[RISKS] Risks Digest 24.87

From: RISKS List Owner (risko@private)
Date: Mon Oct 22 2007 - 17:15:14 PDT


RISKS-LIST: Risks-Forum Digest  Monday 22 October 2007  Volume 24 : Issue 87

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.87.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Tix-Nix Rocks Rox-Sox Jox
Computerised anti-aircraft gun kills 9 (Gary Hinson)
Russian spacecraft lands short: "computer glitch" (Ken Knowlton)
Loss of control and crash of UAV (Ian Staines)
Re: LI Railroad double bills for tickets (Al Stangenberger, Erik Mooney)
Re: Dutch railway offers easy access to customer profiles (Leon Kuunders)
Risks of cute e-mail (Chris Williams)
SSP 2008: Paper Submission Deadline: Friday, November 9, 2007 (Yong Guan)
REVIEW: "Exploiting Online Games", Greg Hoglund/Gary McGraw (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 22 Oct 2007 16:23:04 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Tix-Nix Rocks Rox-Sox Jox

Mark Johnson contributed this item from the Colorado Rockies' website:
http://colorado.rockies.mlb.com/content/printer_friendly/col/y2007/m10/d22/c2276226.jsp

  Sales of World Series tickets in Denver had to be suspended after "too
  much activity" on the servers.  Fewer than 500 tickets were sold out of
  over 50,000.  The current plan is to fix the online system and try again.

Mark also added:
  Even more interesting is a *Denver Post* opinion piece that indicates over
  200 clients lost the ability to sell tickets due to this server failure.
  Nothing like putting all your eggs into one basket.

Joe Loughry added this gem from *The Denver Post*:
http://www.denverpost.com/ci_7248448

  But some people found glitches, such as being told to "enable cookies" and
  to set their computer security to the "lowest level." And some fans
  couldn't log in at all.

  Alves explained that those who saw a "page cannot be displayed" message
  had "IP addresses that we blocked due to suspicious/malicious activity to
  our website during the last 24 to 48 hours. As an example, if several
  inquiries came from a single IP address they were blocked."

With baseball's so-called World Series between the Rockies and the Red Sox
about to start on 24 Oct, this item seems timely.  Maybe simultaneous overly
large orders from scalpers brought down the server?  All games will be
broadcast on Fox, but will there be anyone in the stands?

  With Rocks in their Socks,
  And their Jocks on Fox,
  The Rox in the Box
  May get some Knocks
  Off the Sox --
  If they can DeTox,
  Fix the Tix-Nix Mix-
  up, and get in some Lix.
  Rox or Sox in six?
  Seven is heaven.

PGN
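The blocking rule Alves describes ("if several inquiries came from a single IP address they were blocked") is the kind of control that sweeps up innocent fans: every employee behind one office NAT gateway shares one address, so a few colleagues refreshing the ticket page look identical to one scalper's script. The following is an added example, not code from the Rockies, Tickets.com or any other party in the story; the log lines, addresses, session cookies and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not from the Rockies' or any real server).
# Columns: timestamp, client IP, session cookie, request path.
# 203.0.113.7 stands in for an office NAT gateway: six different fans,
# six different sessions.  198.51.100.20 is one client hammering the page.
SAMPLE_LOG = """\
2007-10-22T10:00:01 203.0.113.7 s1 /tickets/worldseries
2007-10-22T10:00:01 203.0.113.7 s2 /tickets/worldseries
2007-10-22T10:00:02 203.0.113.7 s3 /tickets/worldseries
2007-10-22T10:00:02 203.0.113.7 s4 /tickets/worldseries
2007-10-22T10:00:03 203.0.113.7 s5 /tickets/worldseries
2007-10-22T10:00:04 203.0.113.7 s6 /tickets/worldseries
2007-10-22T10:00:01 198.51.100.20 s9 /tickets/worldseries
2007-10-22T10:00:01 198.51.100.20 s9 /tickets/worldseries
2007-10-22T10:00:02 198.51.100.20 s9 /tickets/worldseries
2007-10-22T10:00:02 198.51.100.20 s9 /tickets/worldseries
2007-10-22T10:00:03 198.51.100.20 s9 /tickets/worldseries
2007-10-22T10:00:05 192.0.2.33 s7 /tickets/worldseries
2007-10-22T10:00:09 192.0.2.33 s7 /tickets/worldseries
"""


def parse_log(text):
    """Parse the log into time-ordered (timestamp, ip, session, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, session, path = line.split()
        events.append((datetime.fromisoformat(ts), ip, session, path))
    events.sort()
    return events


def offenders(events, key, threshold, window_seconds):
    """Sliding-window counter: flag every key that makes more than
    `threshold` requests inside any `window_seconds` interval."""
    recent = defaultdict(deque)
    flagged = set()
    window = timedelta(seconds=window_seconds)
    for ts, ip, session, _path in events:
        k = key(ip, session)
        q = recent[k]
        q.append(ts)
        while ts - q[0] > window:          # expire requests outside the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(k)
    return flagged


def block_by_ip(events, threshold=3, window_seconds=10):
    """The rule quoted in the article: "several inquiries from a single IP"."""
    return offenders(events, lambda ip, _s: ip, threshold, window_seconds)


def block_by_session(events, threshold=3, window_seconds=10):
    """Same rule keyed on the session cookie instead of the address."""
    return offenders(events, lambda _ip, s: s, threshold, window_seconds)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("blocked by IP:     ", sorted(block_by_ip(ev)))
    print("blocked by session:", sorted(block_by_session(ev)))
```

Keyed on the address, the rule blocks the NAT gateway and the six fans behind it along with the one client that is actually hammering the site; keyed on the session it flags only the latter. A session cookie is no silver bullet either, since a scalper can clear it between requests, so in practice the per-IP threshold needs to be far higher than "several" and the per-session check needs something costlier behind it (a queue token or CAPTCHA) before a block is applied.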

------------------------------

Date: Sat, 20 Oct 2007 11:29:38 +1300
From: "Gary Hinson" <Gary@private>
Subject: Computerised anti-aircraft gun kills 9

http://www.mg.co.za/articlePage.aspx?articleid=322117&area=/breaking_news/breaking_news__national/

The story speaks for itself.  After the operators cleared a jam in a
Swiss/German Oerlikon 35mm Mark V anti-aircraft twin-barreled gun during a
live-firing military exercise [at the South African National Defence Force
Lohatlha training grounds], the gun turned to the left and fired a rapid
burst of cannon shells directly at adjacent guns in the line, killing 9
soldiers and injuring 14.  At the time, the gun was supposedly on 'manual',
locked on to a target 1.5 to 2km away.  On 'manual', it should not have
turned at all.

http://www.itweb.co.za/sections/business/2007/0710161034.asp?S=IT%20in%20Defence&A=DFN&O=FPTOP
According to "Defence pundit Helmoed-Roemer Heitman told the Weekend Argus
that if 'the cause lay in computer error, the reason for the tragedy might
never be found.'"  If 'computer error' equates to bug, then I can only
assume the software must be horrendously complex and opaque to be so
resistant to analysis ... which it probably is if it combines target
acquisition/identification, range finding, gun control, oh and safety.

The South African Department of Defence is under pressure to conduct an
inquiry.
http://www.mg.co.za/articlePage.aspx?articleid=321877&area=/breaking_news/breaking_news__national/

Don't the procurers of such automated weaponry specify mechanical safety
interlocks capable of physically preventing the turret from turning beyond
set azimuth (and perhaps elevation) limits?

  [Other reports on this noted by Ilya Gulko, Martin Ward, and
  Kurtis Lanovaz.  PGN]

------------------------------

Date: Sun, 21 Oct 2007 13:21:39 EDT
From: Ken Knowlton <KCKnowlton@private>
Subject: Russian spacecraft lands short: "computer glitch"

A Russian spacecraft came down a minute early, on a steeper-than-planned
descent, and landed 210 miles off from its designated site, due to a
"computer glitch." And nobody got hurt. Said Alexei Krasnov, head of the
Russian space agency's manned space programs, "It's difficult to immediately
name a specific reason behind the problem.  We need to do an in-depth
analysis."  (AP 21 Oct 2007)
  http://www.abcnews.go.com/Technology/wireStory?id=3756743

------------------------------

Date: Fri, 19 Oct 2007 19:50:07 -0400
From: "Staines, Ian" <istaines@private>
Subject: Loss of control and crash of UAV

AVweb has a good article on the recent loss of control and crash of a
UAV (Unmanned Aerial Vehicle).

http://www.avweb.com/avwebflash/news/NTSB_CustomsBorderPatrol_UAVcrash_196405-1.html

The full article is an even better read.  See the full NTSB report:
http://www.ntsb.gov/ntsb/brief2.asp?ev_id=20060509X00531&ntsbno=CHI06MA121&akey=1

There are numerous automation and user faults that RISKS readers will find
familiar.

I think what is poignant here is that although these vehicles have a fairly
long history of use within the military, these aircraft are now being
integrated into the civilian airspace.  They are also flying along
international borders and potentially in international airspace.
Especially troubling for me is this quote: "...Because of national security
issues and past experience with similar UASs, the FAA temporarily waived
this requirement for the issuance of the Certificate of Waiver or
Authorization (COA) to operate in the National Airspace System (NAS)..."

Ian Staines, Delta, BC, CANADA, istaines@private

------------------------------

Date: Sat, 13 Oct 2007 21:50:20 -0700
From: Al Stangenberger <forags@private>
Subject: Re: LI Railroad double bills for tickets (RISKS-24.86)

The railroad now says that the problem was caused by a software update in
late September, rather than an error undiscovered since 2001.  They have
reverted to the previous version of the software and are revising their
testing procedures.

http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--lirrdoublebilling1011oct11,0,3782883.story

------------------------------

Date: Thu, 11 Oct 2007 16:39:41 -0500
From: Erik Mooney <erik@private>
Subject: Re: LI Railroad double-bills for tickets (RISKS-24.86)

Anybody want to bet that the problematic limit was precisely 32,767? :)

This glitch actually hit me personally - I had a LIRR ticket double-billed.
I didn't bother with LIRR customer service, since I had no evidence to
convince a commuter railroad that I didn't ride it two days in succession.
I was waiting for the credit card statement to cycle so I could dispute it
at that level, but fortunately the merchant (the railroad) discovered its
error and credited the account.  'Twas strange, after reading RISKS for
years to find myself actually caught in one!

  [R.G. Newbury and Scott Nicol also suggested this likely explanation.
  Scott: "Could this have been a 16-bit signed int rollover bug?"  PGN]
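The contributors above are speculating that the LIRR limit was a 16-bit signed rollover; the railroad itself only says a September software update was at fault. The following is an added illustration, not code from the LIRR or from anyone on the list, of one hypothetical way such a wrap turns into duplicate charges: the "last settled sequence number" that a nightly settlement job uses as its high-water mark is persisted in a field that is only 16 bits wide, so once sales pass 32,767 the stored mark goes negative and the next pass re-sends every transaction. The ticket records, sequence numbers and fare are constructed.

```python
INT16_MIN, INT16_MAX = -32768, 32767


def to_int16(value):
    """Wrap a Python int the way assignment to a C `signed short` does
    (two's complement, 16 bits): 32767 + 1 becomes -32768."""
    return ((value + 32768) % 65536) - 32768


def sample_transactions():
    """Constructed ticket sales: eleven charges whose sequence numbers
    straddle INT16_MAX (32760..32770).  Not real LIRR data."""
    return [{"seq": seq, "ticket": f"T{seq}", "fare": 9.25}
            for seq in range(INT16_MAX - 7, INT16_MAX + 4)]


def settle(transactions, watermark):
    """Send to the card processor every transaction newer than the
    last settled sequence number."""
    return [t for t in transactions if t["seq"] > watermark]


def run_settlement(transactions, store_watermark):
    """Two nightly settlement passes.  Between them the high-water mark is
    persisted through `store_watermark`, which models the type of the
    column that holds it (hypothetical; `int` = wide enough, `to_int16`
    = a 16-bit field)."""
    first = settle(transactions, watermark=0)
    high_water = max(t["seq"] for t in first)
    persisted = store_watermark(high_water)
    second = settle(transactions, watermark=persisted)
    return first, second


def double_billed(first, second):
    """Tickets charged in both passes."""
    return sorted({t["ticket"] for t in first} & {t["ticket"] for t in second})


if __name__ == "__main__":
    txns = sample_transactions()
    f, s = run_settlement(txns, int)       # wide field: nothing re-sent
    print("wide watermark, re-sent:", len(s))
    f, s = run_settlement(txns, to_int16)  # 16-bit field: mark wraps to -32766
    print("int16 watermark, re-sent:", len(s), double_billed(f, s))
```

The check a practitioner would add to a settlement job is the obvious one this mechanism lacks: refuse to run (and page someone) when the persisted high-water mark is lower than the one written last time, since a monotonic counter that goes backwards is the signature of truncation, not of legitimate new work.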

------------------------------

Date: Fri, 12 Oct 2007 00:24:21 +0200
From: Leon Kuunders <leon@private>
Subject: Re: Dutch railway offers easy access to customer profiles (R-24.86)

For what it's worth: in the meantime some minor inconsistencies (spelling
errors, very broad error messages that include instructions on how their
cards are numbered) have been detected on their website.  Also, and of more
interest, is the way their privacy policy is set up: they point for part of
the transaction process to another company (owned by 5 large Dutch public
transport organizations), who in return point back at them.  Bottom-line:
they can (and will) identify you, even if you are using an anonymous card,
through the bank-transaction that is needed to buy the (anonymous) card...

Noothoven van Goorstraat 14, 2806 RA, GOUDA  http://leon.kuunders.info
W: +31 641 164 995  P: +31 620 624 702

------------------------------

Date: Thu, 11 Oct 2007 11:40:18 -0600
From: Chris Williams <cwilliams@private>
Subject: Risks of cute e-mail

Recently here in the Denver area, a very cute e-mail has been making the
rounds.  The story goes:

-----Original Message-----

  Scott rescued 6 black lab (mix) puppies out of the middle of the road on
  Saturday. PLEASE help me find them homes - otherwise, it's Animal Control
  - which means they only have 5 days. We've bathed them, sprayed them for
  fleas and wormed them....but we can't keep them. They are currently in a
  kennel in my basement since I don't have a fence. I've lost count of the
  number of rescue groups that I've contacted, only to be turned down due to
  no room.

  Please check with every dog person you know to see if they need a puppy.
  Regards,

  Tim Aumack

  If you know someone looking for a pet, please contact:
  Bryan Pratt , CPA, Manager - Corporate Tax, Bill Barrett Corporation
  .... 18th Street, Suite 2300, Denver , CO 80202 PH: 303-293-....
  FAX: 303-291-....  DIR: 303-312-....  bpratt@<domainname deleted>

-----End Message-----

And of course there was an appropriately cute picture attached of six black
lab mix puppies (omitted here).

I first saw this e-mail early last week as it made the rounds at my
girlfriend's place of work.  A day or so later I heard from several other
friends and they forwarded it along as well.  Now this week it appears to
still be circulating as it made it to my work as well.  It does appear that
this is (or was originally) a legit e-mail and the photo attached was just
that, but the RISKS here are several:

1) Who needs a bot army to send spam/viruses when you can get people to
   willingly forward things along for you?

2) If you attach a picture with something as cute as puppies looking for a
   home, everybody is going to open it.

3) Since this appears to have started as a local phenomenon and has slipped
   by every anti-spam and anti-virus engine, the potential for malice is
   high.

4) Before speculating on the legitimacy of something in a public forum,
   research, research, research!

A search of the interwebs revealed this e-mail to be a nationwide phenomenon.
Despite the fact this e-mail is indeed a hoax, it doesn't detract from the
validity of the first three RISKS.

It will be interesting to see if this e-mail makes it out of the
Denver/Boulder area to other parts of the country or if we see someone on
the dark side take this localized phenomenon and twist it to work for the
dark side.

chris williams, manager of information technology, jabber, inc. 1-303.308.3292
[Address, phone numbers & e-mail address in the original e-mail suppressed.-c]

------------------------------

Date: Tue, 16 Oct 2007 20:15:27 -0500
From: Yong Guan <guan@private>
Subject: SSP 2008: Paper Submission Deadline: Friday, November 9, 2007

2008 IEEE Symposium on Security and Privacy
The Claremont Resort, Berkeley/Oakland, California, USA, May 18-22, 2008

PAPER SUBMISSION DEADLINE: Friday, 9 Nov 2007 23:59:00 EST (GMT-5)
(No extensions!)
For more information on the symposium, please visit:
  http://www.ieee-security.org/TC/SP2008/oakland08.html

------------------------------

Date: Mon, 22 Oct 2007 10:16:10 -0800
From: Rob Slade <rmslade@private>
Subject: REVIEW: "Exploiting Online Games", Greg Hoglund/Gary McGraw

BKEXONGA.RVW   20070913

"Exploiting Online Games", Greg Hoglund/Gary McGraw, 2008,
0-13-227191-5, U$44.99/C$55.99
%A   Greg Hoglund www.rootkit.com
%A   Gary McGraw www.exploitingonlinegames.com gem@private
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-13-227191-2 0-13-227191-5
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$55.99 416-447-5101 fax: 416-443-0948 bkexpress@private
%O  http://www.amazon.com/exec/obidos/ASIN/0132271915/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0132271915/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0132271915/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   340 p.
%T   "Exploiting Online Games: Cheating Massively Distributed Systems"

Shall We Play A Game? or
Being a Review of "Exploiting Online Games"
With Much Editorializing and Extensive Digressions

Fair warning, then: this review is going to be a bit different.

Why games?  Isn't this topic a bit trivial?  After all, Hoglund and McGraw
are among the very select few who have been able to use the "hack to
protect" style work.  By examining vulnerabilities they have created books
like "Software Security" (cf. BKSWSBSI.RVW) that have contributed useful
guidance to those attempting to build more robust and reliable programs.
Therefore, the foreword, preface, and first chapter all attempt to provide
reasons why such a book is needed.

First off, there is a very large virtual economy that interpenetrates with
the [real|cash] one.  Since gamers have started selling abilities, "game
gold," and even characters, game objects now have cash values in the real
world.  As with anything that has an exchangeable value, the criminal world
has taken an interest.  Trade in game objects now comprises a large fraction
of online frauds, identity theft, and money laundering.  (The trojan posted
at the Dolphin Stadium Website, and others, around SuperBowl time had a
subordinate payload looking specifically for "World of Warcraft" accounts.)

Everything that relates to software insecurity (and security) in the online
gaming environment applies (though possibly not equally) to security in
other systems.  Therefore, a book noting the security vulnerabilities of
game systems provides an introduction to system security in general, and
application security in particular.  It helps that the gaming topic is of
intrinsic interest to a number of people, and therefore may spark interest
in information security.

(Interestingly, no argument is made in the book that the existence of
vulnerabilities in the game system itself, and particularly on the client
side, may open the gamer to various forms of attack [and not just by
axe-swinging berserkers].  Loopholes in the client software could lead to
openings for intrusions, means of gaining information about the user or
system, or entry points for malware.  We have seen numerous instances of
problems associated with widely used client software packages, such as those
for instant messaging and peer-to-peer file sharing.)

Chapter two contains a discussion of various ways of manipulating games.
Most of these are at a conceptual level, although some are extremely
detailed, including macro and C code.  The material also addresses some
countermeasures to the cheats, and a few ways to defeat the safeguards, as
well.  Instances and examinations of the virtual economies that have sprung
up around online games are presented in chapter three.  Given the earlier
stress on the importance of the point (as a rationale for the book itself),
the content is disappointingly thin in this separate chapter.  American
copyright and related laws (particularly the Digital Millennium Copyright
Act) and End-User Licence Agreements are the substance of chapter four.

Chapter five notes a number of bugs, primarily those involving interactions
of complex functions and states of games.  Tools and techniques for
examining and manipulating client software are described in chapter six.
There is a lot of C code, and, although the programming is extensive it
can't be exhaustive, since the chapter basically covers a topic to which
whole books are devoted.  (Most of the suggestions are directed at attacking
the server, and, again, there are few mentions of the risks of
vulnerabilities in the client.)  Chapter seven provides C code for
programming robots to cheat at the game for you.  The chapter seems oddly
placed, since eight returns to the topic of reverse engineering of software,
and lists more tools.  (There is also a rather comprehensive guide to basic
functions in assembly code.)  Advanced game hacking, in chapter nine, deals
mostly with the modification of clients or the creation of alternate game
servers.

Chapter ten starts off with the statement that the primary goal (of the
book) is to "understand the security implication of massively distributed
software systems that have millions of users."  That's a worthy goal, and
one that is indicated by the subtitle.  Therefore, it is strange to note
that not only is this intent omitted from the rationale given at the
beginning, but also that the topic really isn't addressed in the text.
There are so many notions that could be explored under that subject, such as
the social engineering aspects of working with large groups, the emergent
properties that might arise from simple functions operating in large numbers
of nodes, the massive power of distributed systems, or even the relation to
the botnets that are currently such a concern.  None of these ideas are
explored in the book or in chapter ten itself, which is simply a fairly
brief review of some decent but basic software security guidelines.

The book is, therefore, a partial success.  The introduction to the
fundamentals of software security via the gaming medium is a potentially
useful and valuable device.  The work does tend to concentrate more on the
game aspects, and less on the generic principles, but that emphasis is not
necessarily a flaw.  The precepts are sound, and those who do become
interested in security will be able to apply them, and move on to more
advanced areas.

copyright Robert M. Slade, 2007   BKEXONGA.RVW   20070913
rslade@private     slade@private     rslade@private
http://victoria.tc.ca/techrev/rms.htm

------------------------------

Date: 17 Oct 2007 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 24.87
************************



This archive was generated by hypermail 2.1.3 : Mon Oct 22 2007 - 17:49:22 PDT