The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 55

Saturday 3 February 2007

Contents

Super Bowl site hacked, seeded with exploits
EEkid
Ed Felten: AACS Decryption Code Released
Monty Solomon
/Mis/using a laptop to compute take-off parameters on a B747-400
Philippe Jumelle
Customer was sent 75000 bank statements
Martyn Thomas
Another example of bad software
Avi Rubin
Windows Vista voice vulnerability
Joe Loughry
Daylight savings time mess looms
Lauren Weinstein
Massachusetts Attorney General sees card fraud close up
Mark Lutton
Canadian coins containing tiny transmitters
Mark
StopBadware blacklists a cartoon book site
Jim Youll
Doesn't sound like a laser pointer to me...
Paul Saffo
Square roots
Andrew Koenig
Risks of one's complement arithmetic?
Daniel P.B. Smith
Re: Excel Date Bug
Steve Wildstrom
Re: Cell phone in man's pocket sets him on fire
Lauren Weinstein
REVIEW: "Security Governance", Fred Cohen
Rob Slade
REVIEW: "Knowledge Power: Intellectual Property, Information and Privacy", Renee Marlin-Bennett
Rob Slade
Info on RISKS (comp.risks)

Super Bowl site hacked, seeded with exploits (via Dave Farber's IP)

<EEkid@aol.com>
February 2, 2007 5:41:10 PM EST

A visitor to the site with an unpatched Windows machine will connect to a
remote server registered to a nameserver in China and download a Trojan
keylogger/backdoor that gives the attacker full access to the compromised
computer."  http://blogs.zdnet.com/security/?p=15


Ed Felten: AACS Decryption Code Released

<Monty Solomon <monty@roscom.com>>
Wed, 24 Jan 2007 22:13:14 -0500

AACS Decryption Code Released
Monday January 8, 2007 by Ed Felten

Decryption software for AACS, the scheme used to encrypt content on both
next-gen DVD systems (HD-DVD and Blu-ray), was released recently by an
anonymous programmer called Muslix. His software, called BackupHDDVD, is now
available online. As shipped, it can decrypt HD-DVDs (according to its
author), but it could easily be adapted to decrypt Blu-ray discs.

Commentary has been all over the map, with some calling this a non-event and
others seeing the death of AACS. Alex Halderman and I have been thinking
about this question, and we believe the right view is that the software
isn't a big deal by itself, but it is the first step in the meltdown of
AACS.  We'll explain why in a series of blog posts over the next several
days.

Today I'll explain how the existing technology works: how AACS encrypts the
content on a disc, and what the BackupHDDVD software does.  ...
http://www.freedom-to-tinker.com/?p=1104

[See Ed's blog for many other RISKS-relevant items on AACS and more.  PGN]


/Mis/using a laptop to compute take-off parameters on a B747-400

<"Philippe Jumelle" <pjumelle@gmail.com>>
Thu, 1 Feb 2007 11:36:47 +0100

I leave it to aviation experts RISKS readers to elaborate on the following:

A French Boeing 747-400 fully packed with passengers bound to the
Caribbean suffered a "tail strike" incident in December 2006.

The "Bureau d'Enquêtes et d'Analyses" issued a report
(http://www.bea-fr.org/docspa/2006/f-ov061210/pdf/f-ov061210.pdf,
available in French only) that explains how a misused "Boeing Laptop
Tool" (laptop PC) was involved in this incident:

2 BLTs are available in the aircraft. They are used to compute
important take-off parameters including Vr (rotation speed) and EPR
(engine thrust).

One of them had an empty battery. The other one was switched off
mistakenly during the flight preparation procedure. After restart,
wrong parameters were entered by the crew member and a mix-up between
ZFW (Zero Fuel Weight) and TOW (Take-Off Weight) occurred, resulting
in incorrect flight parameters displayed on the BLT and entered in the
Flight Management System.

Fortunately, the crew noticed that parameters were wrong while attempting
take-off and took appropriate action, resulting however in this "tail
strike". As a consequence, the aircraft was visually inspected by a fighter
for damages and landed safely at the departure airport after dumping fuel.

The airline issued recommendations to the crews so that they make sure that
BLTs are properly plugged into AC power while the aircraft is on the ground
(flat battery, hibernation risk) and described cross-check procedures
avoiding over-reliance in BLT output.


Customer was sent 75000 bank statements

<"Martyn Thomas" <martyn@thomas-associates.co.uk>>
Mon, 29 Jan 2007 19:21:23 -0000

http://news.bbc.co.uk/1/hi/scotland/north_east/6310633.stm

An Aberdeen woman who asked for her bank statement was sent those of 75,000
other customers.  Stephanie McLaughlan, 22, was shocked when Halifax Bank of
Scotland (HBOS) sent her the unexpected financial details by mistake.  Ms
McLaughlan received several large packages in the post and said she was
concerned it could happen.  HBOS apologised and said it was carrying out an
investigation into the "serious" but "isolated" incident.

HBOS said in a statement: "We are treating this matter very seriously and
are investigating in full.
"This is a very specific, isolated incident and we will take steps to ensure
there is no security issue for customers as a result of this matter.
"We apologise for any concern this has caused customers."

  [Also noted by Bernhard Riedel: ``I have real trouble trying to imagine
  how many 'pilot errors' it requires for such a report to be mailed to an
  ordinary customer.  Banks should be more accountable than that.''  PGN]


Another example of bad software

<Avi Rubin <rubin@jhu.edu>>
Tue, 30 Jan 2007 07:25:56 -0500

Bad Software All Around
http://avi-rubin.blogspot.com/

Earlier this week, I took a train up to NYC to give a talk to some potential
<a href="http://securityevaluators.com">ISE</a> customers on Wall St. A
collection of Chief Information Security Officers and other executives from
financial firms. I was asked to speak about software security, and two
things happened on this trip that put to rest any doubt that the current
state of software security and network security is dismal. I didn't doubt
it, but I thought it was particularly humorous that these happened on a trip
whose purpose was to give this particular talk.

I arrived at my hotel about an hour before I was scheduled to speak.  Since
the hotel was only a couple of blocks from Wall St., I figured that I had
time to go online and read my email. I opened up my laptop in my room and
saw that there was a WiFi base station whose SSID was "Exchange" (which was
the name of my hotel) along with several other available base stations. So,
I connected to my hotel's access point.  I had full bars, so the connection
was strong, but I was unable to reach my email server. I had a look at the
IP address assigned to me by the network and noticed that it was a factory
default address that was probably not what the hotel was using. So, I called
the front desk, and I told the woman who had just checked me in that I was
having a problem with the wireless network. It seemed that I was not getting
a valid IP address. She said something about their street address, and I
realized that while this nice lady was very good at checking me into my
room, she was not going to be the best tech support person I had ever had.

I explained to the woman that I was able to connect to the wireless network,
but that I was unable to read my email because the network was not
working. She understood that and said, "Yes, this happens all the time. I
will just reboot the thingy. Give it a few minutes and try again." That
sounded like a reasonable solution. Meanwhile, I tried the other wireless
networks, and none of them would allow a connection without a password. I
chalked this up to progress.

Several minutes later, I reconnected to the Exchange network, and I was
assigned what looked like a normal NATed IP address. But, I was still unable
to connect anywhere. So, I opened up a browser window to see if I needed to
log in. What I saw surprised me at first. It looked like some kind of menu
console for managing an appliance. I clicked around and realized that I had
the ability to configure routing and firewall rules. In fact, I was logged
into the hotel's router - the "thingy" if you will. I smiled to myself at
the thought of what I could do if I wanted to, but I quit out of that and
was able to access the Internet. The connection was pretty slow, and I
chuckled at the thought of getting back into the administration console to
filter out the other users in the hotel. Of course, I decided against that.

Unbelievable!

But, it gets better.

When I arrived back at Baltimore Penn Station, I left the train and walked
to my car. I drove up 2 levels in the parking garage, and I arrived at the
exit gate. This parking garage installed an automated system where you use a
credit card to get in when you arrive, and if you use the same credit card
when you leave, you don't need to take a ticket, and it charges that card
and lets you out. At least that's the theory. It didn't work that way on
this trip. As I approached the exit, I saw that there were two lanes open
for exiting, and that the car in front of me had pulled into one of
them. So, went to the other one and inserted my credit card. On my mind was
my daughter's school play, which started in about an hour. I had time to
grab a quick sandwich and then head to her school. I had planned my trip so
that I could be back in time to see her perform.

After about a minute, it seemed odd to me that my credit card had not come
out yet. The machine said that it was validating ticket data.  But, I had
not inserted a ticket. So, I pressed the intercom button, and an attendant
asked if she could help me. I told her that I put my credit card in a while
ago, and that I wanted to pay and leave. The gentleman in the truck in the
other lane yelled to me that he was in the same boat, so I told the woman
that neither one of us could leave. She asked us to hold on a second, and in
about another minute a woman in a parking attendant uniform appeared. She
told me that it might be that the other gentleman and myself inserted our
credit cards at the exact same time in the two different machines. I agreed
that this was indeed possible. In the meantime, I rather long line of cars
had formed behind us.

The parking attendant backed up all of the cars and suggested that I back up
about one car length, and that the other gentleman do the same. Then, she
suggested that I drive back up to the machine, which I did. My credit card
came out, but she said I had to reinsert it. I did, and it said that it was
validating ticket data. The attendant said, "oh no." That didn't sound
good. I asked what the problem was.  She said that every once in a while,
when two people insert their credit cards at the exact same time, it crashes
their whole system.  We did the back up thing again to retrieve our
cards. Since the other guy was first, she went and processed his payment
manually. That took about 3 minutes. Then, she took my credit card and went
to do mine.  In the meantime, another car behind me drove into the other
lane, which was now available and inserted his card. The system did not
respond. It was hosed. A few minutes later, she came back and gave me my
credit card and receipt and opened the gate so that I could exit.  The line
of cars was now very long, and she said she would have to do them all by
hand until a technician could come. I have no idea where this technician was
coming from, but I was glad to be on my way. I got that sandwich, but
because of my delay, I had to eat it in the car on the way to my daughter's
play.

What kind of software design results in this kind of crash? The answer is
pretty clear to anyone who has worked with software. While they may have
tested the system exhaustively, they probably did not test the possibility
of putting credit cards in two different machines at the exact same
time. Which brings me back (as usual on this blog) to voting machines. They
may be tested and tested and certified and verified and validated. But, if
on Election Day something unusual happens, a scenario that was not
anticipated, something might go very wrong. And, if there is no tangible,
physical record of the votes that were cast on the machine, then votes might
be lost in an unrecoverable way.

Given what I've seen about voting system standards and voting system testing
labs, I would bet money that the parking garage system at Baltimore Penn
Station was tested more extensively before it was deployed than the Diebold
voting machines that we use in Maryland.

Avi Rubin, Johns Hopkins University, Computer Science, Tech.Dir. Information
Security Institute 1-410-516-8177 http://www.cs.jhu.edu/~rubin/ rubin@jhu.edu


Windows Vista voice vulnerability

<Joe Loughry <joe.loughry@lmco.com>>
Thu, 01 Feb 2007 09:11:26 -0700

Here's a good one:

1. Microsoft Windows Vista comes with voice recognition installed and
active by default.

2. Voice services has tons of security privileges, since it is a
"local" service and therefore safe, right?

3. Playing a sound through the speakers on Vista requires almost no
security privileges, since that's a harmless operation, right?

4. By playing a prerecorded file of spoken commands, an unprivileged
process can execute arbitrary processes that get executed with
elevated security privileges.

http://isc.sans.org/diary.html?storyid=2148

Microsoft promises to have a patch for this "real soon now."


