[RISKS] Risks Digest 25.37

From: RISKS List Owner <risko_at_private>
Date: Thu, 2 Oct 2008 10:35:06 PDT
RISKS-LIST: Risks-Forum Digest  Thursday 2 October 2008  Volume 25 : Issue 37

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.37.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
NASDAQ's Google surprise (PGN)
Computer Failure Hobbles Hubble, Derails Shuttle Mission (Sharon Gaudin)
Amazon multiple account weirdness (Graham Bennett)
Alarm sounded on second-hand kit (Gabe Goldberg)
Seeking tales of IT gone wrong (Andrew Brandt)
Re: Risks of financial systems too complex ,,, (Robert P Schaefer)
Re: When is a backup not a backup? (Mark F)
The folly of retaining default settings (Ken Knowlton)
Weak password reset procedures (identity withheld)
New castle rules in chess? (Andy Walker)
Re: Hacker claims Palin e-mail hacked ... (Rob McCool, Scott Miller,
  Allen Hainer)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 1 Oct 2008 8:29:35 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: NASDAQ's Google surprise

In the last three minutes of NASDAQ trading on 30 Sep 2008, an amazing event
occurred relating to Google stock.  It was not reported in the 1 Oct issue
of *The New York Times* and mentioned only in passing in a very brief
detail-free summary in the *San Francisco Chronicle*.  This is an excerpt
from NASDAQ.com after the market close:

  GOOG: Stock Quote & Summary Data

  Last Sale  $320.50
  Change Net $60.50  -15.89%
  Today's High/Low $483.63 / $39   [NOT A TYPO. PGN]

In a "glitch" that apparently remains to be explained, the stock price took
a horrendous dive in the last few minutes.  Although some people tried to
profit from it, NASDAQ *canceled* all transactions with Google shares above
$425.29 or below $400.52, and the closing value was readjusted to $400.52.

TheAustralian.news.com.au blames "Erroneous trades" routed to Nasdaq that
sent Google shares tumbling.  Shares rebounded in after-hours trading to
$413.06.

NASDAQ is also investigating trades in Rohm & Haas during the same
three-minute window.

Conceivably, the $39 transaction could have resulted from an erroneous entry
such as $390.  [As I edit this, my old home laptop has suddenly developed a
sticking "a" key.]  And recent studies seem to show that the market is
driven more by rumor and innuendo than by external events.  However, some
sort of range checking would seem to have long ago been in place to prevent
such wild outliers.  In any event, hopefully an insider will be able to let
us know what really happened.

------------------------------

Date: Wed, 1 Oct 2008 14:11:21 -0400
From: technews_at_private
Subject: Computer Failure Hobbles Hubble, Derails Shuttle Mission

NASA scientists announced that a data formatter and control unit on the
Hubble Space Telescope has "totally failed," preventing data from being sent
to Earth and delaying a shuttle mission.  The Science Data Formatter is
designed to collect information from five onboard instruments, format the
data into packets, put headers on the packets, and send the packets to
Earth.  Hubble Space Telescope program executive Michael Moore says the
Hubble's problematic computer, which has been in orbit for more than 18
years, is a simple but vital part of the telescope's communications system.
NASA scientists are now working to switch the Hubble to onboard redundant
systems to resume services until a space shuttle arrives with a replacement
system.  NASA postponed the space shuttle's planned October repair mission
so a replacement computer system can be obtained.  Hubble manager Preston
Burch does not know what caused the failure, but notes that the unit runs at
a relatively high temperature compared to other components, and high
temperatures tend to accelerate the degradation process.  Moore says
switching over to the redundant systems should take about 10 hours, and
technicians and scientists expect to complete the process at the end of the
first week of October.  NASA's Ed Weiler says the switchover and subsequent
installation of new redundant systems should add another five to 10 years to
Hubble's life.  [Source: Sharon Gaudin, *Computerworld*, 30 Sep 2008, via
ACM TechNews, Wednesday, October 1, 2008]
http://www.computerworld.com/action/article.do?command=3DviewArticleBasic&articleId=3D9115903

------------------------------

Date: Tue, 30 Sep 2008 20:54:49 +0100
From: Graham Bennett <graham_at_private>
Subject: Amazon multiple account weirdness

The other day, I logged in to Amazon and got as far as checking out, when I
noticed that my address book only had very old addresses in it (from circa
2001/2002) and the order history stopped around the same time.  After
thinking for a bit I realised that I'd accidentally used an old password
that I don't really use for anything important any more to log in, so I
logged out and logged back in with the correct (newer) password and exactly
the same e-mail address.  Lo and behold, I got my up to date account
information and recent order history.

