[RISKS] Risks Digest 26.18

From: RISKS List Owner <risko_at_private>
Date: Sat, 2 Oct 2010 19:16:35 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 2 October 2010  Volume 26 : Issue 18

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

DC Internet voting trial intermediate results (Jeremy Epstein)
Cyberwar Chief Calls for Secure Network (Tom Shanker via Gabe Goldberg)
Cross-site scripting bug leads to massive Twitter worm attacks
  (Lauren Weinstein)
Monty Solomon <monty_at_private>
Subject: Lone $4.1 Billion Sale Led to 'Flash Crash' in May (Graham Bowley
  via Monty Solomon)
Failure of recovery time - Virgin Blue (Jared Gottlieb)
Some Android apps caught covertly sending GPS data to advertisers (Ryan Paul
  via Monty Solomon)
You can no longer rely on encryption to protect a BlackBerry (Martin Heller
  via Monty Solomon)
Code That Tracks Users' Browsing Prompts Lawsuits (Gabe Goldberg)
Facebook Outage blamed on handling of error condition (Robert Johnson
  via Jim Reisert)
User interface modification: Titanic risk (Lee Rudolph)
Robbers sweep in and siphon up money with vacuum cleaner (Michael Rosa)
Fresh ACS:Law file-sharing lists expose thousands more (Daniel Emery
  via Gene Wirchenko)
Risks of UEFI replacement for BIOS in PCs (Nick Brown)
Show's Title, in Symbols, Defies DVR users (Monty Solomon)
Re: Malicious e-mail with executable pdf (Danny Burstein)
Re: A Strong Password Isn't the Strongest Security (Raj Mathur)
Abridged info on RISKS (comp.risks)


Date: Fri, 1 Oct 2010 18:50:32 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: DC Internet voting trial intermediate results

For many years, computer scientists have warned that Internet voting is not
a good idea - it's too vulnerable to all sorts of attacks, whether against
the voter's workstation, the network infrastructure, or the server - not to
mention usability, accessibility, and interoperability issues.  The District
of Columbia is, against advice from many computer scientists, pursuing a
trial of a prototype system for the November election.  To their credit,
they've made the source code and some design documentation available, along
with an open server with "get out of jail free" permissions to hack during a
test period.

A brief timeline:

* Summer 2010: DC announces the pilot, with the open testing period to
  be in August
* Sep 20: DC releases a network map and requirements document; test
  server to be available Sep 24-30 [1]
* Sep 24: Common Cause and Verified Voting write to Mary Cheh, chair
  of the DC Council oversight committee on elections, suggesting that
  Internet voting appears to violate DC law due to lack of
  voter-verifiable ballot [2]
* Sep 24: 13 prominent computer scientists and lawyers write to Mary
  Cheh, pointing out numerous difficulties with the test program [3]
* Sep 24: Test server availability delayed for an undefined time
* Sep 28: Test server available, source code availability announced
  publicly; test period to run through Oct 06 at 5pm
* Sep 30 morning: After casting a "vote" on the test server, the
  browser plays the Univ of Michigan fight song
* Oct 01 afternoon: DC takes the test server down, citing "usability issues"

It's unclear when the test period will resume, if it all.  It's also not
clear at this point the extent of the compromise of the system.  While it's
true that the DC BoEE can fix whatever problems allowed introduction of the
"fight song", it's also clear that this is the tip of the iceberg - we know
from 30 years of experience that the "penetrate and patch" method doesn't
produce secure systems.

The RISK?  Ignoring the advice of computer scientists and charging
full steam ahead on a technology project doesn't work!

[1] The DC BoEE site for this experiment can be found at
[2] http://voices.washingtonpost.com/debonis/Common_Cause_letter_to_BOEE.pdf
[3] http://voices.washingtonpost.com/debonis/CS_letter_to_Cheh.pdf


Date: Thu, 23 Sep 2010 16:44:07 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Cyberwar Chief Calls for Secure Network

The new commander of the military's cyberwarfare operations is advocating
the creation of a separate, secure computer network to protect civilian
government agencies and critical industries like the nation's power grid
against attacks mounted over the Internet.  The officer, Gen. Keith
B. Alexander, suggested that such a heavily restricted network would allow
the government to impose greater protections for the nation's vital,
official on-line operations. General Alexander labeled the new network "a
secure zone, a protected zone."  Others have nicknamed it "dot-secure."  It
would provide to essential networks like those that tie together the
banking, aviation, and public utility systems the kind of protection that
the military has built around secret military and diplomatic communications
networks --- although even these are not completely invulnerable.  [...]
  [Source: Thom Shanker, *The New York Times*, 23 Sep 2010]

Gabriel Goldberg, Computers and Publishing, Inc.          (703) 204-0433
3401 Silver Maple Place, Falls Church, VA 22042        gabe_at_private

  [Also noted by Matthew Kruk.  PGN]


Date: Tue, 21 Sep 2010 10:54:32 -0700
From: Lauren Weinstein <lauren_at_private>
Subject:  Cross-site scripting bug leads to massive Twitter worm attacks

Cross-site scripting bug leads to massive Twitter worm attacks
http://bit.ly/a3kgvi  (Kaspersky Lab) [From NNSquad]


Date: Fri, 1 Oct 2010 21:44:12 -0400
From: Monty Solomon <monty_at_private>
Subject: Lone $4.1 Billion Sale Led to 'Flash Crash' in May (Graham Bowley)

Graham Bowley, *The New York Times*, 1 Oct 2010

It was a stock market mystery that had everyone guessing for months: just
what caused that harrowing flash crash last May?

On Friday, after months of investigation and speculation, federal
authorities finally provided the answer: it all began with the click of a
computer mouse in Kansas.

In a long-awaited report on one of wildest days in Wall Street's history,
regulators said that the automated sale of a large block of futures by a
mutual fund - not named in the report, but identified by officials as
Waddell & Reed Financial, of Overland Park, Kan. - touched off a chain
reaction of events on May 6. The Dow Jones industrial average plunged more
than 600 points in a matter of minutes that day and then recovered in a

The finger-pointing and speculation that followed - Were high-speed traders
behind it? A rogue computer program? Financial terrorists? - captivated Wall
Street. But in the report released on Friday, the authorities said they
found no evidence of market manipulation.  Instead, the temporary crash
resulted from a confluence of forces after a single fund company tried to
hedge its stock market investment position legitimately, albeit in an
aggressive and abrupt manner.

The mutual fund started a program at about 2:32 p.m. on May 6 to sell $4.1
billion of futures contracts, using a computer sell algorithm that over the
next 20 minutes dumped 75,000 contracts onto the market, even automatically
accelerating its selling as prices plunged.

The regulators hope the report lifts the uncertainty that has hung over the
nation's exchanges - and investors' minds - since the crash.  Certainly,
officials at the Securities and Exchange Commission and the Commodity
Futures Trading Commission seemed confident they had established the causes
of the crash and answered any final doubts, and the findings were welcomed
by some in the markets.

But it also left lingering questions among many who felt it did not explain
why the crash took place on that particular day in May, or provide any
assurance that this could not occur again. ...



Date: Mon, 27 Sep 2010 12:11:30 -0600
From: jared gottlieb <jared_at_private>
Subject: Failure of recovery time - Virgin Blue

The risk is when computer 'recovery time' stretches out, compounded by the
business' recovery time thereafter.  This incident occurred at a peak time
of school holidays and as fans were leaving Melbourne after the (almost)
Australian Rules Football Grand Final. (Almost because the result was a draw
and the teams play again this next weekend.)  Melbourne 'The Age' newspaper

"Virgin Blue has blamed the company it contracted to run its reservations
system for the nationwide flight chaos since Sunday morning [26.9.10]. It
took nearly 24 hours to get a back-up system running. The agreement with the
company, Navitaire, requires ''mission-critical'' systems to be recovered in
two hours.The delay has angered Virgin Blue almost as much as its stranded
passengers, some of whom bunkered down for a second night away from home at
the airline's expense."

"The Age believes Virgin Blue is reviewing its contract with the company, a
subsidiary of global outsourcing giant Accenture.  Yesterday afternoon
Virgin Blue received a preliminary explanation from Navitaire as to why
computers in its Sydney data centre, which run the airline's internet
booking, reservations, check-in and boarding systems, failed about 8am on
Sunday. At 5am yesterday, Virgin Blue said the computer system was working
again, but facing a huge backlog. Navitaire identified that a computer
server's solid- state drive had failed, and an ''initial decision to seek to
repair the device proved less than fruitful and also contributed to the
delay in initiating a cut-over to a contingency hardware platform'', the
airline said. A spokeswoman for Accenture added on behalf of Navitaire: 'We
obviously did detailed testing prior to putting the system back on line.'"

"Navitaire boasts its outsourced aviation systems 'let your business run
like clockwork'. That's not how some passengers described it. The effects
are still being felt: yesterday the airline had to cancel 17 flights. It is
not taking any new bookings for flights leaving before Thursday, frustrating
football fans wanting to organise flights to Melbourne for the AFL grand
final rematch."


Date: Thu, 30 Sep 2010 18:15:58 -0400
From: Monty Solomon <monty_at_private>
Subject: Some Android apps caught covertly sending GPS data to advertisers
  (Ryan Paul)

Ryan Paul, *Arstechnica*, 30 Sep 2010

The results of a study conducted by researchers from Duke University, Penn
State University, and Intel Labs have revealed that a significant number of
popular Android applications transmit private user data to advertising
networks without explicitly asking or informing the user. The researchers
developed a piece of software called TaintDroid that uses dynamic taint
analysis to detect and report when applications are sending potentially
sensitive information to remote servers.

They used TaintDroid to test 30 popular free Android applications selected
at random from the Android market and found that half were sending private
information to advertising servers, including the user's location and phone
number. In some cases, they found that applications were relaying GPS
coordinates to remote advertising network servers as frequently as every 30
seconds, even when not displaying advertisements. These findings raise
concern about the extent to which mobile platforms can insulate users from
unwanted invasions of privacy. ...



Date: Fri, 1 Oct 2010 15:47:31 -0400
From: Monty Solomon <monty_at_private>
Subject: You can no longer rely on encryption to protect a BlackBerry

You can no longer rely on encryption to protect a BlackBerry A Russian
passcode-breaker firm exploits a weakness in RIM's encryption to crack open

Martin Heller, *InfoWorld*, 1 Oct 2010


Date: Mon, 20 Sep 2010 23:16:36 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: "Code That Tracks Users' Browsing Prompts Lawsuits"

Sandra Person Burns used to love browsing and shopping online. Until she
realized she was being tracked by software on her computer that she thought
she had erased.  Ms. Person Burns, 67, a retired health care executive who
lives in Jackson, Miss., said she is wary of online shopping: "Instead of
going to Amazon, I'm going to the local bookstore."  Ms. Person Burns is one
of a growing number of consumers who are taking legal action against
companies that track computer users' activity on the Internet. At issue is a
little-known piece of computer code placed on hard drives by the Flash
program from Adobe when users watch videos on popular Web sites like YouTube
and Hulu.

Firefox add-on BetterPrivacy (not mentioned in the article!) to the rescue.

Gabriel Goldberg, Computers and Publishing, Inc.  (703) 204-0433
3401 Silver Maple Place, Falls Church, VA 22042   gabe_at_private


Date: Fri, 24 Sep 2010 06:58:13 -0600
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: Facebook Outage blamed on handling of error condition

I'm impressed by the detailed description of the failure.  I wonder how many
people on FB actually understand any of this?


More Details on Today's Outage
by Robert Johnson on Thursday, September 23, 2010 at 6:29pm

Early today Facebook was down or unreachable for many of you for
approximately 2.5 hours. This is the worst outage we've had in over four
years, and we wanted to first of all apologize for it. We also wanted to
provide much more technical detail on what happened and share one big lesson

The key flaw that caused this outage to be so severe was an unfortunate
handling of an error condition. An automated system for verifying
configuration values ended up causing much more damage than it fixed.

