The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 93

Sunday 30 December 2007

Contents

Computer Failure Causes Closure of Seattle Downtown Transit Tunnel
Jason Axley
Breakdown of aircraft separation, Sydney 4 April 2007
Andrew Rae
Nitrogen Used To Fill Aircraft Oxygen Systems
PGN
Army to use Macs to prevent hacking
Peter Houppermans
'Wrong country' sat-nav blunder
Richard Weir
Man pleads guilty to attempted shutdown of state's power grid
Paul Saffo
FedEx Contemplating A Move to Kyrgyzstan?
Robert Mathews
Ohio vote tampering opportunity?
Paul Saffo
Colorado Decertifies Voting Machines
Ken Dunham
A new low in phishing?
Andrew Koenig
Re: Computer Glitch Leads To Brawl At Wauwatosa Kmart
Howard Israel
Re: Whole of UK Child Benefit records on CD lost in the post
Tony Wright
Re: Private details/UK Government disks
Rob Slade
HMRC Lost Discs & Encryption
Brian Gladman
Drunk a better guide than sat nav
Jay R. Ashworth
Risk of poor capacity planning, etc.: online auction
Steven Hoober
Info on RISKS (comp.risks)

Computer Failure Causes Closure of Seattle Downtown Transit Tunnel

<Jason Axley <jason@axley.net>>
Mon, 17 Dec 2007 22:06:03 -0800

Who would have thought a tunnel would be subject to a computer failure?  But
alas, after the multi-year tunnel retrofit that recently completed, it seems
as if all of the tunnel systems are now controlled by a single computer
system that has failed.  Too many eggs in one basket...

  The downtown Seattle bus tunnel is closed for the night and may not be
  open for Tuesday's commute because of a failure of the computer system
  that controls tunnel operations.  Transit officials are asking riders to
  check the metro transit Web site after 4 a.m. Tuesday morning to see if
  the tunnel will be open. The Web site is www.kingcounty.gov/metro
  <http://www.kingcounty.gov/metro>.  Riders should check timetables online
  under the heading "When the tunnel is closed," which is the same routing
  buses use on nights and weekends.  All of the systems in the tunnel -- such
  as ventilation, lighting and signals -- are controlled by a computer system
  installed during the recent retrofit of the tunnel. Sound Transit is
  responsible for that system, and is trying to fix it, a Sound Transit
  spokesman said.  [Source: Computer failure closes downtown bus tunnel,
  *Seattle Times* staff]
http://seattletimes.nwsource.com/html/localnews/2004078843_webtunnelclosed17m.html


Breakdown of aircraft separation, Sydney 4 April 2007

<Andrew Rae <ajrae@ssqe.com.au>>
Tue, 18 Dec 2007 10:07:26 +1000

On 4 April near Sydney, Australia, a loss-of-separation incident occurred
between a Boeing 737 and an Airbus A330.  The immediate cause of the incident
was incorrect data entry by the air traffic controller.  A contributing
factor was that the controller was, as per normal practice, reconfiguring
his workstation to his personal preferences at the time of the incorrect
data entry.  This task normally takes over a minute, and is a distraction
from the controller's safety critical tasks.

Other jurisdictions provide an overlap between operators to allow for such
tasks.

http://www.atsb.gov.au/publications/investigation_reports/2007/AAIR/aair200701982.aspx


Nitrogen Used To Fill Aircraft Oxygen Systems

<Peter G Neumann <Neumann@csl.sri.com>>
Fri, 21 Dec 2007 21:24:51 -0600

Airlines all over the world are being warned to check to make sure there's
actually oxygen in their aircraft oxygen systems after an embarrassing
mix-up by Qantas Airlines at Melbourne International Airport. For ten
months, crews have been filling airliner oxygen systems from a nitrogen cart
that's supposed to be used to fill tires. The mistake went unnoticed until a
couple of weeks ago when an observant aircraft engineer spotted service
workers using the cart. "He was walking around the plane and asked what they
were doing. When they said they were topping up the oxygen, he said, 'No
you're not, that's a nitrogen cart,'" an unnamed source told *The Age*.  As
anyone who works with industrial gases knows, oxygen tanks have different
fittings than other gases to prevent exactly this kind of mix-up. However,
when the crews discovered the fittings on what they thought was their new
oxygen cart didn't fit, they swapped them for the ones on the old cart they
were retiring. Of course, Australian officials are looking into the error
and Qantas has been busy notifying other airlines that use its services in
Melbourne.  Hundreds of aircraft may be affected.
http://avweb.com/avwebflash/news/NitrogenUsedToFillAircraftOxygenSystems_196776-1.html


Army to use Macs to prevent hacking

<Peter Houppermans <peter@houppermans.com>>
Fri, 21 Dec 2007 22:21:05 +0100

"[..] the military is quietly working to integrate Macintosh computers into
its systems to make them harder to hack. That's because fewer attacks have
been designed to infiltrate Mac computers, and adding more Macs to the
military's computer mix makes it tougher to destabilize a group of military
computers with a single attack [..]"
http://www.forbes.com/home/technology/2007/12/20/apple-army-hackers-tech-security-cx_ag_1221army.html
http://preview.tinyurl.com/29xelf


'Wrong country' sat-nav blunder

<Richard Weir <tech@vif.com>>
Sat, 22 Dec 2007 07:17:03 -0500

[Another report from the BBC regarding 'blind' faith GPS. It boggles the mind.]

