Note: for index of full report see: http://jya.com/nrcindex.htm

---------



                              J


     Examples of Risks Posed by Unprotected Information


   The following cases in which commercial, national security,
and other sensitive information were compromised illustrate
the variety and seriousness of threats to personal assets and
privacy, business interests, and public well-being, among
others. No claim is made that cryptography alone could have
prevented these violations, but in the instances cited,
cryptography might have had some role in protecting
information against misappropriation and misuse. As discussed
in Chapters 1 and 2, cryptographic technologies are part of an
overall strategy to reduce information vulnerability.


             J.1 CRYPTOGRAPHY FOR AUTHENTICATION


   +    A pair of reporters wrote a controversial book about
the hacking activities of a particular group. They
subsequently found that their telephone had been "call
forwarded" without their permission to another location where
callers were greeted with obscenities, and that their Internet
mailboxes had been filled with junk e-mail.(1) Cryptography
for authentication might have reduced the likelihood that the
hackers would be able to penetrate the telephone switch
servicing the reporters' homes.

   +    Secret documents belonging to General Motors (GM)
containing information about a new GM vehicle to be sold in
Europe and a top-secret experimental car were seized at an
apartment used by a former GM executive who had since joined
Volkswagen.(2) Cryptography for authentication that created an
audit trail might have helped to identify the former executive
sooner.

   +    Insiders at the First National Bank of Chicago
transferred $70 million in bogus transactions out of client
accounts. One transaction exceeded permissible limits, but the
insiders managed to intercept the telephone request for manual
authorization.(3) Cryptographic authentication of the approver
might have kept the insiders from satisfying the request for
authorization simply by intercepting the call.

   +    A Dutch bank employee made two bogus computer-based
transfers to a Swiss account, for $8.4 million and $6.7
million, in 1987. Each transfer required the password of two
different people for authorization; however, the employee knew
someone else's password as well as his own.(4) Cryptography
for authentication might have hindered the ability of a single
individual to pretend that he was the second employee.

   +    The First Interstate Bank of California received a
bogus request to transfer $70 million over the automated
clearinghouse network. The request came via computer tape,
accompanied by phony authorization forms, and was detected and
canceled only because it overdrew the debited account.(5)
Cryptography for authentication might have demonstrated that
the authorization was invalid.

   +    Forty-five Los Angeles police officers were cited from
1989 to 1992 for using department computers to run background
checks for personal reasons.(6) Cryptography for
authentication might have been part of an audit trail that
would have reduced the likelihood of abusing the department's
computer system.

----------

   (1)  Philip Elmer-Dewitt, "Terror on the Internet," *Time*,
December 12, 1994, page 73.

   (2)  See Frank Swoboda and Rick Atkinson, "Lopez Said to
Order GM Papers; Volkswagen Denies Receiving Documents,"
*Washington Post*, July 23, 1993.

   (3)  See Peter Neumann, *Computer-Related Risks*,
Addison-Wesley, Reading, Mass., 1995, page 166.

   (4)  Neumann, *Computer-Related Risks*, 1995, page 168.

   (5)  Neumann, *Computer-Related Risks*, 1995, page 167.

   (6)  Neumann, *Computer-Related Risks*, 1995, page 184.

____________________________________________________________


            J.2 CRYPTOGRAPHY FOR CONFIDENTIALITY


   +    According to unclassified sources, a foreign
intelligence service conducted signals intelligence (SIGINT)
operations against a major U.S. airplane manufacturer,
intercepting telemetry data transmitted from an airplane under
development during a particular set of flight tests and a
video teleconference held among company engineers located at
various sites.(7) Encryption of the telemetry data and the
video conference might have kept sensitive information away
from the foreign intelligence service.

   +    A bounty of $80,000 was reportedly posted on the
Internet in 1994 for a notebook computer belonging to any
Fortune 100 executive.(8) Encryption of the files on the
laptop might have helped to keep sensitive information
confidential.

   +    A Green Bay Packer football player was overheard
calling a male escort service and making explicit requests.(9)
A 23-minute conversation allegedly between Princess Diana and
a man who called her "my darling Squidge" was taped by a
retired bank manager in Oxford and transcribed in The Sun.(10)
The transcript of that conversation has now been circulated
widely. Encryption of these communications would have
prevented the disclosure of the information in question.

   +    In one instance relayed to the committee, a large
multinational manufacturer dispatched a salesperson to engage
in negotiations with a foreign nation. A laptop computer that
carried a great deal of sensitive information relevant to
those negotiations was seized by the border authorities and
returned to the salesperson three days later. As the
negotiations proceeded, it became clear to the salesperson
that his counterparts had all of the information carried on his
laptop. In another instance, a major multinational company
with customer support offices in China experienced a break-in
in which Chinese nationals apparently copied paper documents
and unencrypted computer files. Encryption of the stored files
might have reduced the likelihood that the data contained
therein would have been compromised.

----------

   (7)  Peter Schweizer, *Friendly Spies*, The Atlantic
Monthly Press, New York, 1993, pages 122-124.

   (8)  Dan Costa, "Not-So-Soft Security," *Mobile Office*,
August 1995, page 75.

   (9)  John Flinn, *San Francisco Examiner*, November 1,
1992; see also Neumann, *Computer-Related Risks*, 1995, page
186.

   (10) John Flinn, *San Francisco Examiner*, 1992; see also
Neumann, *Computer-Related Risks*, 1995, page 186.

____________________________________________________________


          J.3 CRYPTOGRAPHY FOR BOTH AUTHENTICATION
                     AND CONFIDENTIALITY


   In the following instances, both authentication and
confidentiality might have had a useful role to play.
Authentication could have been useful to keep intruders out of
the computer systems in question, while confidentiality could
have helped frustrate their attempt to view or obtain
plaintext of information stored on those systems. However, in
any individual example, it is not known if cryptographic
authentication or encryption was or was not a part of the
computer systems or networks that were penetrated.

   +    A reporter for Newsweek who wrote an article on
malicious hacking activities was subjected to an electronic
bulletin board trial and pronounced guilty. Subsequently,
someone accessed a TRW credit database to obtain and post the
reporter's credit card numbers. As a result, $1,100 in
merchandise was charged to him, and his home computer was
crashed remotely via his unlisted telephone number.(11)

   +    An employee of Disney World gained illegal access to
Disney computer systems in 1994, reading confidential data
files on employees and deleting information from the
systems.(12)

   +    A major multinational chemical manufacturer
headquartered in the United States has deployed an on-line
videotext system that contains considerable amounts of
proprietary information about processes used by that company.
This manufacturer has disconnected one of its plants, located
in the Far East, from the videotext network because of
evidence that the government of the nation in which the plant
is located is both willing and able to tap into this network
to obtain valuable information that could be passed on to the
manufacturer's foreign competitors.

   +    The domestic security service of a major Western
European nation found information belonging to a major
multinational manufacturer headquartered in the United States
in the private homes of individuals with no connection to the
manufacturer. This information was found marked for sale to a
competitor of the manufacturer in question and was apparently
obtained through the computer hacking efforts of these
individuals.

----------

   (11) Neumann, *Computer-Related Risks*, 1995, page 137.

   (12) Richard Burnett, "More Hackers Speak in Code; Rise in
Peeping Toms Alarms Central Florida Businesses," *The Orlando
Sentinel*, July 4, 1994, page 10.

____________________________________________________________


             J.4 CRYPTOGRAPHY FOR DATA INTEGRITY


   +    A convicted forger serving a 33-year term was released
from jail after a forged fax had been received ordering his
release. A legitimate fax had been altered to bear his
name.(13) Cryptography to ensure data integrity might have
helped to detect the forgery.

   +    A prison inmate gained access to the on-line prison
information system and managed to alter his release date. The
alteration was detected by a suspicious deputy comparing the
on-line entry with manual records, after the inmate had
bragged about how he was going to get out early.(14)
Cryptography to ensure data integrity might have helped to
detect the alteration of the files.
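   The following example is added here to make concrete what
"cryptography to ensure data integrity" and "cryptography for
authentication" mean in the release-record case above and in
the First Interstate bogus transfer request in Section J.1. It
is not part of the NRC report and the report does not specify
any particular mechanism; the example uses HMAC-SHA256 with
per-role secret keys, and the record fields, account numbers
and keys are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-role secret keys for this example. In a real deployment each
# key would be held only by its owner (ideally inside a hardware token), never
# in source code, and never learnable by a colleague the way the Dutch bank
# employee learned a second password.
KEYS = {
    "records-clerk": b"clerk-key-constructed-for-example",
    "wire-officer": b"wire-key-constructed-for-example",
}


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always yields
    identical bytes; otherwise field ordering alone would change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record: dict, key_id: str) -> str:
    """Compute an HMAC-SHA256 tag over the record under the named role's key.
    The tag binds the record to a holder of that key: altering any field, or
    tagging with any other key, produces a different value."""
    return hmac.new(KEYS[key_id], canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag_hex: str, key_id: str) -> bool:
    """Recompute the tag and compare in constant time. False means the record
    was altered after tagging, or was never tagged by the claimed role."""
    return hmac.compare_digest(tag(record, key_id), tag_hex)


def release_record_scenario() -> dict:
    """J.4: a release record tagged by the records clerk, then the same record
    with the date moved up by someone who holds no key. The stored tag still
    matches the original but not the altered entry."""
    record = {"inmate_id": "00417", "release_date": "1999-06-01"}  # constructed
    stored_tag = tag(record, "records-clerk")
    altered = dict(record, release_date="1985-01-15")
    return {
        "original_ok": verify(record, stored_tag, "records-clerk"),
        "altered_ok": verify(altered, stored_tag, "records-clerk"),
    }


def transfer_request_scenario() -> dict:
    """J.1: an ACH transfer request arriving with a made-up authorization tag,
    one tagged under the wrong role's key, and one genuinely tagged by the
    wire officer. Only the last verifies."""
    request = {"debit_account": "1234567", "amount_usd": 70_000_000, "ach": True}  # constructed
    forged = "0" * 64  # the submitter has no key and can only guess a tag
    wrong_role = tag(request, "records-clerk")
    genuine = tag(request, "wire-officer")
    return {
        "forged_ok": verify(request, forged, "wire-officer"),
        "wrong_role_ok": verify(request, wrong_role, "wire-officer"),
        "genuine_ok": verify(request, genuine, "wire-officer"),
    }


if __name__ == "__main__":
    print(release_record_scenario())
    print(transfer_request_scenario())
```

   Two caveats a practitioner would add. First, the tag only
detects alteration by someone who does not hold the key; the
Dutch bank case in Section J.1, where one employee knew a
colleague's password, shows that a secret that can be learned
or shared gives no such guarantee, which is why the key should
live in a token the holder cannot read out. Second, an HMAC
key is shared between tagger and verifier, so it proves the
record came from someone holding that key but cannot show
which of them; where an audit trail must attribute an action
to one individual, as in the GM and Los Angeles police cases,
a digital signature under a key only that individual holds is
the appropriate tool.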

----------

   (13) See "Fraudulent Fax Gets Forger Freed," *San Francisco
Chronicle*, December 18, 1991, page A3.

   (14) *San Jose Mercury News*, December 14, 1984.

____________________________________________________________

[End Appendix J]
