RISKS-LIST: Risks-Forum Digest Thursday 2 October 2008 Volume 25 : Issue 37 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/25.37.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: NASDAQ's Google surprise (PGN) Computer Failure Hobbles Hubble, Derails Shuttle Mission (Sharon Gaudin) Amazon multiple account weirdness (Graham Bennett) Alarm sounded on second-hand kit (Gabe Goldberg) Seeking tales of IT gone wrong (Andrew Brandt) Re: Risks of financial systems too complex ,,, (Robert P Schaefer) Re: When is a backup not a backup? (Mark F) The folly of retaining default settings (Ken Knowlton) Weak password reset procedures (identity withheld) New castle rules in chess? (Andy Walker) Re: Hacker claims Palin e-mail hacked ... (Rob McCool, Scott Miller, Allen Hainer) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 1 Oct 2008 8:29:35 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: NASDAQ's Google surprise In the last three minutes of NASDAQ trading on 30 Sep 2008, an amazing event occurred relating to Google stock. It was not reported in the 1 Oct issue of *The New York Times* and mentioned only in passing in a very brief detail-free summary in the *San Francisco Chronicle*. This is an excerpt from NASDAQ.com after the market close: GOOG: Stock Quote & Summary Data Last Sale $320.50 Change Net $60.50 -15.89% Today's High/Low $483.63 / $39 [NOT A TYPO. PGN] In a "glitch" that apparently remains to be explained, the stock price took a horrendous dive in the last few minutes. Although some people tried to profit from it, NASDAQ *canceled* all transactions with Google shares above $425.29 or below $400.52, and the closing value was readjusted to $400.52. TheAustralian.news.com.au blames "Erroneous trades" routed to Nasdaq that sent Google shares tumbling. Shares rebounded in after-hours trading to $413.06. NASDAQ is also investigating trades in Rohm & Haas during the same three-minute window. Conceivably, the $39 transaction could have resulted from an erroneous entry such as $390. [As I edit this, my old home laptop has suddenly developed a sticking "a" key.] And recent studies seem to show that the market is driven more by rumor and innuendo than by external events. However, some sort of range checking would seem to have long ago been in place to prevent such wild outliers. In any event, hopefully an insider will be able to let us know what really happened. ------------------------------ Date: Wed, 1 Oct 2008 14:11:21 -0400 From: technews_at_private Subject: Computer Failure Hobbles Hubble, Derails Shuttle Mission NASA scientists announced that a data formatter and control unit on the Hubble Space Telescope has "totally failed," preventing data from being sent to Earth and delaying a shuttle mission. The Science Data Formatter is designed to collect information from five onboard instruments, format the data into packets, put headers on the packets, and send the packets to Earth. Hubble Space Telescope program executive Michael Moore says the Hubble's problematic computer, which has been in orbit for more than 18 years, is a simple but vital part of the telescope's communications system. NASA scientists are now working to switch the Hubble to onboard redundant systems to resume services until a space shuttle arrives with a replacement system. NASA postponed the space shuttle's planned October repair mission so a replacement computer system can be obtained. Hubble manager Preston Burch does not know what caused the failure, but notes that the unit runs at a relatively high temperature compared to other components, and high temperatures tend to accelerate the degradation process. Moore says switching over to the redundant systems should take about 10 hours, and technicians and scientists expect to complete the process at the end of the first week of October. NASA's Ed Weiler says the switchover and subsequent installation of new redundant systems should add another five to 10 years to Hubble's life. [Source: Sharon Gaudin, *Computerworld*, 30 Sep 2008, via ACM TechNews, Wednesday, October 1, 2008] http://www.computerworld.com/action/article.do?command=3DviewArticleBasic&articleId=3D9115903 ------------------------------ Date: Tue, 30 Sep 2008 20:54:49 +0100 From: Graham Bennett <graham_at_private> Subject: Amazon multiple account weirdness The other day, I logged in to Amazon and got as far as checking out, when I noticed that my address book only had very old addresses in it (from circa 2001/2002) and the order history stopped around the same time. After thinking for a bit I realised that I'd accidentally used an old password that I don't really use for anything important any more to log in, so I logged out and logged back in with the correct (newer) password and exactly the same e-mail address. Lo and behold, I got my up to date account information and recent order history. Now, I don't thinking I'm alone in expecting that when I create an account with a website, the e-mail address or login id will be the primary key, and not the login and password combined. So I was a bit surprised by this. I sent Amazon e-mail asking them how this could have happened, and asking them a couple of awkward questions like "What if I change the passwords on both accounts to be the