Shoppers on a Christmas trip to France were taken to the wrong country after
a satellite navigation blunder diverted their coach seven hours off course.
Instead of arriving in Lille, France, 50 members of Cheltenham and
Gloucester (C&G) Social Club were taken 98 miles (157km) away to Lille,
Belgium.  "Unfortunately the driver from the coach company we commissioned
made a blunder on his satellite navigation."

Story from BBC NEWS, 11 Dec 2007
http://news.bbc.co.uk/go/pr/fr/-/1/hi/england/gloucestershire/7139603.stm


Man pleads guilty to attempted shutdown of state's power grid

<Paul Saffo <paul@saffo.com>>
Sun, 16 Dec 2007 17:28:24 -0800

[Now, why do you suppose they had the "power off" button to begin with?!? -p]

A Sacramento County computer technician has pleaded guilty to trying to shut
down California's power grid by pushing a button marked "Emergency Power
Off," authorities said.  Lonnie Charles Denison, 33, of South Natomas,
admitted Friday in U.S. District Court in Sacramento that he went into a
room at the Independent System Operator's data center in Folsom (Sacramento
County) on April 15, broke a glass cover and pushed the button, prosecutors
said. Denison, a contract employee at the data center, was upset with his
employer, authorities said.

The ISO oversees electricity purchases and distribution. Denison prevented
the data center from communicating to the electricity market for about two
hours, leaving the electrical power grid vulnerable to shortages, Matthew
St. Amant, a California Highway Patrol officer assigned to an FBI task
force, wrote in an affidavit.  No blackout occurred because the incident -
which cost $14,000 for 20 computer specialists to repair - happened on a
Sunday, investigators said.  Denison was identified by surveillance-tape
footage and his security-access code, the affidavit said. He pleaded guilty
to attempted damage of an energy facility, a felony. He is to be sentenced
Feb. 29 by U.S. District Judge Garland Burrell.  [Source: Henry K. Lee, *San
Francisco Chronicle*, 16 Dec 2007, C3; hlee@sfchronicle.com; PGN-ed]
http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/12/16/BACHTVEM6.DTL (Henry


FedEx Contemplating A Move to Kyrgyzstan?

<"Prof. Robert Mathews (OSIA)" <mathews@hawaii.edu>>
Fri, 28 Dec 2007 02:54:37 -0500

Could it be that FedEx is contemplating a move of their global
operations from Memphis, TN, to Bishkek, Kyrgyzstan?  What are the RISKS?

If FedEx were to consider Bishkek as a base of operations, they would be well
advised to note that SWECO's analysis did not involve components (either
traffic or operational) that affect the 'bi-directional' and
'multi-directional' movement of global freight, or the possibility of the
enterprise either being enhanced or enriched by the emplacement of a
'multi-point,' operation and distribution - Logistic Control System (LCS).
In comparison, Santa's yearly trip as it stands, is at least thought of as
being 'uni-directional' and 'load-insensitive.'

Further, as an engineering firm, SWECO does not provide any information as
to what sort of improvements/savings in terms of time, efficiency, reindeer
food and methane emissions*** can be expected by the proposed need to
re-locate...  :-) Also, the SWECO Web-site prefers that clients connect
using IE 5.0 or Netscape 4.7, and not a Mozilla-Firefox browser.

Santa Claus should live in Kyrgyzstan
http://www.sweco.se/templates/Page.asp?id=19592&print=1

*Experts at the consulting engineering company SWECO have come to the
conclusion that Santa Claus should live in Kyrgyzstan. By starting his
journey there, Santa can achieve the most efficient around-the-world trip to
distribute Christmas gifts. He can eliminate time-consuming detours and
avoid subjecting his reindeer to undue strain.*

One of SWECO's areas of expertise is the use of geographic information and
maps, for example to plan transports in an optimal manner. In order to
calculate Santa's ideal route, they have also studied where children live,
the Earth's rotation and various demographic data to find our planet's
demographic centerpoint.

Identifying Santa's optimal Christmas route is not just something we do for
fun. SWECO uses the same technique when carrying out assignments on behalf
of our clients. For example, we have helped numerous transport companies to
optimise their routes as a means for shortening their driving distances,
reducing negative impact on the environment and saving money, all at the
same time!

*Why figure out where Santa Claus should live?*
This is a good exercise, and not just for fun. In recent years we have
tried to think up original ideas for Christmas cards and gifts to our
clients. One year we gave our clients blueprints for a gingerbread house, to
highlight the fact that we have architects in the Group. This year we have
chosen to show how GIS can contribute to a peaceful holiday season.