Now, I don't thinking I'm alone in expecting that when I create an account
with a website, the e-mail address or login id will be the primary key, and
not the login and password combined.  So I was a bit surprised by this.

I sent Amazon e-mail asking them how this could have happened, and asking
them a couple of awkward questions like "What if I change the passwords on
both accounts to be the same?" and "If I delete one account does it delete
both?".  They couldn't really provide satisfactory answers to that and said
I must have inadvertently created the second account (which is probably the
case).

Discussing this with some colleagues at work, it became evident that this is
the usual behaviour - you can create as many accounts as you like for the
same e-mail address, as long as the passwords are different.  Moreover,
creating the account does not require the email address to be confirmed!  So
this means anyone can create an account on Amazon with my e-mail address.

Now, I don't think this in itself is a massive security hole since the new
account doesn't have access to any privileged data, but at the very least
someone malicious could try to do some nasty things.  For example, they
could create a lot of accounts against a target e-mail address with common
passwords, and hope that the victim accidentally logs in with the wrong one
and, not realising their mistake, re-enters their details and makes a
purchase.  The user probably wouldn't notice since the confirmation will get
sent to their e-mail address as expected.

I put these points to Amazon in a customer services enquiry, and for the
most part I got the expected fob-off:

  "Please rest assured that Your Account is secure.

  "In the event of Malicious creating accounts with obvious passwords in the
  hope that someone will accidentally type the wrong one and enter their
  credit card details into an account,Our secure server software encrypts
  all your personal information including credit or debit card number, name
  and address. The encryption process takes the characters you enter and
  converts them into bits of code that are then securely transmitted over
  the Internet.

  "Secondly, An attacker registering many passwords against the e-mail
  address of a victim, even if the attacker was to get access to the
  customer's account,Please know that if someone was able to log in to your
  account, they would still not have access to your payment card details, as
  they are not displayed anywhere on the site.

  "None of the customers who have shopped at Amazon.co.uk have reported
  fraudulent use of a payment card as a result of purchases made with us.
  In fact, we are so confident about the transaction security we offer on
  our site that we back every purchase with a security guarantee."

Well, I'm glad that I've got all those 'bits of code' protecting me!
Unfortunately, they'll be protecting the attacker too... They do make the
valid point that you can't extract credit card details even if you can log
into an account, but you can still make purchases and read or change
addresses.

I have seen posts on the Web saying that the reason for this functionality
is so that people sharing the same e-mail address can have their own
accounts.  This might have been an issue in the early days of online
shopping, but now in the days of widely available free e-mail accounts, I
don't think this is necessary.  Even then, why not have an e-mail
verification step when creating a new account?  I don't think this would be
a barrier for people signing up.

It seems strange to me that such a well-known Web presence as Amazon would
operate a confusing system like this, the disadvantages seem to far outweigh
the advantages.  I'm sure security experts would say that the simpler a
system is, the simpler it is to secure it.

http://graham33.wordpress.com/2008/09/14/amazon-multiple-account-weirdness/

------------------------------

Date: Thu, 02 Oct 2008 10:50:03 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Alarm sounded on second-hand kit

For less than a pound (UK), a security expert obtained front-door access to
a council's internal network.  Andrew Mason from security firm Random Storm
bought some network hardware from auction site eBay for 99p.  When he
switched it on and plugged it in, the device automatically connected to the
internal network of Kirklees Council in West Yorkshire.  Kirklees council
called the discovery "concerning", but said its data had not been
compromised.
  http://news.bbc.co.uk/2/hi/technology/7635622.stm

------------------------------

Date: Thu, 25 Sep 2008 02:14:46 -0600
From: Andrew Brandt <risks_inquiry_at_private>
Subject: Seeking tales of IT gone wrong

As a sporadic reader of your list, I'm familiar with the kinds of stories
that end up gracing each issue of the ACM Risks Digest.  I've come to ask
you, all of you, for some help.

I'm a freelance reporter, currently on assignment to write a story for
*Infoworld*.  The gist of the story is "Greatest IT Mistakes," where I hope
to relate true anecdotes of people who -- perhaps in an ill-advised,
well-intentioned state of mind -- set off a cascade of errors that resulted
in serious computer downtime, lost data, or other notable information
technology failures or problems.

As opposed to the typical story in RISKS, I'm searching for the stories
about problems that, while they may have been aggravated or magnified by
automated systems, were initiated by humans.

Many such historical events (e.g., the Morris Worm) are well known.  Many
more end up in the Snopes urban legend archive. I'm looking for examples
that fall outside the parameters of the well-known events of this type, and
I won't print anything the veracity of which I cannot authenticate. Please
send me true stories, preferably where you have direct, personal knowledge
of the details and parties involved.

The goal of the story is not to humiliate a person, or call attention to a
company with poor IT policies. This isn't a name-and-shame piece. I'd like
the story to serve as a cautionary tale to others, with a humorous angle, if
that's possible. And I think it is. To that end, I'm willing to anonymize
what anyone cares to share with me to whatever extent is necessary to avoid
such humiliation. Of course, if the person or people responsible for, by way
of entirely hypothetical example, deleting a company's entire e-mail archive
in the process of performing a backup are willing to have their identities
disclosed, I'd be more than happy to oblige.

I'll be searching the archives for stories dating back no further than about
18 months that suit the needs of my article; If you know of a particularly
juicy tidbit, please contact me directly with anecdotes. You can use the
risks_inquiry_at_private e-mail address, with the word "risks"
somewhere in the subject line.

Thanks very much in advance for your assistance.

  [I suggested to Andrew that he cull through the RISKS archives and my
  annotated index (http://www.csl.sri.com/neumann/illustrative.html),
  especially those with the descriptor "h" (for human) and "i" (for
  interface).  PGN]

------------------------------

Date: Tue, 30 Sep 2008 15:55:58 -0400
From: "Schaefer, Robert P  \(US SSA\)" <robert.p.schaefer_at_private>
Subject: Re: Risks of financial systems too complex ,,, (Schaefer, R-25.36)

PGN missed my follow-up correction.  Ouroboros was written in 1926, before
the crash.  A good read though.  The book I meant to cite was:

  Garet Garrett, The Bubble that Broke the World, 1932
  http://www.mises.org/books/bubbleworld.pdf

------------------------------

Date: Wed, 01 Oct 2008 20:13:38 -0400
From: Mark F <mark49607_at_private>
Subject: Re: When is a backup not a backup? (Ward, RISKS-25.36)

> We have had systems fail because the backup system was not able to handle
> the peak load on the main system: in other words, the "backup" turned out to
> be unable to take over when most needed. So it wasn't a "backup" at all.

I've been on commercial flights that weren't permitted to take off because
they had only 2 of 3 navigational devices functioning.

The irony is that only 2 were required, but the airline had decided that it
wanted the extra reliability of having 3, not realizing that the FAA rules
said that ALL of the installed units had to be working.

(This was in about 1965, so the rules may have changed.)

------------------------------

Date: Wed, 1 Oct 2008 10:16:03 EDT
From: Ken Knowlton <KCKnowlton_at_private>
Subject: The folly of retaining default settings (Re: Haynes, RISKS-25.36)

[Re: Jim Haynes RISKS 25.36: Default passwords and gasoline thefts,
and George Santayana's "Those who cannot remember the past..."]

Sixty five years ago Richard Feynman created a minor ruckus by opening
several filing cabinets containing super-secret info at Los Alamos simply by
dialing the standard factory setting of their combination locks.

------------------------------

Date: Wed, 1 Oct 2008 11:52:58
From: [Identity withheld by request]
Subject: Weak password reset procedures

There's always a tradeoff in making password resets easy vs. secure.  I ran
into what (to me) was a new low point today.

At Starwood.com, if you forget your account info, you can type in your
e-mail address.  It then gives you a choice of e-mailing you a temporary
password (the normal approach), or recovering it using your "secret"
question - which I did.  So the answer to my "secret" question is as good as
my password....  but most people's secret question is probably *less* secure
than a password, since it's more likely to be something that can be
recovered from a credit report, or at least brute force guessed.  (I don't
know if there are limits as to how many failures you can have before they
lock you out.)

OK, that's pretty weak.  But then the big surprise - once I logged in
(again, having only provided the answer to my secret question), I changed
passwords - and the profile screen displays all 16 digits of my credit card
number, plus the expiration date.  Not the usual twelve stars and the last
four digits, but the full 16 digits.

The risk?  Making recovery easy for customers (and hence increasing revenue
and reducing help desk costs) can increase the risk to customers, even those
who don't lose their passwords!

------------------------------

Date: Thu, 2 Oct 2008 00:13:40 +0000 (UTC)
From: anw_at_private (Andy Walker)
Subject: New castle rules in chess? (Re: RISKS-25.36)

We've become used to confusions between assorted Sydneys, Gibraltars and
so on.  "Right Move", an organ of the English Chess Federation, reports
on one between Newcastles.  To cut quite a long story short, lady wants
to find a chess club in Newcastle for her son, and quite sensibly googles
for "junior chess Newcastle".  The organiser in Newcastle-under-Lyme, a
modest town, is quite used to this confusion, and passes her on to his
counterpart in Newcastle-upon-Tyne, a large city whose university is
well-known to readers of these articles.  Said organiser finds her some
nearby schools with chess clubs.  Slightly puzzled mother says those
schools are across the city, and aren't there any in nearby suburbs?
Turns out [of course] that she is in Newcastle NSW, Oz -- yet another
of the 33 Newcastles (and more variants) listed by Wiki.

