RISKS-LIST: Risks-Forum Digest  Saturday 2 October 2010  Volume 26 : Issue 18

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.18.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
DC Internet voting trial intermediate results (Jeremy Epstein)
Cyberwar Chief Calls for Secure Network (Thom Shanker via Gabe Goldberg)
Cross-site scripting bug leads to massive Twitter worm attacks
  (Lauren Weinstein)
Lone $4.1 Billion Sale Led to 'Flash Crash' in May
  (Graham Bowley via Monty Solomon)
Failure of recovery time - Virgin Blue (Jared Gottlieb)
Some Android apps caught covertly sending GPS data to advertisers
  (Ryan Paul via Monty Solomon)
You can no longer rely on encryption to protect a BlackBerry
  (Martin Heller via Monty Solomon)
Code That Tracks Users' Browsing Prompts Lawsuits (Gabe Goldberg)
Facebook Outage blamed on handling of error condition
  (Robert Johnson via Jim Reisert)
User interface modification: Titanic risk (Lee Rudolph)
Robbers sweep in and siphon up money with vacuum cleaner (Michael Rosa)
Fresh ACS:Law file-sharing lists expose thousands more
  (Daniel Emery via Gene Wirchenko)
Risks of UEFI replacement for BIOS in PCs (Nick Brown)
Show's Title, in Symbols, Defies DVR users (Monty Solomon)
Re: Malicious e-mail with executable pdf (Danny Burstein)
Re: A Strong Password Isn't the Strongest Security (Raj Mathur)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 1 Oct 2010 18:50:32 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: DC Internet voting trial intermediate results

For many years, computer scientists have warned that
Internet voting is not a good idea - it's too vulnerable to all sorts of attacks, whether against the voter's workstation, the network infrastructure, or the server - not to mention usability, accessibility, and interoperability issues.

The District of Columbia is, against advice from many computer scientists, pursuing a trial of a prototype system for the November election. To their credit, they've made the source code and some design documentation available, along with an open server with "get out of jail free" permissions to hack during a test period.

A brief timeline:

* Summer 2010: DC announces the pilot, with the open testing period to be in August
* Sep 20: DC releases a network map and requirements document; test server to be available Sep 24-30 [1]
* Sep 24: Common Cause and Verified Voting write to Mary Cheh, chair of the DC Council oversight committee on elections, suggesting that Internet voting appears to violate DC law due to lack of voter-verifiable ballot [2]
* Sep 24: 13 prominent computer scientists and lawyers write to Mary Cheh, pointing out numerous difficulties with the test program [3]
* Sep 24: Test server availability delayed for an undefined time
* Sep 28: Test server available, source code availability announced publicly; test period to run through Oct 06 at 5pm
* Sep 30 morning: After casting a "vote" on the test server, the browser plays the Univ of Michigan fight song
* Oct 01 afternoon: DC takes the test server down, citing "usability issues"

It's unclear when the test period will resume, if at all. It's also not clear at this point the extent of the compromise of the system. While it's true that the DC BoEE can fix whatever problems allowed introduction of the "fight song", it's also clear that this is the tip of the iceberg - we know from 30 years of experience that the "penetrate and patch" method doesn't produce secure systems.

The RISK?
Ignoring the advice of computer scientists and charging full steam ahead on a technology project doesn't work!

[1] The DC BoEE site for this experiment can be found at http://www.dcboee.us/DVM/
[2] http://voices.washingtonpost.com/debonis/Common_Cause_letter_to_BOEE.pdf
[3] http://voices.washingtonpost.com/debonis/CS_letter_to_Cheh.pdf

------------------------------

Date: Thu, 23 Sep 2010 16:44:07 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Cyberwar Chief Calls for Secure Network

The new commander of the military's cyberwarfare operations is advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation's power grid against attacks mounted over the Internet.

The officer, Gen. Keith B. Alexander, suggested that such a heavily restricted network would allow the government to impose greater protections for the nation's vital, official on-line operations.

General Alexander labeled the new network "a secure zone, a protected zone." Others have nicknamed it "dot-secure."

It would provide to essential networks like those that tie together the banking, aviation, and public utility systems the kind of protection that the military has built around secret military and diplomatic communications networks --- although even these are not completely invulnerable. [...]

[Source: Thom Shanker, *The New York Times*, 23 Sep 2010]
http://www.nytimes.com/2010/09/24/us/24cyber.html?_r=1&th&emc=th

Gabriel Goldberg, Computers and Publishing, Inc. (703) 204-0433
3401 Silver Maple Place, Falls Church, VA 22042 gabe_at_private

  [Also noted by Matthew Kruk.
PGN]

------------------------------

Date: Tue, 21 Sep 2010 10:54:32 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Cross-site scripting bug leads to massive Twitter worm attacks

Cross-site scripting bug leads to massive Twitter worm attacks
http://bit.ly/a3kgvi (Kaspersky Lab)

[From NNSquad]

------------------------------

Date: Fri, 1 Oct 2010 21:44:12 -0400
From: Monty Solomon <monty_at_private>
Subject: Lone $4.1 Billion Sale Led to 'Flash Crash' in May (Graham Bowley)

Graham Bowley, *The New York Times*, 1 Oct 2010

It was a stock market mystery that had everyone guessing for months: just what caused that harrowing flash crash last May?

On Friday, after months of investigation and speculation, federal authorities finally provided the answer: it all began with the click of a computer mouse in Kansas.

In a long-awaited report on one of the wildest days in Wall Street's history, regulators said that the automated sale of a large block of futures by a mutual fund - not named in the report, but identified by officials as Waddell & Reed Financial, of Overland Park, Kan. - touched off a chain reaction of events on May 6.

The Dow Jones industrial average plunged more than 600 points in a matter of minutes that day and then recovered in a blink.

The finger-pointing and speculation that followed - Were high-speed traders behind it? A rogue computer program? Financial terrorists? - captivated Wall Street.

But in the report released on Friday, the authorities said they found no evidence of market manipulation. Instead, the temporary crash resulted from a confluence of forces after a single fund company tried to hedge its stock market investment position legitimately, albeit in an aggressive and abrupt manner.

The mutual fund started a program at about 2:32 p.m.
on May 6 to sell $4.1 billion of futures contracts, using a computer sell algorithm that over the next 20 minutes dumped 75,000 contracts onto the market, even automatically accelerating its selling as prices plunged.

The regulators hope the report lifts the uncertainty that has hung over the nation's exchanges - and investors' minds - since the crash. Certainly, officials at the Securities and Exchange Commission and the Commodity Futures Trading Commission seemed confident they had established the causes of the crash and answered any final doubts, and the findings were welcomed by some in the markets.

But it also left lingering questions among many who felt it did not explain why the crash took place on that particular day in May, or provide any assurance that this could not occur again. ...

http://www.nytimes.com/2010/10/02/business/02flash.html

------------------------------

Date: Mon, 27 Sep 2010 12:11:30 -0600
From: jared gottlieb <jared_at_private>
Subject: Failure of recovery time - Virgin Blue

The risk is when computer 'recovery time' stretches out, compounded by the business' recovery time thereafter. This incident occurred at a peak time of school holidays and as fans were leaving Melbourne after the (almost) Australian Rules Football Grand Final. (Almost because the result was a draw and the teams play again this next weekend.)

Melbourne 'The Age' newspaper
http://www.theage.com.au/travel/passengers-still-waiting-on-virgin-20100927-15u4j.html

"Virgin Blue has blamed the company it contracted to run its reservations system for the nationwide flight chaos since Sunday morning [26.9.10]. It took nearly 24 hours to get a back-up system running. The agreement with the company, Navitaire, requires ''mission-critical'' systems to be recovered in two hours. The delay has angered Virgin Blue almost as much as its stranded passengers, some of whom bunkered down for a second night away from home at the airline's expense."
"The Age believes Virgin Blue is reviewing its contract with the company, a subsidiary of global outsourcing giant Accenture. Yesterday afternoon Virgin Blue received a preliminary explanation from Navitaire as to why computers in its Sydney data centre, which run the airline's internet booking, reservations, check-in and boarding systems, failed about 8am on Sunday. At 5am yesterday, Virgin Blue said the computer system was working again, but facing a huge backlog. Navitaire identified that a computer server's solid-state drive had failed, and an ''initial decision to seek to repair the device proved less than fruitful and also contributed to the delay in initiating a cut-over to a contingency hardware platform'', the airline said. A spokeswoman for Accenture added on behalf of Navitaire: 'We obviously did detailed testing prior to putting the system back on line.'"

