
The RISKS Digest

Volume 25 Issue 77

Tuesday, 1st September 2009

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

UK Chinook helicopters grounded for *years* due to software problems

danny burstein <dannyb@panix.com>

[UK news sources: UK bought Boeing helicopters, figured they'd save money by designing their own software...] When the [Boeing] Chinooks were delivered in 2001 at a cost of 259 million [British pounds] - the [software] codes would have pushed the price to over 300 million - they could not be certified because of the lack of software. They could be flown but pilots were barred from taking the controls in cloudy conditions or at low altitude. .... While all the discussions were going on the Chinooks had been idle in their hangars. Between 2001 and 2007 the helicopters had to be inspected once a week and moved out of the hangars every two years for more detailed checks, at a total cost of 560,000 [pounds]. Rest, with links to related stories and lots of interesting reader comments): http://www.timesonline.co.uk/tol/news/politics/article6808604.ece

DNA Evidence Can Be Fabricated, Scientists Show

Monty Solomon <monty@roscom.com>

Scientists in Israel have demonstrated that it is possible to fabricate DNA evidence, undermining the credibility of what has been considered the gold standard of proof in criminal cases. The scientists fabricated blood and saliva samples containing DNA from a person other than the donor of the blood and saliva. They also showed that if they had access to a DNA profile in a database, they could construct a sample of DNA to match that profile without obtaining any tissue from that person. "You can just engineer a crime scene," said Dan Frumkin, lead author of the paper, which has been published online by the journal Forensic Science International: Genetics. "Any biology undergraduate could perform this." [Source: Andrew Pollack, *The New York Times*, 18 Aug 2009; PGN-ed] http://www.nytimes.com/2009/08/18/science/18dna.html

Computer-driven class schedules

"David Lesher" <wb8foz@panix.com>

[would Ferris Bueller get the week off?] Prince George's [MD] Public Schools' $4.1 million SchoolMax student scheduling system has left thousands of its high school students with no schedules, and thus no classes. Those students have spent the first few days of school sitting in the gym, cafeteria, or other holding areas. While the number of still-unscheduled students has fallen from the first day's 8000 [of 41,000 total] to roughly 2000, that does not include those in the wrong classes, including one where administrators have, in effect, randomly assigned students to any available class. The saga sounds oh so familiar to RISKS regulars: a big changeover, no manual fallback scheme, approaching deadlines, with complaints about inadequate training, and big increases in the time needed [from ~10 minutes to 45 per student!] for core tasks. But SchoolMax is not a new creation, nor are these issues. It was deployed for 300,000 in the Los Angeles Unified School District, and Richmond County, Georgia had similar issues in 2004. So who's not learning here: SchoolMax, the school system clients, or their students? Class Chaos Persists at Prince George's High Schools <http://www.washingtonpost.com/wp-dyn/content/article/2009/08/27/AR2009082701518_pf.html>

Computer to blame for man's fiery death

Gene Wirchenko <genew@ocis.net>

A laptop computer that burst into flames after being left on a couch is to blame for a Vancouver man's death, prompting a public warning from the British Columbia Coroners Service not to leave the devices on soft furniture. [Source: *The Daily News*, Kamloops, British Columbia, Canada, 27 Aug 2009, A4; PGN-ed]

RFI isn't all harmless: turns on oven

"David Lesher" <wb8foz@panix.com>

RFI is usually an annoyance but seldom harmful. Here's an exception. A UPI article of 18 Aug reports: Andrei Melnikov said his Maytag Magic Chef stove beeps and turns its broiler on to the highest setting if his phone, which he has had for about three years, receives an incoming call while within two feet of the appliance, WABC-TV, New York, reported Tuesday. ... He said the stove is currently unplugged and Maytag has agreed to send a repair crew to get to the bottom of the problem. GSM cell phones are noted for causing audible RFI in other receivers nearby. Looks like some Maytag ranges are equally vulnerable. [Also reported by David Hollman and by Kevin Connolly, who added, ``Here in Ireland the electrical regulations require a wall switch to isolate the mains supply to a cooker when not in use. It is good advice to use it.'' PGN]

Pepper-spray ATMs

Jeremy Epstein <jeremy.j.epstein@gmail.com>

Haven't seen this in RISKS - I first heard about it on NPR's Wait Wait (waitwait.npr.org) as part of their truth-is-weirder-than-fiction contest, so was initially skeptical, but it appears to be true. Seems that some South African ATMs are equipped with pepper spray to (under software control) spray anyone who tampers with the machines. According to the (UK) Guardian, "the technology uses cameras to detect people tampering with the card slots. Another machine then ejects pepper spray to stun the culprit while police response teams race to the scene." The Guardian report says that three servicing technicians were hit while (legitimately) repairing the machines. It doesn't take a rocket scientist to figure out that when there's software involved, there are opportunities for it to go wrong. And as someone on a blog pointed out, this technology can also be used by the bad guys - get the ATM to trigger on a legitimate customer, and while the customer is incapacitated, take their ATM card and whatever other valuables they have. http://www.guardian.co.uk/world/2009/jul/12/south-africa-cash-machine-pepper-spray (and many others, which all seem to use pretty much the same text)

The VA erroneously informs over a thousand vets of fatal diagnosis

Rob McCool <robm@robm.com>

http://fcw.com/articles/2009/08/26/va-erroneously-informs-vets-of-fatal-disease-diagnosis.aspx Through a data maintenance error, the Veterans Affairs department recently sent out automated letters to as many as 1200 veterans telling them that they had the fatal neurological disorder known as Lou Gehrig's disease. A diagnostic code was chosen many years ago for "unknown neurological disorder". That itself is an example of the often problematic "miscellaneous" hole in most categorization systems. Some things simply defy categorization. Later, the diagnostic code was expanded to include Lou Gehrig's disease. Still later, the VA decided to make Lou Gehrig's disease a service-connected disability. So they sent the automated letters to inform affected vets that benefits were available. Up to 1200 people were erroneously informed of this and the office is getting more than 50 calls a day from veterans in an understandable panic.

ROTC Computer Files Found in the Public Domain

Monty Solomon <monty@roscom.com>

Art Jahnke, Technology error exposes personal information, BU News, 20 Aug 2009 A file transfer program erroneously installed on a server in an Army Reserve Officers' Training Corps (ROTC) office at Boston University inadvertently exposed personal information about thousands of people affiliated with the program. University officials say the compromised computer was taken off-line when the breach was identified on July 28; they are working with the U.S. Army Cadet Command to contact every person whose information was placed at risk. The incident involved information on 6,675 people, say University administrators, 406 of whom are affiliated with BU. Officials believe the rest come from ROTC branches around the country. ... http://www.bu.edu/today/campus-life/2009/08/17/rotc-computer-files-found-public-domain

Hackers break into police computer as sting backfires

Andrew Pam <andrew@sericyb.com.au>

"An Australian Federal Police boast, on the ABC's Four Corners program last night, about officers breaking up an underground hacker forum, has backfired after hackers broke into a federal police computer system. Security consultants say police appear to have been using the computer as a honeypot to collect information on members of the forum but the scheme came undone after the officers forgot to set a password." http://www.theage.com.au/technology/security/hackers-break-into-police-computer-as-sting-backfires-20090818-eohc.html

3 Indicted in Theft of 130 Million Card Numbers

Monty Solomon <monty@roscom.com>

On 24 Aug 2009, Albert Gonzalez was indicted along with two unspecified Russian conspirators. Charges included theft of 130 million credit and debit card numbers from late 2006 to early 2008 from various sources -- Heartland Payment Systems, 7-Eleven, Hannaford Brothers, and others. Some of those numbers were sold online and used in identity frauds. Gonzalez is already awaiting trial for previous cases involving T.J. Maxx (in Massachusetts) and the Dave & Buster's restaurant chain (in New York). [Source: Brad Stone, *The New York Times*, 18 Aug 2009; PGN-ed] http://www.nytimes.com/2009/08/18/technology/18card.html

AT&T unable to protect Kevin Mitnick's account

"David Magda" <dmagda@ee.ryerson.ca>

It's a good thing that most people are not as "high profile" as Kevin Mitnick, as otherwise their phone records would be practically public records:

> Over the past month, both HostedHere.net, his longtime webhost, and AT&T,
> his cellular provider since he was released from prison more than nine
> years ago, have told him they no longer want him as a customer. The
> reason: his status as a celebrity hacker makes his accounts too hard to
> defend against the legions of script kiddies who regularly attack them.

http://www.theregister.co.uk/2009/08/19/att_dumps_kevin_mitnick/

Of course the rest of AT&T customers' accounts are probably not better protected and just as vulnerable. If Mr. Mitnick does change providers, I'm curious to know if they'll do any better than AT&T has. [Also noted by David Lesher. PGN]

Swiss Data Protection orders Google Streetview offline

Peter Houppermans <peter@houppermans.com>

The risk of not living up to your promises when you do mass surveillance: the Swiss newspaper NZZ reports today that the Swiss office for Data Protection (http://www.edoeb.admin.ch) has asked Google to immediately shut down the Swiss part of Google Streetview because it does not meet Data Protection standards - the masking of license plates and faces is insufficient. The (German language) article is at http://preview.tinyurl.com/nwsl65. I can attest to that: I had a quick browse of a place I know, and the promised masking of faces was in quite a few cases simply absent. The Swiss Data Protection office doesn't consider the "you can opt out if you want" approach as acceptable, a point I can only agree with when it comes to privacy. I've read through a Q&A (http://preview.tinyurl.com/muor75, no English version available) with Google-provided answers, and that contains a few classics:

(a) people would know in advance where the cars would be, "so they could act accordingly" - a fantastic idea to move your obligation to the people you're surveilling ("just go and hide if you don't like it")

(b) you can always have your picture removed - which only requires you to remember where exactly you saw the camera car, several months later.

It appears Google has also offered to remove house images if so required. I think that's a bit much, but from what I've seen so far it would be a good idea if they would at least obscure windows. The resolution of the images is in some cases sufficient to make out what's INSIDE houses close to the street. But hey, according to Google they should have had their curtains drawn when Google came filming. English translation available at http://preview.tinyurl.com/m3vokf.

Canadian model gets Google to unmask nasty blogger

"Peter G. Neumann" <neumann@csl.sri.com>

Legal ruling will force Internet search giant to reveal the identity of a blogger who posted derogatory comments about Liskula Cohen. [Source: Simon Avery, *Globe and Mail*, 20 Aug 2009]

Cannot print on Tuesdays!

phil colbourn <philcolbourn@gmail.com>

Today I came across an interesting bug mentioned on a blog. The problem was that printing for some people failed occasionally. Later someone noted that his wife had been complaining that she couldn't print on Tuesdays!

In reading through the bug report people were initially claiming that it must be an OpenOffice bug since all other applications printed fine. Others noted that it comes and goes. One user found a solution: to remove and purge the system of OpenOffice and re-install (an easy task on Ubuntu). He reported on a Thursday that this fixed his printing problem. Two weeks later he reported (on a Tuesday) that his solution did not work after all. Nearly 4 months later the wife of an Ubuntu hacker complained that OpenOffice would not print on Tuesdays.

I can imagine the scenario:

Wife: Steve, the printer will not work on Tuesdays.
Steve: That's the printer's day off - of course it will not print on Tuesdays.
Wife: No, I'm serious! I can not print from OpenOffice on Tuesdays.
Steve: (Unbelieving..) Ok... Show me.
Wife: I can't show you.
Steve: (Rolling eyes..) Why?
Wife: It's Wednesday!
Steve: (Nods. He says slowly...) Right.

The problem seemed to be tracked down to a program called 'file'. This *NIX utility uses patterns to detect file types, e.g. if the file starts with '%!' followed by 'PS-Adobe-' then it is a PostScript file. It seems that OpenOffice writes the date to the PostScript file. On Tuesdays it takes the form of

    %%CreationDate: (Tue MMM D hh:mm:...)

An error in the pattern for an Erlang JAM file meant that 'Tue' in the PostScript file was being recognised as an Erlang JAM file and so, presumably, it was not being sent to the printer.

The Erlang JAM file pattern is:

    4 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2

It should have been:

    4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2

With the large number of file types that this program attempts to match (over 1600) it is not surprising that errors are made in the patterns, but also the order of matching could mean that false positives are common. In this case, an Erlang JAM file was matched before the PostScript match occurred.

References:
http://mdzlog.alcor.net/2009/08/15/bohrbugs-openoffice-org-wont-print-on-tuesdays/
Reported as this bug: https://bugs.edge.launchpad.net/ubuntu/+source/cupsys/+bug/255161
Later made a duplicate to this bug: https://bugs.edge.launchpad.net/ubuntu/+source/file/+bug/248619.

http://www.blaxlandweather.com/ http://philatwarrimoo.blogspot.com
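The magic-line parsing the post describes, as an added example (not code from the post, from file(1) or from the Ubuntu bug report): a cut-down model of how file(1) tokenises a magic line (offset, type, test, message separated by unescaped whitespace, with a backslash making the next character literal) and walks its rules in file order. It is run against the unescaped Erlang entry and the escaped one. The function names are this example's own, only the 'string' type is modelled, and the sample inputs are constructed: the one that merely has 'Tue' at offset 4 stands in for any such file and does not reproduce the layout of OpenOffice's actual PostScript output.

```python
# Simplified model of how file(1) reads a magic line and tries rules in order.
# Not libmagic: only whitespace splitting, "\ " escaping and the 'string' type
# are modelled, which is enough to show the bug the post describes.

def parse_magic_line(line):
    """Split one magic line into (offset, type, test, message).

    Unescaped spaces or tabs end a field; a backslash keeps the following
    character literally, so "\\ " is a space inside the test string. The
    message is whatever remains after the third field.
    """
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 3:
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped character: keep it as data
            cur.append(line[i + 1])
            i += 2
        elif c in " \t":                      # unescaped whitespace ends a field
            if cur:
                fields.append("".join(cur))
                cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if cur:
        fields.append("".join(cur))
    if len(fields) < 3:
        raise ValueError("malformed magic line: %r" % line)
    return int(fields[0]), fields[1], fields[2], line[i:].strip()


def load_rules(text):
    """Parse a magic file fragment, skipping blank and comment lines."""
    return [parse_magic_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def identify(rules, data):
    """Return the message of the first rule whose test bytes appear at its offset,
    or "data" when nothing matches (file(1)'s fallback answer)."""
    for offset, typ, test, message in rules:
        if typ != "string":
            continue                           # other magic types are not modelled
        needle = test.encode("latin-1")
        if data[offset:offset + len(needle)] == needle:
            return message
    return "data"


# The Erlang entry precedes the PostScript one, as the post says it was matched first.
BUGGY_MAGIC = """
# Erlang entry as shipped: the spaces in the test string are not escaped
4 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2
0 string %!PS-Adobe- PostScript document text
"""

FIXED_MAGIC = r"""
4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2
0 string %!PS-Adobe- PostScript document text
"""

# Constructed samples (not real files): a PostScript header, a header laid out
# like the Erlang rule expects, and an arbitrary blob that has "Tue" at offset 4.
POSTSCRIPT = b"%!PS-Adobe-3.0\n%%CreationDate: (Tue Sep  1 09:15:00 2009)\n"
ERLANG_JAM = b"\x00\x00\x00\x00Tue Jan 22 14:32:44 MET 1991\n"
TUESDAY_BLOB = b"\x00\x00\x00\x00Tue Sep  1 09:15:00 2009 anything else at all\n"


def classify_all(magic_text):
    """Identify the three samples under one magic fragment."""
    rules = load_rules(magic_text)
    return {name: identify(rules, data) for name, data in
            (("postscript", POSTSCRIPT), ("erlang", ERLANG_JAM), ("tuesday", TUESDAY_BLOB))}


if __name__ == "__main__":
    for label, magic in (("buggy", BUGGY_MAGIC), ("fixed", FIXED_MAGIC)):
        print(label, "test string:", repr(load_rules(magic)[0][2]))
        print(label, classify_all(magic))
```

Parsed with the shipped entry, the test string collapses to the three bytes "Tue" and the rest of the date becomes part of the message, so any file with "Tue" at offset 4 is reported as an Erlang JAM file; with the escaped entry the test is the full 28-byte string and the blob falls through to "data".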

GSM's A5/1 cipher being brute forced

David Magda <dmagda@ee.ryerson.ca>

Looks like the GSM folks may want to think about upgrading to a better algorithm:

> It will take 80 high-performance computers about three months to do
> a brute force attack on A5/1 and create a large look-up table that
> will serve as the code book, said Nohl, who announced the project at
> the Hacking at Random conference in the Netherlands 10 days ago.
>
> Using the code book, anyone could get the encryption key for any GSM
> call, SMS message, or other communication encrypted with A5/1 and
> listen to the call or read the data in the clear. [...]
> Carriers should upgrade the encryption or move voice services to 3G,
> which has much stronger encryption, [Karsten] Nohl said.

http://news.cnet.com/8301-27080_3-10316812-245.html

Is there any reason why future mobile standards shouldn't just use AES? Given that most governments can tap phone calls for lawful purposes once the signal hits the tower, what possible use would there be to having a weak cipher for radio transmissions?
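The "code book" idea in the quoted article, as an added toy example that is not from the article and is not A5/1 (the real project relies on A5/1's internal structure and rainbow-table compression rather than a complete table): an invented 16-bit stream cipher, a one-off table from a message's leading keystream bytes to the key that produced them, and a known-plaintext lookup that recovers the key of a fresh message without any search. The generator, the function names, the 16-bit key size and the sample message are all assumptions made for this example; the point is that the table is built once and then costs one lookup per message, and that its size doubles with every key bit.

```python
# Toy code-book (precomputation) demonstration. The cipher below is an
# invented LCG-based keystream generator with a 16-bit key, chosen so the
# whole table fits in memory in well under a second. It is not A5/1.

KEY_BITS = 16      # toy key size; A5/1 keys are 64 bits, AES keys at least 128
PREFIX_LEN = 6     # leading keystream bytes used as the table index


def toy_keystream(key, n):
    """Return n keystream bytes for `key`. Toy generator, not a real cipher."""
    state = key
    out = bytearray()
    for _ in range(n):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(a, b):
    """XOR two byte strings up to the shorter length (stream-cipher encryption)."""
    return bytes(x ^ y for x, y in zip(a, b))


def build_code_book():
    """One-off precomputation: map the first PREFIX_LEN keystream bytes of every
    key to that key. Distinct keys may share a prefix, so entries hold lists."""
    book = {}
    for key in range(1 << KEY_BITS):
        book.setdefault(toy_keystream(key, PREFIX_LEN), []).append(key)
    return book


def recover_keys(book, ciphertext, known_plaintext):
    """Given a ciphertext whose leading plaintext is known (a fixed header, say),
    derive the keystream, look up the candidate keys and keep those that
    reproduce the whole known stretch of keystream."""
    keystream = xor_bytes(ciphertext, known_plaintext)
    candidates = book.get(keystream[:PREFIX_LEN], [])
    return [k for k in candidates if toy_keystream(k, len(keystream)) == keystream]


def code_book_entries(key_bits):
    """Entries a complete table needs: one per key, exponential in the key size."""
    return 1 << key_bits


if __name__ == "__main__":
    book = build_code_book()                    # done once, reused for every message
    secret_key = 0xBEEF
    message = b"SMS:hello world, this is a constructed test message"
    ciphertext = xor_bytes(message, toy_keystream(secret_key, len(message)))
    # The attacker only needs the fixed leading text, not the secret key.
    print("recovered:", [hex(k) for k in recover_keys(book, ciphertext, b"SMS:hello world,")])
    for bits in (KEY_BITS, 64, 128):
        print("%3d-bit keys -> %d table entries" % (bits, code_book_entries(bits)))
```

The 16-bit table has 65,536 entries; the same construction for a 64-bit key would need 2^64 entries, and for a 128-bit key 2^128, which is why the article's point is about A5/1's weaknesses rather than exhaustive tabulation, and why moving to a cipher such as AES removes the table approach altogether.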

The Pirate Bay Returns With Guns Blazing

<jidanni@jidanni.org>

When The Pirate Bay was shut down by the authorities yesterday many believed that this was the end for the Internet's largest BitTorrent tracker. A mere three hours after it went offline the site reappeared from a different location. The Pirate Bay team released the following statement, adapted from Churchill's famous "We Shall Fight On the Beaches" speech. "We have, ourselves, full confidence that if all do their duty, if nothing is neglected, and if the best arrangements are made, as they are being made, we shall prove ourselves once more able to defend our Internets..." http://torrentfreak.com/the-pirate-bay-returns-with-guns-blazing-090825/

Bad questions for account retrieval

Jeremy Epstein <jeremy.j.epstein@gmail.com>

A recent study [1] showed that the "security questions" used for recovering account access tend to be easily guessable, even by strangers, and the answers are almost as frequently forgotten by the account owner. As pointed out in that article, it's important in choosing questions that they have relatively unchanging answers, or else customers will be unable to recall the answer a year or two down the road when they're needed. That's of course why questions like birthplace and mother's maiden name are "good" from the memory perspective, even though they're bad from the security perspective.

So the other day I was helping my son apply for a student credit card at Citibank, and was somewhat amused that the following were the *only* questions allowed (I think you had to have answers to three of them):

(A) Best friend's last name
(B) Pet's name
(C) Favorite teacher's last name
(D) Last 4 digits of friend/relative phone #
(E) Other

(A) might be mined from Facebook or a similar page (a large fraction of people will probably list their spouse's name!); if it's not their spouse, for many people this will change over time. (*) [1] notes that "best childhood friend" is frequently forgotten and fairly easily guessed; "best friend" is both easily guessed and subject to change. As noted in [1], (B) is easily guessed (although less likely to change than (A)). (C) is likely to change over time. (D) has the disadvantages of the person changing, as well as choosing which phone number (cell/home/work); also many of the college students who are the target of this application don't know their friends' phone numbers since they're all programmed into cell phone memory. And their implementation of (E) doesn't allow you to put in a hint, but the answer is limited to 10 characters.

The risk? In the move to trying to improve the security of backup questions, even big companies can miss the point....

[1] "It's no secret: Measuring the security and reliability of authentication via 'secret' questions", Stuart Schechter, A.J. Bernheim Brush, and Serge Egelman, 2009 IEEE Symposium on Research in Security and Privacy, http://research.microsoft.com/apps/pubs/default.aspx?id=79594

(*) For some people, the spouse's name will also change over time, but that's outside the scope of this note.

Take only pictures *we* like

"David Lesher" <wb8foz@panix.com>

Ever vigilant against terrorism, the LAPD gets specific instructions: <http://online.wsj.com/public/resources/documents/mccarecommendation-06132008.pdf>

A Suspicious Activity Report (SAR) is a report used to document any reported or observed activity, or any criminal act or attempted criminal act, which an officer believes may reveal a nexus to foreign or domestic terrorism. The information reported in a SAR may be the result of observations or investigations by police officers, or may be reported to them by private parties. Incidents which shall be reported on a SAR are as follows: [...] Takes pictures or video footage (with no apparent aesthetic value, i.e., camera angles, security equipment, security personnel, traffic lights, building entrances, etc.).

There are so many fallacies here I don't know where to start.

a) People taking pictures is a terrorism problem. Well, sure, but so is driving on freeways, and buying BBQ grill fuel, and....

b) But only *some* takers may be terrorists. Jack and Jill Instamatic, suspect; All Kinda Productions, of course not — terrorists can't be part of our economic base. [Err... What BETTER way to hide an attack than fake up a movie over same, and hire off-duty cops for security?]

c) LAPD's finest's esthetic value judgment is up to the task of differentiating between terrorism and turkeys. Err, I've seen their HQ building; and besides, not even the Hollywood power barons manage that task well - witness this summer's flops such as GI Joe.

d) But NO DOUBT, the database from those SARs shall be used both to harass/arrest Jack & Jill's associates, and the fact that data came from a computer renders it irreproachable. Garbage In, Garbage Out *still* does no good and much ill.

Re: Kentucky election fraud indictments (RISKS-25.76)

Drew Dean <ddean@csl.sri.com>

On Aug 15, 2009, at 3:26 PM, RISKS List Owner wrote:

> In the November 2009 election in Kentucky, there was a serious discrepancy
         ^^^^^^^ ^^^^

I must say, electronic voting systems have become quite advanced if they can commit fraud in future elections! :-)

[My goof. The indictment actually covered the 2002, 2004, and 2006 elections. Ray Gardner noted that the elections affected by the ES&S user interface exploit were just 2004 and 2006. The county didn't get those machines until 2003. The 2002 fraud was apparently of another sort. And I am neither prescient nor postscient. PGN]

Stephen Albin. The Art of Software Architecture

David Schneider <pd@hq.acm.org>

Stephen Albin, The Art of Software Architecture: Design Methods and Techniques. August 2009 ACM Featured Online Book for Professional Members.

The ACM Featured Online Book Program focuses on books in the ACM Collection that are highly used and highly reviewed. A different book will be featured in each newsletter. This issue features a title from our Books24x7 collection.

Stephen Albin. The Art of Software Architecture: Design Methods and Techniques

This book synthesizes and distills information so that the practicing software architect, and especially the beginning software architect, can fill in the gaps in their understanding of software architecture design. This innovative book uncovers all the steps readers should follow in order to build successful software and systems. With the help of numerous examples, Albin clearly shows how to incorporate Java, XML, SOAP, ebXML, and BizTalk when designing true distributed business systems. The book not only teaches how to easily integrate design patterns into software design, but also documents all architectures in UML and presents code in either Java or C++.

Bernard Kuc of Computing Reviews said "Albin presents extensive coverage of the current state of the art in software architecture. Throughout the book, he remains focused on software architecture. He does not give in to the temptation of going deeper into software engineering and design, an area already well covered elsewhere, and hence achieves coverage of a wide breadth of material in relatively few pages."

One Amazon reviewer, who rated the book 5 stars, said of the book: "This book uses real world examples and practical advice coupled with academic rigor. It provided tremendously helpful insights into how I can improve the efforts of my team."

Feedback: We are always looking for feedback and recommendations on our book offerings. If you know of a book you would like ACM to consider offering, please email me at Schneider@hq.acm.org.

David Schneider, Education Manager, Association for Computing Machinery