Daylight savings time mess looms

<Lauren Weinstein <lauren@vortex.com>>
Wed, 31 Jan 2007 22:10:46 -0800 (PST)

When few people were paying attention in August 2005, Congress lengthened
daylight saving time by four weeks in the name of energy efficiency.  The
change takes effect on 11 Mar 2007.  It has angered airlines and creates
many problems for automated systems that are preprogrammed to switch by the
old schedule.  [Source: Charles Babington, Clocks' Early Spring Forward May
Bring About a Few Falls *The Washington Post*, 1 Feb 2007; PGN-ed]
  [This is another iteration on an old RISKS topic.  Each year brings
  more new items.  Stay tuned for this one in five more weeks!  PGN]


Massachusetts Attorney General sees card fraud close up

<<Mark.Lutton@thomson.com>>
Sat, 20 Jan 2007 20:30:44 -0500

*The Boston Globe* story looks like the best coverage.
http://www.boston.com/news/local/massachusetts/articles/2007/01/19/just_seated_ag_nearly_gets_burned_by_fraud/
*Boston Herald*
http://news.bostonherald.com/localRegional/view.bg?articleid=177931

This story is not being reported outside of Boston.  It has appeared only in
the Boston newspapers and television stations.  The new Massachusetts
Attorney General, Martha Coakley, was the target of attempted credit card
fraud a week before she was sworn into office.  Coakley received a telephone
message from Dell Computer asking to confirm whether she had ordered a
$1,200 computer to be shipped to an address in Texas.  She had not.  She
quickly canceled the transaction and also closed her credit card account.

*The Boston Globe*: "As a prosecutor, however, Coakley said she couldn't
help being frustrated that no one was going after the perpetrator.  She
doesn't know how someone obtained her credit cards number -- or how Dell
found her phone number."

Or whether the call was really from Dell, I think.  That must be one of
those "unknowns we don't know we don't know."

If a state Attorney General is helpless against card fraud, what chance do
the rest of us have?

Mark Lutton, Business Intelligence Services, a Thomson Business


Canadian coins containing tiny transmitters

<Mark - Syminet <mark@syminet.com>>
Mon, 22 Jan 2007 20:35:52 -0800

Canadian coins containing tiny transmitters have turned up in the pockets of
at least three American defence contractors...
http://www.cbc.ca/technology/story/2007/01/10/rfid-defence.html


StopBadware blacklists a cartoon book site

<Jim Youll <jim@challengeandresponse.com>>
Fri, 12 Jan 2007 17:32:38 -0500

The (possible) risks of well-intentioned but (apparently) uncoordinated
censorship

Who's watching the watchers? (StopBadware blacklists a cartoon book site)

Capefeare.com, described as "The Ultimate Life in Hell Website", is
blacklisted in Google, which cites StopBadware.org as the source.  However,
StopBadware.org doesn't list the site in its database. I can't find
anything wrong at the site and it seems to be legit (and popular). What's
going on here, and who's watching the watchers?  11 Jan 2007

http://bbaadd.com/blog/2007/01/whos-watching-watchers-stopbadware_11.html


Doesn't sound like a laser pointer to me...

<Paul Saffo <paul@saffo.com>>
Sun, 21 Jan 2007 10:42:16 -0800

[perhaps it was a dermatology tool?]

Laser pointer causes Miracle Mile office fire [Associated Press, 21 Jan 2007]

A hand-held laser pointer caused a fire at a Miracle Mile high rise that
caused $200,000 in damage, a fire official said.  The blaze at the 17-story
office building at 6200 Wilshire Blvd.  began just after 10 a.m. Saturday,
said Los Angeles city fire spokesperson Brian Humphrey.  The laser device
had been laid on an examination table in a 12th floor dermatologist's
office, Humphrey said. The device ignited surrounding furnishings, sparking
the fire.  The fire was extinguished by the building's sprinkler system,
Humphrey said.  Firefighters mopped up about 3 inches of water.  There were
no reports of injuries.

http://www.mercurynews.com/mld/mercurynews/16513705.htm


Square roots

<"Andrew Koenig" <ark@acm.org>>
Sat, 20 Jan 2007 11:37:30 -0500

Paul Robinson complains about compilers that use hardware square-root
instructions instead of software-based math libraries.

I believe that in the specific case of square root, this complaint is
misplaced on IEEE-754 compliant processors, because the IEEE 754 standard
requires compliant processors to compute square roots accurately.

It is true that a processor whose manufacturer claims that it complies with
the standard might not actually comply, either because of defects or design
errors.  However, that problem exists for more primitive instructions as
well, as we saw with the Intel floating-point division bug.  In such cases,
the solution lies in testing the hardware, not in refusing to use it.

  [Something like trying to fit square roots in a round-off?  PGN]


Risks of one's complement arithmetic? (Re: Lee, RISKS-24.53)

<"Daniel P. B. Smith" <dpbsmithadhoc@dpbsmith.com>>
Sat, 30 Dec 2006 08:48:32 -0500

> the sudden energy of all the bits turning from 1 to 0 got coupled into
> that wire and caused the fault.

Well, maybe, but I have to wonder.

The PDP-1 was a one's complement machine with two arithmetically equivalent
representations of zero. Most current machines are two's complement; the
word with all bits set represents the arithmetical value -1. On the PDP-1,
all bits set was "minus zero" and all bits clear was "plus zero."

The two values were equivalent when functioning as operands in arithmetic
operations.

But there was also a special, designed-in feature, colloquially referred to
as "minus-zero gronking." On arithmetic operations (and only on arithmetic
operations) if the result of an operation was minus zero, it was
automatically changed to plus zero. I forget what the rationale for this
was; presumably it was for convenience in testing whether results equaled
zero.

But the two values ought to have displayed identically on the screen, too.

Was this really an electronic error or was it an unexpected (and poorly
understood) consequence of the PDP-1's intended functioning?


Re: Excel Date Bug (RISKS-24.54)

<steve_wildstrom@wdc.exchange.businessweek.com>
Sun, 21 Jan 2007 12:08:35 -0500

It's hard for me to believe that any developer doesn't know about the Excel
date problem, which has actually been around since Lotus 1-2-3.  The history
of the bug, as well as Microsoft's explanation for why fixing it would cause
more problems that it would solve, is at
http://support.microsoft.com/kb/214326/en-us.

Steve Wildstrom, Technology & You Columnist, BusinessWeek
1200 G St. NW Suite 1100, Washington, DC 20005


Re: Cell phone in man's pocket sets him on fire (Brader, RISKS-24.54)

<Lauren Weinstein <lauren@vortex.com>>
Fri, 19 Jan 2007 15:33:20 -0800

This story has already been debunked.  Not true.
  [I suppose the man de-bunked himself fairly quickly as well.  PGN]


REVIEW: "Security Governance", Fred Cohen

<Rob Slade <rMslade@shaw.ca>>
Wed, 31 Jan 2007 11:27:19 -0800

BKSECGOV.RVW   20061110

"Security Governance", Fred Cohen, 2005, 1-878109-37-5
%A   Fred Cohen http://all.net
%C   572 Leona Dr, Livermore, CA   94550
%D   2005
%G   1-878109-37-5
%I   Fred Cohen and Associates
%O   925-454-0171 all.net
%O  http://www.amazon.com/exec/obidos/ASIN/1878109375/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1878109375/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1878109375/robsladesin03-20
%O   Audience a Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   96 p.
%T   "Security Governance: Business Operations, Risk Management, and
      Enterprise Security Architecture"

Most of the security frameworks available are in the form of a
checklist, so why shouldn't Cohen's CISO Toolkit (see also
BKCISOGG.RVW for the "Governance Guidebook" and BKCISOHB.RVW for "The
CISO Handbook") have one?

In fact, Cohen's version may be considerably easier to understand and
use, particularly for those with a business, rather than a security,
background.  While most security frameworks are structured according
to a taxonomy of security concepts, the checklist in "Security
Governance" is based on business models and concepts.  For example,
the four major divisions are made on the basis of business functions
and modelling, oversight, business risk management, and enterprise
security management.  Therefore, the businessperson working through
the points will start with the familiar, and only later have to face
items directly discussing security.  (Even then, the security issues
are those regarding the position and management of security within the
organization.)

Regardless of other security frameworks that you may use, Cohen's
checklist will be of value.  While many items will have relations to
details in other indices, the articles and entities in "Security
Governance" address a number of issues that are not found in most
security frameworks.  Let's face it: regardless of the emphasis or
perspective, security frameworks tend to follow the same general
outline.  Cohen's work is idiosyncratic--and, in this case, that's a
useful characteristic.

