RISKS-LIST: Risks-Forum Digest  Friday 26 March 2010  Volume 25 : Issue 97

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.97.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Unmanned goods train crash in Norway (Martyn Thomas)
NRC to VA: you endangered patients, you owe us $227k (Danny Burstein)
FBI Faces New Setback in Computer Overhaul (Eric Lichtblau via David Lesher)
IRS systems can't be trusted (Randall Webmail)
Risks to the power grid (Gary McGraw)
Pwn2Own 2010: iPhone hacked, SMS database hijacked (Ryan Naraine via Monty Solomon)
Warnings about Wifi-enabled air travel (David Strom via Gabe Gold)
Cops inadvertently harass couple: real address used as test data (Mark Brader)
Police raid wrong address 50+ times (David Lesher)
UK SAS base "exposed" through Google Streetview (Peter Baker)
Netflix Data Deanonymized (Bob Gezelter)
Hacked "miss a payment, brick your car" system (Jeremy Epstein)
Colombian vote count delayed (PGN)
Surveillance via bogus SSL certificates (Matt Blaze)
More on School Webcam Scandal (Gene Wirchenko)
Couldn't logout from Facebook Mobile (jidanni)
Re: Old models of PS3 failed to connect to network (DoN Nichols)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 24 Mar 2010 15:15:27 +0000
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: Unmanned goods train crash in Norway

Several railway cars in a 16-car train broke loose, sped at 100km/h,
derailed, smashed into a building, killed three people, injured three
others, and wound up in a fjord.
http://news.bbc.co.uk/1/hi/world/europe/8585315.stm

------------------------------

Date: Thu, 18 Mar 2010 11:55:34 -0400 (EDT)
From: danny burstein <dannyb_at_private>
Subject: NRC to VA: you endangered patients, you owe us $227k

The Nuclear Regulatory Commission has proposed a $227,500 fine against the
Department of Veterans Affairs (DVA) for violations of NRC regulations
associated with an unprecedented number of medical errors identified at the
Veterans Affairs Medical Center in Philadelphia (VA Philadelphia). Medical
errors at VA Philadelphia involved the incorrect placement of iodine-125
seeds to treat prostate cancer. Out of 116 procedures performed between
2002 and 2008, 97 were executed incorrectly. ...

[NRC press release]
http://www.nrc.gov/reading-rm/doc-collections/news/2010/10-005.iii.html

[I'm not entirely comfortable with their use of the term "executed" in this
context...]

------------------------------

Date: Fri, 19 Mar 2010 09:20:50 -0400
From: David Lesher <wb8foz_at_private>
Subject: FBI Faces New Setback in Computer Overhaul (Eric Lichtblau)

[Source: Eric Lichtblau, *The New York Times*, 18 Mar 2010]
http://www.nytimes.com/2010/03/19/us/19fbi.html?hp=&pagewanted=print

The Federal Bureau of Investigation has suspended work on parts of its huge
computer overhaul, dealing the agency the latest costly setback in a
decade-long effort to develop a modernized information system to combat
crime and terrorism. The overhaul was supposed to be completed this fall,
but now will not be done until next year at the earliest. The delay could
mean at least $30 million in cost overruns on a project considered vital to
national security, Congressional officials said.

FBI officials said that design changes and "minor" technical problems
prompted the suspension of parts of the third and fourth phases of the
work, which is intended to allow agents to better navigate investigative
files, search databases and communicate with one another.
The decision to suspend work on the $305 million program is particularly
striking because the current contractor, Lockheed Martin, was announced to
great fanfare in 2006 after the collapse of an earlier incarnation of the
project with the Science Applications International Corporation.

So after both classified and unclassified reviews, Congressional scrutiny,
and "we'll do better next time" promises...

Esther Dyson: ``Always make new mistakes.''

------------------------------

Date: March 23, 2010 5:41:53 PM EDT
From: Randall Webmail <rvh40_at_private>
Subject: IRS systems can't be trusted

According to a new Government Accountability Office report, the Internal
Revenue Service has failed to fix almost 70 percent of control weaknesses
and program deficiencies identified a year ago. The report concludes that
the IRS's failure to use strong passwords, install patches quickly, and
adequately control access to computer systems and information makes the
system vulnerable to insider threats and attacks from outside.

http://news.cnet.com/8301-27080_3-20000987-245.html?part=rss&subj=news&tag=2547-1_3-0-20
http://tinyurl.com/yapnjb2

------------------------------

Date: Fri, 26 Mar 2010 08:18:56 -0400
From: Gary McGraw <gem_at_private>
Subject: Risks to the power grid

We have known for years that the power grid system is a fragile engineering
kludge. Adopting Internet technology to bring it kicking and screaming into
this Millennium may not help.
Some of the RISKS described in a keynote talk I gave for the NRECA (video):
http://www.cigital.com/justiceleague/2010/03/22/smart-grid-equals-dumb-security/

My colleague Sammy's talk:
http://www.cigital.com/justiceleague/2010/03/24/at-the-nreca-conference/

An informIT article I just wrote about the subject:
The Smart (Electric) Grid and Dumb Cybersecurity
http://www.informit.com/articles/article.aspx?p=1577441

http://www.cigital.com/~gem

------------------------------

Date: Thu, 25 Mar 2010 23:25:39 -0400
From: Monty Solomon <monty_at_private>
Subject: Pwn2Own 2010: iPhone hacked, SMS database hijacked (Ryan Naraine)

A pair of European researchers used the spotlight of the CanSecWest Pwn2Own
hacking contest [in about two weeks] to break into a fully patched iPhone
and hijack the entire SMS database, including text messages that had
already been deleted.

Using an exploit against a previously unknown vulnerability, the duo --
Vincenzo Iozzo (Zynamics) and Ralf Philipp Weinmann (University of
Luxembourg) -- lured the target iPhone to a rigged Web site and exfiltrated
the SMS database in about 20 seconds. The exploit crashed the iPhone's
browser session, but Weinmann said that, with some additional effort, he
could have a successful attack with the browser running.

"Basically, every page that the user visits on our [rigged] site will grab
the SMS database and upload it to a server we control," Weinmann explained.

Iozzo, who had flight problems, was not on hand to enjoy the glory of being
the first to hijack an iPhone at the Pwn2Own challenge.
[Source: Ryan Naraine, zdnet, datelined Vancouver BC, 24 Mar 2010; PGN-ed]
http://blogs.zdnet.com/security/?p=5836

------------------------------

Date: Mon, 15 Mar 2010 12:40:07 -0400
From: gabe_at_private
Subject: Warnings about Wifi-enabled air travel

-------- Original Message --------
Date: Mon, 15 Mar 2010 08:06:49 -0500
From: David Strom <david_at_private>
To: webinformant_at_private

Web Informant 15 March 2010: Warnings about Wifi-enabled air travel

I have been on a few planes in the past couple of weeks that are
Wifi-enabled. American has created an entirely new opportunity for identity
thieves here, and while the opportunity to surf and e-mail at 30,000 feet
is tempting, count me out for those that will become frequent users.

The problem is that most people get lost in the wonderfulness of the Web
and tend to forget that their seatmates can watch every move, see every
keystroke (it doesn't take much to follow along, especially at the speed
that many people type), and collect all sorts of information.

By the end of one flight I was on, I had Larry (not his real name) the HP
sales rep's Amazon account, read several of his e-mails, got to see his new
sales presentations that HP corporate sales office had sent him, figured
out that he was a recent hire as he was checking HP's Intranet to
understand some corporate travel policies, found out who his clients that
he had just visited were, and more.

Now, I wasn't really paying that much attention. I was tired, and just
wanted to be left by myself for the trip. And I think we exchanged maybe
ten words between us all told. But if I really wanted to do some damage, I
could be all over Larry's accounts by now (he had some nice taste from what
I could see he was looking for on Amazon, too).

Yes, people have been using laptops on planes for years. I used to do it
all the time, back when the middle seat was rarely occupied and you didn't
have to almost disrobe to get to the gate.
But those days are almost as much part of history as calling the people
that worked on planes stews. The difference is now that we have Internet
piped directly to the seat, people are free to go anywhere and everywhere,
and where they go are places that are critical to their life. I wouldn't be
surprised if someone was doing their online banking in-flight.

So people (and HP, you might want to consider this a corporate-wide
purchase) if you are going online up in the air, get a privacy filter for
your laptop so that no one else can see your screen. They cost about $30.
This isn't complex technology: it has been available almost as long as
Windows has been around. And while you are at it, dim your screens to save
on power anyway (Larry had one of those nifty power-packs to boost his
battery, too). Or better yet: don't work on anything important on a crowded
plane -- and these days, what other kinds of planes are there? Bring a book
or watch a movie if you must be immersed in your electronic cocoon.

I am reminded of a story from my early days as a reporter for PC Week, back
in the late 1980s. We were very scoop-oriented, and would always try to get
information from the vendors through all sorts of means, some of them
probably unethical or at least uncomfortable in the light of the present
day. One of our reporters was having dinner with her boyfriend (now
husband) at a quaint and cozy Cambridge Mass. restaurant, and overheard two
businessmen at the next table gossiping about work. What was unusual was
they were speaking rapid German, and both were working for Lotus
Development, at the time a powerhouse spreadsheet player. They were in town
to discuss the company's future product plans. Trouble was, my colleague
spoke German fluently, and got a couple of scoops that were published the
next week in the paper. No one knew who the source of the leak was.

Remember loose lips sink ships, the World War 2 posters put up by the
government?
We need something similar on Wifi-enabled planes. Be careful out there
people. You never know whom you are sitting next to.

------------------------------

Date: Sun, 21 Mar 2010 01:42:00 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Cops inadvertently harass couple: real address used as test data

http://www.theregister.co.uk/2010/03/19/police_raid_glitch/

Note especially the last paragraph in this one.

In 2002 the New York Police Department was testing a new computer system
and put in "random material" as test data. This included the real address
of Walter and Rose Martin -- which inadvertently ended up in the system as
live data. The result was that the Martins' address appeared in police
computers as the address of a variety of crime suspects and victims; so
police were repeatedly banging on the door demanding the suspects appear,
as well as sending them mail.

In 2007 the Martins finally complained to the police commissioner, but the
problems remained unresolved. By now the Martins are 82 and 83 years old,
police have come to their house 50 times, and the story has reached the
news media. Both the mayor, Michael Bloomberg, and the police commissioner,
Ray Kelly, have apologized to the couple, and the problem is now supposed
to have been fixed.
http://news.bbc.co.uk/2/hi/americas/8577579.stm
http://www.nydailynews.com/news/2010/03/18/2010-03-18_six_examples_of_cops_mistakenly_visiting_elderly_brooklyn_couples_home.html
http://www.nydailynews.com/news/ny_crime/2010/03/19/2010-03-19_bloomberg_apologizes_to_couple_mistakenly_raided_by_nypd_over_50_times.html
http://www.washingtonpost.com/wp-dyn/content/article/2010/03/19/AR2010031900906.html

------------------------------

Date: Fri, 19 Mar 2010 08:58:49 -0400 (EDT)
From: "David Lesher" <wb8foz_at_private>
Subject: Police raid wrong address 50+ times

[Also noted here:]
http://www.nypost.com/p/news/local/brooklyn/computer_glitch_blamed_home_years_mHUCrXCM8vhEyVGJolFIPK

Maybe they need a special doorbell "For police raids..."

Once again, the lack of sanity checks at multiple levels rears its head.

a) Did each raid have a valid warrant? If so, who obtained the warrants?
   Who signed the affidavits? What judge approved them? [Is this process
   just rubber-stamps?]

b) After fifty raids, the NYPD has not yet figured out it is worth a
   moment's thought before kicking their way in?

  [Harald Hanche-Olsen added: New York's police chief has delivered a
  cheesecake to an elderly couple in Brooklyn, to apologise for dozens of
  mistaken police visits to their home. PGN]
  http://news.bbc.co.uk/2/hi/americas/8577579.stm

------------------------------

Date: Sat, 20 Mar 2010 14:18:33 +0100
From: Peter Baker <peter.baker_at_safe-mail.net>
Subject: UK SAS base "exposed" through Google Streetview

A UK newspaper reports "fury" as Google Streetview was found to display
detailed pictures of the SAS headquarters
<http://www.dailymail.co.uk/news/article-1259162/Google-Street-View-shows-secret-SAS-base-major-security-breach.html>.

I would personally wonder about perimeter security if a vehicle that is
very obviously taking pictures can drive past without a discussion with
either the driver in question or the organisation behind it.
However, it made me curious if that other "off the map" place was featured,
and yes, ECHELON is available in Streetview too <http://bit.ly/GoogleEchelon>
(well, for the moment).

The RISK is obvious: if you don't want your perimeter in the news, patrol
it. If you want to remove such pictures, have a *quiet* word or expect the
Streisand effect to strike with a vengeance. It wasn't Google Streetview
exposing the base, it was the resulting publicity. Duh.

------------------------------

Date: Sun, 14 Mar 2010 11:30:50 -0500
From: Bob Gezelter <gezelter_at_private>
Subject: Netflix Data Deanonymized

The movies you rent may tell a lot about you, perhaps more than you may
want. This collation hazard, collating anonymized data with other data to
de-anonymize the data, has serious implications. This hazard was noted in
RISKS many years ago, with regards to pharmacy data (which was not
protected) and medical files (which were protected) [to Editor: I do not
have the reference at hand, it may be pre-online RISKS, perhaps you recall
when?]

In The New York Times Bits blog, Steve Lohr published an article noting the
latest round of the Netflix competition has been canceled. [see
http://bits.blogs.nytimes.com/2010/03/12/netflix-cancels-contest-plans-and-settles-suit/]
Apparently, researchers at the University of Texas were able to unmask the
data. [see http://arxiv.org/PS_cache/cs/pdf/0610/0610105v2.pdf].

This is only the latest in a series of episodes involving "collation", a
hazard that was included in "Security on the Internet" (Chapter 23,
Computer Security Handbook (1995), section 23.4, pp 23-6) and its 2002
sequel (outline available at
http://www.computersecurityhandbook.com/csh4/chapter22.html). The mass
adoption of micro-blogging and applications that reveal one's physical
location only make this hazard more severe.

I daresay this will not be the last we see of anonymized data becoming
uncloaked through collation.
- Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Wed, 17 Mar 2010 19:16:24 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: Hacked "miss a payment, brick your car" system

A vendor offers a black box system that will remotely disable a car's
ignition or start the horn honking, to allow easy recovery if the owner
doesn't make the car payments. A laid-off auto dealership worker took
advantage of the system and got his revenge for being laid off by logging
into the system using a (former) co-worker's credentials, and going through
one-by-one and disabling all of the cars sold by his former employer
equipped with the device. The vendor of the remote control device says this
is the first time it's ever happened. (I'd guess it's not the last!)

The Risk? Any time you have a remote control device, you've opened a new
attack surface. While this attack was essentially an insider (since the
person knew a co-worker's password), what are the odds that someone can
guess passwords, or find them posted on monitors in the car dealership, or
find a vulnerability in the web application, or .... There are also
potential attacks going directly against the devices, completely bypassing
the web-based control system. I'd bet that the dealerships were assured
the system is completely secure, because it uses SSL.

http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/

  [Also noted by Steven J Klein, and Steve Summit, who commented:
    The Risks? The usual: An unsuspected, perhaps too-powerful system,
    which although it had some safeguards, perhaps didn't have enough...
  David Lesher noted a UPI item, and remarked:
    Gee, shades of the Greek Wiretapping Saga, and multiple other cases.
    When you build Big Brother in, you can expect misuse.
  PGN]

------------------------------

Date: Wed, 17 Mar 2010 18:02:02 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Colombian vote count delayed

Unidentified attackers reportedly struck the computerized system used to
transmit voting data in Colombia's legislative elections, disrupting the
vote count just as the polls closed and continuing. Three days after the
polls, final results still had not been released. (AFP, 17 Mar 2010)
http://www.google.com/hostednews/afp/article/ALeqM5iqkjRi-yQWVJ6Dp3CcsKr8k9AQEw

------------------------------

Date: March 24, 2010 3:09:19 PM EDT
From: Matt Blaze <mab_at_private>
Subject: Surveillance via bogus SSL certificates

[From Dave Farber's IP list]

Over a decade ago, I observed that commercial certificate authorities
protect you from anyone from whom they are unwilling to take money. That
turns out to be wrong; they don't even do that.

Chris Soghoian and Sid Stamm published a paper today that describes a
simple "appliance"-type box, marketed to law enforcement and intelligence
agencies in the US and elsewhere, that uses bogus certificates issued by
*any* cooperative certificate authority to act as a "man-in-the-middle" for
encrypted web traffic. Their paper is available at
http://files.cloudprivacy.net/ssl-mitm.pdf

What I found most interesting (and surprising) is that this sort of
surveillance is widespread enough to support fairly mature, turnkey
commercial products. It carries some significant disadvantages for law
enforcement -- most particularly it can potentially be detected.
I briefly discuss the implications of this kind of surveillance at
http://www.crypto.com/blog/spycerts/

Also, Wired has a story here:
http://www.wired.com/threatlevel/2010/03/packet-forensics/

[IP Archives: https://www.listbox.com/member/archive/247/=now]

------------------------------

Date: Mon, 22 Mar 2010 13:44:51 -0700
From: Gene Wirchenko <genew_at_private>
Subject: More on School Webcam Scandal

http://www.infoworld.com/d/adventures-in-it/high-school-web-cam-follies-part-ii-dumb-and-dumber-371?source=IFWNLE_nlt_notes_2010-03-22

InfoWorld Home / Adventures in IT / Notes from the Field / Robert X. Cringely
March 22, 2010

High school Webcam follies, part II: Dumb and dumber
The Lower Merion School District's 'Webcamgate' scandal continues. Cringely
updates us on the latest twists and turns

Though it's not getting quite the 24/7 cable news treatment as it garnered
when it first hit the wires, the Webcam scandal in Southeastern
Pennsylvania (aka "Webcamgate") is still twisting and turning in
unpredictable ways. We still don't know exactly what happened, but we do
know there are lessons here for everyone concerned about IT security and
personal privacy.

------------------------------

Date: Mon, 22 Mar 2010 05:48:56 +0800
From: jidanni_at_private
Subject: Couldn't logout from Facebook Mobile

There I was at a certain university library which had blocked access to
facebook.com. However I found I could still get through to Facebook Mobile:
m.facebook.com. All was hunky-dory until I tried to logout, a link which,
surprise, surprise, depends on accessing the main facebook.com site! So I
was forced to rid the cookies and close the browser.

------------------------------

Date: Fri, 19 Mar 2010 21:12:00 -0500
From: "DoN. Nichols" <dnichols_at_d-and-d.com>
Subject: Old models of PS3 failed to connect to network due to leap-year
  miscalculation (Ishikawa, RISKS-25.96)

I think that the problem was more a miscalculation of the year, as
apparently occurred in some cell-phones and was reported here at the
beginning of the year.

I encountered it in my watch -- a Citizen "Eco" solar-powered watch which
updates itself nightly from whatever time station is most reachable. (For
the USA, it is WWVB.) There is one station in Europe, and two in Japan
which it also knows about.

Anyway -- I first became aware of the problem after the rollover from
February 2010 to March 2010. It started displaying the day of the month one
lower than it should have been. On going into the setting mode to correct
this, I discovered that it thought that the year was 2016. Apparently, this
had been since the beginning of 2010, but since the year is only displayed
in setting mode, it was not obvious until the rollover. Since 2010 is not a
leap year, but 2016 *is*, it started calculating the day of the month
incorrectly -- presumably from an internal count of days since the start of
the year.

I fixed the date, and it recurred after the nighttime contact with WWVB --
every night, so I just turned off the automatic updates while tracing down
the proper way to get it fixed.

The problem seems to be in the conversion of the BCD coded information from
WWVB to the binary data within the watch. What it was doing was converting
the bottom four bits to a decimal digit and setting that, then taking the
next four bits and adding it shifted up by four bits -- thus adding a value
of 16 to the total, instead of multiplying the next to LSD by ten and
adding it to the binary value.

Since the upper two digits of the year are correct, I presume that it is
simply using the two lowest digits and adding to 2000 internally. So -- I
wonder what happens when we reach 2100?
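The decoding fault described above can be reproduced in a few lines. The Python below is an added illustration for this digest, not code from DoN's post, from Citizen, or from any WWVB receiver: the BCD digits are constructed sample values for 2 March 2010, and treating only the year field as mis-decoded (while the day-of-year count is taken as correct, since the post reports only the year being wrong) is an assumption made for the example. It shows the "10" -> 16 misread, the resulting one-day-low display once 2016's leap day is counted, and the 2100 question at the end of the post.

```python
from datetime import date, timedelta

# Constructed sample input: the BCD digits a WWVB frame carries for
# 2 March 2010 (two-digit year "10", day-of-year "061"). Illustrative
# values for this example, not a captured broadcast.
YEAR_DIGITS = (1, 0)            # tens, units  -> "10"
DAY_OF_YEAR_DIGITS = (0, 6, 1)  # hundreds, tens, units -> "061"


def bcd_to_int(digits):
    """Correct decode: each BCD digit is worth ten times the digit after it."""
    value = 0
    for d in digits:
        value = value * 10 + d
    return value


def bcd_to_int_buggy(digits):
    """The fault the post describes: the next digit is shifted up four bits
    and added, so a tens digit contributes 16 instead of 10.  The BCD pair
    "10" therefore decodes as 0x10 == 16, and 2000 + 16 gives 2016."""
    value = 0
    for d in digits:
        value = (value << 4) | d
    return value


def is_leap(year):
    """Gregorian leap-year rule (century years must be divisible by 400)."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def watch_date(year_decoder):
    """What the watch shows: year = 2000 + decoded two-digit year (the post
    infers the firmware adds 2000), then the received day-of-year turned into
    a calendar date under that year's leap rule.  Assumption for the example:
    the day-of-year path is decoded correctly; only the year field is wrong.
    Returns (year, ISO date) so the effect on the displayed day is visible."""
    year = 2000 + year_decoder(YEAR_DIGITS)
    day_of_year = bcd_to_int(DAY_OF_YEAR_DIGITS)
    shown = date(year, 1, 1) + timedelta(days=day_of_year - 1)
    return year, shown.isoformat()


def century_rollover_is_leap():
    """The post's 2100 question: a two-digit year of "00" maps to 2000, which
    is a leap year, although 2100 is not.  Returns (leap as decoded, leap in
    reality) for that year."""
    decoded_year = 2000 + bcd_to_int((0, 0))
    return is_leap(decoded_year), is_leap(2100)


if __name__ == "__main__":
    print("correct firmware:", watch_date(bcd_to_int))        # (2010, '2010-03-02')
    print("buggy firmware:  ", watch_date(bcd_to_int_buggy))  # (2016, '2016-03-01')
    print("'00' decoded leap?, 2100 leap?:", century_rollover_is_leap())  # (True, False)
```

Day 61 of a common year is 2 March, but in 2016 the extra 29 February makes day 61 fall on 1 March, which is exactly the one-day-low display reported after the February rollover; before that rollover the two calendars agree, so the wrong year stayed invisible. The same two-digit-plus-2000 scheme makes the decoded "00" year a leap year in 2100 when the real year is not.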
Not likely to be a problem for me, unless there are some miraculous
advances in longevity medicine. :-) And I have doubts that the battery will
last that long, even with proper sun exposure to keep it charged. And I
also doubt that the battery will remain in production that long. So it will
probably become non-functional long before the 2100 date arrives.

To their credit -- once I got in touch with the right part of the Citizen
repair organization (no simple task, given the layout of their web page)
they instantly recognized the problem, told *me* the model of the watch,
and started processing to get me a free shipping via UPS to their site. (I
have about three years of the five year warranty left, but they did not
even ask about that.) They have just received the watch, and I am now
awaiting its return in an updated state.

Subsequent e-mail with them determined that they had discovered the problem
and sent information to the dealers to send the watches back for a firmware
update (which they are calling a software update). Some did, and some did
not. I purchased mine about the time that they discovered the problem and
issued the notice, so I don't know whether it should have been sent back at
the time I got it or not. The dealer was totally puzzled by the problem,
and their own contact with the repair organization suggested that it was a
problem of the battery dying (and the indicator showed a perfectly good
charge on it). So -- they have a similarly difficult information channel.

All watches made after the early part of 2008 were shipped with the
firmware fixed. (I tested one at the store to make sure of this before I
was told that they were fixed by the repair facility.)

http://www.d-and-d.com/dnichols/DoN.html   Voice: (703) 938-4564

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.97
************************