[RISKS] Risks Digest 26.24

From: RISKS List Owner <risko_at_private>
Date: Fri, 3 Dec 2010 15:03:30 PST
RISKS-LIST: Risks-Forum Digest  Friday 3 December 2010  Volume 26 : Issue 24

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Iran: Computer Malware Sabotaged Uranium Centrifuges (Kim Zetter)
NY City: 195,055 Votes Found a month later! (Sam Roberts)
Millions cashless in bank glitch (fjohn reinke)
AVG Antivirus update kills Win7X64 systems (Jim Garrison)
Missing decimal point leads to frustration (Paul Schreiber)
Another Daylight Saving Time Bug (Frederick.Klein)
Windows Phone 7 jailbreak tool comes, goes within a week (Lauren Weinstein)
Re: Passenger arrested for stripping down to underwear (Dag-Erling Smørgrav)
Risk of RISKS? (Chris D.)
Abridged info on RISKS (comp.risks)


Date: Tue, 30 Nov 2010 8:00:43 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Iran: Computer Malware Sabotaged Uranium Centrifuges

Kim Zetter, Iran: Computer Malware Sabotaged Uranium Centrifuges,
*WiReD*, 29 Nov 2010 [PGN-ed]

In what appears to be the first confirmation that the Stuxnet malware hit
Iran's Natanz nuclear facility, Iranian President Mahmoud Ahmadinejad said
Monday that malicious computer code launched by `enemies' of the state had
sabotaged centrifuges used in Iran's nuclear-enrichment program.

The surprise announcement at a press conference coincided with news that two
of Iran's top nuclear scientists had been ambushed Monday by assassins who
killed one scientist and seriously injured the other.

Iran had previously acknowledged that Stuxnet infected the personal
computers of workers at its Bushehr nuclear power plant but had insisted
that the malware had not infected work systems involved in the nuclear
program, and that the program itself had not been harmed. Officials did not
mention then whether any computers at its nuclear facility at Natanz had
been infected.

Natanz is engaged in enriching uranium that could be used to manufacture
weapons. It was therefore believed by various computer security experts to
have been Stuxnet's likely target.

Ahmadinejad did not mention Natanz by name at Monday's press conference but
admitted that malware had ``succeeded in creating problems for a limited
number of our centrifuges.''

According to a recent report from the United Nations/ International Atomic
Energy Agency, Iran had temporarily halted uranium enrichment at its Natanz
plant for unknown reasons earlier this month. Thousands of centrifuges
reportedly stopped production as a result.

Iran has had various problems over the years with equipment used in its
nuclear facilities. The problems have delayed progress in both the country's
nuclear power plants and the uranium-enrichment program, which Iran has
insisted is for peaceful purposes only.

Ahmadinejad said the malware that caused problems with its centrifuges was
in software that the attackers had ``installed in electronic parts.''  He
said the infection had been halted.

``Our specialists stopped that and they will not be able to do it again,''
he said, according to the BBC. Ahmadinejad blamed Israel and ``the West''
for spreading the malware.

The Stuxnet worm was discovered on computers in Iran in June by a Belarusian
security firm and has infected more than 100,000 computer systems worldwide,
most of them in Iran. The targeted code was designed to attack Siemens
Simatic WinCC SCADA systems. The Siemens system is used in various
facilities to manage pipelines, nuclear plants and various utility and
manufacturing equipment.

But speculation has focused on Iran's nuclear facilities -- at Bushehr,
Natanz and other locations -- being the most likely target. The
sophisticated malware is believed to have been created by a well-financed
nation state, with speculation focusing on Israel and/or the United States.

Security firm Symantec recently determined that the malware specifically
targets Siemens systems that are used with frequency-converter drives made
by two firms, one based in Iran and one in Finland. Even more specifically,
Stuxnet targets only frequency drives from these two companies that are also
running at high speeds -- between 807 Hz and 1210 Hz.

Frequency-converter drives are used to control the speed of a device.
Although it's not known what device Stuxnet aimed to control, it was
designed to vary the speed of the device wildly but intermittently over a
span of weeks, suggesting the aim was subtle sabotage meant to ruin a
process over time but not in a way that would attract suspicion.