Also, most security frameworks give you a checklist of about 135 items
for roughly U$150: Cohen gives you over 900 points for U$49.00.

copyright Robert M. Slade, 2006   BKSECGOV.RVW   20061110
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm


REVIEW: "Knowledge Power: Intellectual Property, Information and Privacy", Renee Marlin-Bennett

<Rob Slade <rMslade@shaw.ca>>
Mon, 08 Jan 2007 13:31:27 -0800

BKKPIPIP.RVW   20061119

"Knowledge Power: Intellectual Property, Information and Privacy",
Renee Marlin-Bennett, 2004, 1-58826-281-2, U$23.50
%A   Renee Marlin-Bennett
%C   1800 30th St., Boulder, CO   80301
%D   2004
%G   1-58826-281-2
%I   Lynne Rienner Publishers
%O   U$23.50 www.rienner.com
%O  http://www.amazon.com/exec/obidos/ASIN/1588262812/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1588262812/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1588262812/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   273 p.
%T   "Knowledge Power: Intellectual Property, Information and Privacy"

Chapter one examines the idea of intellectual property (IP).  This analysis
could have been either prescriptive (what IP should be) or descriptive (what
IP is, usually in terms of law), but instead it mostly opines
prescriptively, and, when there is a need to take a stand, cravenly goes to
what the legislation (generally from the United States) says.  (There is
some mention of international differences.)  A link between privacy and IP
is promised in one section, but not delivered.  A historical overview of the
development of IP is given in chapter two: when it gets to current
definitions we are again presented with US law.  Treaties and organizations
attempting to bridge national differences in IP are listed in chapter three.
Chapter four presents some examples of problem areas in IP, such as
pharmaceutical patents and those on sections of the human genome.

A few philosophical views and theories of information are outlined in
chapter five, followed by a discussion of information of various types and
values.  (The deliberation would have been more interesting if the types had
been analyzed in light of the different theories.)  Chapter six looks into
the pros and cons of "ownership" and limitation of public types of data,
such as that in regard to weather and geography.  Similarly, chapter seven
has the same type of discussion regarding information about people (much of
it in relation to issues of surveillance.)  Chapter eight has the same
problems with the definition of the topic that most other works have had,
which is possibly why the remaining examination seems unhelpful.  There are
numerous technical errors ("Magic Lantern" is *not* a virus) in chapter
nine's discussion of privacy breaches.  Similarly, the deliberation on
privacy protection technology, in chapter ten, is flawed.  Chapter eleven
finishes off with vague opining.

There are a number of other books that address the topic of privacy at the
same superficial level, such as "Benjamin Franklin's Website" by Robert
Ellis Smith (cf. BKBNFRWS.RVW), Simson Garfinkel's "Database Nation"
(cf. BKDBSNTN.RVW), Peterson's "I Love the Internet But I want My Privacy
Too" (cf. BKILIWMP.RVW), Cannon's "Privacy" (cf.  BKPRVACY.RVW), and "The
Privacy Papers" by Rebecca Herold (cf. BKPRVPAP.RVW).  Then there are the
superior works that define the field, like "Technology and Privacy: The New
Landscape" by Agre and Rotenberg (cf. BKTCHPRV.RVW), 1997, Cady and
McGregor's surprisingly good "Protect Your Digital Privacy"
(cf. BKPYDPRV.RVW), "Internet and Online Privacy" by Frackman, Martin and
Ray (cf. BKINONPR.RVW), Schneier and Banisar's entertaining and informative
"Electronic Privacy Papers" (cf. BKELPRPA.RVW), and "Privacy on the Line"by
Whitfield Diffie and Susan Landau (cf. BKPRIVLN.RVW).

True, as with David Brin's "The Transparent Society" (cf. BKTRASOC.RVW),
Marlin-Bennett promises a unique premise, in this case a tie between privacy
and intellectual property.  Unlike Brin, in this book the link is not
strongly demonstrated.  We are, therefore, left with a somewhat simplistic
review of the topics listed in the title.

copyright Robert M. Slade, 2006   BKKPIPIP.RVW   20061119
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm

Please report problems with the web pages to the maintainer

Top