"Navitaire boasts its outsourced aviation systems 'let your business run like clockwork'. That's not how some passengers described it. The effects are still being felt: yesterday the airline had to cancel 17 flights. It is not taking any new bookings for flights leaving before Thursday, frustrating football fans wanting to organise flights to Melbourne for the AFL grand final rematch."

------------------------------

Date: Thu, 30 Sep 2010 18:15:58 -0400
From: Monty Solomon <monty_at_private>
Subject: Some Android apps caught covertly sending GPS data to advertisers (Ryan Paul)

Ryan Paul, *Arstechnica*, 30 Sep 2010

The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.
They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user's location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy. ...

http://arstechnica.com/security/news/2010/09/some-android-apps-found-to-covertly-send-gps-data-to-advertisers.ars

------------------------------

Date: Fri, 1 Oct 2010 15:47:31 -0400
From: Monty Solomon <monty_at_private>
Subject: You can no longer rely on encryption to protect a BlackBerry

You can no longer rely on encryption to protect a BlackBerry
A Russian passcode-breaker firm exploits a weakness in RIM's encryption to crack open backups
Martin Heller, *InfoWorld*, 1 Oct 2010
http://www.infoworld.com/t/mobile-device-management/you-can-no-longer-rely-encryption-protect-blackberry-436

------------------------------

Date: Mon, 20 Sep 2010 23:16:36 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: "Code That Tracks Users' Browsing Prompts Lawsuits"

Sandra Person Burns used to love browsing and shopping online. Until she realized she was being tracked by software on her computer that she thought she had erased.

Ms. Person Burns, 67, a retired health care executive who lives in Jackson, Miss., said she is wary of online shopping: "Instead of going to Amazon, I'm going to the local bookstore."

Ms. Person Burns is one of a growing number of consumers who are taking legal action against companies that track computer users' activity on the Internet. At issue is a little-known piece of computer code placed on hard drives by the Flash program from Adobe when users watch videos on popular Web sites like YouTube and Hulu.
http://www.nytimes.com/2010/09/21/technology/

Firefox add-on BetterPrivacy (not mentioned in the article!) to the rescue.

Gabriel Goldberg, Computers and Publishing, Inc. (703) 204-0433
3401 Silver Maple Place, Falls Church, VA 22042 gabe_at_private

------------------------------

Date: Fri, 24 Sep 2010 06:58:13 -0600
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: Facebook Outage blamed on handling of error condition

I'm impressed by the detailed description of the failure. I wonder how many people on FB actually understand any of this?

http://www.facebook.com/note.php?note_id=431441338919&id=9445547199

More Details on Today's Outage
by Robert Johnson on Thursday, September 23, 2010 at 6:29pm

Early today Facebook was down or unreachable for many of you for approximately 2.5 hours. This is the worst outage we've had in over four years, and we wanted to first of all apologize for it. We also wanted to provide much more technical detail on what happened and share one big lesson learned.

The key flaw that caused this outage to be so severe was an unfortunate handling of an error condition. An automated system for verifying configuration values ended up causing much more damage than it fixed.

The intent of the automated system is to check for configuration values that are invalid in the cache and replace them with updated values from the persistent store. This works well for a transient problem with the cache, but it doesn't work when the persistent store is invalid.

