The RISKS Digest
Volume 24 Issue 78

Wednesday, 8th August 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

San Francisco power outage
PGN
US-VISIT problems
PGN
PGN's Holistic Defective Agency
Peter Mellor
Ounces, pounds, war, and the I-35W bridge
Sidney Markowitz
Re: Comair Flight 5191
Erling Kristiansen
A retrospective on an ARP spoofing attack...
Nicholas Weaver
BotHunter: Detecting when a local system might be infected!
Phil Porras
Legislation aims to end identity theft
Monty Solomon
Bush Signs Law to Widen Legal Reach for Wiretapping
Monty Solomon
Problem involving accidental misuse of someone else's credit card
Paul Robinson
Call For Search Engine Issues, Complaints, Concerns
Lauren Weinstein
Re: Accuracy of Hawkeye at Wimbledon
Mike Scott
Michael Smith
REVIEW: "COSO Enterprise Risk Management", Robert R. Moeller
Rob Slade
Info on RISKS (comp.risks)

San Francisco power outage

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 3 Aug 2007 15:29:31 PDT

At 1:49pm on 24 Jul 2007, 365 Main's San Francisco data center experienced a
power surge when transformer breakers opened unexpectedly.  Three of the ten
backup generators failed to start, resulting in the loss of 40% of the
customers.  Attempts to close the breakers caused voltage fluctuations in
PG&E's Martin Substation in Daly City.  That resulted in a transformer
failing in a manhole under 560 Mission Street.  Between 30- and 50-thousand
customers were out, in some cases up to two hours.

The final incident FAQ, with an introduction by Christopher M. Dolan,
President and CEO, 365 Main Inc., is online, and worth reading.
  http://www.365main.com/status_update.html
There is also an article in the San Francisco Chronicle that appeared
online that evening.  (Valleywag renamed the datacenter ``364.98 Main''.)


US-VISIT problems

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 8 Aug 2007 6:30:49 PDT

US-VISIT (allocated $1.7 billion since 2002), the U.S. government's main
border control system, is plagued by computer security weaknesses,
increasing the risk of computer attacks, data thefts, and manipulation of
millions of identity records including passport, visa and Social Security
numbers and the world's largest fingerprint database.  A GAO report said
"Weaknesses existed in all control areas and computing device types
reviewed."

US-VISIT has compiled digital facial images and fingerprints of 90
million individuals and is used to vet 54 million border crossings each
year. But Marc Rotenberg, executive director of the Electronic Privacy
Information Center, said the government has not taken adequate steps to
safeguard the privacy of millions of people whose citizenship,
immigration, law enforcement and national security records are used in
the customs checks.

[Border Computers Vulnerable to Attack: GAO Report Details Problems in System,
Spencer S. Hsu, *The Washington Post*, 3 Aug 2007; A02; PGN-ed]
http://www.washingtonpost.com/wp-dyn/content/article/2007/08/02/AR2007080202260.html


PGN's Holistic Defective Agency (Re: RISKS-24.77)

<MellorPeter@aol.com>
Sun, 5 Aug 2007 14:31:43 EDT

So there was I thinking "Tsk.  Can't even build bridges properly!"
and recalling Tacoma Narrows, the Hyatt Regency walkway, etc.

Then I recalled a few UK disasters:

Aberfan: Although the Coal Board (R.I.P.) had understood for years that
spoil tips from coal mines could slip downwards and outwards
catastrophically when wetted by rain, it took the deaths of around 70 Welsh
schoolchildren to force action.

Ronan Point: No tie-bars in a tower block.  A relatively small gas explosion
in one flat blew out the walls and one whole corner of the block collapsed
like a stack of cards.

Box Girder Bridges: Major problem for years with a cheap prefabricated
method of constructing motorway bridges.

The "wobbly" Millennium Bridge: Well, I belong to a small but irritating
minority that thinks it was more fun when it wobbled.

No doubt UK readers will be able to provide details of these and think of
many more.

BTW (slightly related to PGN's mixed metaphor): Does anyone recall a
demonstration by the Animal Liberation Front at which one of the banners
read: "Free Schroedinger's Cat"?

BTW (even less related, but a variation on proverbs and metaphors): Dorothy
Parker, when asked to demonstrate the use of the word "horticulture", came up
with: "You can take a horticulture, but you can't make her think".

Peter Mellor;   Mobile: 07914 045072;   email: MellorPeter@aol.com
Telephone and Fax: +44 (0)20 8459 7669


Ounces, pounds, war, and the I-35W bridge

<Sidney Markowitz <sidney@sidney.com>>
Sat, 04 Aug 2007 17:08:49 +1200

I decided to look up some numbers to see how close the I-35W bridge disaster
is to the 1:16 ratio in the adage about ounces and pounds. For good measure,
I did some unit conversions to bring numbers in the millions and billions
down to small ones that people find easy to visualize.

This is all approximate to get the right orders of magnitude, based on news
reports that you can find through Google, so I'm not including links.

Congress allocated $250 million to Minnesota for emergency repairs of the
bridge. Other news reports quote an estimate of what would be needed to
repair failing bridge infrastructure in the US of over $9 billion per year
for 20 years, based on a figure of $188 billion total required to repair the
estimated 73,533 "structurally deficient" bridges in the country. That comes
out to an average of about $2.5 million per bridge in repair
costs. Currently only $2 billion per year is being spent on such repairs.

On a separate topic, the Congressional Budget Office said that the Iraq war
has cost about $500 billion so far, or about $10 billion/month or
$4000/second.

So it would have cost a little over 10 minutes of Iraq war expenditures to
have repaired the I-35W bridge before it collapsed, and now it will cost
about 100 bridges worth of preventative maintenance to repair this one
bridge after the fact.

That doesn't add in the cost of loss of life, injuries and their aftermaths,
destroyed cars, and the economic effect of the disruption to traffic with a
major urban bridge down.


Re: Comair Flight 5191 (Koenig, RISKS-24.76)

<Erling Kristiansen <erling.kristiansen@xs4all.nl>>
Mon, 06 Aug 2007 18:04:04 +0200

Quoting from Department of Homeland Security, SECURITY IN THE SOFTWARE
LIFECYCLE: Making Software Development Processes — and Software Produced by
Them — More Secure, DRAFT Version 1.2 - August 2006,
which in turn quotes from Dr. Nancy Leveson, A Systems-Theoretic Approach to
Safety in Software-Intensive Systems, *IEEE Transactions on Dependable and
Secure Computing*, Vol. 1 No. 1, January-March 2004.

The assumption for almost all causal analysis for engineered systems today
is a model of accidents (the safety corollary of security compromises) that
assumes they result from a chain of failures and human errors. From an
observed error, the analysis backward through the chain eventually stops at
an event that is designated as the cause.  A root cause selected from the
chain of events usually has one or more of the following characteristics:

1. It represents a type of event that is familiar and thus easily acceptable
   as an explanation for the accident.
2. It is a deviation from a standard.
3. It is the first event in the backward chain for which a *cure* is known.
4. It is politically acceptable as the identified cause.


A retrospective on an ARP spoofing attack...

<Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>>
Mon, 6 Aug 2007 09:33:04 -0700

http://blogs.technet.com/neilcar/archive/2007/06/28/arp-cache-poisoning-incident.aspx

Neil Carpenter, a Microsoft Escalation engineer on the PSS Security Support
team, has a retrospective on his blog on an ARP-cache poisoning incident he
was involved in analyzing.

In this case, the attacker used an arp-cache-poisoning transparent HTTP
proxy to interrupt all HTTP requests and inject a piece of malicious attack
code in a 0-size Iframe.  Any vulnerable browser on the local network would
quickly find itself infected with the malicious code.

The interesting thing was the automation: the automated tool, once installed
on a victim, served to attack all the other systems.  Also, the trick of
looking at the MAC string to find the vendor tag seems a useful one to
remember.
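A defender's-side illustration of the two symptoms such an incident leaves in ARP traffic, as an added example (not Neil Carpenter's code, nor anything from the blog post): it scans constructed ARP reply log lines for a gateway IP claimed by a second MAC and for one MAC answering for several IPs, and tags each MAC with its vendor prefix from a small constructed OUI table.

```python
from collections import defaultdict

# Constructed OUI table: first three octets -> vendor tag. The entries are
# illustrative placeholders, not a copy of the IEEE OUI registry.
OUI = {
    "00:1b:2f": "Netgear (constructed entry)",
    "00:0c:29": "VMware (constructed entry)",
    "00:1a:4b": "HP (constructed entry)",
}


def vendor(mac):
    """Vendor tag for the first three octets of a MAC, or 'unknown'."""
    return OUI.get(mac.lower()[:8], "unknown")


def parse_arp_log(lines):
    """Parse constructed '<seconds> <ip> is-at <mac>' ARP reply lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue  # skip requests and malformed lines
        events.append((int(parts[0]), parts[1], parts[3].lower()))
    return events


def detect_poisoning(events, gateway_ip, gateway_mac):
    """Return the two kinds of evidence a poisoner leaves in ARP replies."""
    gateway_mac = gateway_mac.lower()
    hijacks = []                    # gateway IP claimed by a foreign MAC
    mac_to_ips = defaultdict(set)   # which IPs each MAC has answered for
    for t, ip, mac in events:
        mac_to_ips[mac].add(ip)
        if ip == gateway_ip and mac != gateway_mac:
            hijacks.append({"t": t, "mac": mac, "vendor": vendor(mac)})
    # A single MAC answering for several IPs is the classic poisoning footprint.
    multi_ip = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return {"gateway_hijacks": hijacks, "multi_ip_macs": multi_ip}


# Constructed sample log: the real router is the Netgear-tagged MAC; a
# VMware-tagged MAC then answers for both the gateway and a workstation.
SAMPLE_LOG = [
    "0 192.168.1.1 is-at 00:1b:2f:aa:bb:cc",
    "1 192.168.1.20 is-at 00:1a:4b:10:20:30",
    "2 192.168.1.1 is-at 00:0c:29:11:22:33",
    "2 192.168.1.20 is-at 00:0c:29:11:22:33",
    "3 192.168.1.1 is-at 00:1b:2f:aa:bb:cc",
    "3 192.168.1.1 is-at 00:0c:29:11:22:33",
]


def report(lines=SAMPLE_LOG, gateway_ip="192.168.1.1",
           gateway_mac="00:1b:2f:aa:bb:cc"):
    """Run the detector over a log with a known gateway IP/MAC pairing."""
    return detect_poisoning(parse_arp_log(lines), gateway_ip, gateway_mac)


if __name__ == "__main__":
    r = report()
    for h in r["gateway_hijacks"]:
        print(f"t={h['t']}: gateway claimed by {h['mac']} ({h['vendor']})")
    for mac, ips in r["multi_ip_macs"].items():
        print(f"{mac} ({vendor(mac)}) answers for {', '.join(ips)}")
```

The vendor tag is what makes the second finding actionable: a virtualisation-vendor prefix answering for the router's address on a network whose router is a known appliance is the mismatch Carpenter's write-up describes.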


BotHunter: Detecting when a local system might be infected!

<Phil Porras <porras@csl.sri.com>>
Mon, 6 Aug 2007 12:40:38 PDT

One significant risk to those who spend lots of money on intrusion detection
systems to monitor incoming network traffic is that they may grow to assume
that outbound communications are not of high interest.  In recent months a
small group of researchers and I have been spending a significant amount of
time developing a dialog-tracking engine to focus on the analysis of
outbound traffic.  In particular we've been interested in understanding the
kinds of dialog interactions malware-infected local systems have with
external systems.

Last week we made our dialog-correlation engine freely available on the
Internet at http://www.cyber-ta.org/BotHunter/.  BotHunter should be of
interest particularly to security researchers and system administrators.

To illustrate the effectiveness of BotHunter, the website includes a link to
our live malware analysis pages — where we've been able to test BotHunter
against roughly 9000 successful malware infections over the last 90 days.
The website includes the details of our system, including our most recent
paper, which is being presented at this year's Usenix Security Conference on
8 Aug 2007:

  Guofei Gu, Phillip Porras, Vinod Yegneswaran, and Martin Fong,
  BotHunter: Detecting Malware Infection through IDS-Driven Dialog
  Correlation

If you have doubts whether all the machines inside your network perimeter
are infection-free, BotHunter may help you assess the "risks from the
inside."

Phillip A. Porras (porras@csl.sri.com), Program Director,  SRI International
333 Ravenswood Ave, Menlo Park CA 94025 USA  (650) 859-3232

  [BotHunter seems to be attracting considerable interest.  As of this week,
  it reached its first 1000 downloads.  PGN]
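An added example (not BotHunter's code or its published model) of the outbound dialog-correlation idea described above: constructed sensor events for each local host are grouped into time windows and scored, and a host is flagged only when enough evidence accumulates and at least one piece of it is outbound. The evidence classes, weights, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Illustrative evidence classes and weights (assumptions for this example).
WEIGHTS = {
    "inbound_exploit": 1,   # something hit the host from outside
    "egg_download": 2,      # the host then fetched a binary
    "cc_beacon": 2,         # the host keeps calling one external address
    "outbound_scan": 3,     # the host starts probing other systems
}
OUTBOUND = {"egg_download", "cc_beacon", "outbound_scan"}
THRESHOLD = 4      # minimum score before a host is reported
WINDOW = 600       # seconds after which a dialog is considered closed


def parse_events(lines):
    """Parse constructed '<secs> <local_ip> <remote_ip> <class>' sensor lines."""
    out = []
    for line in lines:
        p = line.split()
        if len(p) != 4 or p[3] not in WEIGHTS:
            continue
        out.append((int(p[0]), p[1], p[2], p[3]))
    return sorted(out)


def correlate(events):
    """Group each local host's evidence into dialogs and score each dialog."""
    dialogs = defaultdict(list)   # local_ip -> list of open/closed dialogs
    for t, host, remote, cls in events:
        d = dialogs[host]
        if not d or t - d[-1]["start"] > WINDOW:
            d.append({"start": t, "evidence": {}, "remotes": set()})
        cur = d[-1]
        cur["evidence"][cls] = cur["evidence"].get(cls, 0) + 1
        cur["remotes"].add(remote)
    verdicts = {}
    for host, ds in dialogs.items():
        for cur in ds:
            ev = cur["evidence"]
            score = sum(WEIGHTS[c] for c in ev)   # each class scores once
            outbound = any(c in OUTBOUND for c in ev)
            # Inbound-only evidence never convicts: an unsuccessful exploit
            # attempt against a patched host looks exactly like that.
            if score >= THRESHOLD and outbound:
                verdicts[host] = {"score": score, "classes": sorted(ev),
                                  "remotes": sorted(cur["remotes"])}
    return verdicts


# Constructed sample: 10.0.0.5 runs the full dialog, 10.0.0.8 is hit twice
# but never talks out, 10.0.0.12 shows one beacon and nothing else.
SAMPLE = [
    "100 10.0.0.5 203.0.113.9 inbound_exploit",
    "130 10.0.0.5 203.0.113.9 egg_download",
    "200 10.0.0.5 198.51.100.7 cc_beacon",
    "260 10.0.0.5 198.51.100.7 cc_beacon",
    "400 10.0.0.5 10.0.0.77 outbound_scan",
    "100 10.0.0.8 203.0.113.9 inbound_exploit",
    "5000 10.0.0.8 203.0.113.9 inbound_exploit",
    "900 10.0.0.12 198.51.100.7 cc_beacon",
]


def analyze(lines=SAMPLE):
    """Parse and correlate a batch of sensor lines, returning flagged hosts."""
    return correlate(parse_events(lines))


if __name__ == "__main__":
    for host, v in analyze().items():
        print(f"{host}: score {v['score']} from {v['classes']}, "
              f"talked to {v['remotes']}")
```

An inbound-only monitor sees both 10.0.0.5 and 10.0.0.8 receive the same exploit attempt; only the outbound half of the dialog separates the infected host from the one that shrugged it off.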


Legislation aims to end identity theft

<Monty Solomon <monty@roscom.com>>
Sat, 4 Aug 2007 12:18:36 -0400

Dan Ring <dring@repub.com>, 4 Aug 2007

Massachusetts Governor Deval L. Patrick yesterday signed a bill designed to
protect people against identity theft.  The new law, which takes effect in
90 days, allows consumers to pay a $5 fee to block access to their credit
reports, forces companies and government agencies to notify people if
personal information is lost or stolen and mandates disposal of certain
personal information on consumers.

The law was approved following some highly-publicized thefts, including one
reported in January by TJX Cos. in Framingham and another in May 2006
involving birth dates and Social Security numbers kept by the federal
government of 26.5 million military veterans. ...

http://www.masslive.com/hampfrank/republican/index.ssf?/base/news-10/1186212257204950.xml&coll=1

An Act Relative To Security Freezes And Notification Of Data Breaches
http://www.mass.gov/legis/laws/seslaw07/sl070082.htm

An Act Relative to the Protection of Personal Information
http://www.mass.gov/legis/bills/house/185/ht04pdf/ht04144.pdf


Bush Signs Law to Widen Legal Reach for Wiretapping

<Monty Solomon <monty@roscom.com>>
Mon, 6 Aug 2007 08:42:28 -0400

President Bush signed into law on Sunday legislation that broadly expanded
the government's authority to eavesdrop on the international telephone calls
and e-mail messages of American citizens without warrants.  [Source: James
Risen, *The New York Times*, 6 Aug 2007; PGN-ed]

Congressional aides and others familiar with the details of the law
said that its impact went far beyond the small fixes that
administration officials had said were needed to gather information
about foreign terrorists. They said seemingly subtle changes in
legislative language would sharply alter the legal limits on the
government's ability to monitor millions of phone calls and e-mail
messages going in and out of the United States.

They also said that the new law for the first time provided a legal
framework for much of the surveillance without warrants that was
being conducted in secret by the National Security Agency and outside
the Foreign Intelligence Surveillance Act, the 1978 law that is
supposed to regulate the way the government can listen to the private
communications of American citizens. ...

http://www.nytimes.com/2007/08/06/washington/06nsa.html?ex=1344052800&en=5e759f53fc811cd7&ei=5090


Problem involving accidental misuse of someone else's credit card

<Paul Robinson <Paul@paul-robinson.us>>
Sat, 04 Aug 2007 05:51:24 -0400

I have had a problem involving use of someone else's credit card over the
Internet.  I want to post this because I want to advise people of a
potential problem and/or risk and perhaps ask if someone else noticed this,
or, in the alternative, make it known what happened so that people can be
aware of it.  Or maybe someone can tell me how this happened.

Another roommate who stays at the house I rent a room in uses my computer to
handle his business, basically for surfing the net and such.  If I'm at the
computer I'm willing to help him find things or enter details.  On occasion,
typically for his customers he will book airline tickets, and he uses one
specific credit card for that purpose.  On occasion he's had me enter his
information into the computer.

I do not know, and have never saved or captured his credit card information
(I have my own cards).  Well, what is weird is, there were two things I
ordered which were charged to his card number.  I haven't the slightest idea
how.  The last 4 digits of both cards are different, the issuers are not the
same (the one I use belongs to a family member and is a major East-Coast
bank, his has his name and is some small bank in the Midwest), and as I
don't even know his number there's no way I could have used it
intentionally.

My ATM card is on the Visa network, and if I hit a website that refused
debit cards, I have a regular credit card which is issued to a family
member, so I did not need to use someone else's card.  And if I did need a
credit card and did not have one around, I would have asked him first if I
didn't have a credit card available.

I use Netscape version 7.2 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)" on a Windows XP machine with
Service Pack 2 for browsing because I do not trust Internet Explorer and its
security holes.  I have a hardware firewall between this computer and the
Internet, so I can't argue some hacker broke in and switched one of my
charges to his credit card.  (Which is ridiculous to say the least.)

The only possible answer I can think of is that one of the form fields used
by one of the airline websites is using the same field name as the two
companies I ordered things from, and somehow they are capturing the same
values from each other.  (One was Vista Print, where I ordered two rubber
stamps, and the other was AAA where I ordered a membership.  I think the
tickets he ordered were from Southwest Airlines.)

When I placed his legitimate order on Southwest, I typed in his number as he
read it to me.  I did not copy the number into the clipboard or otherwise
save the number.  Later when he saw his bill for two items he did not
recognize and asked me about it, I discovered that the purchases he has on
his bill exactly match the two I made, but should have gone on my credit
card number.  And I haven't the slightest idea how.

I went to Vistaprint's website, and tried a fake transaction.  When I got to
the payment page, where it asks for credit card number, the field is blank.
I double-clicked on the credit card number field, and the previous value
came up, with the correct card number (the one I would have used).

I don't know his number, didn't save it and did not attempt to use it.  I
couldn't have used his card number by mistake by typing it in off of the card
if I had, say, found it on the desk because he left it behind and I mistook it
for one of the credit cards someone in my family has (first, the name would
have been wrong and even if I didn't notice that, I would have spotted the
credit cards as being wrong because I do not and have never used his bank.)
But somehow I did use his card number and I haven't the slightest idea how.
The only possible explanation I have is that somehow form fields used on
three different web sites are somehow cross-collecting information by
pre-populating them, or something.

The two transactions together come to less than $90, so it wasn't a huge
issue, but it frightens me because I haven't the slightest idea how it
happened or how I could have prevented it.

The solution I am going to use is that if I ever do anything for him that
involves ordering something, I will use Internet Explorer (for accessing a
specific known and trusted website, it is okay), and I will not use Netscape
for anything he's using, as I only use Netscape for anything I order.  The
only possible answer I can come up with is some form of cross-website
contamination, which I do not believe could happen if I'm not using the same
browser for any of his transactions, so I think this will solve the problem.
I've also suggested he get his bank to issue him a new card with a different
number.

This kind of thing scares me; if it wasn't for the fact he was understanding
about it, I could technically have been looking at charges for credit card
fraud!  The thing that bothers me most is that I'll be damned if I can
figure out how the hell this happened.


Call For Search Engine Issues, Complaints, Concerns

<Lauren Weinstein <lauren@vortex.com>>
Sun, 05 Aug 2007 22:32:19 -0700

           Call For Search Engine Issues, Complaints, Concerns
              http://lauren.vortex.com/archive/000266.html

Greetings.  As part of my continuing research and an upcoming white
paper focusing on policy and related technical issues associated
with search engines and their impacts, I'd very much appreciate any
examples of relevant specific situations, concerns, and any other
positive or negative experiences with search engine operations and
support personnel, with a particular emphasis on (but not limited to)
the following categories:

   — Attempts to remove or deemphasize from search engine listings
      any data perceived to promote Web sites containing seriously
      incorrect, defamatory, misleading, privacy-invasive, or
      otherwise highly damaging or problematic materials

   — Search engine issues or problems related to "public record"
      (e.g. government) data, particularly with negative impacts on
      privacy or individuals' personal lives

   — Issues of "obsolete" or superseded data being promoted by
      search engine listings, without any indication that such
      data is no longer current and/or correct

   — Any problems related to search engine caches exacerbating
      the sorts of issues listed above or other related problems

   — And so on ...

I am particularly interested in any experiences you may have had
while attempting to contact search engine personnel (either through
provided Web forms or other means) with concerns or problems, and
the dispositions of those communications.

For this round, I am specifically *not* soliciting issues related
to "Search Engine Optimization" (SEO) concerns (e.g., "How come
my Web site always ranks lower than that other Web site on Google?")

For any sagas you relate to me, please be as specific as possible
(within whatever bounds that you feel comfortable) — but at the very
least please identify the particular search engine of concern and the
approximate time period of the issue.  Unless you specify otherwise,
I will assume that I may note the issue (on an anonymous basis) in
my reports on this subject.  If you'd prefer that I don't reference
your issue in any form, or if you don't mind being quoted
non-anonymously for attribution, please let me know.

Please send any information that you can provide as soon as possible to:
      search@pfir.org

For some recent background on the issues of concern, please see:

Search Engine Dispute Notifications: Request For Comments
http://lauren.vortex.com/archive/000253.html

Extending Google Blacklists for Dispute Resolutions
http://lauren.vortex.com/archive/000254.html

A Most Remarkable Google Page: Toward Search Dispute Resolutions
http://lauren.vortex.com/archive/000255.html

Benefits and Risks in Google's Public Records Access Project
http://lauren.vortex.com/archive/000228.html

Thanks very much!

Lauren Weinstein lauren@vortex.com or lauren@pfir.org
+1 (818) 225-2800 http://www.pfir.org/lauren Blog: http://lauren.vortex.com


Re: Accuracy of Hawkeye at Wimbledon (RISKS-24.76)

<Mike Scott <usenet.11@data.scotts>>
Sat, 04 Aug 2007 11:04:12 +0100

The official Hawkeye website is a bit coy about details, but from
http://jtsang.blogspot.com/2006/07/technology-in-tennis-hawk-eye.html it
looks as though 6 cameras are used - plus a /lot/ of processing power and no
doubt many unpublished assumptions about ball dynamics (and some errorless
code? :-) ). It's a very high-tech solution, and vulnerable to all sorts of
problems (calibration comes to mind; the claimed accuracy may be quoted as
3mm - but one wonders what the error distribution looks like).

I've been racking my brains since my original submission to RISKS, and still
can't see what would be wrong with a simple set of video cameras (about 10
needed?) monitoring the various lines along with some simple recording gear
with action replay, re-showing the real thing if needed.  The simulation is
very nice for TV to show details of players contact with the ball - but why
is it necessary for line-call judgment?  Technology for profit's sake,
perhaps, plus the "king's new clothes" syndrome?

Mike Scott (unet <at> scottsonline.org.uk) Harlow Essex England


Re: Accuracy of Hawkeye at Wimbledon (RISKS-24.76)

<Michael Smith <emmenjay@zip.com.au>>
Mon, 06 Aug 2007 10:10:34 +1000

I suspect that we have misunderstood the process involved.

On serves, Hawkeye is used exclusively and to override it would be quite
unusual.  You do not generally see challenges on serves.

On other shots, by default, a human judge makes the call.  If the player
challenges that call, Hawkeye is used to adjudicate.

No information about the accuracy of Hawkeye can be determined from the
situation.  In fact, the process assumes Hawkeye is 100% accurate and makes
no attempt to verify it.  (Exactly how any verification might be conducted
is not immediately obvious.)


REVIEW: "COSO Enterprise Risk Management", Robert R. Moeller

<Rob Slade <rMslade@shaw.ca>>
Mon, 06 Aug 2007 11:50:15 -0800

BKCOSERM.RVW   20070506

"COSO Enterprise Risk Management", Robert R. Moeller, 2007,
0-471-74115-9
%A   Robert R. Moeller
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2007
%G   0-471-74115-9 978-0-471-74115-2
%I   John Wiley & Sons, Inc.
%O   416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471741159/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471741159/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471741159/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   367 p.
%T   "COSO Enterprise Risk Management"

The inclusion of "COSO" (the Committee Of Sponsoring Organizations of
the Treadway Commission) in the title indicates that this work takes a
corporate, and particularly financial, perspective with respect to
risk management.  The fact that the first paragraph of the preface
makes reference to the key (if rather vague) phrase "internal
controls" reinforces this idea.  It is, therefore, somewhat ironic
that the introduction complains that risk management is poorly defined
and understood.  The concept of internal control is similarly
nebulous, and a badly understood abstraction can hardly be expected to
result in advice likely to lead to solid implementations by the
readers of the book.

Chapter one is a general introduction to the perceived need for COSO
and internal controls.  With yet more unintentional incongruity there
is heavy emphasis on ethics and philosophy within the organization.
(An ethical enterprise would presumably have no need for internal
controls.)  A traditional risk management process is outlined in
chapter two.  (There is a great deal of consideration given to
surveys, but little to either hard facts or statistics.)  Chapter
three's review of "enterprise" risk management reiterates a good deal
of the previous material.  The COSO risk management components are
noted, mostly in regard to the highest corporate levels.  The
additional COSO dimensions of objectives and entity levels are covered
in chapter four.  Chapter five repeats content on roles,
responsibilities, and process aspects of risk management.  The history
of the initial (1992 version) COSO structure is given in chapter six.

Chapter seven provides background on the Sarbanes-Oxley law, and some
relations to the COSO framework.  Audit is discussed in both chapters
eight and nine, first with respect to the board, and then in regard to
internal audit activities.  The project management cycle is reviewed
in chapter ten: unlike most similar pieces in risk management books,
this one at least addresses specific functions regarding risk
management.  Chapter eleven purportedly ties enterprise risk
management to information technology, but the topics are limited to
application development, business continuity, and malware.

Chapter twelve's suggestions on building a risk culture follow the
usual advice on creating a security awareness program.  Various
national financial standards and regulations are noted in chapter
thirteen.  In chapter fourteen the author ruminates on what should
happen with risk management in the future.

This book is almost identical in content and style to numerous others
on similar topics, such as Marchetti's "Beyond Sarbanes-Oxley
Compliance" (cf. BKBYNSOX.RVW), "Security Controls for Sarbanes-Oxley
Section 404 IT Compliance" by Brewer (cf. BKSCSOXC.RVW),  Lahti and
Peterson's "Sarbanes-Oxley IT Compliance Using COBIT and Open Source
Tools" (cf. BKSOITCU.RVW), and the rather better "Beyond COSO", by
Steven J. Root (cf. BKBECOSO.RVW).  The writing and material may
provide some assistance with a risk management process, but the
central points could have been provided in a clearer and more concise
form.

copyright Robert M. Slade, 2007   BKCOSERM.RVW   20070506
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm
