The RISKS Digest
Volume 24 Issue 87

Monday, 22nd October 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Tix-Nix Rocks Rox-Sox Jox
Computerised anti-aircraft gun kills 9
Gary Hinson
Russian spacecraft lands short: "computer glitch"
Ken Knowlton
Loss of control and crash of UAV
Ian Staines
Re: LI Railroad double bills for tickets
Al Stangenberger
Erik Mooney
Re: Dutch railway offers easy access to customer profiles
Leon Kuunders
Risks of cute e-mail
Chris Williams
SSP 2008: Paper Submission Deadline: Friday, November 9, 2007
Yong Guan
REVIEW: "Exploiting Online Games", Greg Hoglund/Gary McGraw
Rob Slade
Info on RISKS (comp.risks)

Tix-Nix Rocks Rox-Sox Jox

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 22 Oct 2007 16:23:04 PDT

Mark Johnson contributed this item from the Colorado Rockies' website:
http://colorado.rockies.mlb.com/content/printer_friendly/col/y2007/m10/d22/c2276226.jsp

  Sales of World Series tickets in Denver had to be suspended after "too
  much activity" on the servers.  Fewer than 500 tickets were sold out of
  over 50,000.  The current plan is to fix the online system and try again.

Mark also added:
  Even more interesting is a *Denver Post* opinion piece that indicates over
  200 clients lost the ability to sell tickets due to this server failure.
  Nothing like putting all your eggs into one basket.

Joe Loughry added this gem from *The Denver Post*:
http://www.denverpost.com/ci_7248448

  But some people found glitches, such as being told to "enable cookies" and
  to set their computer security to the "lowest level." And some fans
  couldn't log in at all.

  Alves explained that those who saw a "page cannot be displayed" message
  had "IP addresses that we blocked due to suspicious/malicious activity to
  our website during the last 24 to 48 hours. As an example, if several
  inquiries came from a single IP address they were blocked."

With baseball's so-called World Series between the Rockies and the Red Sox
about to start on 24 Oct, this item seems timely.  Maybe simultaneous overly
large orders from scalpers brought down the server?  All games will be
broadcast on Fox, but will there be anyone in the stands?

  With Rocks in their Socks,
  And their Jocks on Fox,
  The Rox in the Box
  May get some Knocks
  Off the Sox --
  If they can DeTox,
  Fix the Tix-Nix Mix-
  up, and get in some Lix.
  Rox or Sox in six?
  Seven is heaven.

PGN


Computerised anti-aircraft gun kills 9

<"Gary Hinson" <Gary@isect.com>>
Sat, 20 Oct 2007 11:29:38 +1300

http://www.mg.co.za/articlePage.aspx?articleid=322117&area=/breaking_news/br
eaking_news__national/

The story speaks for itself.  After the operators cleared a jam in a
Swiss/German Oerlikon 35mm Mark V anti-aircraft twin-barreled gun during a
live-firing military exercise [at the South African National Defence Force
Lohatlha training grounds], the gun turned to the left and fired a rapid
burst of cannon shells directly at adjacent guns in the line, killing 9
soldiers and injuring 14.  At the time, the gun was supposedly on 'manual',
locked on to a target 1.5 to 2km away.  On 'manual', it should not have
turned at all.

http://www.itweb.co.za/sections/business/2007/0710161034.asp?S=IT%20in%20Defence&A=DFN&O=FPTOP,
According to "Defence pundit Helmoed-Roemer Heitman told the Weekend Argus
that if 'the cause lay in computer error, the reason for the tragedy might
never be found.'"  If 'computer error' equates to bug, then I can only
assume the software must be horrendously complex and opaque to be so
resistant to analysis ... which it probably is if it combines target
acquisition/identification, range finding, gun control, oh and safety.

The South African Department of Defence is under pressure to conduct an
inquiry.
http://www.mg.co.za/articlePage.aspx?articleid=321877&area=/breaking_news/breaking_news__national/

Don't the procurers of such automated weaponry specify mechanical safety
interlocks capable of physically preventing the turret from turning beyond
set azimuth (and perhaps elevation) limits?

