
     do not want sent before going online. Additionally, customers should
     always review the Transmission Summary report that confirms the
     instructions they have just sent. If they notice any unauthorized
     transactions, they should notify their financial institution
     immediately.

In general, customers should consider the following:

   - Always keep PINs confidential. You should reveal your PIN only to those
     people authorized to use your services.

   - Change PINs regularly to reduce the chance that others will learn your
     PIN and use it to access your accounts.

   - For additional security, you may wish to use a datafile password that
     prevents unauthorized access to your Quicken datafile.

Q: What should customers do if they ever suspect that an unauthorized
transaction from Quicken has occurred?

A: Customers should contact their financial institution to understand
whether an unauthorized transaction has actually taken place.
All transactions originating from Quicken are traceable.

Q: What measures does Intuit take to protect the security of online
transactions?

A: Protecting the security of customers' financial information is a top
priority for the online banking and payment services available through
Quicken. The U.S. versions of Quicken use three levels of security to guard
your data:

RSA encryption: Online banking and online payment services take advantage
of state-of-the-art encryption technology to protect the security of your
financial information. (Encryption technology works by coding financial
information into an unreadable format.) To maximize the security of your
data, all your online transactions are protected by RSA encryption and
authentication tools licensed directly from RSA Data Security, Inc., a
world leader in encryption technology.

PIN: The online banking and payment services use Personal Identification
Numbers (PINs) to protect your account. When you receive your online
banking and online payment materials, you also receive a PIN that you can
change. No one at Intuit or your financial institution has access to this
PIN. Only you and those people you choose to tell know your PIN. As an
additional measure of protection, keep your PIN confidential and change it
regularly.

Password: A password is a barrier against an unauthorized attempt to access
a system of information. Quicken allows you to use a password feature to
ensure that only people with the correct password have access to your
financial information. The Quicken file password feature restricts access
to the financial information in your datafile. Once you have assigned a
password to your datafile, only those people with the password will be able
to access your account or transaction information.

Q: What about QuickBooks and BankNOW?
A: The answers given above apply for these products as well.

------------------------------

Date:    Fri, 28 Feb 1997 14:50:40 -0800 (PST)
From:    Stunt Borg
Subject: Cookie blocking built in to Navigator 4.0

I just downloaded Netscape Navigator 4.0 preview release 2. At long last,
Navigator has an option that will block all cookies without popping up a
warning for each one. It is in Edit->Preferences->Advanced. It seems to work
properly, too!

Curiously, when I installed it, it ignored my current setting (Always warn
before accepting a cookie) and set me up with "Always accept cookies." Users
upgrading should be aware of this.

Gozer@oro.net

------------------------------

Date:    Thu, 27 Feb 1997 18:54:36 -0500
From:    Bob Palacios
Subject: ACTION: Internet Privacy Bills Introduced Today

Today, Senators Conrad Burns (R-MT) and Patrick Leahy (D-VT) each introduced
legislation designed to enhance privacy and security on the Internet by
reforming US encryption policy.

The text of the "Promotion of Commerce Online in the Digital Era (Pro-CODE)
Act" (sponsored by Senators Burns, Leahy, Wyden, and 16 other Senators), the
"Encrypted Communications Privacy Act (ECPA II)" (sponsored by Senators
Burns, Leahy, and Wyden), and other detailed information are available at
http://www.cdt.org/crypto/ and http://www.crypto.com/.

CDT will post a detailed analysis of these proposals in the next few days.
In the meantime, attached below is a joint alert from CDT, VTW and EFF
containing a short summary of Pro-CODE and information on what you can do to
help fight for privacy and security on the Internet.

Please take a moment to read the Alert.

Thanks for your support!

Jonah Seiger, CDT Communications Director

	[ The complete texts referred to can be found at the web site
	  addresses listed by the author above. -- MODERATOR ]

------------------------------

Date:    Mon, 3 Mar 1997 10:21:23 -0800 (PST)
From:    "Joseph T. Magnano"
Subject: Release of home phone numbers of public (state) teachers?
A state public college system wants to RELEASE the addresses AND HOME PHONE
NUMBERS of all employees of the colleges INCLUDING Professors' home
telephone numbers. The state says the home phone numbers (and addresses) of
public college employees are PUBLIC information and are NOT subject to
EXEMPTION under state (Connecticut) FOI laws.

What are federal and other state case laws on this? Please send replies to
my email address listed. Thanks in advance.

Joseph T. Magnano
magna@hotmail.com

------------------------------

End of PRIVACY Forum Digest 06.04
************************
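Editor's added example, placed after the digest; it is not part of the original issue and is not Intuit's or Quicken's code. Intuit's response to the ActiveX/Quicken story describes two safeguards against an instruction that a third-party program appends to the local datafile: the user reviews the queued instruction list before going online and drops anything unfamiliar, and the Transmission Summary after the connection is compared with what was approved. The routine below models both as a reconciliation check over a constructed batch of queued payment instructions. The instruction format, the preauthorized-payee allowlist, the reference numbers and the account strings are all assumptions made for this example.

```python
"""Pre-transmission review of queued online-banking instructions.

Added example, not Quicken's code. It models the two safeguards Intuit's
response describes: (1) before a batch goes online, the queued instructions
are reviewed and any that are not recognized are held back, and (2) after
the connection, the Transmission Summary is compared with what was approved.
The user's manual review is replaced here by a preauthorized-payee allowlist
plus a set of explicitly confirmed references, so the check runs unattended
over constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Instruction:
    ref: str            # instruction reference (constructed sample id)
    payee: str          # payee name as it appears in the payee list
    account: str        # destination account (constructed, not real)
    amount_cents: int


def review_batch(queued, preauthorized, confirmed_refs):
    """Split queued instructions into (send, hold).

    An instruction is sent only when its (payee, account) pair is on the
    preauthorized list AND its reference was confirmed in the pre-connection
    review. Anything else is held back; an instruction silently appended to
    the datafile by another program fails both tests.
    """
    send, hold = [], []
    for instr in queued:
        known = (instr.payee, instr.account) in preauthorized
        if known and instr.ref in confirmed_refs:
            send.append(instr)
        else:
            hold.append(instr)
    return send, hold


def reconcile_summary(sent, summary_refs):
    """Compare the Transmission Summary with what was approved for sending.

    Returns (unexpected, missing): references present in the summary that
    were never approved, and approved references the summary does not
    confirm. Either list being non-empty is the cue to contact the
    financial institution, which is what Intuit's response advises.
    """
    approved = {instr.ref for instr in sent}
    summary = set(summary_refs)
    return sorted(summary - approved), sorted(approved - summary)


# --- constructed sample data (not real payees or accounts) -----------------
PREAUTHORIZED = {
    ("Electric Co", "ACCT-0001"),
    ("Phone Co", "ACCT-0002"),
}

QUEUED = [
    Instruction("T100", "Electric Co", "ACCT-0001", 4250),
    Instruction("T101", "Phone Co", "ACCT-0002", 6100),
    # Appended to the datafile without the user's knowledge: the payee is
    # not in the payee list and the user never confirmed it.
    Instruction("T102", "Unknown Payee", "ACCT-9999", 99900),
]

CONFIRMED = {"T100", "T101"}  # what the user ticked in the review dialog


def demo():
    """Run both checks over the sample batch and return the findings."""
    send, hold = review_batch(QUEUED, PREAUTHORIZED, CONFIRMED)
    # A summary in which T102 was transmitted anyway (e.g. the review was
    # skipped) is caught by the second check.
    unexpected, missing = reconcile_summary(send, ["T100", "T101", "T102"])
    return {
        "sent": [i.ref for i in send],
        "held": [i.ref for i in hold],
        "unexpected": unexpected,
        "missing": missing,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist check corresponds to the U.S.-version behaviour Intuit describes (transfers only to preauthorized accounts); the confirmed-reference set corresponds to the per-connection review dialog. The point of keeping both is that neither alone catches every case: an injected instruction to a legitimate payee passes the allowlist but not the review, and a skipped review is still caught by the summary reconciliation.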