same?" and "If I delete one account does it delete both?". They couldn't really provide satisfactory answers to that and said I must have inadvertently created the second account (which is probably the case). Discussing this with some colleagues at work, it became evident that this is the usual behaviour - you can create as many accounts as you like for the same e-mail address, as long as the passwords are different. Moreover, creating the account does not require the email address to be confirmed! So this means anyone can create an account on Amazon with my e-mail address. Now, I don't think this in itself is a massive security hole since the new account doesn't have access to any privileged data, but at the very least someone malicious could try to do some nasty things. For example, they could create a lot of accounts against a target e-mail address with common passwords, and hope that the victim accidentally logs in with the wrong one and, not realising their mistake, re-enters their details and makes a purchase. The user probably wouldn't notice since the confirmation will get sent to their e-mail address as expected. I put these points to Amazon in a customer services enquiry, and for the most part I got the expected fob-off: "Please rest assured that Your Account is secure. "In the event of Malicious creating accounts with obvious passwords in the hope that someone will accidentally type the wrong one and enter their credit card details into an account,Our secure server software encrypts all your personal information including credit or debit card number, name and address. The encryption process takes the characters you enter and converts them into bits of code that are then securely transmitted over the Internet. "Secondly, An attacker registering many passwords against the e-mail address of a victim, even if the attacker was to get access to the customer's account,Please know that if someone was able to log in to your account, they would still not have access to your payment card details, as they are not displayed anywhere on the site. "None of the customers who have shopped at Amazon.co.uk have reported fraudulent use of a payment card as a result of purchases made with us. In fact, we are so confident about the transaction security we offer on our site that we back every purchase with a security guarantee." Well, I'm glad that I've got all those 'bits of code' protecting me! Unfortunately, they'll be protecting the attacker too... They do make the valid point that you can't extract credit card details even if you can log into an account, but you can still make purchases and read or change addresses. I have seen posts on the Web saying that the reason for this functionality is so that people sharing the same e-mail address can have their own accounts. This might have been an issue in the early days of online shopping, but now in the days of widely available free e-mail accounts, I don't think this is necessary. Even then, why not have an e-mail verification step when creating a new account? I don't think this would be a barrier for people signing up. It seems strange to me that such a well-known Web presence as Amazon would operate a confusing system like this, the disadvantages seem to far outweigh the advantages. I'm sure security experts would say that the simpler a system is, the simpler it is to secure it. http://graham33.wordpress.com/2008/09/14/amazon-multiple-account-weirdness/ ------------------------------ Date: Thu, 02 Oct 2008 10:50:03 -0400 From: Gabe Goldberg <gabe_at_private> Subject: Alarm sounded on second-hand kit For less than a pound (UK), a security expert obtained front-door access to a council's internal network. Andrew Mason from security firm Random Storm bought some network hardware from auction site eBay for 99p. When he switched it on and plugged it in, the device automatically connected to the internal network of Kirklees Council in West Yorkshire. Kirklees council called the discovery "concerning", but said its data had not been compromised. http://news.bbc.co.uk/2/hi/technology/7635622.stm ------------------------------ Date: Thu, 25 Sep 2008 02:14:46 -0600 From: Andrew Brandt <risks_inquiry_at_private> Subject: Seeking tales of IT gone wrong As a sporadic reader of your list, I'm familiar with the kinds of stories that end up gracing each issue of the ACM Risks Digest. I've come to ask you, all of you, for some help. I'm a freelance reporter, currently on assignment to write a story for *Infoworld*. The gist of the story is "Greatest IT Mistakes," where I hope to relate true anecdotes of people who -- perhaps in an ill-advised, well-intentioned state of mind -- set off a cascade of errors that resulted in serious computer downtime, lost data, or other notable information technology failures or problems. As opposed to the typical story in RISKS, I'm searching for the stories about problems that, while they may have been aggravated or magnified by automated systems, were initiated by humans. Many such historical events (e.g., the Morris Worm) are well known. Many more end up in the Snopes urban legend archive. I'm looking for examples that fall outside the parameters of the well-known events of this type, and I won't print anything the