The intent of the automated system is to check for configuration values that
are invalid in the cache and replace them with updated values from the
persistent store. This works well for a transient problem with the cache,
but it doesn't work when the persistent store is invalid.

Today we made a change to the persistent copy of a configuration value that
was interpreted as invalid. This meant that every single client saw the
invalid value and attempted to fix it. Because the fix involves making a
query to a cluster of databases, that cluster was quickly overwhelmed by
hundreds of thousands of queries a second.

To make matters worse, every time a client got an error attempting to query
one of the databases it interpreted it as an invalid value, and deleted the
corresponding cache key. This meant that even after the original problem had
been fixed, the stream of queries continued. As long as the databases failed
to service some of the requests, they were causing even more requests to
themselves. We had entered a feedback loop that didn't allow the databases
to recover.

The way to stop the feedback cycle was quite painful - we had to stop all
traffic to this database cluster, which meant turning off the site.  Once
the databases had recovered and the root cause had been fixed, we slowly
allowed more people back onto the site.

This got the site back up and running today, and for now we've turned off
the system that attempts to correct configuration values. We're exploring
new designs for this configuration system following design patterns of other
systems at Facebook that deal more gracefully with feedback loops and
transient spikes.

We apologize again for the site outage, and we want you to know that we take
the performance and reliability of Facebook very seriously.

Jim Reisert AD1C, <jjreisert@private>, http://www.ad1c.us


Date: Thu, 23 Sep 2010 22:03:36 -0400 (EDT)
From: lrudolph_at_private (Lee Rudolph)
Subject: User interface modification: Titanic risk


  Confusion about steering orders was responsible for the Titanic sinking,
  according to a relative of one of the ship's officers. ...  Mrs Patten
  said the tragedy had occurred during a period when shipping communications
  were in transition from sail to steam.  Two different systems were in
  operation at the time, Rudder Orders (used for steam ships) and Tiller
  Orders (used for sailing ships).  Crucially, Mrs Patten said, the two
  steering systems were the complete opposite of one another, so a command
  to turn 'hard a-starboard' meant turn the wheel right under one system and
  left under the other.  She said when the helmsman, who had been trained in
  sail, received the direction, he turned the vessel towards the iceberg
  with tragic results. ...  [Of course it is not computer-relevant <!>, but
  it is certainly RISKS-relevant!  Similar events have been computer
  related.  PGN]


Date: Wed, 29 Sep 2010 16:52:10 +0930
From: "Michael Rosa" <MRosa_at_private>
Subject: Robbers sweep in and siphon up money with vacuum cleaner

Burglars broke into their latest store near Paris and drilled a hole in the
pneumatic tube that siphons money from the checkout to the strong-room.
[Slightly retitled by Pneumanntic.]


Date: Fri, 01 Oct 2010 13:32:53 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Fresh ACS:Law file-sharing lists expose thousands more

The personal details of a further 8,000 people alleged to have shared music
or films illegally have appeared online.  A list of more than 8,000 Sky
broadband subscribers and a second of 400 PlusNet users surfaced following a
security breach of legal firm ACS:Law.  It comes after a database of more
than 5,000 people suspected of downloading adult films emerged on Monday.
The UK's Information Commissioner said ACS:Law could be fined up to half a
million pounds for the breaches.  The two new lists, produced by ACS:Law,
contain the names, addresses and Internet addresses (IP addresses) of users
suspected of illegally sharing music.  "In relation to the individual names,
these are just the names and addresses of the account owner and we make no
claims that they themselves were sharing the files."  Mr Crossley said he
had no further comment when asked why the Excel documents was unencrypted,
but said he had notified the police, the ICO and was in communication with
the SRA.  [Source: Daniel Emery, BBC News, 28 Sep 2010]


Date: Fri, 1 Oct 2010 19:11:12 +0200
From: "Nick Brown" <Nick.BROWN_at_private>
Subject: Risks of UEFI replacement for BIOS in PCs

A BBC article (http://www.bbc.co.uk/news/technology-11430069) reports on the
ongoing introduction of Unified Extensible Firmware Interface, a replacement
for the vintage BIOS boot architecture which has been used in most PCs for
nearly 30 years.  A particular highlight:

> Before now, said Mr Doran, getting [large numbers of PCs in a corporate
> environment] working has been "pretty painful" because of the limited
> capabilities of Bios.  By contrast, he said, UEFI has much better support
> for basic net protocols - which should mean that remote management is
> easier from the "bare metal" upwards.

