RISKS-LIST: Risks-Forum Digest  Thursday 18 December 2008  Volume 25 : Issue 48

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.48.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Computer problem shuts down Toronto Stock Exchange for a day (Mark Brader)
"Smart" vehicles - do they introduce new risks? (Mike Martin)
An old clock arithmetic problem (Kees Huyser)
Another translation adventure (Hal Murray)
Cute piece of malware engineering (Drew Dean)
Thieves Winning Online War, Maybe Even in Your Computer (John Markoff via Monty Solomon)
CheckFree DNS hijacked (Hal Murray)
Software Security Top-10 Surprises (Gary McGraw via PGN)
iPhone thief thwarted by MobileMe sync (Nick Rothwell)
Risks of data retention (Mark Armbrust)
Password complexity? Not with LinkedIn (Leon Kuunders)
Teacher Throws Fit Over Student's Linux CD (Mike Rechtman)
FYI - !b404 (Rob Slade)
"Helpful" authentication (Erling Kristiansen)
The Perfect Law: Re: Dangerous Precedence Set (Martin Ward)
REVIEW: "The Business Privacy Law Handbook", Charles H. Kennedy (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 18 Dec 2008 16:23:48 -0500 (EST)
From: msb_at_private (Mark Brader)
Subject: Computer problem shuts down Toronto Stock Exchange for a day

This is not what it usually means to say "the stock market was down" or "the stock market crashed"!

Yesterday the Toronto Stock Exchange (TSX) and the affiliated TSX Venture Exchange were open for only 18 minutes after early trading revealed a problem with the quotes being sent out.
This was reported as a "network firmware issue" that "resulted in complications with data sequencing"; the backup system also failed. The problem was not rectified until late enough in the afternoon that it had already been decided to close for the day.

See: http://www.cbc.ca/money/story/2008/12/18/tsxresumption.html

Mark Brader, Toronto, msb_at_private | "Fast, cheap, good: choose any two."

------------------------------

Date: Sun, 14 Dec 2008 10:56:48 +1100
From: "mike martin" <mke.martn_at_private>
Subject: "Smart" vehicles - do they introduce new risks?

The Economist reports this week on technology-based measures that vehicle manufacturers are introducing to prevent or ameliorate traffic accidents:

"Many of these safety systems at first give warning of impending danger before taking over. Despite that potential delay they still provide what Rodolfo Schöneburg, Daimler's head of passive safety, has described as an "electronic crumple zone": applying the brakes a bit late rather than not at all will at least reduce the impact of a collision.

"Yet sometimes there is no room for any delay in avoiding an accident, for instance when a vehicle jumps a stop sign at a busy junction. This means safety systems will need to become even more autonomous in order to act faster -- faster, probably, than people can. But because cars will be acting independently of each other, this raises safety concerns of its own.

"Researchers worry, for example, about what might happen if a child ran into a busy road. If one car automatically slammed on its brakes and swerved, it could prompt others to take evasive action. The result of all these automatic, independent decisions could be a pile-up causing more deaths, injuries and damage than there would have been had drivers remained in charge. So some researchers are now looking at ways in which vehicles could co-ordinate their crash-avoidance manoeuvres.
This means that in an emergency cars would have to tell each other at once what they were about to do, says Thomas Batz of the Fraunhofer Institute for Information and Data Processing in Karlsruhe, Germany."

http://www.economist.com/science/displaystory.cfm?story_id=12758720

Collision avoidance (TCAS) technology has been generally beneficial in aircraft, although the 2002 mid-air collision of two planes over Switzerland resulted from conflict between a TCAS instruction and one from an air traffic controller ("July 2002 air collision revisited", RISKS-23.23 <http://catless.ncl.ac.uk/Risks/23.23.html#subj1>). However motor vehicle drivers rarely have the same degree of training in how to handle emergencies as airline pilots.

A study by an Australian university found that while vehicles equipped with ABS (anti-skid) brakes were less likely to be involved in multi-vehicle crashes compared with the same models lacking ABS brakes, they were 35% over-involved in single-car accidents, http://www.racv.com.au/wps/wcm/connect/Internet/Primary/my+car/car+safety/safety+equipment/brakes/ABS/.