veracity of which I cannot authenticate. Please send me true stories, preferably where you have direct, personal knowledge of the details and parties involved. The goal of the story is not to humiliate a person, or call attention to a company with poor IT policies. This isn't a name-and-shame piece. I'd like the story to serve as a cautionary tale to others, with a humorous angle, if that's possible. And I think it is. To that end, I'm willing to anonymize what anyone cares to share with me to whatever extent is necessary to avoid such humiliation. Of course, if the person or people responsible for, by way of entirely hypothetical example, deleting a company's entire e-mail archive in the process of performing a backup are willing to have their identities disclosed, I'd be more than happy to oblige. I'll be searching the archives for stories dating back no further than about 18 months that suit the needs of my article; If you know of a particularly juicy tidbit, please contact me directly with anecdotes. You can use the risks_inquiry_at_private e-mail address, with the word "risks" somewhere in the subject line. Thanks very much in advance for your assistance. [I suggested to Andrew that he cull through the RISKS archives and my annotated index (http://www.csl.sri.com/neumann/illustrative.html), especially those with the descriptor "h" (for human) and "i" (for interface). PGN] ------------------------------ Date: Tue, 30 Sep 2008 15:55:58 -0400 From: "Schaefer, Robert P \(US SSA\)" <robert.p.schaefer_at_private> Subject: Re: Risks of financial systems too complex ,,, (Schaefer, R-25.36) PGN missed my follow-up correction. Ouroboros was written in 1926, before the crash. A good read though. The book I meant to cite was: Garet Garrett, The Bubble that Broke the World, 1932 http://www.mises.org/books/bubbleworld.pdf ------------------------------ Date: Wed, 01 Oct 2008 20:13:38 -0400 From: Mark F <mark49607_at_private> Subject: Re: When is a backup not a backup? (Ward, RISKS-25.36) > We have had systems fail because the backup system was not able to handle > the peak load on the main system: in other words, the "backup" turned out to > be unable to take over when most needed. So it wasn't a "backup" at all. I've been on commercial flights that weren't permitted to take off because they had only 2 of 3 navigational devices functioning. The irony is that only 2 were required, but the airline had decided that it wanted the extra reliability of having 3, not realizing that the FAA rules said that ALL of the installed units had to be working. (This was in about 1965, so the rules may have changed.) ------------------------------ Date: Wed, 1 Oct 2008 10:16:03 EDT From: Ken Knowlton <KCKnowlton_at_private> Subject: The folly of retaining default settings (Re: Haynes, RISKS-25.36) [Re: Jim Haynes RISKS 25.36: Default passwords and gasoline thefts, and George Santayana's "Those who cannot remember the past..."] Sixty five years ago Richard Feynman created a minor ruckus by opening several filing cabinets containing super-secret info at Los Alamos simply by dialing the standard factory setting of their combination locks. ------------------------------ Date: Wed, 1 Oct 2008 11:52:58 From: [Identity withheld by request] Subject: Weak password reset procedures There's always a tradeoff in making password resets easy vs. secure. I ran into what (to me) was a new low point today. At Starwood.com, if you forget your account info, you can type in your e-mail address. It then gives you a choice of e-mailing you a temporary password (the normal approach), or recovering it using your "secret" question - which I did. So the answer to my "secret" question is as good as my password.... but most people's secret question is probably *less* secure than a password, since it's more likely to be something that can be recovered from a credit report, or at least brute force guessed. (I don't know if there are limits as to how many failures you can have before they lock you out.) OK, that's pretty weak. But then the big surprise - once I logged in (again, having only provided the answer to my secret question), I changed passwords - and the profile screen displays all 16 digits of my credit card number, plus the expiration date. Not the usual twelve stars and the last four digits, but the full 16 digits. The risk? Making recovery easy for customers (and hence increasing revenue and reducing help desk costs) can increase the risk to customers, even those who don't lose their passwords! ------------------------------ Date: Thu, 2 Oct 2008 00:13:40 +0000 (UTC) From: anw_at_private (Andy Walker) Subject: New castle rules in chess? (Re: RISKS-25.36) We've become used to confusions between assorted Sydneys, Gibraltars and so on. "Right Move", an organ of the English Chess Federation, reports on one between Newcastles. To cut quite a long story short, lady wants to find a chess club in Newcastle for her son, and quite sensibly googles for "junior chess Newcastle". The organiser in Newcastle-under-Lyme, a modest town, is quite used to this confusion, and passes her on to his counterpart in Newcastle-upon-Tyne, a large city whose university is well-known to readers of these articles. Said organiser finds her some nearby