So, we're going to have half a billion PCs, presumably running protocols
with the power of TFTP or above, and with block-level access to every
storage device in the system.  What could possibly go wrong?


Date: Sat, 25 Sep 2010 23:17:32 -0400
From: Monty Solomon <monty_at_private>
Subject: Show's Title, in Symbols, Defies DVR users (Brian Stelter)

[Source: Brian Stelter, Show's Title, in Symbols, Defies DVRs, *The New York
Times*, 22 Sep 2010]

CBS knew that when it ordered a sitcom with a vulgar word in the title, it
would get attention. The network also knew there would be some hand-wringing
about the coarseness of popular culture.

Here's what the network did not know: that the title would trip up some
digital video recorders.  It turns out that the search tools on some DVRs
cannot find the new show, `$#*! My Dad Says', because the symbols cannot be
read. (Maybe some DVR developers could not foresee a world where TV shows
would have a dollar sign in the titles.) Before the show's premiere on
Thursday, CBS released a viewers' guide of sorts on Wednesday to help people
program their DVRs accordingly.

The case illustrates how some TV networks have embraced the DVR, though
tepidly. Despite the commercial-skipping abilities of the recording devices,
highly rated shows become even more so when DVR playback is included in the
Nielsen ratings that help determine prices for advertising time. About 38
percent of households now have DVRs, though the vast majority of programming
is still watched in real-time. ...



Date: Mon, 20 Sep 2010 20:53:16 -0400 (EDT)
From: danny burstein <dannyb_at_private>
Subject: Re: Malicious e-mail with executable pdf

And once again we're treated to a malware warning, make that a near
hysterical warning (especially the way it was covered by the mass media)
which leaves out a key point, namely which computer operating systems and
software packages are potentially affected.

When there's a safety concern with cars, there's no reluctance in
publicizing the brand name. Even when the company is a major advertiser.

Why do we see so much hesitation in computer issues?


Date: Sat, 25 Sep 2010 09:33:59 +0530
From: Raj Mathur <raju_at_linux-delhi.org>
Subject: Re: A Strong Password Isn't the Strongest Security

There are at least three technologies that are mitigating the need to
remember multiple, complex passwords today:

OpenID is gaining popularity, and as more Internet-based services permit
OpenID authentication, the need for individual passwords will dramatically
decrease.  I hear Facebook is a recent addition to the OpenID fan club.

Biometric-based validation is now available for local authentication on many
new computers.  I don't really know how far technology has progressed with
standard, secure protocols for performing biometric authentication remotely,
but, unless there are insurmountable issues with security, surely that will
be available in the fullness of time.

Key- and certificate-based authentication has been around for ages, and
administrators of large numbers of Unix/Linux servers need no prompting to
start eulogising the benefits of SSH keys.  Generating self-signed
certificates is trivial, and for mundane authentication purposes (e.g., to
your e-mail account) there is no need to bring certificate authorities and
governments into the picture.

To sum up, what we seem to be suffering from is a surfeit of authentication
mechanisms.  I look forward to the day when one method (which may be a
combination of more than one technology above, or of technologies that I
haven't thought of) is as ubiquitous as password- based authentication was a
few decades back.

Aside: All the technologies listed have some potential issue or the other.
Whether it is a single point of failure or immaturity of the technology
involved, there is scope for abuse.  On the other hand, whether we will ever
see a time when absolute novices will be able to safely authenticate on the
Internet is a question that I, for one, would be loath to try to answer.

Raj Mathur                raju@private      http://kandalaya.org/
PsyTrance & Chill: http://schizoid.in/


Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 26.18
Received on Sat Oct 02 2010 - 19:16:35 PDT

This archive was generated by hypermail 2.2.0 : Sat Oct 02 2010 - 20:42:10 PDT