``Using nuclear enrichment as an example, the centrifuges need to spin at a
precise speed for long periods of time in order to extract the pure
uranium,'' Symantec's Liam O Murchu told Threat Level earlier this month.
``If those centrifuges stop to spin at that high speed, then it can disrupt
the process of isolating the heavier isotopes in those centrifuges -- and
the final grade of uranium you would get out would be a lower quality.

Iran's confirmation this week that malware was behind recent problems with
its centrifuges suggests that Stuxnet may indeed have been designed
specifically to target Iran's nuclear program. But if this is the case, the
assassinations on Monday could indicate that whoever targeted Iran felt the
malware was insufficient to halt Iran's nuclear program.

According to news reports, the scientists were targeted in separate but
nearly simultaneous car bomb attacks near Shahid Beheshti University.  Majid
Shahriari and Fereydoun Abbasi, along with their wives, were driving to work
when assailants on motorcycles zipped by their vehicles and slapped
magnetized explosives to the cars, which were detonated within seconds.

Shahriari, who was head of an unnamed Iranian nuclear program, was
killed. Abbasi, a high-ranking Ministry of Defense official who reportedly
holds a Ph.D. in nuclear physics, was wounded. Both wives were wounded in
the attacks.

Two other Iranian nuclear scientists have been killed in recent years. A
senior physics professor at Tehran University was killed in January, when a
bomb attached to a motorcycle exploded near his car as he was leaving for
work. A second nuclear scientist died in 2007 from gas poisoning.

Ahmadinejad blamed Monday's assassination attacks on Israel and the West.

``Undoubtedly, the hand of the Zionist regime and Western governments is
involved in the assassination,'' he said, according to an Associated Press
account of the news conference.

Sunday's disclosure of U.S. State Department documents also show that Arab
nations share the same concerns that Israel and the United States have about
Iran's nuclear programs. The documents, given to various media outlets by
the secret-spilling site WikiLeaks, reveal that King Abdullah of Saudi
Arabia pleaded with the United States to stop Iran before it could develop
an atomic weapon. Other Arab leaders were equally urgent that Iran had to be

There have been suggestions, however, that the Iranian government itself
could have been responsible for the attacks on the two nuclear scientists.


Date: Thu, 2 Dec 2010 11:41:38 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: NY City: 195,055 Votes Found a month later!

[Source: A Month After Elections, 200,000 Votes Found; Every vote counts,
eventually.  Sam Roberts (Uli Seit for *The New York Times*), 2 Dec 2010;
PGN-ed, with thanks to Jeremy Epstein]

The city's Board of Elections routinely reminds New Yorkers that the
election night vote count is unofficial and preliminary.  Still, the
difference in the results from Nov. 2 and in the returns formally certified
by the board on Wednesday seems striking: The board found 195,055 votes, or
17 percent more votes, than were originally reported.

  [The article is not clear on the details, so I'll let you interpret
  from Kim's original.  PGN] 


Date: Tue, 30 Nov 2010 09:06:07 -0500
From: fjohn reinke <fjohn_at_private>
Subject: Millions cashless in bank glitch

* One of Australia's biggest banks is scrambling to process payments to
  millions of customers, who potentially face days of uncertainty about when
  they will be able to access their money.

* A corrupted file in the National Australia Bank's computers on Wednesday
  jammed its payment system, hitting customers from a range of banks who
  rely on the NAB to process payments.


Interesting in that it demonstrates how fragile the financial "eco-system" is.

As an IT guy, I assume they are talking about a corrupted database, where
the the software develops the IT equivalent of Alzheimer's.  ("Let's see Joe
Jones' record please." "Don't have Joe's in that slot have Sam's."
"Tilt. Summon programmer." To which the programmer says: "<synonym for
excrement>" and schedules rebuilding the index. That's like a Doctor's
secretary having to go through every file folder recreating an index into
the filing cabinet. Long and cumbersome for people. Same for computers.) The
fact that there's a "holiday" around when the problem occurs makes me
suspect that there was a change or testing going on. When I had a Dister
Recovery Group, Tday Weekend was a great time for testing. Basically four
days with minimal requirement from "real people". It's one of the most
highly sought weekends by IT people to do "stuff". So, when ANY holiday
comes, think of the herds of nerds globally changing stuff.  If that doesn't
inspire you to take a little extra cash and make a few preps for at least a
little outage, then you are truly clueless. :-)

   [On 2 Dec 2010, fjohn noted another description on Australian ATM
   outage. Disappearing Bank Accounts. Robert Wenzel


Date: Thu, 2 Dec 2010 16:48:12 -0600
From: Jim Garrison <Jim.Garrison_at_private>
Subject:  AVG Antivirus update kills Win7X64 systems


In their instructions are the lines:

* If you have unfortunately met mentioned error, please follow these
  steps: (sic)
* If possible to boot into Safe Mode, then run System Restore before the
  night AVG update and **reinstall AVG.** (sick)

(my emphasis)

Yeah, right.