Today we made a change to the persistent copy of a configuration value that was interpreted as invalid. This meant that every single client saw the invalid value and attempted to fix it. Because the fix involves making a query to a cluster of databases, that cluster was quickly overwhelmed by hundreds of thousands of queries a second.
To make matters worse, every time a client got an error attempting to query one of the databases it interpreted it as an invalid value, and deleted the corresponding cache key. This meant that even after the original problem had been fixed, the stream of queries continued. As long as the databases failed to service some of the requests, they were causing even more requests to themselves. We had entered a feedback loop that didn't allow the databases to recover.

The way to stop the feedback cycle was quite painful - we had to stop all traffic to this database cluster, which meant turning off the site. Once the databases had recovered and the root cause had been fixed, we slowly allowed more people back onto the site.

This got the site back up and running today, and for now we've turned off the system that attempts to correct configuration values. We're exploring new designs for this configuration system following design patterns of other systems at Facebook that deal more gracefully with feedback loops and transient spikes.

We apologize again for the site outage, and we want you to know that we take the performance and reliability of Facebook very seriously.

Jim Reisert AD1C, <jjreisert@private>, http://www.ad1c.us

------------------------------

Date: Thu, 23 Sep 2010 22:03:36 -0400 (EDT)
From: lrudolph_at_private (Lee Rudolph)
Subject: User interface modification: Titanic risk

http://www.bbc.co.uk/news/uk-northern-ireland-11390144

Confusion about steering orders was responsible for the Titanic sinking, according to a relative of one of the ship's officers. ...

Mrs Patten said the tragedy had occurred during a period when shipping communications were in transition from sail to steam. Two different systems were in operation at the time, Rudder Orders (used for steam ships) and Tiller Orders (used for sailing ships).
Crucially, Mrs Patten said, the two steering systems were the complete opposite of one another, so a command to turn 'hard a-starboard' meant turn the wheel right under one system and left under the other. She said when the helmsman, who had been trained in sail, received the direction, he turned the vessel towards the iceberg with tragic results. ...

  [Of course it is not computer-relevant <!>, but it is certainly RISKS-relevant! Similar events have been computer related. PGN]

------------------------------

Date: Wed, 29 Sep 2010 16:52:10 +0930
From: "Michael Rosa" <MRosa_at_private>
Subject: Robbers sweep in and siphon up money with vacuum cleaner

Burglars broke into their latest store near Paris and drilled a hole in the pneumatic tube that siphons money from the checkout to the strong-room. [Slightly retitled by Pneumanntic.]

http://www.thesun.co.uk/sol/homepage/news/3149962/Robbers-clean-up-with-vacuum.html

------------------------------

Date: Fri, 01 Oct 2010 13:32:53 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Fresh ACS:Law file-sharing lists expose thousands more

The personal details of a further 8,000 people alleged to have shared music or films illegally have appeared online.

A list of more than 8,000 Sky broadband subscribers and a second of 400 PlusNet users surfaced following a security breach of legal firm ACS:Law.

It comes after a database of more than 5,000 people suspected of downloading adult films emerged on Monday.

The UK's Information Commissioner said ACS:Law could be fined up to half a million pounds for the breaches.

The two new lists, produced by ACS:Law, contain the names, addresses and Internet addresses (IP addresses) of users suspected of illegally sharing music.

"In relation to the individual names, these are just the names and addresses of the account owner and we make no claims that they themselves were sharing the files."
Mr Crossley said he had no further comment when asked why the Excel documents were unencrypted, but said he had notified the police, the ICO and was in communication with the SRA.

[Source: Daniel Emery, BBC News, 28 Sep 2010]
http://www.bbc.co.uk/news/technology-11425789

------------------------------

Date: Fri, 1 Oct 2010 19:11:12 +0200
From: "Nick Brown" <Nick.BROWN_at_private>
Subject: Risks of UEFI replacement for BIOS in PCs

A BBC article (http://www.bbc.co.uk/news/technology-11430069) reports on the ongoing introduction of Unified Extensible Firmware Interface, a replacement for the vintage BIOS boot architecture which has been used in most PCs for nearly 30 years.

A particular highlight:

> Before now, said Mr Doran, getting [large numbers of PCs in a corporate
> environment] working has been "pretty painful" because of the limited
> capabilities of Bios. By contrast, he said, UEFI has much better support
> for basic net protocols - which should mean that remote management is
> easier from the "bare metal" upwards.