Advanced technology protection systems may confuse drivers not used to their action in an emergency or may cause them to become over-confident and take risks that they otherwise would not. Paying hundreds, or perhaps thousands, of dollars extra for technology that allows a driver to feel safer may not result in that driver actually being safer.

I haven't even started to speculate on risk of software defects in these systems.

------------------------------

Date: Tue, 9 Dec 2008 09:39:56 +0100
From: Kees Huyser <kees.huyser_at_private>
Subject: An old clock arithmetic problem

[Re: Risks of assuming constant hours in a day (Sampson, RISKS-25.47)]

About 20 years ago my then-boss discovered a systematic difference in the time accounting software that was running on our mainframe computer.
This accounting software would calculate for what length of time a user had been using a given resource on the computer. The computer was running Unix and, since we had a source license, the boss started digging into the source code. He eventually found the error not in the accounting software, but on a lower level in the operating system where a programmer in the USA had assumed that the whole world did things the way they were done in America.

The error? Seconds = Hertz

  [I presume that programmer would have been "in Dutch" with your then-boss, with some frequency!  PGN]

------------------------------

Date: Thu, 11 Dec 2008 15:33:18 -0800
From: Hal Murray <hmurray_at_private>
Subject: Another translation adventure

One of Europe's most prestigious scientific journals, the *Max Planck Forschung* (Research) journal had a special issue on China. The cover art in the German language edition was supposed to be an example of Chinese calligraphy, a poem, but actually was an ad for a Hong Kong strip joint. (It had been allegedly vetted by a respected Sinologist.) In the online and subsequent English print versions, the cover art was replaced with calligraphy written by a 16th-century Jesuit titled Illustrated Explanations of Strange Devices, as shown in the website, which also provides some translations of the original. [PGN-ed]

http://www.smh.com.au/news/home/technology/eminent-scientific-journal-gets-hit-for-sex/2008/12/11/1228584998876.html

------------------------------

Date: Tue, 9 Dec 2008 11:21:25 -0800
From: Drew Dean <ddean_at_private>
Subject: Cute piece of malware engineering

Recently, I've been receiving a number of obvious spams with a ZIP file attached, the zip file name being <my email address>.zip. Today, for amusement, I saved the download to take a look at it: there was one file in the ZIP archive, named with my email address: ddean_at_private . The Unix file(1) program told me everything I needed to know: it's a Windows executable.
Now, the .COM extension denotes an ancient MS-DOS executable file format, which, IIRC, is restricted to 64KB of code and data, etc. (The file in question is 28KB or so, UPX compressed [whatever that is].) But that's a beautiful attempt at social engineering: most people probably don't remember .com being an executable file format, and what harm could a file named with your email address do? Not having Windows handy, I couldn't easily find out, nor would I want to in any case....

------------------------------

Date: Tue, 9 Dec 2008 23:15:51 -0500
From: Monty Solomon <monty_at_private>
Subject: Thieves Winning Online War, Maybe Even in Your Computer (Markoff)

John Markoff, *The New York Times*, 6 Dec 2008

Internet security is broken, and nobody seems to know quite how to fix it.

Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.

As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.

With vast resources from stolen credit card and other financial information, the cyberattackers are handily winning a technology arms race.
"Right now the bad guys are improving more quickly than the good guys," said Patrick Lincoln, director of the computer science laboratory at SRI International, a science and technology research group.

A well-financed computer underground has built an advantage by working in countries that have global Internet connections but authorities with little appetite for prosecuting offenders who are bringing in significant amounts of foreign currency.

That was driven home in late October when RSA FraudAction Research Lab, a security consulting group based in Bedford, Mass., discovered a cache of half a million credit card numbers and bank account log-ins that had been stolen by a network of so-called zombie computers remotely controlled by an online gang. ...

http://www.nytimes.com/2008/12/06/technology/internet/06security.html

------------------------------

Date: Mon, 08 Dec 2008 20:07:15 -0800
From: Hal Murray <hmurray_at_private>
Subject: CheckFree DNS hijacked

Hackers Hijacked Large E-Bill Payment Site
http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html

The attack, first reported by *The Register* began in the early morning hours of 2 Dec 2008, when CheckFree's home page and the customer login page were redirected to a server in the Ukraine. CheckFree spokeswoman Melanie Tolley said users who visited the sites during the attack would have been redirected to a blank page that tried to install malware.