  [Other reports on this noted by Ilya Gulko, Martin Ward, and
  Kurtis Lanovaz.  PGN]


Russian spacecraft lands short: "computer glitch"

<Ken Knowlton <KCKnowlton@aol.com>>
Sun, 21 Oct 2007 13:21:39 EDT

A Russian spacecraft came down a minute early, on a steeper-than-planned
descent, and landed 210 miles off from its designated site, due to a
"computer glitch." And nobody got hurt. Said Alexei Krasnov, head of the
Russian space agency's manned space programs, "It's difficult to immediately
name a specific reason behind the problem.  We need to do an in-depth
analysis."  (AP 21 Oct 2007)
  http://www.abcnews.go.com/Technology/wireStory?id=3756743


Loss of control and crash of UAV

<"Staines, Ian" <istaines@rsasecurity.com>>
Fri, 19 Oct 2007 19:50:07 -0400

AVweb has a good article on the recent loss of control and crash of an
UAV (Unmanned Arial Vehicle).

http://www.avweb.com/avwebflash/news/NTSB_CustomsBorderPatrol_UAVcrash_196405-1.html

The full article is an even better read.  See the full NTSB report:
http://www.ntsb.gov/ntsb/brief2.asp?ev_id=20060509X00531&ntsbno=CHI06MA121&akey=1

There are numerous automation and user faults that RISKS readers will find
familiar.

I think what is poignant here is that although these vehicles have a fairly
long history of use within the military these aircraft are now being
integrated into the civilian airspace.  They are also flying along
international boarders and potentially in international airspace.
Especially troubling for me is this quote: "...Because of national security
issues and past experience with similar UASs, the FAA temporarily waived
this requirement for the issuance of the Certificate of Waiver or
Authorization (COA) to operate in the National Airspace System (NAS)..."

Ian Staines, Delta, BC, CANADA, istaines@shaw.ca


Re: LI Railroad double bills for tickets (RISKS-24.86)

<Al Stangenberger <forags@nature.berkeley.edu>>
Sat, 13 Oct 2007 21:50:20 -0700

The railroad now says that the problem was caused by a software update in
late September, rather than an error undiscovered since 2001.  They have
reverted to the previous version of the software and are revising their
testing procedures.

http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--lirrdoublebilling1011oct11,0,3782883.story


Re: LI Railroad double-bills for tickets (RISKS-24.86)

<Erik Mooney <erik@dos486.com>>
Thu, 11 Oct 2007 16:39:41 -0500

Anybody want to bet that the problematic limit was precisely 32,767? :)

This glitch actually hit me personally - I had a LIRR ticket double-billed.
I didn't bother with LIRR customer service, since I had no evidence to
convince a commuter railroad that I didn't ride it two days in succession.
I was waiting for the credit card statement to cycle so I could dispute it
at that level, but fortunately the merchant (the railroad) discovered its
error and credited the account.  'Twas strange, after reading RISKS for
years to find myself actually caught in one!

  [R.G. Newbury and Scott Nicol also suggested this likely explanation.
  Scott: "Could this have been a 16-bit signed int rollover bug?"  PGN]


Re: Dutch railway offers easy access to customer profiles (R-24.86)

<Leon Kuunders <leon@kuunders.info>>
Fri, 12 Oct 2007 00:24:21 +0200

For what it's worth: in the meantime some minor inconsistencies (spelling
errors, very broad error messages that include instructions on how their
cards are numbered) have been detected on their website.  Also, and of more
interest, is the way their privacy policy is set up: they point for part of
the transaction process to another company (owned by 5 large Dutch public
transport organizations), who in return point back at them.  Bottom-line:
they can (and will) identify you, even if you are using an anonymous card,
through the bank-transaction that is needed to buy the (anonymous) card...