I suppose it shouldn't be a surprise that emigrants to new countries name
not only their towns and cities but also some of their suburbs, streets and
schools after those in their old countries.  The problem is, of course, that
Google and other computerised tools are international in scope, and locals
don't always recognise the need for disambiguation.

[I've just run the same google, and the Lyme one is not only now fifth
(behind two Tynes and two NSWs) but is also clearly a Lyme rather than a
random Newcastle, so either the web pages have changed or else the lady was
somewhat careless.]

[I have a personal interest in this confusion, as my house was once owned by
the Duke of Newcastle, the "most hated man in England" at the time of the
Reform Act riots (when his home, Nottingham Castle, was burned down).  As
Lyme is much too small to have a proper Duke, I always assumed he was a
Tyne.  But I found out fairly recently that the Tynes had died out, the
title had had to be re-created, and they had used the Lyme version as a
figleaf to give a different name but allow the same abbreviation.]

------------------------------

Date: Tue, 30 Sep 2008 20:23:12 -0700 (PDT)
From: Rob McCool <robm_at_private>
Subject: Re: Hacker claims Palin e-mail hacked ... (Miller, R-25.36)

I think Scott Miller raises an interesting question, which is how did the
hacker know to look for her e-mail at Yahoo to begin with.

I agree that it's unlikely that he knew her alternate e-mail address.  I
would think only an insider would know that.

Yahoo IDs can be public, although I can't remember if it's opt-in or
opt-out, at http://members.yahoo.com/

Since the Yahoo ID was deleted after the incident, we don't know if her ID
was listed or not. But that's one way her Yahoo ID could have been found.
For fun, try looking for Arnold Schwarzenegger or Gray Davis in that
directory.  But then again, some of those accounts may have been created by
mischief makers as a result of this incident.

It's also possible that the Yahoo ID recovery process was changed
after this incident and that the mechanism we're looking at isn't
the one that was in place at the time. This may have only been the most
high-profile of cases where the prior mechanism was abused and the Yahoo
security team may have enhanced it since then.

All these possibilities are there, and while I agree that they're slim chances,
I'm not willing to conclude that it's BS yet. But the question remains,
how did this person know that the real Sarah Palin was using Yahoo e-mail?

------------------------------

Date: Wed, 1 Oct 2008 09:10:25 -0400
From: SMiller_at_private
Subject: Re: Hacker claims Palin e-mail hacked ... (McCool, RISKS-25.37)

Rob, Well, regardless of the accuracy of these reports, there's your risk:
Using a "something you know" factor as part of the recovery authentication
that could in fact be "something that you and everyone else in the Internet
universe knows or can trivially discover".  It is indeed possible that
Yahoo! changed recovery methods after (and as a result of) the incident, but
my observation after over a year of using Yahoo! mail is that they seem to
have a _lot_ of trouble replicating any behavior changes across their server
farm, so I am somewhat skeptical that such a revision was successfully
completed within 48 hours of the initial published reports.  I created the
new account to see if there was some option to allow additional recovery
questions (e.g., the "high school" data mining allegation) that was only
available at set-up time - there was not.  I doubt that the reports are
without a germ of truth, but I think that two things are obvious: The
reports as they stand are at best incomplete; The media (unfortunately
including many IT specialty sites and bloggers) embarrassed itself (again
unfortunately, as usual) with its complete inability to do even rudimentary
fact checking.  Although perhaps I need to check my assumption that anyone
working in the media remains capable of embarrassment...

------------------------------

Date: Wed, 01 Oct 2008 15:55:36 +0200
From: Allen Hainer <risks_at_hain-veilchen.de>
Subject: Re: Hacker claims Palin e-mail hacked ... (RISKS-25.36)

Scott Miller raises the question of whether a yahoo account can be reset
without knowing the yahoo ID.  The yahoo ID in question can easily be found
using yahoo advanced search:
  http://members.yahoo.com/interests?.oc=a

Enter the first and last name.  The picture was last updated in 2006, so I
don't think it is a recent spoof.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.37
************************
Received on Thu Oct 02 2008 - 10:35:06 PDT

This archive was generated by hypermail 2.2.0 : Thu Oct 02 2008 - 11:08:35 PDT