RISKS-LIST: Risks-Forum Digest  Sunday 23 October 2011  Volume 26 : Issue 59

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.59.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
China Bullet Trains Trip on Technology (Areddy/Shirouzu)
NJ election cover-up (Andrew Appel via Monty Solomon)
Gas bill climbed 13,000 pounds after correct online reading given
  (Gabe Goldberg)
Robot editors strike again (Earl Boebert)
Computer Virus Hits U.S. Drone Fleet (WiReD via Joly MacFie)
BlackBerry Outage Linked to Massive Drop in Traffic Crashes (Brad Aaron)
Re: Blackberry outage saves lives (Mark Thorson)
Security Vulnerability In HTC Android Devices (Artem Russakovskii)
Skype for iPhone makes stealing address books a snap (Dan Goodin)
Massive HTC Android phone vulnerabilities reported
  (John P. Mello Jr. via Gene Wirchenko)
AmEx 'debug mode left site wide open' (John Leyden via Monty Solomon)
Air traffic control data found on eBayed network gear (John Leyden)
Skype flaw allows BitTorrent users to be identified (Jeremy Kirk)
Adobe flash design would let authorities order Adobe to turn on your
  mic/camera remotely (Steve Bellovin)
FBI Official Calls for Secure, Alternate Internet (Lauren Weinstein)
Researchers crack W3C encryption standard for XML (Lauren Weinstein)
Better Business Bureau offers rogue script browser peril (Gabe Goldberg)
Washington objects, OnStar reverses tracking policy (Computerworld)
Re: United Airlines uses 11,000 iPads ... (John Stanley)
ACSAC 2011 open for registration (Jeremy Epstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 4 Oct 2011 17:25:15 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: China Bullet Trains Trip on Technology (Areddy/Shirouzu)

James T. Areddy (Shanghai) and Norihiko Shirouzu (Beijing),
*The Wall Street Journal*, 3 Oct 2011; PGN-ed.
Yang Jie in Shanghai and Yoli Zhang in Beijing contributed to this article.
james.areddy_at_private, norihiko.shirouzu_at_private
http://online.wsj.com/article/SB10001424053111904353504576568983658561372.html

The *WSJ* item is quite long.  I attempt to make a very long story and still
unresolved short: Hitachi used components in China's high-speed rail
signaling system that were delivered to them as black boxes from Hollysys
Automation Technologies Ltd., with no specs or details -- to hinder reverse
engineering.  This clearly also hindered system testing, and seems likely to
have contributed to recent deadly crashes.

------------------------------

Date: Wed, 28 Sep 2011 08:10:56 -0400
From: Monty Solomon <monty_at_private>
Subject: NJ election cover-up (Andrew Appel)

By Andrew Appel, Freedom to Tinker, 13 Sep 2011

During the June 2011 New Jersey primary election, something went wrong in
Cumberland County, which uses Sequoia AVC Advantage direct-recording
electronic voting computers.  From this we learned several things:

1. New Jersey court-ordered election-security measures have not been
   effectively implemented.

2. There is a reason to believe that New Jersey election officials have
   destroyed evidence in a pending court case, perhaps to cover up the
   noncompliance with these measures or to cover up irregularities in this
   election.  There is enough evidence of a cover-up that a Superior Court
   judge has referred the matter to the State prosecutor's office.

3. Like any DRE voting machine, the AVC Advantage is vulnerable to
   software-based vote stealing by replacing the internal vote-counting
   firmware.  That kind of fraud probably did not occur in this case.
   But even without replacing the internal firmware, the AVC Advantage
   voting machine is vulnerable to the accidental or deliberate swapping of
   vote-totals between candidates.  It is clear that the machine misreported
   votes in this election, and both technical and procedural safeguards
   proved ineffective to fully correct the error.  [...]

https://freedom-to-tinker.com/blog/appel/nj-election-cover

Did NJ election officials fail to respect court order to improve security
of elections?
https://freedom-to-tinker.com/blog/appel/did-nj-election-officials-fail-respect-court-order-improve-security-elections

Will the NJ Attorney General investigate the NJ Attorney General?
https://freedom-to-tinker.com/blog/appel/will-nj-attorney-general-investigate-nj-attorney-general

What happens when the printed ballot face doesn't match the electronic
ballot definition?
https://freedom-to-tinker.com/blog/appel/what-happens-when-printed-ballot-face-doesnt-match-electronic-ballot-definition

http://www.cs.princeton.edu/~appel/voting/nj-election-cover-up.pdf

------------------------------

Date: Sat, 22 Oct 2011 23:23:40 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Gas bill climbed 13,000 pounds after correct online reading given

*Register* Reader and Stockport dweller Rob was shocked to find that trying
to save his mother a few pounds on her gas bill ended up pushing the tab up
13,088.43 pounds, rather than down the 20 quid he was expecting.  It was the
unlikely result of entering a meter reading on Southern Electric's website.

We asked Southern Electric what went wrong.  Turns out it is down to a weird
feature of their website which would put other customers looking to save a
few pounds at the same risk of being over-billed by ten thousand odd.
Instead of just taking the number down 23 and recalculating accordingly,
their bill-calculator programme went through into a whole new cycle -
pushed the meter up to 9999, down to zero again and then up to 7305.
Meaning that they assumed it had gone up 9,977 since last time, rather than
down 23.

http://www.theregister.co.uk/2011/10/06/gas_bill_shocker/

------------------------------

Date: Sat, 15 Oct 2011 09:39:38 -0600
From: Earl Boebert <boebert_at_private>
Subject: Robot editors strike again

I just made a posting over on the Deepwater Horizon thread on gCaptain.  I
used the word "adversarial" (without quotes).  Robot changed it to:
advers"lux-sans-1" (with quotes)

I changed it to "headbutting" and went on with life.

------------------------------

Date: October 7, 2011 5:37:02 PM EDT
From: Joly MacFie <joly_at_private>
Subject: Computer Virus Hits U.S. Drone Fleet (WiReD)

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

A computer virus has infected the cockpits of America's Predator and Reaper
drones, logging pilots' every keystroke as they remotely fly missions over
Afghanistan and other warzones.  The virus included a key-logger payload,
and had been detected by the military's Host-Based Security System, nearly
two weeks before the *WiReD* item appeared.  It has reportedly not
prevented pilots at Creech Air Force Base in Nevada from flying their
missions overseas.  And there are no confirmed incidents of classified
information being lost or sent to an outside source.  However, the virus
has resisted multiple efforts to remove it from Creech's computers.  The
infection underscores the ongoing security risks in what has become the
U.S. military's most important weapons system.  "We keep wiping it off, and
it keeps coming back.  We think it's benign.  But we just don't know."
[PGN-ed from the *WiReD* Danger Room]

------------------------------

Date: Thu, 20 Oct 2011 14:56:19 -0400
From: Monty Solomon <monty_at_private>
Subject: BlackBerry Outage Linked to Massive Drop in Traffic Crashes (Brad Aaron)

According to data released last week by NYPD, distracted drivers were the
leading cause of city traffic crashes in August.
Of 16,784 incidents, 1,877 were attributed to "driver
inattention/distraction," while an additional 10 were linked specifically to
phones or other electronic devices.  While NYPD reports make it impossible
to decipher exactly how many city drivers are texting or talking before a
crash - we'll go out on a limb and assume it was more than 10 - the recent
BlackBerry service outage in Europe, Africa and the Middle East served to
illustrate the extent of the problem in two cities. ...

[Source: Brad Aaron, BlackBerry Outage Linked to Massive Drop in Traffic
Crashes, StreetsBlog, 17 Oct 2011]
http://www.streetsblog.org/2011/10/17/blackberry-outage-linked-to-massive-drop-in-traffic-crashes/

------------------------------

Date: Mon, 17 Oct 2011 10:07:49 -0700
From: Mark Thorson <eee_at_private>
Subject: Re: Blackberry outage saves lives

The three-day Blackberry outage saw traffic accidents fall 20% in Dubai and
40% in Abu Dhabi.
http://www.thenational.ae/news/uae-news/blackberry-cuts-made-roads-safer-police-say

In this case, the normal condition is the *risk*, and the aberrant condition
is safer.  Perhaps this could be exploited by throttling down network
traffic during hazardous driving conditions, such as the first heavy rain
of the season, major holiday evenings, and at the end of large sports
events.

------------------------------

Date: Tue, 4 Oct 2011 00:53:35 -0400
From: Monty Solomon <monty_at_private>
Subject: Security Vulnerability In HTC Android Devices (Artem Russakovskii)

Artem Russakovskii: Massive Security Vulnerability In HTC Android Devices
(EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Email
Addresses, Much More, 3 Oct 2011

I am quite speechless right now.  Justin Case and I have spent all day
together with Trevor Eckhart (you may remember him as TrevE of DamageControl
and Virus ROMs) looking into Trev's findings deep inside HTC's latest
software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and
others.  These results are not pretty.  In fact, they expose such
ridiculously frivolous doings, which HTC has no one else to blame but
itself, that the data-leaking Skype vulnerability Justin found earlier this
year pales in comparison.  Without further ado, let me break things down.

The Vulnerability

In recent updates to some of its devices, HTC introduces a suite of logging
tools that collected information.  Lots of information.  LOTS.  Whatever the
reason was, whether for better understanding problems on users' devices,
easier remote analysis, corporate evilness - it doesn't matter.  If you, as
a company, plant these information collectors on a device, you better be
DAMN sure the information they collect is secured and only available to
privileged services or the user, after opting in.  That is not the case.
What Trevor found is only the tip of the iceberg - we are all still digging
deeper - but currently any app on affected devices that requests a single
android.permission.INTERNET (which is normal for any app that connects to
the web or shows ads) can get its hands on. ...

http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/

------------------------------

Date: October 22, 2011 12:35:13 PM EDT
From: Randall Webmail <rvh40_at_private>
Subject: Skype for iPhone makes stealing address books a snap (Dan Goodin)

Dan Goodin, *The Register*, 20 Sep 2011
Just add JavaScript

If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your
device's address book simply by sending you a chat message.

In a video posted over the weekend, the security researcher makes the attack
look like child's play.  Type some JavaScript commands into the user name of
a Skype account, use it to send a chat message to someone using the latest
version of Skype on an iPhone or iPod touch, and load a small program onto a
webserver.
Within minutes, you'll have a fully-searchable copy of the victim's address
book. ...

http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/

------------------------------

Date: Tue, 04 Oct 2011 09:37:50 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Massive HTC Android phone vulnerabilities reported (John P. Mello Jr.)

John P. Mello Jr., Massive HTC Android phone vulnerabilities reported:
Researchers say HTC failed to respond after they notified the firm of threat
risks on 24 Sep.  4 Oct 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=64366

selected text:

Security researchers say they've uncovered a flaw in several smartphone
models produced by HTC that gives any application that has Internet access
the keys to a trove of information on the phone, including e-mail addresses,
GPS locations, phone numbers, and text message data.

The modifications made to Android by HTC allow any application that you give
permission to access the Internet from the phone access to a plethora of
sensitive information on the device.  What's more, it also has permission to
send the data that it finds wherever it wants on the Net without your
knowledge.

  [See also an Infoworld item.  PGN]
http://www.infoworld.com/d/mobile-technology/androids-big-security-flaw-and-why-only-google-can-fix-it-175145

------------------------------

Date: Sun, 9 Oct 2011 11:38:28 -0400
From: Monty Solomon <monty_at_private>
Subject: AmEx 'debug mode left site wide open'

John Leyden, AmEx 'debug mode left site wide open', says hacker,
Customer cookies 'at risk', *The Register*, 7 Oct 2011

An alleged vulnerability on American Express site exposed customers to a
serious security risk before the credit card giant closed down a portion of
its site on Thursday afternoon.  Researcher Niklas Femerstrand claimed the
problem arose because the debug mode of the americanexpress.com site had
inexplicably been left on, thus providing access to vulnerable debug tools.
The security shortcoming created a possible mechanism to harvest users'
authentication cookies, according to Femerstrand. ...

http://www.theregister.co.uk/2011/10/07/amex_website_security_snafu/

------------------------------

Date: Sat, 1 Oct 2011 09:27:16 -0400
From: Monty Solomon <monty_at_private>
Subject: Air traffic control data found on eBayed network gear (John Leyden)

John Leyden, NATS passwords and info left on switch [costing 20 pounds],
*The Register*, 30 Sept 2011

A switch with networking configurations and passwords for the UK traffic
control centre was offered for sale on eBay, raising serious security
concerns.
http://www.theregister.co.uk/2011/09/30/nats_switch_fail/

------------------------------

Date: Fri, 21 Oct 2011 10:26:23 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Skype flaw allows BitTorrent users to be identified (Jeremy Kirk)

Jeremy Kirk, Skype flaw allows BitTorrent users to be identified:
Researchers have demonstrated it's possible to link BitTorrent users to
Skype account information via IP addresses.  It's a possible risk to Skype's
user privacy.  *ITBusiness*, 21 Oct 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=64617

------------------------------

Date: Sat, 22 Oct 2011 09:18:27 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Adobe flash design would let authorities order Adobe to turn on
  your mic/camera remotely (Steve Bellovin)

Adobe flash design would let authorities order Adobe to turn on your
mic/camera remotely
http://j.mp/pmyAJI (CircleID / Steven Bellovin) (via NNSquad)

  "From a technical perspective, it's simply wrong for a design to outsource
  a critical access control decision to a third party.  My computer should
  decide what sites can turn on my camera and microphone, not one of Adobe's
  servers.  The policy side is even worse.  What if the FBI wanted to bug
  you?  Could they get a court order compelling Adobe to make an access
  control decision that would turn on your microphone?"
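As an added illustration of the Southern Electric meter-reading item earlier in this issue (example code written for this digest, not from the article or the supplier's system): the wrap-around arithmetic that turns a reading 23 units lower into a 9,977-unit charge, beside a plausibility check that refuses such a reading and holds it for review. The stored reading of 7328 is reconstructed from the article's figures; the 500-unit plausibility limit is an assumption.

```python
METER_DIGITS = 4
METER_MODULUS = 10 ** METER_DIGITS   # a four-digit dial wraps from 9999 to 0000


def units_used_rollover(previous: int, current: int) -> int:
    """The bill-calculator logic the article describes: a reading lower than
    the previous one is taken to mean the dial passed 9999 and started again
    from zero, so the difference is computed modulo the dial size."""
    return (current - previous) % METER_MODULUS


def units_used_checked(previous: int, current: int,
                       max_plausible_units: int) -> int:
    """Hardened variant (an assumption of this example, not the supplier's
    fix): a lower reading is only accepted as a genuine wrap-around when the
    implied consumption is plausible for the billing period; otherwise it is
    treated as a correction and refused pending manual review."""
    for reading in (previous, current):
        if not 0 <= reading < METER_MODULUS:
            raise ValueError(
                f"reading {reading} is outside the {METER_DIGITS}-digit dial")
    used = (current - previous) % METER_MODULUS
    if current < previous and used > max_plausible_units:
        raise ValueError(
            f"reading {current:04d} is below the previous reading {previous:04d}; "
            f"a wrap-around would imply {used} units, above the plausible "
            f"maximum of {max_plausible_units}, so it is held for review")
    return used


# Constructed from the article's figures: the customer entered 7305 and the
# calculator charged for 9977 units, so the stored reading was 7328 (23 higher).
PREVIOUS_READING = 7328
CUSTOMER_READING = 7305
PLAUSIBLE_UNITS_PER_PERIOD = 500   # assumed sanity limit for one billing period


def demo() -> tuple:
    """Return the naive result and the outcome of the checked version."""
    naive = units_used_rollover(PREVIOUS_READING, CUSTOMER_READING)
    try:
        checked = units_used_checked(PREVIOUS_READING, CUSTOMER_READING,
                                     PLAUSIBLE_UNITS_PER_PERIOD)
        outcome = f"accepted: {checked} units"
    except ValueError as exc:
        outcome = f"rejected: {exc}"
    return naive, outcome


if __name__ == "__main__":
    naive_units, result = demo()
    print(f"naive roll-over calculation: {naive_units} units")
    print(f"checked calculation: {result}")
```

A genuine wrap (say 9990 to 0005) still passes the check, because the implied 15 units are within the limit.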
------------------------------

Date: Sat, 22 Oct 2011 12:26:11 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: FBI Official Calls for Secure, Alternate Internet

http://j.mp/qk4xTq (military.com)

  "In an Associated Press interview Thursday, [Shawn] Henry [FBI executive
  assistant director] said jihadist militants looking to harm the U.S. can
  tap organized crime groups who are willing to sell their services and
  abilities to attack computer systems.  He would not say which terror group
  or whether any insurgent networks have actually been able to acquire the
  high-tech capabilities.  But he said one way to protect critical utility
  and financial systems would be to set up a separate, highly secure
  Internet.  Henry sketched out the Internet idea to a crowd at a conference
  of the International Systems Security Association, saying that
  cyberthreats will always continue to evolve and outpace efforts to defend
  networks against them."

I won't even begin here to discuss the myriad reasons why this approach is
so incredibly problematic and -- dare I say it -- technologically naive.

------------------------------

Date: Fri, 21 Oct 2011 10:46:13 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Researchers crack W3C encryption standard for XML

  "A pair of German researchers revealed at the ACM Conference on Computer
  and Communications Security in Chicago this week that they have discovered
  a way to decrypt data within XML documents that have been encrypted using
  an implementation of the World Wide Web Consortium's XML Encryption
  standard."
http://j.mp/qGJBQv (ars technica)

------------------------------

Date: Sat, 22 Oct 2011 23:30:22 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Better Business Bureau offers rogue script browser peril

A JavaScript redirect on the BBB blogs site (hosted by WordPress) was
spawning an iframe to download malware for several days before it was shut
down.  [PGN-ed]
http://www.theregister.co.uk/2011/10/03/bbb_rogue_scripts/

------------------------------

Date: Wed, 28 Sep 2011 10:31:30 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Washington objects, OnStar reverses tracking policy (Re: RISKS-26.58)

  "Only a few days after it made what U.S. Senator Charles Schumer (D-NY)
  called "brazen" changes to its privacy policy, General Motors subsidiary
  OnStar has backed down and said it would revert back to its previous terms
  of service.  OnStar ignited a firestorm of criticism when it announced it
  would continue to collect information about customers of its onboard auto
  services even after their subscription ends - unless specifically
  instructed by the consumer not to.  In the past OnStar would have ended
  such tracking when a subscription ended.  OnStar typically collects data
  about customers' location, speed, driving habits and odometer mileage."
http://j.mp/mXIRv4 (*Computerworld*)

------------------------------

Date: Tue, 20 Sep 2011 16:23:56 +1200
From: Stephen Irons <stephen.irons_at_private>
Subject: Re: United Airlines uses 11,000 iPads to take planes paperless

In Risks Digest 26.56, Geoff Kuenning wrote:

> Re: United Airlines uses 11,000 iPads to take planes paperless
> But of course passengers will still be prohibited from using those same
> devices while the pilots have them turned on...

Patrick Smith writes the column 'Ask the Pilot' for salon.com.  In
http://www.salon.com/technology/ask_the_pilot/2011/09/01/paperless_cockpit ,
he writes:

  You were wondering, meanwhile ... Now that pilots can use their iPads in
  the cockpit, shouldn't passengers be allowed to use them in the cabin,
  whenever they want to?  And doesn't this prove that the rules about
  electronic devices aren't really necessary?

  Not quite.
  The main reason tablets and laptops are banned during takeoff and landing
  isn't because of concerns over interference, but because they might hinder
  an evacuation, and are potentially dangerous projectiles in the event of
  an impact or rapid deceleration.  I suspect you don't want a Kindle or
  MacBook knocking you in the head at 180 miles per hour.  The devices in
  the cockpit will need to be stowed or secured as well.

Stephen Irons, Tait Radio Communication  http://www.taitworld.com
175 Roydvale Ave, Christchurch, New Zealand  DDI: +64 - 3 - 357-0713

------------------------------

Date: Wed, 28 Sep 2011 11:39:04 -0700 (DT)
From: John Stanley <stanley_at_private>
Subject: Re: United Airlines uses 11,000 iPads ... (Douglass, RISKS-26.56)

Andrew Douglass <andrew_at_private>:
> If they require everyone to turn off wireless capabilities to avoid
> interference with instruments and communication (I trust there is a safety
> argument as well), is this not also a confession that there IS a
> vulnerability?

Of course.  This is not a secret.  Any radio system can be jammed.  There
are also "of course" ways of avoiding jamming.  Spread spectrum systems
developed for the military are one.  With this jam resistance comes three
major problems.

First, the cost of replacing every avionics system in every airplane on the
planet to work with the new, unjammable ground radio systems (ILS, voice,
ADF, marker beacon, MLS, VOR, DME, etc.) would be astronomical.  This change
would make every current handheld backup radio immediately obsolete,
reducing the safety factor of being able to have a handheld backup for
critical functions (and excluding all aircraft where the only radio systems
are handheld.)

Second, with the added complexity of this system comes new failure modes.

And third, once you are building aviation radios that cannot be jammed by
simple sources, you have aviation radios that can be jammed by someone who
has bought or stolen one of the new complex radios.  Spread spectrum works
for the military because their radios and programming are classified.
There can be no such security for aviation systems because every airplane
in the sky needs to be a part of the system.  All you would accomplish is
making the prices of aviation radios skyrocket beyond the current
ridiculous prices.

You can work very hard to shield and ground everything that must be
protected, but once the aircraft leaves the factory the normal cycle of wear
and tear will begin.  You cannot inspect every inch of wire every day, or
even every month, to detect fraying or corrosion.

But that's just the airplane itself.  You forget the issue of the electronic
devices being carried by passengers.  Properly designed, properly
maintained, and properly certificated non-intentional radiators should
remain within legal limits for radiation and not be able to overcome
properly designed and properly maintained shielding on the aircraft, but ...

In 2004, a presumably properly designed Toshiba television began radiating a
carrier signal on 121.5 MHz at a level sufficient to trigger the then
operational SARSAT system, which alerted searchers to the problem.  The
television design had certainly passed FCC muster for unintentional
radiators, and yet this television was literally screaming exactly on the
international distress frequency.  That is just one example.  I use it
because I was there and part of the group that found it.

I mentioned previously the interference from a properly designed and
properly maintained radio within the cockpit that interfered with another
properly designed, properly maintained radio.

Yes, interference with aircraft avionics systems is a well-known hazard.  It
happens.  It can be mitigated but not eliminated.  If doing something as
simple as turning off all electronic devices during take-off and landing
will keep it from happening during those two flight-critical operations,
then I suggest those that worry about the twenty minutes they can't work
cutting into their sleep spend that time sleeping.  The value of napping has
been reported in the medical literature.

------------------------------

Date: Thu, 20 Oct 2011 17:31:06 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: ACSAC 2011 open for registration

The Annual Computer Security Applications Conference (ACSAC) invites you to
come learn and network with world-class security practitioners this
December in Orlando.  Keynoting ACSAC 2011 will be Susan Landau (privacy
use cases) and Terry Benzel (security experimentation), with classic paper
presentations by Paul Syverson (onion routing) and Matt Blaze (key escrow).

This year's outstanding technical program includes 39 accepted papers (out
of 195 submitted), along with panels and case studies.  Look for returning
favorites, such as the New Security Paradigms Workshop Highlights panel, as
well as new sessions ranging from Social Network Security and Applied
Cryptography to Mobile Security and Situational Awareness.  Also, don't miss
out on the workshops, FISMA training, and professional development courses,
including for the first time at ACSAC, Tracer FIRE -- a forensic and
incident response exercise & competition.  All of which, along with the
technical program, qualify for continuing education credit.

Whether your interest is web security, virtualization, applied cryptography,
botnets, anonymity, security usability, or software protection, you are
sure to find plenty to learn about and discuss with your colleagues at ACSAC
2011.

Program and Registration are available at www.acsac.org.  Early
registration deadline is November 11th.  Works-in-progress (short)
presentations will be accepted until the start of the conference subject to
space availability.
------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.59
************************
Drone Fleet (WiReD via Joly MacFie) BlackBerry Outage Linked to Massive Drop in Traffic Crashes (Brad Aaron) Re: Blackberry outage saves lives (Mark Thorson) Security Vulnerability In HTC Android Devices (Artem Russakovskii) Skype for iPhone makes stealing address books a snap (Dan Goodin) Massive HTC Android phone vulnerabilities reported (John P. Mello Jr. via Gene Wirchenko) AmEx 'debug mode left site wide open' (John Leyden via Monty Solomon) Air traffic control data found on eBayed network gear (John Leyden) Skype flaw allows BitTorrent users to be identified (Jeremy Kirk) Adobe flash design would let authorities order Adobe to turn on your mic/camera remotely (Steve Bellovin) FBI Official Calls for Secure, Alternate Internet (Lauren Weinstein) Researchers crack W3C encryption standard for XML (Lauren Weinstein) Better Business Bureau offers rogue script browser peril (Gabe Goldberg) Washington objects, OnStar reverses tracking policy (Computerworld) Re: United Airlines uses 11,000 iPads ... (John Stanley) ACSAC 2011 open for registration (Jeremy Epstein) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 4 Oct 2011 17:25:15 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: China Bullet Trains Trip on Technology (Areddy/Shirouzu) James T. Areddy (Shanghai) and Norihiko Shirouzu (Beijing), *The Wall Street Journal*, 3 Oct 2011; PGN-ed. Yang Jie in Shanghai and Yoli Zhang in Beijing contributed to this article. james.areddy_at_private, norihiko.shirouzu_at_private http://online.wsj.com/article/SB10001424053111904353504576568983658561372.html The *WSJ* item is quite long. I attempt to make a very long story and still unresolved short: Hitachi used components in China's high-speed rail signaling system that were delivered to them as black boxes from Hollysys Automation Technologies Ltd., with no specs or details -- to hinder reverse engineering. 
This clearly also hindered system testing, and seems likely to have contributed to recent deadly crashes. ------------------------------ Date: Wed, 28 Sep 2011 08:10:56 -0400 From: Monty Solomon <monty_at_private> Subject: NJ election cover-up (Andrew Appel) By Andrew Appel, Freedom to Tinker, 13 Sep 2011 During the June 2011 New Jersey primary election, something went wrong in Cumberland County, which uses Sequoia AVC Advantage direct-recording electronic voting computers. From this we learned several things: 1. New Jersey court-ordered election-security measures have not been effectively implemented. 2. There is a reason to believe that New Jersey election officials have destroyed evidence in a pending court case, perhaps to cover up the noncompliance with these measures or to cover up irregularities in this election. There is enough evidence of a cover-up that a Superior Court judge has referred the matter to the State prosecutor's office. 3. Like any DRE voting machine, the AVC Advantage is vulnerable to software-based vote stealing by replacing the internal vote-counting firmware. That kind of fraud probably did not occur in this case. But even without replacing the internal firmware, the AVC Advantage voting machine is vulnerable to the accidental or deliberate swapping of vote-totals between candidates. It is clear that the machine misreported votes in this election, and both technical and procedural safeguards proved ineffective to fully correct the error. [...] https://freedom-to-tinker.com/blog/appel/nj-election-cover Did NJ election officials fail to respect court order to improve security of elections? https://freedom-to-tinker.com/blog/appel/did-nj-election-officials-fail-respect-court-order-improve-security-elections Will the NJ Attorney General investigate the NJ Attorney General? 
https://freedom-to-tinker.com/blog/appel/will-nj-attorney-general-investigate-nj-attorney-general

What happens when the printed ballot face doesn't match the electronic ballot definition?
https://freedom-to-tinker.com/blog/appel/what-happens-when-printed-ballot-face-doesnt-match-electronic-ballot-definition

http://www.cs.princeton.edu/~appel/voting/nj-election-cover-up.pdf

------------------------------

Date: Sat, 22 Oct 2011 23:23:40 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Gas bill climbed 13,000 pounds after correct online reading given

*Register* Reader and Stockport dweller Rob was shocked to find that trying to save his mother a few pounds on her gas bill ended up pushing the tab up 13,088.43 pounds, rather than down the 20 quid he was expecting. It was the unlikely result of entering a meter reading on Southern Electric's website.

We asked Southern Electric what went wrong. Turns out it is down to a weird feature of their website which would put other customers looking to save a few pounds at the same risk of being over-billed by ten thousand odd. Instead of just taking the number down 23 and recalculating accordingly, their bill-calculator programme went through into a whole new cycle - pushed the meter up to 9999, down to zero again and then up to 7305. Meaning that they assumed it had gone up 9,977 since last time, rather than down 23.

http://www.theregister.co.uk/2011/10/06/gas_bill_shocker/

------------------------------

Date: Sat, 15 Oct 2011 09:39:38 -0600
From: Earl Boebert <boebert_at_private>
Subject: Robot editors strike again

I just made a posting over on the Deepwater Horizon thread on gCaptain. I used the word "adversarial" (without quotes). Robot changed it to:

  advers"lux-sans-1" (with quotes)

I changed it to "headbutting" and went on with life.

------------------------------

Date: October 7, 2011 5:37:02 PM EDT
From: Joly MacFie <joly_at_private>
Subject: Computer Virus Hits U.S. Drone Fleet (WiReD)

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones. The virus included a key-logger payload, and had been detected by the military's Host-Based Security System, nearly two weeks before the *WiReD* item appeared. It has reportedly not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. And there are no confirmed incidents of classified information being lost or sent to an outside source. However, the virus has resisted multiple efforts to remove it from Creech's computers. The infection underscores the ongoing security risks in what has become the U.S. military's most important weapons system.

"We keep wiping it off, and it keeps coming back. We think it's benign. But we just don't know."

[PGN-ed from the *WiReD* Danger Room]

------------------------------

Date: Thu, 20 Oct 2011 14:56:19 -0400
From: Monty Solomon <monty_at_private>
Subject: BlackBerry Outage Linked to Massive Drop in Traffic Crashes (Brad Aaron)

According to data released last week by NYPD, distracted drivers were the leading cause of city traffic crashes in August. Of 16,784 incidents, 1,877 were attributed to "driver inattention/distraction," while an additional 10 were linked specifically to phones or other electronic devices. While NYPD reports make it impossible to decipher exactly how many city drivers are texting or talking before a crash - we'll go out on a limb and assume it was more than 10 - the recent BlackBerry service outage in Europe, Africa and the Middle East served to illustrate the extent of the problem in two cities. ...
[Source: Brad Aaron, BlackBerry Outage Linked to Massive Drop in Traffic Crashes, StreetsBlog, 17 Oct 2011]
http://www.streetsblog.org/2011/10/17/blackberry-outage-linked-to-massive-drop-in-traffic-crashes/

------------------------------

Date: Mon, 17 Oct 2011 10:07:49 -0700
From: Mark Thorson <eee_at_private>
Subject: Re: Blackberry outage saves lives

The three-day Blackberry outage saw traffic accidents fall 20% in Dubai and 40% in Abu Dhabi.
http://www.thenational.ae/news/uae-news/blackberry-cuts-made-roads-safer-police-say

In this case, the normal condition is the *risk*, and the aberrant condition is safer. Perhaps this could be exploited by throttling down network traffic during hazardous driving conditions, such as the first heavy rain of the season, major holiday evenings, and at the end of large sports events.

------------------------------

Date: Tue, 4 Oct 2011 00:53:35 -0400
From: Monty Solomon <monty_at_private>
Subject: Security Vulnerability In HTC Android Devices (Artem Russakovskii)

Artem Russakovskii: Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails Addresses, Much More, 3 Oct 2011

I am quite speechless right now. Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev's findings deep inside HTC's latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others. These results are not pretty. In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself, that the data-leaking Skype vulnerability Justin found earlier this year pales in comparison. Without further ado, let me break things down.

The Vulnerability

In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS.
Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in. That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on. ...

http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/

------------------------------

Date: October 22, 2011 12:35:13 PM EDT
From: Randall Webmail <rvh40_at_private>
Subject: Skype for iPhone makes stealing address books a snap (Dan Goodin)

Dan Goodin, *The Register*, 20 Sep 2011
Just add JavaScript

If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device's address book simply by sending you a chat message. In a video posted over the weekend, the security researcher makes the attack look like child's play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you'll have a fully-searchable copy of the victim's address book. ...

http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/

------------------------------

Date: Tue, 04 Oct 2011 09:37:50 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Massive HTC Android phone vulnerabilities reported (John P. Mello Jr.)

John P. Mello Jr., Massive HTC Android phone vulnerabilities reported: Researchers say HTC failed to respond after they notified the firm of threat risks on 24 Sep. 4 Oct 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=64366

selected text:

Security researchers say they've uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.

The modifications made to Android by HTC allow any application that you give permission to access the Internet from the phone access to a plethora of sensitive information on the device. What's more, it also has permission to send the data that it finds wherever it wants on the Net without your knowledge.

[See also an Infoworld item. PGN]
http://www.infoworld.com/d/mobile-technology/androids-big-security-flaw-and-why-only-google-can-fix-it-175145

------------------------------

Date: Sun, 9 Oct 2011 11:38:28 -0400
From: Monty Solomon <monty_at_private>
Subject: AmEx 'debug mode left site wide open'

John Leyden, AmEx 'debug mode left site wide open', says hacker, Customer cookies 'at risk', *The Register*, 7 Oct 2011

An alleged vulnerability on the American Express site exposed customers to a serious security risk before the credit card giant closed down a portion of its site on Thursday afternoon. Researcher Niklas Femerstrand claimed the problem arose because the debug mode of the americanexpress.com site had inexplicably been left on, thus providing access to vulnerable debug tools. The security shortcoming created a possible mechanism to harvest users' authentication cookies, according to Femerstrand. ...
http://www.theregister.co.uk/2011/10/07/amex_website_security_snafu/

------------------------------

Date: Sat, 1 Oct 2011 09:27:16 -0400
From: Monty Solomon <monty_at_private>
Subject: Air traffic control data found on eBayed network gear (John Leyden)

John Leyden, NATS passwords and info left on switch [costing 20 pounds], *The Register*, 30 Sept 2011

A switch with networking configurations and passwords for the UK traffic control centre was offered for sale on eBay, raising serious security concerns.
http://www.theregister.co.uk/2011/09/30/nats_switch_fail/

------------------------------

Date: Fri, 21 Oct 2011 10:26:23 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Skype flaw allows BitTorrent users to be identified (Jeremy Kirk)

Jeremy Kirk, Skype flaw allows BitTorrent users to be identified: Researchers have demonstrated it's possible to link BitTorrent users to Skype account information via IP addresses. It's a possible risk to Skype's user privacy. *ITBusiness*, 21 Oct 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=64617

------------------------------

Date: Sat, 22 Oct 2011 09:18:27 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Adobe flash design would let authorities order Adobe to turn on your mic/camera remotely (Steve Bellovin)

Adobe flash design would let authorities order Adobe to turn on your mic/camera remotely
http://j.mp/pmyAJI (CircleID / Steven Bellovin) (via NNSquad)

"From a technical perspective, it's simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe's servers. The policy side is even worse. What if the FBI wanted to bug you? Could they get a court order compelling Adobe to make an access control decision that would turn on your microphone?"
------------------------------

Date: Sat, 22 Oct 2011 12:26:11 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: FBI Official Calls for Secure, Alternate Internet

http://j.mp/qk4xTq (military.com)

"In an Associated Press interview Thursday, [Shawn] Henry [FBI executive assistant director] said jihadist militants looking to harm the U.S. can tap organized crime groups who are willing to sell their services and abilities to attack computer systems. He would not say which terror group or whether any insurgent networks have actually been able to acquire the high-tech capabilities. But he said one way to protect critical utility and financial systems would be to set up a separate, highly secure Internet. Henry sketched out the Internet idea to a crowd at a conference of the International Systems Security Association, saying that cyberthreats will always continue to evolve and outpace efforts to defend networks against them."

I won't even begin here to discuss the myriad reasons why this approach is so incredibly problematic and -- dare I say it -- technologically naive.

------------------------------

Date: Fri, 21 Oct 2011 10:46:13 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Researchers crack W3C encryption standard for XML

"A pair of German researchers revealed at the ACM Conference on Computer and Communications Security in Chicago this week that they have discovered a way to decrypt data within XML documents that have been encrypted using an implementation of the World Wide Web Consortium's XML Encryption standard."
http://j.mp/qGJBQv (ars technica)

------------------------------

Date: Sat, 22 Oct 2011 23:30:22 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Better Business Bureau offers rogue script browser peril

A javascript redirect on the BBB blogs site (hosted by Word Press) was spawning an iframe to download malware for several days before it was shut down.
[PGN-ed]
http://www.theregister.co.uk/2011/10/03/bbb_rogue_scripts/

------------------------------

Date: Wed, 28 Sep 2011 10:31:30 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Washington objects, OnStar reverses tracking policy (Re: RISKS-26.58)

"Only a few days after it made what U.S. Senator Charles Schumer (D-NY) called "brazen" changes to its privacy policy, General Motors subsidiary OnStar has backed down and said it would revert back to its previous terms of service. OnStar ignited a firestorm of criticism when it announced it would continue to collect information about customers of its onboard auto services even after their subscription ends - unless specifically instructed by the consumer not to. In the past OnStar would have ended such tracking when a subscription ended. OnStar typically collects data about customers' location, speed, driving habits and odometer mileage."
http://j.mp/mXIRv4 (*Computerworld*)

------------------------------

Date: Tue, 20 Sep 2011 16:23:56 +1200
From: Stephen Irons <stephen.irons_at_private>
Subject: Re: United Airlines uses 11,000 iPads to take planes paperless

In Risks Digest 26.56, Geoff Kuenning wrote:

> Re: United Airlines uses 11,000 iPads to take planes paperless
> But of course passengers will still be prohibited from using those same
> devices while the pilots have them turned on...

Patrick Smith writes the column 'Ask the Pilot' for salon.com. In
http://www.salon.com/technology/ask_the_pilot/2011/09/01/paperless_cockpit , he writes:

You were wondering, meanwhile ... Now that pilots can use their iPads in the cockpit, shouldn't passengers be allowed to use them in the cabin, whenever they want to? And doesn't this prove that the rules about electronic devices aren't really necessary? Not quite.
The main reason tablets and laptops are banned during takeoff and landing isn't because of concerns over interference, but because they might hinder an evacuation, and are potentially dangerous projectiles in the event of an impact or rapid deceleration. I suspect you don't want a Kindle or MacBook knocking you in the head at 180 miles per hour.

The devices in the cockpit will need to be stowed or secured as well.

Stephen Irons, Tait Radio Communication http://www.taitworld.com
175 Roydvale Ave, Christchurch, New Zealand  DDI: +64 - 3 - 357-0713

------------------------------

Date: Wed, 28 Sep 2011 11:39:04 -0700 (DT)
From: John Stanley <stanley_at_private>
Subject: Re: United Airlines uses 11,000 iPads ... (Douglass, RISKS-26.56)

Andrew Douglass <andrew_at_private>:

> If they require everyone to turn off wireless capabilities to avoid
> interference with instruments and communication (I trust there is a safety
> argument as well), is this not also a confession that there IS a vulnerability?

Of course. This is not a secret. Any radio system can be jammed. There are also "of course" ways of avoiding jamming. Spread spectrum systems developed for the military are one.

With this jam resistance comes three major problems. First, the cost of replacing every avionics system in every airplane on the planet to work with the new, unjammable ground radio systems (ILS, voice, ADF, marker beacon, MLS, VOR, DME, etc.) would be astronomical. This change would make every current handheld backup radio immediately obsolete, reducing the safety factor of being able to have a handheld backup for critical functions (and excluding all aircraft where the only radio systems are handheld.) Second, with the added complexity of this system comes new failure modes. And third, once you are building aviation radios that cannot be jammed by simple sources, you have aviation radios that can be jammed by someone who has bought or stolen one of the new complex radios.
Spread spectrum works for the military because their radios and programming are classified. There can be no such security for aviation systems because every airplane in the sky needs to be a part of the system. All you would accomplish is making the prices of aviation radios skyrocket beyond the current ridiculous prices.

You can work very hard to shield and ground everything that must be protected, but once the aircraft leaves the factory the normal cycle of wear and tear will begin. You cannot inspect every inch of wire every day, or even every month, to detect fraying or corrosion. But that's just the airplane itself. You forget the issue of the electronic devices being carried by passengers. Properly designed, properly maintained, and properly certificated non-intentional radiators should remain within legal limits for radiation and not be able to overcome properly designed and properly maintained shielding on the aircraft, but ...

In 2004, a presumably properly designed Toshiba television began radiating a carrier signal on 121.5MHz at a level sufficient to trigger the then operational SARSAT system, which alerted searchers to the problem. The television design had certainly passed FCC muster for unintentional radiators, and yet this television was literally screaming exactly on the international distress frequency.

That is just one example. I use it because I was there and part of the group that found it. I mentioned previously the interference from a properly designed and properly maintained radio within the cockpit that interfered with another properly designed, properly maintained radio.

Yes, interference with aircraft avionics systems is a well-known hazard. It happens. It can be mitigated but not eliminated.
If doing something as simple as turning off all electronics devices during take-off and landing will keep it from happening during those two flight-critical operations, then I suggest those that worry about the twenty minutes they can't work cutting into their sleep spend that time sleeping. The value of napping has been reported in the medical literature.

------------------------------

Date: Thu, 20 Oct 2011 17:31:06 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: ACSAC 2011 open for registration

The Annual Computer Security Applications Conference (ACSAC) invites you to come learn and network with world-class security practitioners this December in Orlando.

Keynoting ACSAC 2011 will be Susan Landau (privacy use cases) and Terry Benzel (security experimentation), with classic paper presentations by Paul Syverson (onion routing) and Matt Blaze (key escrow). This year's outstanding technical program includes 39 accepted papers (out of 195 submitted), along with panels and case studies. Look for returning favorites, such as the New Security Paradigms Workshop Highlights panel, as well as new sessions ranging from Social Network Security and Applied Cryptography to Mobile Security and Situational Awareness.

Also, don't miss out on the workshops, FISMA training, and professional development courses, including for the first time at ACSAC, Tracer FIRE -- a forensic and incident response exercise & competition. All of which, along with the technical program, qualify for continuing education credit.

Whether your interest is web security, virtualization, applied cryptography, botnets, anonymity, security usability, or software protection, you are sure to find plenty to learn about and discuss with your colleagues at ACSAC 2011.

Program and Registration are available at www.acsac.org. Early registration deadline is November 11th. Works-in-progress (short) presentations will be accepted until the start of the conference subject to space availability.
------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.59
************************

Received on Sun Oct 23 2011 - 15:52:28 PDT

This archive was generated by hypermail 2.2.0 : Sun Oct 23 2011 - 21:38:34 PDT