[RISKS] Risks Digest 26.03

From: RISKS List Owner <risko_at_private>
Date: Sun, 25 Apr 2010 17:45:07 PDT
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

April Fools: 7,500 Online Shoppers Unknowingly Sold Their Souls (Sam Posten)
Teens and Mobile Phones (Pew via Monty Solomon)
Social Netting lets the mosquitos through (Renay San Miguel via PGN)
Anti-malware backfires (Jeremy Epstein)
Computer error affected West Virginia mine scrutiny (Sam Hananel via PGN)
Software controlled Toyota roll-over (Jeremy Epstein)
Bogus Jury Duty notices lead to identity theft (PGN)
School Admin Takes Fifth Amendment in "Peeping Tom" Case (David Murphy
  via Monty Solomon)
Barclay Card Rewards Advert Promotes PIN Insecurity (Chris J Brady)
Penguin recalls cookbooks (Nick Rothwell)
Re: RFID zapper made from a disposable camera! (Oliver Leistert)
Re: Apache Bug tracker attack (Steve Loughran)
Re: YOUR SAT NAV IS WRONG - GO BACK! (Dimitri Maziuk, Nick Brown)
Re: Canada's planned electronic passports ... (James Cameron)
Re: Incorrect software change to emergency ambulance call-handling (Chris D)
Re: Is your security policy smarter than a 3rd grader? (David-Sarah Hopwood)
Re: ... circumventing Bayesian filters (Raj Mathur)
Broadband survivability and certification (Charles Jackson)
Abridged info on RISKS (comp.risks)


Date: April 19, 2010 9:12:34 AM EDT
From: Sam Posten <sposten_at_private>
Subject: April Fools: 7,500 Online Shoppers Unknowingly Sold Their Souls

  [From Dave Farber's IP distribution.  PGN-ed]

  [Be careful what you agree to when you click that EULA...  Sam]

A computer game retailer revealed that it legally owns the souls of
thousands of online shoppers, thanks to a clause in the terms and
conditions agreed to by online shoppers.
[Source; FOXNews.com, 15 Apr 2010; PGN-ed]

British game retailer *GameStation* has revealed that it legally owns the
souls of thousands of online shoppers, thanks to a clause in the terms and
conditions agreed to by online shoppers.  On April Fools' Day they had added
the "immortal soul clause" to the contract that you would sign before making
any online purchases.  It states that customers grant the company the right
to claim their soul.

  "By placing an order via this Web site <#> on the first day of the fourth
  month of the year 2010 Anno Domini, you agree to grant Us a non
  transferable option to claim, for now and for ever more, your immortal
  soul. Should We wish to exercise this option, you agree to surrender your
  immortal soul, and any claim you may have on it, within 5 (five) working
  days of receiving written notification from gamesation.co.uk or one of its
  duly authorised minions."

GameStation's form http://www.gamestation.co.uk/Help/TermsAndConditions/
also points out that "we reserve the right to serve such notice in
6-foot-high letters of fire, however we can accept no liability for any loss
or damage caused by such an act. If you a) do not believe you have an
immortal soul, b) have already given it to another party, or c) do not wish
to grant Us such a license, please click the link below to nullify this
sub-clause and proceed with your transaction."

The GameStation folks apparently intended to make a very real point: No one
reads the online terms and conditions of shopping, and companies are free to
insert whatever language they want into the documents.

While all shoppers during the test were given a simple tick box option to
opt out, very few did this, which would have also rewarded them with a
5-pound voucher.  Due to the number of people who ticked the box,
GameStation believes as many as 88 percent of people do not read the
terms and conditions of a Web site before they make a purchase.

The company noted that it would not be enforcing the ownership rights,
and planned to e-mail customers nullifying any claim on their soul.


Date: Sun, 25 Apr 2010 14:58:45 -0400
From: Monty Solomon <monty_at_private>
Subject: Teens and Mobile Phones (Pew)

Amanda Lenhart, Rich Ling, Scott Campbell, Kristen Purcell, Teens and Mobile
Phones, Pew Internet & American Life Project 20 Apr 2010

Daily text messaging among American teens has shot up in the past 18 months,
from 38% of teens texting friends daily in February of 2008 to 54% of teens
texting daily in September 2009. And it's not just frequency - teens are
sending enormous quantities of text messages a day. Half of teens send 50 or
more text messages a day, or 1,500 texts a month, and one in three send more
than 100 texts a day, or more than 3,000 texts a month. Older teen girls
ages 14-17 lead the charge on text messaging, averaging 100 messages a day
for the entire cohort. The youngest teen boys are the most resistant to
texting - averaging 20 messages per day. ...


Date: Thu, 22 Apr 2010 14:20:08 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Social Netting lets the mosquitos through (Renay San Miguel)

[Source: Renay San Miguel, Hackers and Social Networking: A Love Story,
*TechNewsWorld*, 22 Apr 2010; PGN-ed, with thanks to Gary McGraw.]

This is a fascinating article on the Social Networking bandwagon and the
Cloud Computing megaballoon.  It quotes Cloud Computing Alliance's Wen
Tseng, Entrust's Eric Skinner, and Cigital's Gary McGraw.  I won't begin to
summarize it, but Gary gets the last words: "Generally speaking, it looks
like HR is all for the social networking thing, and so they're kind of
pushing for the networking -- using LinkedIn and Twitter and outreach
communications without thinking through the implications of it all.  So
stepping back and thinking,  'What's the downside' is always a good
idea. Just because you can do something doesn't mean you should."

  [See also Brad Stone and Ashlee Vance, Companies Slowly Join
  Cloud-Computing, *The New York Times*, 18 Apr 2010.  PGN's favorite
  quote from the Stone/Vance article is this:
    Ah, the cloud - these days, Silicon Valley can't seem to get its head
    out of it. The idea, though typically expressed in ways larded with
    jargon, is actually rather simple.  Cloud providers, large ones like
    Amazon, Microsoft, Google and AT&T, and smaller ones like Rackspace and
    Terremark, aim to convince other companies to give up building and
    managing [in-house] data centers and to use [the provider's] computer
    capacity instead.  PGN]


Date: Wed, 21 Apr 2010 16:05:08 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: Anti-malware backfires

There's a McAfee anti-virus update today that went wrong.  It is bringing
down millions of XP machines worldwide.  So if you decided to be "safe" and
run McAfee, your machine is dead.  If you decided to live dangerously, you
haven't lost anything.  The rational economic argument for users is on the
side of not using anti-virus (in this case)...


  [Lauren Weinstein notes a *USA Today* article on the COST.  PGN]
    Total cost of McAfee's antivirus error will be many millions


Date: Tue, 20 Apr 2010 20:32:24 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Computer error affected West Virginia mine scrutiny (Sam Hananel)

A computer error prevented the West Virginia coal mine where 29 workers died
in an explosion last week from receiving a warning about safety violations.
Evidently, a computer program used by the Mine Safety and Health
Administration screens mines for patterns of violations.  Because eight
citations at the mine in question were apparently omitted, the program did
not flag the mine for safety violations.  However, the mine operators
apparently had fixed the identified problems earlier.  Nevertheless, the
inadequate reporting has alerted U.S. House lawmakers.  [Source: Sam
Hananel, AP item, 13 Apr 2010; PGN-ed. Thanks to dkross.]


Date: Mon, 19 Apr 2010 17:18:43 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: Software controlled Toyota roll-over

In the aftermath of Consumer Reports recommendation against buying the
Toyota GX 460 SUV because of a risk of rollovers, Toyota is recalling 9400
vehicles in the US (and others overseas) for a software upgrade - a flaw in
the Vehicle Stability Control (VSC) software can allow unstable handling.
The part I find disconcerting is that the update is going to be available by
the end of April (less than two weeks from now), which hardly seems long
enough to make a software fix and perform adequate testing.

'nuff said.



Date: Tue, 20 Apr 2010 8:04:30 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Bogus Jury Duty notices lead to identity theft

A caller claims to be a jury coordinator.  If you protest that you never
received a summons for jury duty, the scammer asks you for your Social
Security number and date of birth to be able to verify the information and
cancel the arrest warrant.  Giving out such information has resulted in
identity fraud in at least 11 states, including Oklahoma, Illinois, and
Colorado.  The FBI and the federal court system have issued nationwide
alerts on their websites, warning consumers about the fraud.
  http://www.fbi.gov/page 2/June 06/jury_scams060206.htm


Date: Sun, 18 Apr 2010 15:55:37 -0400
From: Monty Solomon <monty_at_private>
Subject: School Admin Takes Fifth Amendment in "Peeping Tom" Case

Around 2,300 students across two schools in the Lower Merion School District
of Ardmore, PA earlier have received $1,000 Macintosh laptops for use with
preinstalled video-monitoring software that can be remotely activated.  A
motion against the District was filed on 15 Apr.  The suit accuses the
school district of violating various federal and state statutes against
surveillance and wiretapping, including the federal Electronics
Communications Privacy Act.  [Source: David Murphy, *PC Magazine*, 18 Apr
2010; PGN-ed.  This follows up on the earlier items in RISKS-25.95,97.]


Date: Sun, 11 Apr 2010 22:42:10 -0700 (PDT)
From: Chris J Brady <chrisjbrady_at_private>
Subject: Barclay Card Rewards Advert Promotes PIN Insecurity

With so many credit/debit card cloning scams and the consequent
multi-million (multi-billion?) pound losses it might be expected that banks
such as Barclays would be promoting security with card transactions
especially with regards to the use of 'chip and pin.'

However, the latest advert for Barclay Card's 'Rewards' programme - which is
airing regularly on British t.v. - depicts just the opposite. Indeed it is
an excellent example of how to NOT carry out a 'chip and pin' transaction.

The advert shows a somewhat narcissistic and effeminate guy - for some
reason carrying a piece of rolled-up carpet - shopping and paying for goods and
services by 'chip and pin.' However whilst the chip might be secure, he
openly flaunts his PIN to all and everyone including shop assistants and
waiters and anyone standing in his near vicinity. The smirk on his face at
every successful transaction - as he punches in his PIN accompanied by
annoying musical 'plinks and plonks' - in full view of anyone watching - is
indicative of his total ignorance of card cloning and fraud.

This irritating advert demonstrates the very worst of Barclay's attitude
towards security both of customers credit/debit card accounts and the losses
it sustains due to card cloning and fraud.

Apparently musical 'plinks and plonks' of customers punching in their PINs
to earn some ephemeral 'rewards' for using their cards is more important
than demonstrating the necessity of keeping one's PIN secret, i.e. NOT
allowing others to see the PIN punched in. The mind boggles at Barclays
utter stupidity in using this advert for their services.

Risks: You can't beat the Banks for demonstrating stupidity when looking after
someone else's hard-earned cash and credit card accounts.


Date: Wed, 21 Apr 2010 11:29:21 +0100
From: Nick Rothwell <nick_at_private>
Subject: Penguin recalls cookbooks

Penguin is destroying all 7000 copies of its Pasta Bible after a misprint
suggesting that a dish requires "salt and freshly ground black people".  The
head of publishing "defended proofreaders for letting through a misprint
that he suggested came from a spell-check program."

The RISKS archives are of course peopled - er, peppered - with such

  [Mark Brader suggested a title for this item:
  "Freshly ground books and msipelt tagliatelle."
  Actually, blaming spelling checkers is *not a legitimate defense*.


Date: Mon, 19 Apr 2010 17:03:55 +0200
From: Oliver Leistert <leistert_at_private-paderborn.de>
Subject: Re: RFID zapper made from a disposable camera! (RISKS-26.02)

This is nothing new. The RFID Zapper had been already presented at the Chaos
Computer Congress in Berlin in 2005.[1] Prof. Wool is definitely not the
first person to publish and present on this topic. But the statement in the
RISKS Newsletter reads like that. The Zapper had been developed by Computer
Science students from Berlin.

[1] http://events.ccc.de/congress/2005/static/r/f/i/RFID-Zapper(EN)_77f3.html

Oliver Leistert, Universität Paderborn, Warburger Str. 100 33098 Paderborn
+49-5251/60-3275 www.upb.de/gk-automatismen/kollegiatinnen/oliver-leistert/


Date: Mon, 19 Apr 2010 11:48:19 +0100
From: Steve Loughran <steve.loughran_at_private>
Subject: Re: Apache Bug tracker attack (RISKS-26.02)

One of the great features of humanity is that we can not only learn from our
own mistakes, we can learn from other people's - and, through the written word
and YouTube videos, from people at a distance, after the event. It's a shame
that some people felt that the best comment they could add was criticism,
but perhaps they resented having to change their single-web-site password
across all web sites.

Looking at the Apache attack, it appears that the escalation from JIRA admin
to system admin was due to inadequate password policy, rather than any OS
vulnerability. Once on the machine they attempted to cross over from the
public, Apache committer-accessible server to the main SVN servers, and fell
foul of the fact that its login mechanism is much stricter - and failures
are picked up on immediately.

The fact that an attack came from a rented VM is interesting as it shows a
trend to worry about in future: now all you need is a stolen credit card to
gain a small cluster of machines with good network access and a restricted
audit trail. The network load of a VM trying to log in to a remote service
isn't going to show up on the billing and monitoring infrastructure of a
hosting datacentre, so it will be up to every endpoint to defend for
that. Fail2Ban is a solution - one which requires every service to log
unauthenticated operations. If you have a login point, log failures. That
includes every SOAP or REST endpoint - but you also need to make sure the
logs themselves don't trigger a failure, else you have created a new DoS

Some other issues

* ASF Hardware is often donated, and is colocated on different sites.  There
is no "secure datacentre", back end subnet or other multi-layer defences:
everything is in the DMZ. This makes it harder to secure systems, but stops
you getting complacent. If there is a network - even a VPN - which grants
extra rights to callers, you need a plan to deal with it being compromised
and the tests to detect it.

* If the JIRA cookies had been marked HttpOnly, then XSS scripts would be
unable to read them. I wasn't personally aware of HttpOnly cookies until
this incident; I shall be adding Jetty and Tomcat filters to my applications
in future to make cookies HttpOnly regardless of the applications' policies.

* Log analysis would be easier if events were not scattered across different
machines, but instead analysable across them "show me all requests to ASF
infrastructure from IPAddr". The cloud computing projects within
Apache are building tooling which could do this: anyone willing to apply the
CouchDB and Hadoop projects' products for such capture and mining would be
encouraged to do so.

* TinyURL was used to obfuscate the XSS attack, so the script did not appear
in any (sanitised) email bug reports. There's no easy defence against that,
except maybe to use some tooling other than the web browser to resolve
tinyURL links. longSHORE, at http://long-shore.com/ (
http://tinyurl.com/y4kta7o ) can do that; the thought of a Firefox plugin
that works with this service appeals to me, though of course as longshore is
accessed via HTTP, you have to trust DNS in your browsing location.

* The https://issues.apache.org/ HTTPS certificate has to be considered
compromised. This is why it's important to have a different https
certificate for every host, not save money for a *.mydomain.com
certificate. It is also why client applications should check certificates
for revocation.

It's easy for people to look at the post mortem and criticise, but consider
this: the team wrote up what happened, in enough detail for the readers to
follow. We don't see that very often; it would have been easier to say "A
zero-day exploit" and leave it at that.

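Two of the points above - "if you have a login point, log failures" and "show me all requests to ASF infrastructure from IPAddr" - can be illustrated with a small detector. The following is an added example, not code from the ASF or from the Fail2Ban project; the log line format, the hostnames and the sample events are all constructed for this illustration. It merges login-failure records from several hosts, counts failures per source address inside a sliding time window (Fail2Ban-style), and, as a footnote to the HttpOnly remark, checks a Set-Cookie header for the attributes the post wishes the JIRA cookies had carried.

```python
"""Fail2Ban-style login-failure detection across several hosts.

Added example for the Apache post-mortem discussion; not ASF code.
The log format below is hypothetical and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical unified format: "<ISO timestamp> <host> <service> auth_<ok|fail> user=<u> ip=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<service>\S+) "
    r"auth_(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one address hammering two hosts, one legitimate user with a typo.
SAMPLE_LOGS = [
    "2010-04-05T22:00:01 jira.example.org jira auth_fail user=admin ip=203.0.113.7",
    "2010-04-05T22:00:09 jira.example.org jira auth_fail user=admin ip=203.0.113.7",
    "2010-04-05T22:00:17 jira.example.org jira auth_fail user=root ip=203.0.113.7",
    "2010-04-05T22:01:02 svn.example.org sshd auth_fail user=root ip=203.0.113.7",
    "2010-04-05T22:01:30 svn.example.org sshd auth_fail user=admin ip=203.0.113.7",
    "2010-04-05T22:02:11 svn.example.org sshd auth_fail user=svnadmin ip=203.0.113.7",
    "2010-04-05T22:03:00 jira.example.org jira auth_ok user=alice ip=198.51.100.9",
    "2010-04-05T22:04:45 jira.example.org jira auth_fail user=bob ip=198.51.100.9",
    "2010-04-05T23:30:00 jira.example.org jira auth_fail user=bob ip=198.51.100.9",
    "this line is deliberately malformed and must be skipped, not crash the parser",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def failures_by_ip(lines):
    """Merge failure events from every host and group them by source address."""
    events = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None and event["result"] == "fail":
            events[event["ip"]].append(event)
    return events


def offending_ips(lines, max_failures=5, window_seconds=600):
    """Map each address with >= max_failures failures in any window to the hosts it hit.

    A sliding window over the sorted timestamps means a slow, spread-out
    trickle of failures is not flagged, only a concentrated burst.
    """
    flagged = {}
    for ip, events in failures_by_ip(lines).items():
        times = sorted(e["ts"] for e in events)
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_failures:
                flagged[ip] = sorted({e["host"] for e in events})
                break
    return flagged


def cookie_missing_flags(set_cookie_header):
    """List which of HttpOnly / Secure a Set-Cookie header value lacks."""
    attrs = {p.strip().lower() for p in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


if __name__ == "__main__":
    for ip, hosts in offending_ips(SAMPLE_LOGS).items():
        print(f"{ip}: burst of failed logins against {', '.join(hosts)}")
    print("cookie lacks:", cookie_missing_flags("JSESSIONID=abc123; Path=/"))
```

With the defaults the sample flags only 203.0.113.7 (six failures in about two minutes, spread over both hosts), while 198.51.100.9's two failures an hour and a half apart stay below threshold; lowering the threshold and widening the window flags the second address too. The cookie check is deliberately a plain string inspection of the header value rather than a framework call, so it can be run against any server's responses.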

Date: Mon, 19 Apr 2010 12:09:23 -0500
From: Dimitri Maziuk <dmaziuk_at_private>
Subject: Re: YOUR SAT NAV IS WRONG - GO BACK! (RISKS-26.02 and others)

A few observations from a recent road trip with our brand new TomTom:

"Fastest route" seems to assume you'll be doing speed limit and thus prefers
major freeways. It's a reasonable assumption, except major freeways in big
cities tend to be congested most of the time -- presumably paid subscription
to real-time traffic reports service helps with that.

In a couple of places "shortest route" had us turn off a highway into a side
street (across oncoming traffic), turn right into another side street, and
then back into the same highway (left, across all traffic again). A look at
the map showed the highway turning left in a wide bend. I expect the
"shortcut" was indeed a few metres shorter.

Then there's GPS/map/address accuracy: we're coming to a motel hiding at the
end of a driveway on the left side of a wide boulevard, right next to a
major intersection. To follow TomTom's "make a u-turn and you've arrived at
your destination", I'd have to drive over the divider lawn and into some sort
of an office building. There was a left-turn pocket a few metres back, with a
big "no u-turn" sign on it. It goes into the driveway we wanted, but the
driveway entrance is probably not exactly at the motel's listed address, the
driveway veers back a little (causing TomTom -- I guess -- to insist on
"u-turn" instead of just "turn left"), and by the time TomTom decides
"you're there", you've actually already passed the turn.

Not too unreasonable, and once you get the hang of it and look at the screen
and/or map (traffic conditions permitting) instead of blindly following the
voice prompts, no worse than any other piece of software I get to work with.
Of course, I do software for a living, so by now I have an intuitive feel for how
it works and what the limitations would be. I've no problem believing that
an average GPS user would drive off a non-existing bridge or wedge a truck
under a too-low overpass.


Dimitri (Dima) Maziuk, BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu


Date: Wed, 21 Apr 2010 10:15:30 +0200
From: "BROWN Nick" <Nick.BROWN_at_private>
Subject: Re: YOUR SAT NAV IS WRONG - GO BACK! (RISKS-26.02 and others)

Even when you choose the alternative of "shortest time", that doesn't always
help.  A lot of GPS map data seems to divide roads into a rather small
number of classes, with all roads within a class considered to be equally
"fast".  Typically, minor asphalted country roads may be considered to be in
the same class as farm tracks, so whichever route appears to be shorter will
always be chosen.


Date: Tue, 20 Apr 2010 15:44:32 +1000
From: James Cameron <quozl_at_private>
Subject: Re: Canada's planned electronic passports ... (Laurie, RISK-26.01)

> ... it relayed a passport I was holding to a similar reader in the UK,
> using a mobile phone data link.

Presumably the same attack would work against many RFID systems?

Beware of people sidling up to you in a pub, they may be opening your
car, home, workplace, lab ...

At least with the old coded metal bar keys they could be reasonably
hidden in trouser pockets.  ;-)


Date: Tue, 20 Apr 2010 22:00:15 +0100
From: "Chris D." <e767pmk_at_private>
Subject: Re: Incorrect software change to emergency ambulance call-handling
  (Horrocks, RISKS-25.98).

NB: E-mail address munged to defeat spam, "yeeha" = "yahoo", of course.

> It's not clear from the article whether the change was incorrectly
> implemented or exactly as requested.

As the old joke goes, the trouble with software engineers is that
they give you what you asked for, not what you actually wanted...


Date: Wed, 21 Apr 2010 01:10:06 +0100
From: David-Sarah Hopwood <david-sarah_at_private>
Subject: Re: Is your security policy smarter than a 3rd grader? (RISKS-26.02)

This article says, "Blackboard and school officials clarified Thursday that
the boy had not found and exploited a security vulnerability, but rather
that he had obtained a teacher's password."

So allowing privilege escalation from "teacher" to "administrator" is not a
security vulnerability? Of course it is -- if those roles were not intended
to be equivalent, then there is a mismatch between the intended policy and
the implemented one. Exploiting that can certainly be described as

David-Sarah Hopwood   http://davidsarah.livejournal.com


Date: Mon, 19 Apr 2010 08:34:35 +0530
From: Raj Mathur <raju_at_linux-delhi.org>
Subject: Re: ... circumventing Bayesian filters (Kamens, RISKS-26.02)

Facing precisely that problem, I'd created spamtune.pl back in 2005, a sort of
Perl script that generates an OpenOffice.org spreadsheet which loads up
SpamAssassin configuration and known spam and ham messages.  Once loaded,
you can tweak individual SpamAssassin scores in the spreadsheet itself and
see their effect on spam/ham classification in real-time.  The script also
shows you the number of false positives and negatives for a set of scores in

The program is available at:


Feedback appreciated.

Raj Mathur raju@private http://kandalaya.org/


Date: Fri, 23 Apr 2010 14:46:45 -0400
From: "Charles Jackson" <clj_at_private>
Subject: Broadband survivability and certification

Notice of Inquiry, 21 Apr 2010: The FCC adopted a Notice of Inquiry to
enhance its understanding of the present state of survivability in broadband
communications networks and to explore potential measures to reduce network
vulnerability to failures in network equipment or severe overload
conditions, such as would occur in natural disasters, pandemics, and other
disasters. The Commission seeks comment on the ability of existing networks
to withstand localized or distributed physical damage, including whether
there is adequate network redundancy and the extent of survivability of
physical enclosures in which network elements are located. Comments are due
45 days from publication in the Federal Register; replies 75 days from

Notice of Inquiry, 21 Apr 2010: The FCC issued a Notice of Inquiry that
seeks comment on whether the Commission should establish a voluntary program
under which participating communications service providers would be
certified by the FCC or a yet to be determined third party entity for their
adherence to a set of cyber security objectives and/or practices. The
Commission also seeks comment on the components of such a program, if any,
and whether such a program would create business incentives for providers of
communications services to sustain a high level of cybersecurity culture and
practice. Comments will be due 60 days after the NOI is published in the
Federal Register; replies will be due 120 days after publication.

Charles L. Jackson, PO Box 221, Port Tobacco, MD 20677, 1-301 656 8716

  [Don't you love these easily remembered URLs?  PGN]


Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 26.03
Received on Sun Apr 25 2010 - 17:45:07 PDT