Also, "we have met the error and he is us" (bonus points for identifying the


Date: Thu, 2 Dec 2010 11:07:12 -0500
From: Paul Schreiber <paulschreiber_at_private>
Subject: Missing decimal point leads to frustration

Bound checking would have helped here:


Woodie Williams' experience may serve as a cautionary tale for those who
have shifted to paying bills online or are thinking about it.  Williams, 79
[in Pittsburg, California], found that a decimal point means a lot when he
apparently left one out when paying his cable TV bill to Comcast on Nov. 8.
Williams, a retired Contra Costa County employee, meant to pay the company
$68.94 but actually paid $6,894 when he omitted the decimal point.  "I had
enough money in the bank, so the payment cleared," he said.  Williams
received a refund check Monday morning for the overpayment, but it took
longer than he expected.


Date: Thu, 2 Dec 2010 21:31:47 +0000
From: Frederick.Klein_at_private
Subject:  Another Daylight Saving Time Bug

I have an alarm clock that "knows" about daylight saving time.  This fall on
a Sunday night at 12:15 AM (really it was Monday) I noted that the displayed
time was 11:15.  I remembered that the old dates for time change were built
into the clock, so the clock automatically changed the time a few weeks
early.  I wound the time ahead to the correct 12:15 AM.

The next morning I awoke and noted that it was past the set alarm time of
6:20 AM.  Further, I noted that it was getting light and checked another
clock that said it was after 7:20 AM.  After some consideration, I realized
that when setting the time ahead from 11:15 PM to 12:15 AM, the date didn't
change so I had really set it to 12:15 AM on Sunday morning.  Then, at 2 AM
(this being Sunday in the mind of the clock), the clock set the time ahead
again!  Also, as the clock still thought it was Sunday, the alarm wouldn't
go off anyway (it is set to alarm only on weekdays).


Date: Wed, 1 Dec 2010 19:53:30 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Windows Phone 7 jailbreak tool comes, goes within a week

Windows Phone 7 jailbreak tool comes, goes within a week  [NNSquad]
http://bit.ly/hGc3ay  (arc technica)

Exercise for readers, compare and contrast this closed attitude with that of


Date: Tue, 30 Nov 2010 11:22:15 +0100
From: Dag-Erling Smørgrav <des_at_private>
Subject: Re: Passenger arrested for stripping down to underwear (R 26 23)

The TSA sure didn't mind when a good-looking young woman walked through
security in a bikini.  Nor did the press.  It's hard to find an article
about this event that doesn't have drool stains on it, so I won't post
any links or excerpts, but you can get the full story (complete with
video footage and slide shows) by googling "Corinne Theile".

Dag-Erling Smørgrav - des_at_private

  [PGN adds that this item was also noted by Chris D.: ``As it happens, this
  week's newspaper features underwear with strategically-placed shield
  panels, invented by a guy called Jeff Buske -- a Google search for his
  name comes up with many links to this.  (Probably the closest that RISKS
  has ever come to featuring glamour models!)'']


Date: Thu, 02 Dec 2010 21:03:37 +0000
From: "Chris D." <e767pmk_at_private>
Subject: Risk of RISKS? (RISKS-26.23)

Several items contain URL-shorteners like this:

>   U.S. may require jamming of cell phone use inside vehicles
>   http://bit.ly/deUpGb  (Daily Caller)
>   Two items on this for Secretary LaHood:

I've seen it claimed that shortened URLs like bit.ly and goo.gl can be a
RISK as they may hide something nasty, which isn't obvious as you can't see
where the link actually ends up.  

  [We noted in RISKS long ago that short URLs may be ephemeral.  But I gave
  up on trying to chase down the real URLs, because browsers can generally
  find desired items anyway.  PGN]


Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 26.24
Received on Fri Dec 03 2010 - 15:03:30 PST

This archive was generated by hypermail 2.2.0 : Fri Dec 03 2010 - 17:06:02 PST