schools with chess clubs. Slightly puzzled mother says those schools are across the city, and aren't there any in nearby suburbs? Turns out [of course] that she is in Newcastle NSW, Oz -- yet another of the 33 Newcastles (and more variants) listed by Wiki. I suppose it shouldn't be a surprise that emigrants to new countries name not only their towns and cities but also some of their suburbs, streets and schools after those in their old countries. The problem is, of course, that Google and other computerised tools are international in scope, and locals don't always recognise the need for disambiguation. [I've just run the same google, and the Lyme one is not only now fifth (behind two Tynes and two NSWs) but is also clearly a Lyme rather than a random Newcastle, so either the web pages have changed or else the lady was somewhat careless.] [I have a personal interest in this confusion, as my house was once owned by the Duke of Newcastle, the "most hated man in England" at the time of the Reform Act riots (when his home, Nottingham Castle, was burned down). As Lyme is much too small to have a proper Duke, I always assumed he was a Tyne. But I found out fairly recently that the Tynes had died out, the title had had to be re-created, and they had used the Lyme version as a figleaf to give a different name but allow the same abbreviation.] ------------------------------ Date: Tue, 30 Sep 2008 20:23:12 -0700 (PDT) From: Rob McCool <robm_at_private> Subject: Re: Hacker claims Palin e-mail hacked ... (Miller, R-25.36) I think Scott Miller raises an interesting question, which is how did the hacker know to look for her e-mail at Yahoo to begin with. I agree that it's unlikely that he knew her alternate e-mail address. I would think only an insider would know that. Yahoo IDs can be public, although I can't remember if it's opt-in or opt-out, at http://members.yahoo.com/ Since the Yahoo ID was deleted after the incident, we don't know if her ID was listed or not. But that's one way her Yahoo ID could have been found. For fun, try looking for Arnold Schwarzenegger or Gray Davis in that directory. But then again, some of those accounts may have been created by mischief makers as a result of this incident. It's also possible that the Yahoo ID recovery process was changed after this incident and that the mechanism we're looking at isn't the one that was in place at the time. This may have only been the most high-profile of cases where the prior mechanism was abused and the Yahoo security team may have enhanced it since then. All these possibilities are there, and while I agree that they're slim chances, I'm not willing to conclude that it's BS yet. But the question remains, how did this person know that the real Sarah Palin was using Yahoo e-mail? ------------------------------ Date: Wed, 1 Oct 2008 09:10:25 -0400 From: SMiller_at_private Subject: Re: Hacker claims Palin e-mail hacked ... (McCool, RISKS-25.37) Rob, Well, regardless of the accuracy of these reports, there's your risk: Using a "something you know" factor as part of the recovery authentication that could in fact be "something that you and everyone else in the Internet universe knows or can trivially discover". It is indeed possible that Yahoo! changed recovery methods after (and as a result of) the incident, but my observation after over a year of using Yahoo! mail is that they seem to have a _lot_ of trouble replicating any behavior changes across their server farm, so I am somewhat skeptical that such a revision was successfully completed within 48 hours of the initial published reports. I created the new account to see if there was some option to allow additional recovery questions (e.g., the "high school" data mining allegation) that was only available at set-up time - there was not. I doubt that the reports are without a germ of truth, but I think that two things are obvious: The reports as they stand are at best incomplete; The media (unfortunately including many IT specialty sites and bloggers) embarrassed itself (again unfortunately, as usual) with its complete inability to do even rudimentary fact checking. Although perhaps I need to check my assumption that anyone working in the media remains capable of embarrassment... ------------------------------ Date: Wed, 01 Oct 2008 15:55:36 +0200 From: Allen Hainer <risks_at_hain-veilchen.de> Subject: Re: Hacker claims Palin e-mail hacked ... (RISKS-25.36) Scott Miller raises the question of whether a yahoo account can be reset without knowing the yahoo ID. The yahoo ID in question can easily be found using yahoo advanced search: http://members.yahoo.com/interests?.oc=a Enter the first and last name. The picture was last updated in 2006, so I don't think it is a recent spoof. ------------------------------ Date: Thu, 29 May 2008 07:53:46 -0900 From: RISKS-request_at_private Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in RISKS issues. *** Contributors are assumed to have read the full info file for guidelines. => .UK users should contact <Lindsay.Marshall_at_private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 25.37 ************************Received on Thu Oct 02 2008 - 10:35:06 PDT
This archive was generated by hypermail 2.2.0 : Thu Oct 02 2008 - 11:08:35 PDT