Digging Deeper Into the CheckFree Attack
http://voices.washingtonpost.com/securityfix/2008/12/digging_deeper_into_the_checkf.html?nav=rss_blog

The hijacking of the nation's largest e-bill payment system this week offers a glimpse of an attack that experts say is likely to become more common in 2009.
A spokeswoman for Network Solutions, the Herndon, Va., domain registrar that CheckFree used to register its Web site name, told Security Fix Wednesday that someone had used the correct credentials needed to access and make changes to CheckFree's Web site records. CheckFree controls between 70 to 80 percent of the U.S. online bill pay market.

Still, the phishing angle suggests that the attackers managed to phish not only an employee at CheckFree, but an employee who happened to know the credentials needed to administer the company's site records.

- - - - - -

I can think of a couple of ideas that would help avoid disasters like this.

Spreading the word about this particular event is probably the most important. People need to understand why they are doing all the extra silly work.

I think the registration update procedure for major domains should require more than a simple web login. One approach would be a phone call by the registrar to a number set up out of band. The cost would be minor since the data doesn't change very often.

Of course, people with valuable passwords should take good care of them. Using it on a Windows machine is obviously a high risk. So is using a system you aren't familiar with. If I was paranoid enough, I'd probably store the password on paper and never store it on a disk. To do something that needs that password I'd boot a system that runs from a CD. If I had to use Windows, I'd use a system that had been freshly installed and was behind a good firewall. A good web proxy and lots of logging might help.

How many other important passwords does a company like CheckFree have?

------------------------------

Date: Thu, 18 Dec 2008 14:04:03 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Software Security Top-10 Surprises

Gary McGraw <gem_at_private> thought RISKS readers might get a kick out of an article just published by Gary, Brian Chess, and Sammy Migues:
  http://www.informit.com/articles/article.aspx?p=1315431

------------------------------

Date: Thu, 18 Dec 2008 16:14:55 +0000
From: Nick Rothwell <nick_at_private>
Subject: iPhone thief thwarted by MobileMe sync

"While at the dry cleaner one day, Rob's iPhone was stolen. He immediately chalked it up as gone forever, and proceeded to purchase a brand new one that same evening. It was the next day when unfamiliar contacts began to appear on the new phone. The (not-too-bright) thief was unwittingly supplying him with names and phone numbers of his or her closest friends, via the magic of MobileMe synchronization from the stolen phone to the cloud and eventually to his new phone."

http://www.tuaw.com/2008/12/17/iphone-thief-thwarted-by-mobileme-sync/

Nick Rothwell / Cassiel.com Limited  www.cassiel.com

------------------------------

Date: Thu, 18 Dec 2008 14:17:58 -0700
From: Mark Armbrust <mark.armbrust_at_private>
Subject: Risks of data retention

I received a phone call yesterday morning from Fed Ex Freight confirming that I had equipment available to unload the 28 foot beam that they were delivering today. My name, my cell phone number, my home address.

Well, I'm happy they called to make sure I can get my load off the flatbed truck that's delivering it, but there's a small problem -- this is not my order. I've never heard of the shipper, some redwood products company in California. I haven't heard anything more from Fed Ex so I assume they figured out where this beam was supposed to go.

I had some furniture shipped by Fed Ex Freight earlier this year. A one time shipment that was arranged by the furniture vendor with shipping fees paid through the vendor.
I'm assuming that an account was created for the destination address for my shipment, and that account still exists and somebody at Fed Ex mistyped the account number for the actual destination and got my (should have been temporary) account number and the beam made an erroneous 1200 mile trip to Colorado.

Two things are fairly obvious:

o One-time accounts should be very hard, if not impossible, to reuse. They should also have short purge times.

o Account numbers should have check codes to preclude typical entry errors like transpositions and off by ones.

I wonder where that beam was supposed to go! I wonder if I'll get a bill for the shipping!

------------------------------

Date: Fri, 12 Dec 2008 10:30:59 +0100
From: Leon Kuunders <leon_at_private>
Subject: Password complexity? Not with LinkedIn

The social network website LinkedIn is very well known. It is the place where professionals meet and extend their networks. Just as other social network sites the LinkedIn network offers third parties the ability to add applications to their framework. There are APIs for Amazon, Huddle, Google and also one for Slideshare.net. This last website offers you the possibility to publish your presentations online.