Noothoven van Goorstraat 14, 2806 RA, GOUDA  http://leon.kuunders.info
W: +31 641 164 995  P: +31 620 624 702


Risks of cute e-mail

<Chris Williams <cwilliams@jabber.com>>
Thu, 11 Oct 2007 11:40:18 -0600

Recently here in the Denver area, a very cute e-mail has been making the
rounds.  The story goes:

-----Original Message-----

  Scott rescued 6 black lab (mix) puppies out of the middle of the road on
  Saturday. PLEASE help me find them homes - otherwise, it's Animal Control
  - which means they only have 5 days. We've bathed them, sprayed them for
  fleas and wormed them....but we can't keep them. They are currently in a
  kennel in my basement since I don't have a fence. I've lost count of the
  number of rescue groups that I've contacted, only to be turned down due to
  no room.

  Please check with every dog person you know to see if they need a puppy.
  Regards,

  Tim Aumack

  If you know someone looking for a pet, please contact:
  Bryan Pratt , CPA, Manager - Corporate Tax, Bill Barrett Corporation
  .... 18th Street, Suite 2300, Denver , CO 80202 PH: 303-293-....
  FAX: 303-291-....  DIR: 303-312-....  bpratt@<domainname deleted>

-----End Message-----

And of course there was a appropriately cute picture attached of six black
lab mix puppies (omitted here).

I first saw this e-mail early last week as it made the rounds at my
girlfriend's place of work.  A day or so later I heard from several other
friends and they forwarded it along as well.  Now this week it appears to
still be circulating as it made it to my work as well.  It does appear that
this is (or was originally) a legit e-mail and the photo attached was just
that, but the RISKS here are several:

1) Who needs a bot army to send spam/viruses when you can get people to
   willingly forward things along for you?

2) If you attach a picture with something as cute as puppies looking for a
   home, everybody is going to open it.

3) Since this appears to have started as a local phenomenon and has slipped
   by every anti-spam and anti-virus engine, the potential for malice is
   high.

4) Before speculating on the legitimacy of something in a public forum,
   research, research, research!

A search of the interwebs revealed this e-mail to be a nationwide phenomenon.
Despite the fact this e-mail is indeed a hoax, it doesn't detract from the
validity of the first three RISKS.

It will be interesting to see if this e-mail makes it out of the
Denver/Boulder area to other parts of the country or if we see someone on
the dark side take this localized phenomenon and twist it to work for the
dark side.

chris williams, manager of information technology, jabber, inc. 1-303.308.3292
[Address, phone numbers & e-mail address in the original e-mail suppressed.-c]


SSP 2008: Paper Submission Deadline: Friday, November 9, 2007

<Yong Guan <guan@iastate.edu>>
Tue, 16 Oct 2007 20:15:27 -0500

2008 IEEE Symposium on Security and Privacy
The Claremont Resort, Berkeley/Oakland, California, USA, May 18-22, 2008

PAPER SUBMISSION DEADLINE: Friday, 9 Nov 2007 23:59:00 EST (GMT-5)
(No extensions!)
For more information on the symposium, please visit:
  http://www.ieee-security.org/TC/SP2008/oakland08.html


REVIEW: "Exploiting Online Games", Greg Hoglund/Gary McGraw

<Rob Slade <rmslade@shaw.ca>>
Mon, 22 Oct 2007 10:16:10 -0800

BKEXONGA.RVW   20070913

"Exploiting Online Games", Greg Hoglund/Gary McGraw, 2008,
0-13-227191-5, U$44.99/C$55.99
%A   Greg Hoglund www.rootkit.com
%A   Gary McGraw www.exploitingonlinegames.com gem@cigital.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-13-227191-2 0-13-227191-5
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$55.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O  http://www.amazon.com/exec/obidos/ASIN/0132271915/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0132271915/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0132271915/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   340 p.
%T   "Exploiting Online Games: Cheating Massively Distributed Systems"

Shall We Play A Game? or
Being a Review of "Exploiting Online Games"
With Much Editorializing and Extensive Digressions

Fair warning, then: this review is going to be a bit different.