So, we're going to have half a billion PCs, presumably running protocols with the power of TFTP or above, and with block-level access to every storage device in the system. What could possibly go wrong?

------------------------------

Date: Sat, 25 Sep 2010 23:17:32 -0400
From: Monty Solomon <monty_at_private>
Subject: Show's Title, in Symbols, Defies DVR users (Brian Stelter)

[Source: Brian Stelter, Show's Title, in Symbols, Defies DVRs, *The New York Times*, 22 Sep 2010]

CBS knew that when it ordered a sitcom with a vulgar word in the title, it would get attention. The network also knew there would be some hand-wringing about the coarseness of popular culture.

Here's what the network did not know: that the title would trip up some digital video recorders. It turns out that the search tools on some DVRs cannot find the new show, `$#*! My Dad Says', because the symbols cannot be read.
(Maybe some DVR developers could not foresee a world where TV shows would have a dollar sign in the titles.)

Before the show's premiere on Thursday, CBS released a viewers' guide of sorts on Wednesday to help people program their DVRs accordingly.

The case illustrates how some TV networks have embraced the DVR, though tepidly. Despite the commercial-skipping abilities of the recording devices, highly rated shows become even more so when DVR playback is included in the Nielsen ratings that help determine prices for advertising time. About 38 percent of households now have DVRs, though the vast majority of programming is still watched in real-time. ...

http://www.nytimes.com/2010/09/23/business/media/23dad.html

------------------------------

Date: Mon, 20 Sep 2010 20:53:16 -0400 (EDT)
From: danny burstein <dannyb_at_private>
Subject: Re: Malicious e-mail with executable pdf

And once again we're treated to a malware warning, make that a near hysterical warning (especially the way it was covered by the mass media) which leaves out a key point, namely which computer operating systems and software packages are potentially affected.

When there's a safety concern with cars, there's no reluctance in publicizing the brand name. Even when the company is a major advertiser. Why do we see so much hesitation in computer issues?

------------------------------

Date: Sat, 25 Sep 2010 09:33:59 +0530
From: Raj Mathur <raju_at_linux-delhi.org>
Subject: Re: A Strong Password Isn't the Strongest Security

There are at least three technologies that are mitigating the need to remember multiple, complex passwords today:

OpenID is gaining popularity, and as more Internet-based services permit OpenID authentication, the need for individual passwords will dramatically decrease. I hear Facebook is a recent addition to the OpenID fan club.

Biometric-based validation is now available for local authentication on many new computers.
I don't really know how far technology has progressed with standard, secure protocols for performing biometric authentication remotely, but, unless there are insurmountable issues with security, surely that will be available in the fullness of time.

Key- and certificate-based authentication has been around for ages, and administrators of large numbers of Unix/Linux servers need no prompting to start eulogising the benefits of SSH keys. Generating self-signed certificates is trivial, and for mundane authentication purposes (e.g., to your e-mail account) there is no need to bring certificate authorities and governments into the picture.

To sum up, what we seem to be suffering from is a surfeit of authentication mechanisms. I look forward to the day when one method (which may be a combination of more than one technology above, or of technologies that I haven't thought of) is as ubiquitous as password-based authentication was a few decades back.

Aside: All the technologies listed have some potential issue or the other. Whether it is a single point of failure or immaturity of the technology involved, there is scope for abuse. On the other hand, whether we will ever see a time when absolute novices will be able to safely authenticate on the Internet is a question that I, for one, would be loath to try to answer.

Raj Mathur raju@private http://kandalaya.org/
PsyTrance & Chill: http://schizoid.in/

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
   The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
   Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken.
   Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   The full info file may appear now and then in RISKS issues.
   *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
   *** NOTE: Including the string "notsp" at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.18
************************

Received on Sat Oct 02 2010 - 19:16:35 PDT
This archive was generated by hypermail 2.2.0 : Sat Oct 02 2010 - 20:42:10 PDT