When you add the Slideshare API to your LinkedIn profile you are able to connect your Slideshare account to your LinkedIn profile. The way it works: you enter your user-id and password of Slideshare into a box, and presto! your Slideshare profile is Linked.

I tried it several times but failed. Somehow the system kept telling me that my user-id and/or password did not match the ones used at Slideshare. First I wondered: is it my username ("leon") which has too few characters? But then it occurred to me: it was the "complexity" of my password that caused the problems. My password (generated with a password generator) was "az<VK/gq#". Notice the "<" sign?

The risks: a chain is as strong as the weakest link (..edIn).
leon@private  http://xri.net/@trusted-id/leon  skype://leonkuunders

------------------------------

Date: Sat, 13 Dec 2008 15:58:31 +0200
From: Mike Rechtman <mike_at_private>
Subject: Teacher Throws Fit Over Student's Linux CD

http://austinist.com/2008/12/10/aisd_teacher_throws_fit_over_studen.php

Free? - That's illegal!

A teacher has thrown a student into detention and threatened to call the police for using Linux in her classroom. The teacher spotted one of her students giving a demonstration of the HeliOS distro to other students. In a somewhat over-the-top reaction, she confiscated the CDs, put the student on detention and whipped off a letter to the HeliOS Project threatening to report it to the police for distributing illegal software.

Home: http://alpha.mike-r.com/  QOTD: http://alpha.mike-r.com/php/qotd.php

------------------------------

Date: Wed, 10 Dec 2008 17:37:33 -0800
From: Rob Slade <rMslade_at_private>
Subject: FYI - !b404

An interesting study. As one who has published an infosec dictionary, I've seen, first hand, how fast our technical jargon has changed (and often degraded). The effect of the technology, and the pervasive nature of the changes, is intriguing.

Highlights:
- new communications technology, particularly text messaging abbreviations (textese), creating new terms entering the language
- errors by the technology ("predictive" numeric keypad text interpretation of "book" instead of "cool") creating new slang (book now means cool or good) *
- terms from local technologies (the Oyster card error codes) are entering the language more broadly
- textese messages take longer to read, and generate more errors

http://news.bbc.co.uk/2/hi/technology/7775013.stm
ftp://ftp.royalmail.com/Downloads/public/ctf/po/TechChat-Draft2.pdf
(Unfortunately, a link to the Australian study seems to be missing.)

Relevance to security? Well, I don't agree with the final statement in the BBC story.
Any change to the language that increases the error level in communications has got to be dangerous.

* I've heard my grandkids say this, and wondered where it came from. The technical reasons for this are fascinating in themselves. Predictive typing technology is based on the numeric keypad equivalent of words, and is based on the frequency of word usage in English. "Book" and "cool" are equivalent (2665) on a numeric keypad. In general English, book is going to be the more widely used word, and so the algorithm chooses book first when you type 2665. However, textese is used by teens much more widely than by the rest of the population, and I am morally certain that teen textese uses cool much more frequently than it uses book.

I am also interested in competition in terms of the acronyms. LAMP has been widely used in technical (and particularly online) circles to refer to the use of Linux, Apache, MySQL, and PHP/Python/Perl for the creation of Websites. It is interesting to note a completely different use of LAMP in the financial arena. (We already have a similar confusion of SOA depending upon whether the speaker is from the BS 7799/ISO 27K community [statement of applicability, aka scope] or the ITIL tribe [service oriented architecture].)

rslade_at_private  rslade_at_private  victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

------------------------------

Date: Fri, 12 Dec 2008 17:06:08 +0100
From: Erling Kristiansen <erling.kristiansen_at_private>
Subject: "Helpful" authentication

I phoned my credit card company. After giving my name and address, the following conversation took place:

Credit card guy: Please give me your date of birth for authentication.
Me: <my date of birth>
Credit card guy, sounding genuinely surprised: Strange, I have a completely different date. I have <another date>.
Me: That's my wife's date of birth.
(which is true, but he couldn't really know that, my wife hasn't got a card with that company; I could have said that to whatever date he had given me).

This seemed to satisfy him, and we proceeded with the business I called about.

------------------------------

Date: Tue, 9 Dec 2008 11:34:02 +0000
From: Martin Ward <martin_at_private>
Subject: The Perfect Law: Re: Dangerous Precedence Set
  (Re: Federal Criminal Charges for Violation of Commercial Online ToS?)