Why games?  Isn't this topic a bit trivial?  After all, Hoglund and McGraw
are among the very select few who have been able to use the "hack to
protect" style work.  By examining vulnerabilities they have created books
like "Software Security" (cf. BKSWSBSI.RVW) that have contributed useful
guidance to those attempting to build more robust and reliable programs.
Therefore, the foreword, preface, and first chapter all attempt to provide
reasons why such a book is needed.

First off, there is a very large virtual economy that interpenetrates with
the [real|cash] one.  Since gamers have started selling abilities, "game
gold," and even characters, game objects now have cash values in the real
world.  As with anything that has an exchangeable value, the criminal world
has taken an interest.  Trade in game objects now comprises a large fraction
of online frauds, identity theft, and money laundering.  (The trojan posted
at the Dolphin Stadium Website, and others, around SuperBowl time had a
subordinate payload looking specifically for "World of Warcraft" accounts.)

Everything that relates to software insecurity (and security) in the online
gaming environment applies (though possibly not equally) to security in
other systems.  Therefore, a book noting the security vulnerabilities of
game systems provides an introduction to system security in general, and
application security in particular.  It helps that the gaming topic is of
intrinsic interest to a number of people, and therefore may spark interest
in information security.

(Interestingly, no argument is made in the book is that the existence of
vulnerabilities in the game system itself, and particularly on the client
side, may open the gamer to various forms of attack [and not just by
axe-swinging berserkers].  Loopholes in the client software could lead to
openings for intrusions, means of gaining information about the user or
system, or entry points for malware.  We have seen numerous instances of
problems associated with widely used client software packages, such as those
for instant messaging and peer-to- peer file sharing.)

Chapter two contains a discussion of various ways of manipulating games.
Most of these are at a conceptual level, although some are extremely
detailed, including macro and C code.  The material also addresses some
countermeasures to the cheats, and a few ways to defeat the safeguards, as
well.  Instances and examinations of the virtual economies that have sprung
up around online games are presented in chapter three.  Given the earlier
stress on the importance of the point (as a rationale for the book itself),
the content is disappointingly thin in this separate chapter.  American
copyright and related laws (particularly the Digital Millennium Copyright
Act) and End-User Licence Agreements are the substance of chapter four.

Chapter five notes a number of bugs, primarily those involving interactions
of complex functions and states of games.  Tools and techniques for
examining and manipulating client software are described in chapter six.
There is a lot of C code, and, although the programming is extensive it
can't be exhaustive, since the chapter basically covers a topic to which
whole books are devoted.  (Most of the suggestions are directed at attacking
the server, and, again, there are few mentions of the risks of
vulnerabilities in the client.)  Chapter seven provides C code for
programming robots to cheat at the game for you.  The chapter seems oddly
placed, since eight returns to the topic of reverse engineering of software,
and lists more tools.  (There is also a rather comprehensive guide to basic
functions in assembly code.)  Advanced game hacking, in chapter nine, deals
mostly with the modification of clients or the creation of alternate game
servers.

Chapter ten starts off with the statement that the primary goal (of the
book) is to "understand the security implication of massively distributed
software systems that have millions of users."  That's a worthy goal, and
one that is indicated by the subtitle.  Therefore, it is strange to note
that not only is this intent omitted from the rationale given at the
beginning, but also that the topic really isn't addressed in the text.
There are so many notions that could be explored under that subject, such as
the social engineering aspects of working with large groups, the emergent
properties that might arise from simple functions operating in large numbers
of nodes, the massive power of distributed systems, or even the relation to
the botnets that are currently such a concern.  None of these ideas are
explored in the book or in chapter ten itself, which is simply a fairly
brief review of some decent but basic software security guidelines.

The book is, therefore, a partial success.  The introduction to the
fundamentals of software security via the gaming medium is a potentially
useful and valuable device.  The work does tend to concentrate more on the
game aspects, and less on the generic principles, but that emphasis is not
necessarily a flaw.  The precepts are sound, and those who do become
interested in security will be able to apply them, and move on to more
advanced areas.

copyright Robert M. Slade, 2007   BKEXONGA.RVW   20070913
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm

Please report problems with the web pages to the maintainer

x
Top