RISKS-LIST: Risks-Forum Digest  Thursday 13 January 2011  Volume 26 : Issue 29

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.29.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Jackpot: Bug or Feature? (Chuck Weinstock)
Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities (Mike Lennon via Monty Solomon)
Caveman: Using the cloud to break passwords (Dan Goodin)
Infected PC Compromises Pentagon Credit Union (slashdot via Robert Schaefer)
3 Tucson UMC workers fired for records access (Stephanie Innes via Monty Solomon)
Bug Causes iPhone Alarm to Greet New Year With Silence (Nick Bilton via Monty Solomon)
Wristwatch fails 2010->2011 transition (Bill Stewart)
Security risks in PDF documents (Lauren Weinstein)
New twist on ATM skimming: put the data collector inside the gas pump! (Paul Saffo)
Risks of Touring the White House (Daniel Faigin)
Confusing Interface (Gene Wirchenko)
Re: "Risk of coffee in the cockpit", maybe, maybe not (Danny Burstein)
Re: RISKS of reusing ID numbers (Jonathan Kamens)
50th Anniversary of Eisenhower's Farewell Address (PGN)
Call for Papers: RAID'11 (Guofei Gu)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 4 Jan 2011 09:54:49 -0500
From: Chuck Weinstock <weinstock_at_private>
Subject: Jackpot: Bug or Feature?

http://www.post-gazette.com/pg/11004/1115414-58.stm

A man in Pittsburgh was arrested on a federal warrant accusing him of stealing as much as $1.4 million from US casinos.  He was about to stand trial for bilking a local casino out of nearly a half-million dollars in fraudulent jackpots.
The jackpots resulted from a flaw in the software of certain IGT machines.  These machines apparently awarded a jackpot when a special sequence of buttons was pushed.  I wonder if a good defense here is that the machine was doing exactly what it was programmed to do and all the defendant was doing was using expert play to increase his chances of winning.

------------------------------

Date: Sun, 9 Jan 2011 12:05:04 -0500
From: Monty Solomon <monty_at_private>
Subject: Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities (Mike Lennon)

Mike Lennon, Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities, *SecurityWeek*, 3 Jan 2011

Internet TVs - The Latest Attack Vector: Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities

Was your home lucky enough to get a new Internet enabled TV over the holidays?  If so, you're probably quite excited and enjoying the features of your new digital media hub while you sit back and sip on some eggnog or hot chocolate from your couch - which you should.  But you may also want to be careful, as Internet TVs could be the newest avenue for cybercriminals to infiltrate your home or business.  (I know, more FUD from a security vendor, but this is actually interesting stuff and they were able to show us how it was done)

Security researchers have discovered several security flaws in one of the best-selling brands of Internet-connected HDTVs, and believe it's likely that similar security flaws exist in other Internet TVs.

During the course of its research, Mocana, the security firm that discovered the flaws, demonstrated that the TV's Internet interface failed to confirm script integrity before scripts were run.  As a result, an attacker could intercept transmissions from the television to the network using common "rogue DNS", "rogue DHCP server", or TCP session hijacking techniques.
Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device's Internet functionality.  This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer's permission.  More importantly, however, this same mechanism could be used to extract sensitive credentials from the TV's memory, or prompt the user to fill out fake online forms to capture credit card information.  (Mocana did issue a technical report on the details of the security vulnerabilities which is available here - short registration required)

Additionally, researchers were able to recover the manufacturer's private "third-party developer keys" from the television, because in many cases, these keys were transmitted unencrypted and "in the clear."  Many third-party search, music, video and photo-sharing services delivered over the Internet require such keys, and a big TV manufacturer often purchases high-volume "special" access privileges to these service providers' networks.  A hacker could potentially employ these keys, for example, to access these high-volume services at no charge (or at least, on the TV manufacturer's bill). ...

http://www.securityweek.com/researchers-hack-internet-enabled-tvs-discover-multiple-security-vulnerabilities

------------------------------

Date: Wed, 12 Jan 2011 1:58:26 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Caveman: Using the cloud to break passwords

  [Thanks to Jeremy Epstein and Matthew Kruk.]

Dan Goodin in San Francisco, Researcher cracks Wi-Fi passwords with Amazon cloud: Return of the Caveman attack, *The Register*, 11 Jan 2011
http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/

A security researcher has tapped Amazon's cloud computing service to crack Wi-Fi passwords in a fraction of the time and for a fraction of the cost of using his own gear.
Thomas Roth of Cologne, Germany told Reuters [1] he used custom software running on Amazon's Elastic Compute Cloud service to break into a WPA-PSK protected network in about 20 minutes.  With refinements to his program, he said he could shave the time to about six minutes.  With EC2 computers available for 28 cents per minute, the cost of the crack came to just $1.68.

"People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so," Roth told the news service.  "But it is easy to brute force them."

Roth is the same researcher who in November used Amazon's cloud to brute force SHA-1 hashes [2].  Roth said he cracked 14 hashes from a 160-bit SHA-1 hash with a password of between one and six characters in about 49 minutes.  He told The Register at the time he'd be able to significantly reduce that time with minor tweaks to his software, which made use of "Cluster GPU Instances" of the EC2 service [3].

As the term suggests, brute force cracks are among the least sophisticated means of gaining unauthorized access to a network.  Rather than exploit weaknesses, they try huge numbers of possible passwords until the right phrase is entered.  Roth has combined this caveman approach with a highly innovative technique that applies it to extremely powerful servers that anyone can rent at highly affordable rates.

Roth's latest program uses EC2 to run through 400,000 possible passwords per second, a massive amount that only a few years ago would have required the resources of a supercomputer.  He is scheduled to present his findings [4] at next week's Black Hat security conference in Washington, DC.

1. http://uk.reuters.com/article/idUKTRE70641M20110107
2. http://www.theregister.co.uk/2010/11/18/amazon_cloud_sha_password_hack/
3. https://aws.amazon.com/ec2/
4.
   http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Roth

------------------------------

Date: Thu, 13 Jan 2011 08:21:30 -0500
From: Robert Schaefer <rps_at_private>
Subject: Infected PC Compromises Pentagon Credit Union

"The credit union used by members of the U.S. armed forces and their families has admitted that a laptop infected with malware was used to access a database containing the personal and financial information of customers.  The Pentagon Federal Credit Union (PenFed) issued a statement to the New Hampshire Attorney General that said data, including the names, addresses, Social Security Numbers and PenFed banking and credit card account information of its members were accessed by the infected PC."  slashdot, 12 Jan 2011
https://threatpost.com/en_us/blogs/infected-pc-compromises-pentagon-credit-union-011211

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886  1-781-981-5767  http://www.haystack.mit.edu

------------------------------

Date: Thu, 13 Jan 2011 10:31:04 -0500
From: Monty Solomon <monty_at_private>
Subject: 3 Tucson UMC workers fired for records access (Stephanie Innes)

Stephanie Innes, *Arizona Daily Star*, 12 Jan 2011

Three employees at Tucson's University Medical Center have been fired for violating patient privacy in connection with accessing confidential medical records in the high-profile shooting rampage that killed six people and left Congresswoman Gabrielle Giffords in critical condition, hospital officials said.  All the remaining injured patients from the shootings, including Giffords, are at UMC. ...
http://azstarnet.com/news/local/crime/article_4f789a48-1e8c-11e0-929a-001cc4c002e0.html

------------------------------

Date: Mon, 3 Jan 2011 19:20:51 -0500
From: Monty Solomon <monty_at_private>
Subject: Bug Causes iPhone Alarm to Greet New Year With Silence

Nick Bilton, Bug Causes iPhone Alarm to Greet New Year With Silence, *The New York Times*, 2 Jan 2011

Pat Kiernan, a morning anchor on NY1, the New York City cable news channel, is no stranger to alarm clock problems.  That's why he usually relies on several clocks, phones and other devices to wake him in time for his early newscasts.

That redundancy paid off for Mr. Kiernan on Saturday when his primary alarm, the one built into his Apple iPhone, failed to go off because of a programming error in the phone's calendar software.

"Before I went to bed I set two iPhone alarms, and both completely failed to go off," said Mr. Kiernan, adding that he uses the iPhone as his alarm clock when he travels.  "Luckily I had an Android phone with me as a third backup alarm, and it woke me up in time for my news segment."

Many people weren't as lucky as Mr. Kiernan, voicing frustration online after they overslept on the first morning of the new year.  By Sunday morning thousands more people were posting angry missives about the iPhone problem on Twitter, Facebook and other social networks, noting that they had missed a breakfast meeting or were running late for work or church. ...

http://www.nytimes.com/2011/01/03/technology/03iphone.html

------------------------------

Date: Sat, 01 Jan 2011 01:59:51 -0800
From: Bill Stewart <bill.stewart_at_private>
Subject: Wristwatch fails 2010->2011 transition

At last night's New Years Eve party, we were already disturbed to find significant time skew between people who had cell phones and wristwatches that are automatically set from WWV.  (Most of the phones either had the same time or didn't show seconds.)
And then at midnight, somebody's new digital wristwatch failed :-)  We're not really sure what happened, and it fixed itself about 10 minutes later, but the owner said it spent a while going back and forth between 00:12 and 00:13 or something equally strange.

This being a techie crowd, it led to the usual stories about Y2K and programs on punched cards that needed to be rewritten for the one-digit-date rollover from 1979->1980 and such, but after Y2K you'd think people would just Know Better.

------------------------------

Date: Sun, 2 Jan 2011 08:48:11 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Security risks in PDF documents

  [From Network Neutrality Squad]

http://bit.ly/gUuFCU  (The H Security)

Depending on implementation details, this may be an argument for viewing PDF documents in inherently more "sandboxed" environments like Google Chrome (which has a basic internal PDF viewer) rather than using full-blown Adobe readers (when possible and practical, given current feature requirements in any given case).

------------------------------

Date: Wed, 12 Jan 2011 07:23:50 -0800
From: Paul Saffo <psaffo_at_private>
Subject: New twist on ATM skimming: put the data collector inside the gas pump!

Two Men Plea Guilty in Sophisticated Gas Station ATM and Credit Card Skimming Scheme, 11 Jan 2011, Contact: (510) 622-4500
http://oag.ca.gov/news/press_release?id=2024

Martinez CA, Two men were sentenced today to prison for their role in stealing more than $90,000 from some 200 people in Northern California by stealing personal financial information with a sophisticated skimming device placed inside ATM and credit card payment devices at gas station pumps.

This morning in Contra Costa County Superior Court in Martinez, the two men pleaded guilty to all felonies they were charged with, including conspiracy and identity theft.  David Karapetyan, 32, pled guilty to 37 felonies and received a seven-year prison sentence.
Zhirayr Zamanyan, 31, pled guilty to five felonies and received a five-year prison sentence.  Two other defendants, Edwin Hamazaspyan, 31, and Naum Mints, 21, are scheduled to appear in court on February 15.

In March, the Attorney General's office took over prosecution of the case from the Contra Costa District Attorney's office because the crimes occurred in multiple jurisdictions throughout Northern California.  An amended complaint was filed in October.

In their high-tech crime spree, the gang traveled to gas stations across the Bay Area in a rented Cadillac Escalade.  From November 2009 to February 2010, they are believed to have stolen $90,000 from 196 people through their skimming scheme.

The thieves acquired keys to unlock various kinds of gas station pumps.  Once they opened the pumps, they were able to connect two cables inside to their two-inch electronic device, which looked like a circuit board encased in electrical tape, and recorded ATM and credit card data as well as victims' PINs.  No tampering was visible on the outside of the pumps.  The gang would later return to retrieve the skimmers, which took less than 20 seconds.

The investigation began in February when police in Solano and Contra Costa counties reported an increase in identity theft and a 7-Eleven store employee in Martinez noticed a skimming device inside a gas pump.  Police removed the device, replaced it with a mock device and conducted 24-hour surveillance.  Karapetyan and Zamanyan were arrested when they arrived to remove the device.  In total, seven devices were found inside gas pumps in Martinez, Benicia, Livermore, Hayward, Oakland, San Mateo and Sacramento.  Banks have reimbursed the victims.

The Northern California Computer Crimes Task Force, a partnership of 17 local, state and federal agencies, participated in the investigation with assistance from the U.S. Secret Service, Martinez Police Department and the Glendale Police Department.
The amended complaint and second amended complaint, as well as the arrest affidavit for Mints, are attached to the electronic version of the press release on the Attorney General's website: www.ag.ca.gov

------------------------------

Date: Tue, 4 Jan 2011 12:04:40 -0800
From: Daniel Faigin <faigin_at_private>
Subject: Risks of Touring the White House

My daughter is getting ready for a Confirmation Class trip to Washington DC, which will include a trip to the White House.  So I received an email request from the trip coordinator stating:

  "There is a security form that I must fill out and I need the following information for each student/participant ASAP!
   1. Name as it appears on Drivers License or other legal document;
   2. Social Security Number;
   3. Exact Date of Birth;
   4. Citizen of US? Yes or No?;
   5. City of current residence."

She needed it ASAP, and I'm betting most parents will blindly email her the SSN.  I've already informed her of the problem with doing that, but this is just the tip of the iceberg.

I wanted to see why the SSN was required, and so I did some searching.  I found Rep Elton Gallegly's site on tours (https://forms.house.gov/gallegly/forms/tours/tour_request.shtml), and it calls for the same information.  So this seems to be a White House requirement (and SSNs seem to be a common identifier for searching security records, even though that isn't their real use).  However, what is scary is the following: "Download Security Information Sheet (Excel) and email to CA24.Tours_at_private".  Yup.  Email again.  You would think in this era of the Privacy Act the White House webmaster would have set up an HTTPS: page to submit this information.

Daniel Faigin, CISSP  faigin -at cahighways -dot org
Journal/Blog: cahwyguy.livejournal.com  Facebook: facebook.com/cahwyguy

------------------------------

Date: Mon, 10 Jan 2011 13:44:23 -0800
From: Gene Wirchenko <genew_at_private>
Subject: Confusing Interface

I just got an Epson Stylus NX215 printer.
I hope it lasts longer than my Dell laser printer which did not get through its second toner cartridge although my usage was not heavy in the 3 1/2 years that I used it.

My new printer has very nice documentation for the installation, but one little bit got me.  Near the end, there is the option to install some additional goodies.  The interface was less than clear.

"Select the items you want and click Install".  OK.  What do the Xs mean?  Do they mean that the items have been selected, or that no, they have not been?  The form starts with an X in each choice.  It turns out that X means selected, but it could easily mean the other way around since X can mean wrong or no.

Windows has standard input controls, but it seems that it is not the thing to do to use them when writing your installation program.  I have run into the attitude before.  In one USENET posting, a newbie was asking about other controls.  He did not want to use the standard ones, BECAUSE they were standard.

I remember one of the benefits of Windows pushed in the early days was that with standard interfaces, it would be easier.  My bet was that, since graphics was getting to be very important, the standard controls would be considered not good enough.  I wish I had bet money on this.  This is not the first time that I have been puzzled by non-standard controls.

------------------------------

Date: Wed, 12 Jan 2011 20:29:31 -0500 (EST)
From: Danny Burstein <dannyb_at_private>
Subject: Re: "Risk of coffee in the cockpit", maybe, maybe not (Brown, RISKS-26.28)

The aviation folk are having lots of fun digesting this story and trying to determine whether or not the claimed scenario is, indeed, plausible.

Curiously enough the film "Fate is the Hunter" [a] aired, err, cabled... on the Turner Classic Movies cable channel a week or so ago.  The plot revolves around an airplane crash which seems to be due to pilot error.  One investigator just can't believe "his pilot" would do something that careless.
The relevance here (rot-13'ed as it's a spoiler):

  Vg gheaf bhg gung n fcvyyrq phc bs pbssrr fubegrq bhg gur pbageby pvephvgel, xabpxvat bhg gur ratvarf.

So it may be that we have real life following a movie script.  Or possibly just the reporting of same...

[a] http://en.wikipedia.org/wiki/Fate_Is_the_Hunter_%28film%29
    http://www.imdb.com/title/tt0058091/

  [Also noted by Charlie Shub, citing the author of the 1961 movie Ernest K. Gann, and the Glenn Ford movie (1964).  PGN]

------------------------------

Date: Wed, 12 Jan 2011 09:28:16 -0500
From: Jonathan Kamens <jik_at_private>
Subject: Re: RISKS of reusing ID numbers (RISKS 26.27)

  [I somehow missed Geoff Kuenning's response to Jonathan before putting out RISKS-26.28.  But I thought Jonathan's posting stood on its own.  This time, Geoff's reply to Jonathan follows below.  PGN]

Geoff,

It seems to me that Apple is not *complicit* in this case.  Rather, Apple is *the cause* of the problem you encountered.  If TNT's tracking numbers end with two letters, and Apple doesn't include the two letters when giving out TNT tracking numbers, then the confusion was introduced by Apple, not by TNT.

I have no direct knowledge of how TNT generates tracking numbers, but with those two letters at the end, I can easily envision a tracking number algorithm which would completely eliminate the potential for confusion.  For example, if the two letters indicate in base 26 the number of days since some baseline date modulus 676 (26*26), which gives you a range of 1.85 years, then as long as (a) TNT removes old shipping records from their Web tracking in less than 1.85 years, and (b) their system ensures that the same tracking number is not used twice /in the same day/, tracking number confusion will never occur.

I think a correction to RISKS is in order.
On 01/12/2011 07:57 AM, Geoff Kuenning wrote:
>> Their Web site says, "If your consignment number appears more than once
>> in the results field, you can use the letters as shown on your
>> consignment note, e.g. GE123456781WW, to avoid duplicate results."  Were
>> you given those letters?  Did using them eliminate the duplication?
> Interesting; I missed seeing that note.  No, I wasn't given those letters.
> I cut and pasted directly from Apple's e-mail.  So apparently Apple is
> complicit in this case.  (*Why* would they go out of their way to remove
> information?  It can't be easy to correctly reduce the ID number from
> multiple shipping suppliers to a minimal acceptable value.  Weird.)

------------------------------

Date: Thu, 13 Jan 2011 11:20:22 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: 50th Anniversary of Eisenhower's Farewell Address

CSPO and AAAS are co-sponsoring a seminar in Washington, D.C., commemorating the 50th anniversary of President Dwight D. Eisenhower's farewell address.  Eisenhower's speech is mainly remembered for his warning of the perils of a "military-industrial complex."  Less widely known, but no less important, was his caution a few sentences later about "the danger that public policy could itself become the captive of a scientific-technological elite."  This seminar will explore the historical context and current relevance of Eisenhower's worries.

Was He Right About the "Scientific-Technological Elite?"
AAAS Auditorium / Washington, D.C.

Panel:
* Dan Greenberg, science journalist and author of several books on science policy
* Gregg Pascal Zachary, author of the authoritative biography of Vannevar Bush
* William Lanouette, a journalist on science policy and a senior analyst on energy and science issues at GAO from 1991 to 2006
* Dan Sarewitz, co-director of CSPO
* Moderator: Steve Lagerfeld, editor of The Wilson Quarterly

Live webcast Jan.
18 at 4:30p ET / 2:30p MT
GO TO: http://www.ustream.tv/channel/cspo

------------------------------

Date: Thu, 13 Jan 2011 16:01:04 -0600
From: "Guofei Gu" <guofei_at_private>
Subject: Call for Papers: RAID'11

CALL FOR PAPERS: RAID 2011
14th International Symposium on Recent Advances in Intrusion Detection
September 20-21, 2011
SRI International, Menlo Park, CA
http://raid2011.org

Paper submission deadline: Mar 31, 2011 (11:59PM PST)

  [Excerpted for RISKS.  See raid2011.org for details.  PGN]

This symposium, the 14th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense.  The Recent Advances in Intrusion Detection (RAID) International Symposium series furthers advances in intrusion defense by promoting the exchange of ideas in a broad range of topics.

As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:
* Network and host intrusion detection and prevention
* Anomaly and specification-based approaches
* IDS cooperation and event correlation
* Malware prevention, detection, analysis, containment
* Web application security
* Insider attack detection
* Intrusion response, tolerance, and self-protection
* Operational experiences with current approaches
* Intrusion detection assessment and benchmarking
* Attacks against intrusion detection systems
* Formal models, analysis, and standards
* Deception systems and honeypots
* Vulnerability analysis and forensics
* Adversarial machine learning for security
* Visualization techniques
* High-performance intrusion detection
* Legal, social, and privacy issues
* Network exfiltration detection
* Botnet analysis, detection, and mitigation
* Cyber-physical systems

General Chair: Alfonso Valdes, SRI International, US
Program Chair: Robin Sommer, ICSI/LBNL, US
Program Co-Chair:
Davide Balzarotti, Eurecom, France
Publication Chair: Gregor Maier, ICSI, US
Publicity Chair: Guofei Gu, Texas A&M, US

Guofei Gu, Assistant Professor, Department of Computer Science & Engineering, Texas A&M University

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.  The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may also specify a different receiving address: subscribe address= ... .  You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.  Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address.  Instructions are included in the confirmation message.  Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.29
************************
Received on Thu Jan 13 2011 - 19:17:25 PST
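Added example (not part of the digest, the SecurityWeek article, or Mocana's report), illustrating the Internet TV item above: the flaw reported there is that the TV's Internet interface failed to confirm script integrity before scripts were run, so whatever an on-path party substituted via rogue DNS, a rogue DHCP server or session hijacking was executed as-is. The Python below shows the missing control in its simplest form, a digest manifest shipped with the device and checked before any script reaches the interpreter. The script text, manifest, names and digests are constructed for this illustration and are not any vendor's real data.

```python
import hashlib
import hmac

# Constructed example: the "manifest" a device could ship in firmware,
# mapping each script it is allowed to run to the SHA-256 digest of the
# version it was built against.  The script text, name and digest are
# assumptions for this illustration, not any vendor's real data.
ORIGINAL_SCRIPT = b"function showGuide() { render(fetchGuide()); }\n"

MANIFEST = {
    "guide.js": hashlib.sha256(ORIGINAL_SCRIPT).hexdigest(),
}


class IntegrityError(Exception):
    """Raised when fetched content does not match its pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_script(name: str, fetched: bytes, manifest=MANIFEST) -> bytes:
    """Return the script bytes only if their digest matches the manifest.

    A script with no manifest entry is rejected outright: an unknown name
    must not default to "run it anyway".  The digest comparison uses
    hmac.compare_digest so the check itself runs in constant time.
    """
    expected = manifest.get(name)
    if expected is None:
        raise IntegrityError(f"no pinned digest for {name!r}")
    actual = sha256_hex(fetched)
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(
            f"{name}: digest {actual[:12]}... does not match pinned {expected[:12]}...")
    return fetched


def load_script_checked(name: str, fetched: bytes, manifest=MANIFEST) -> str:
    """Log-friendly wrapper: report 'accepted' or 'rejected: <reason>'."""
    try:
        verify_script(name, fetched, manifest)
        return "accepted"
    except IntegrityError as err:
        return f"rejected: {err}"


# Constructed scenario: the script as built, and a copy that an on-path
# party has altered in transit (the rogue-DNS / session-hijack case in the
# article).  Neither host name nor URL tells these apart; only the digest does.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// line appended in transit\n"

if __name__ == "__main__":
    print("guide.js (as built): ", load_script_checked("guide.js", ORIGINAL_SCRIPT))
    print("guide.js (modified): ", load_script_checked("guide.js", TAMPERED_SCRIPT))
    print("unlisted.js:         ", load_script_checked("unlisted.js", ORIGINAL_SCRIPT))
```

Pinned digests suit scripts fixed at build time; content that changes after shipment needs a signed manifest (a vendor public key in firmware verifying a signature over the digest list) and, at the transport level, TLS with proper certificate validation, which is what closes the rogue-DNS and hijacking paths the article names. The same verify-before-use habit applies to the developer keys the article says were sent in the clear: a secret that crosses the network unprotected has to be treated as already disclosed.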
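Added example (not the digest's or Roth's code) illustrating the Caveman item above: the arithmetic behind the claim that short passwords fall cheaply at 400,000 guesses per second. It generalises the article's one-to-six-character case to several constructed password policies, computes the cumulative keyspace for each, and turns it into a worst-case exhaustion time at the quoted rate. The rate is the article's figure taken as a constant; the policies are labelled assumptions.

```python
# Guess rate the article quotes for Roth's EC2 setup, in guesses per second.
ARTICLE_RATE = 400_000

# Constructed password policies: (label, alphabet size, min length, max length).
POLICIES = [
    ("digits, 1-6",        10, 1, 6),
    ("lowercase, 1-6",     26, 1, 6),
    ("alphanumeric, 1-6",  62, 1, 6),
    ("alphanumeric, 1-8",  62, 1, 8),
    ("alphanumeric, 12",   62, 12, 12),
]


def cumulative_keyspace(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Candidates of every length from min_len to max_len over an alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(keyspace: int, rate: float) -> float:
    """Time to try every candidate at a sustained rate (expected time is half)."""
    return keyspace / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def cost_table(rate: float = ARTICLE_RATE, policies=POLICIES):
    """(label, keyspace, worst-case seconds) for each policy at the given rate."""
    rows = []
    for label, alphabet, lo, hi in policies:
        ks = cumulative_keyspace(alphabet, hi, lo)
        rows.append((label, ks, worst_case_seconds(ks, rate)))
    return rows


if __name__ == "__main__":
    for label, ks, secs in cost_table():
        print(f"{label:20s} {ks:>26,d} candidates   {human_duration(secs):>22s}")
```

The table shows why the six-character case in the article is a matter of hours at most (about 40 hours worst case for mixed-case alphanumerics at this rate, minutes for lowercase only), and why a twelve-character random passphrase over the same alphabet sits at hundreds of millions of years. The expected time for a randomly chosen password is half the worst case, and the achievable rate differs between plain SHA-1 and the WPA-PSK derivation, so the rate is a parameter rather than a fixed property of the policy.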
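Added example (not the digest's, Kamens's or TNT's code) implementing the suffix scheme Kamens sketches in the reusing-ID-numbers item above: two base-26 letters encoding the days since a baseline date modulo 676, which keeps a reused serial unambiguous provided serials are unique within a day and records are purged before the 676-day window wraps. The baseline date, the 9-digit serial layout and the sample records are assumptions; the lookup shows the thread's Apple case, where the query arrives with the suffix dropped.

```python
from datetime import date, timedelta

# Assumed baseline date; the post leaves it unspecified.
BASELINE = date(2010, 1, 1)
MODULUS = 26 * 26  # 676 distinct two-letter suffixes, i.e. about 1.85 years of days


def day_suffix(shipped: date, baseline: date = BASELINE) -> str:
    """Two base-26 letters encoding (days since baseline) mod 676."""
    n = (shipped - baseline).days % MODULUS
    return chr(ord("A") + n // 26) + chr(ord("A") + n % 26)


def suffix_after_days(days: int) -> str:
    """Suffix for the day that is `days` after the baseline (shows the wrap-around)."""
    return day_suffix(BASELINE + timedelta(days=days))


def suffix_to_day_offset(suffix: str) -> int:
    """Inverse of day_suffix: the day offset (mod 676) the two letters encode."""
    hi, lo = (ord(c) - ord("A") for c in suffix.upper())
    return hi * 26 + lo


def make_tracking_id(serial: int, shipped: date) -> str:
    """Constructed layout: a 9-digit serial that is unique per day, then the suffix."""
    return f"{serial:09d}{day_suffix(shipped)}"


def lookup(records, query: str):
    """Records matching the query.  A 9-digit query (suffix dropped, as in the
    Apple e-mail) can match several; a full 11-character query matches at most one."""
    return [r for r in records if r["id"] == query or r["id"][:-2] == query]


def within_retention(records, max_days: int = MODULUS - 1) -> bool:
    """Kamens's condition (a): every retained record must fall inside one 676-day
    window; otherwise suffixes wrap and the same serial can collide again."""
    days = [r["shipped"] for r in records]
    return (max(days) - min(days)).days <= max_days


# Constructed records: the same 9-digit serial reused on two different days.
RECORDS = [
    {"id": make_tracking_id(123456781, date(2010, 3, 5)),  "shipped": date(2010, 3, 5),  "item": "laptop"},
    {"id": make_tracking_id(123456781, date(2011, 1, 10)), "shipped": date(2011, 1, 10), "item": "phone"},
]

if __name__ == "__main__":
    print([r["id"] for r in RECORDS])            # suffixes differ: ...CL and ...OK
    print(len(lookup(RECORDS, "123456781")))     # 2: ambiguous without the suffix
    print(len(lookup(RECORDS, "123456781OK")))   # 1: unambiguous with it
    print(within_retention(RECORDS))             # True: both inside one window
    print(suffix_after_days(MODULUS))            # AA: the encoding wraps after 676 days
```

The wrap-around is the point of condition (a): day 676 encodes to the same letters as day 0, so a record kept longer than the window is indistinguishable by suffix from a fresh one with the same serial, and the retention policy, not the encoding, is what rules that out.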
This archive was generated by hypermail 2.2.0 : Thu Jan 13 2011 - 21:11:43 PST