From the government's point of view, the "Perfect Law" is one which everyone has broken. With this law, anyone the government does not like (for whatever reason) can be arrested and imprisoned.

From the citizen's point of view, such a law means the end of the rule of law. You are now living in a tyranny: any criticism of the government could land you in jail with no recourse.

"But," you protest, "I haven't violated the Terms of Service of any web site!"

What about that government-run web site which just about everyone in the country is required to sign up for? On page 16 of the voluminous Terms of Service is a poorly-worded note to the effect that anyone who criticises any action of the government is in violation of the Terms of Service of this web site.

martin@private  http://www.cse.dmu.ac.uk/~mward/

------------------------------

Date: Thu, 18 Dec 2008 12:18:25 -0800
From: Rob Slade <rMslade_at_private>
Subject: REVIEW: "The Business Privacy Law Handbook", Charles H. Kennedy

BKBUPRLH.RVW   20081123

"The Business Privacy Law Handbook", Charles H. Kennedy, 2008, 978-1-59693-176-3, U$109.00
%A   Charles H. Kennedy ckennedy_at_private
%C   685 Canton St., Norwood, MA 02062
%D   2008
%G   978-1-59693-176-3 1-59693-176-0
%I   Artech House/Horizon
%O   U$109.00 617-769-9750 800-225-9977 artech_at_artech-house.com
%O   http://www.amazon.com/exec/obidos/ASIN/1596931760/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1596931760/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596931760/robsladesin03-20
%O   Audience a- Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   312 p.
%T   "The Business Privacy Law Handbook"

The preface states that this is a survey of business privacy law in the United States, and the changes that field is undergoing, intended for business managers and those advising them. The introduction is rather interesting: on the one hand, it lays out a five-step process to guide the task of ensuring compliance with privacy regulations, and on the other, it points out how complex this undertaking is, in the labyrinthine legal environment of the US.

Part one addresses issues of information relating to consumers and customers. Chapter one deals with information collected on the Internet and through Websites. As the US has no general national standards in this regard, most of the discussion deals with the design of corporate privacy policies for Websites. There is also an examination of the Children's Online Privacy Protection Act (COPPA). Various US and state laws with implications for general information security and protection are noted in chapter two, which also has a brief section on information risk identification. Legislation relating to companies in the financial industry is reviewed in chapter three. Chapter four notes the provisions of the Electronic Communications Privacy Act, the Stored Communications Act, and special provisions for communications carriers. The implications of HIPAA (the Health Insurance Portability and Accountability Act) for the health industry are outlined in chapter five, which also notes some related state laws.
Although ostensibly about the European Union privacy directives, the rather terse material in chapter six is more about the Safe Harbor framework of the US Department of Commerce.

Part two looks at job applicants and employees. Chapter seven is a brief review of the hiring process, and it is interesting to note that the common opposition (by employers) to providing detailed references has little objective basis. The examination of internal investigations, as discussed in chapter eight, is limited, and repeats content from chapter seven. Chapter nine's deliberation on surveillance is primarily concerned with tapping of phone and email conversations.

Part three turns to communications with customers and consumers, with three successive chapters on marketing types of intercourse; telemarketing (in chapter ten), fax advertising (eleven), and spam (twelve). Chapter thirteen, on the monitoring of customer communications, is a mere three paragraphs in total length, and is a reiteration of some of the content of chapter nine.

Appendices list state privacy and data security laws.

It is unfortunate that the title does not make clear the US-centric nature of the material, but it is reasonable for a legal text to concentrate on one jurisdiction. Despite occasional shortcomings in specific areas, this text does provide a detailed, up-to-date and quite comprehensive overview of the convoluted mess of American privacy law.

copyright Robert M. Slade, 2008   BKBUPRLH.RVW   20081123

rslade_at_private  slade_at_private  rslade_at_private  victoria.tc.ca/techrev/rms.htm
blogs.securiteam.com/index.php/archives/author/p1/

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
The mailman Web interface can be used directly to subscribe and unsubscribe:
  http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
  <http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
  or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
  http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones:
  http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
  <http://www.csl.sri.com/illustrative.html> for browsing,
  <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
  <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.48
************************

Received on Thu Dec 18 2008 - 17:59:07 PST