*Why Kyrgyzstan?*
A geographic and demographic analysis shows that Kyrgyzstan is located close
to the richly populated countries of China and India and a ways up on the
more densely populated northern hemisphere. This is also an ideal place to
live if Santa Claus starts in eastern Asia and then continues his Christmas
journey in a westerly direction. He would then be traveling against the
Earth's rotation, which would give him twice as much time to deliver gifts
to all of the world's children.

By starting his journey there, Santa can achieve the most efficient
around-the-world trip to distribute Christmas gifts. He can eliminate
time-consuming detours and avoid subjecting his reindeer to undue strain.

*Santa Claus has very little time to make each stop, is it really possible?*
Yes, it is, but his extreme speed is also the reason why we rarely meet
him. You might like to say hello, shake his hand and give him a pat on the
shoulder, but by the time you get around to it he's already in the next
town.

*Where Santa Claus should live:*
Latitude: 40.40° N
Longitude: 74.24° E

*For more information:*
Rebecka Gunner, Press Officer SWECO +46 (0)734-126675,
rebecka.gunner@sweco.se <mailto:rebecka.gunner@sweco.se>

[Source: Kyrgyzstan touted as ideal delivery hub for Santa, 24 Dec 2007]
http://www.reuters.com/article/oddlyEnoughNews/idUSEIC47011920071224?feedType=nl&feedName=usoddlyenough

*** Raymond Hainey, "Santa told to sack his gas-emitting team of reindeer,"
*The Scotsman*, 24 December, 2005
http://news.scotsman.com/ViewArticle.aspx?articleid=2689094


Ohio vote tampering opportunity?

<Paul Saffo <paul@saffo.com>>
Sun, 16 Dec 2007 17:29:59 -0800

'Tis a great day for stupid computer tricks! -p

Hanna Siegel, 16 DEC 2007, Wanna Change Votes in Ohio? Use a PDA and a Magnet;
Study Finds Ohio's Voting System Is Seriously Flawed
http://abcnews.go.com/Politics/story?id=4008511

Got a PDA and a magnet? You could switch votes cast in an Ohio election by
connecting your PDA to the voting machine.

A study conducted over a two-month period this year found that Ohio's voting
systems are seriously flawed. An 86-page report released by Ohio Secretary
of State Jennifer Brunner says, "The findings in this study indicate that
the computer-based voting systems in use in Ohio do not meet computer
industry security standards, and are susceptible to breaches of security
that may jeopardize the integrity of the voting process."

When Brunner was campaigning for her office seat, she promised a
top-to-bottom overview of Ohio's voting system.  Her findings have broad
implications. With the election less than a year away, Ohio is an important
swing state, decisive in returning President Bush to office in 2004.

A team of researchers from Microsolve Inc., Penn State and the University of
Pennsylvania found critical security failures in all five voting systems
used across the state.  The software is problematic, as well. The report
found that servers crashed easily. Crashes in 2007 delayed results for
hours.

Brunner recommends that all touch-screen machines in Ohio be replaced with
optical scan paper ballot machines, so that the results can be more easily
verified.  "We know this type of system will work because [many states]
already use it," she said.

Brunner was not Ohio's secretary of state when the current voting machines
were purchased. When asked why flawed systems were put into operation, she
replied, "I'm dealing with the system that I inherited."


Colorado Decertifies Voting Machines

<"Ken Dunham" <kdunham@rogers.com>>
Wed, 19 Dec 2007 11:39:30 -0500

http://blogs.zdnet.com/projectfailures/?p=541

Coming quick on the heels of a scathing voting machine report
http://www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf
from the Ohio Secretary of State (see Larry Dignan for details),
<http://blogs.zdnet.com/security/?p=753> the machines have been
decertified for use in parts of Colorado.

According to The Denver Channel
<http://www.thedenverchannel.com/politics/14875334/detail.html> :

Secretary of State Mike Coffman cited security or accuracy problems in the
decertified machines.  A number of electronic scanners used to count ballots
were also decertified, including a type used by Boulder County.  Coffman
said the system had a 1 percent error rate when counting ballots.  "So for
every 100 ballots we tested, we found there was an error with one of those
ballots," Coffman said.

The post-election random audit on which the decertification was based:
  http://www.elections.colorado.gov/DDefault.aspx?tid=833
Detailed county-level audit results:
  http://www.elections.colorado.gov/DDefault.aspx?tid=989

Ohio and Colorado are only the latest states to experience voting machine
problems. Rest assured, there are many more voting machine screw-ups and
decertifications to come. Folks, this story has hardly begun.


A new low in phishing?

<"Andrew Koenig" <ark@acm.org>>
Tue, 11 Dec 2007 17:07:29 -0500

[I got the following today--text, not HTML--purporting to be from
service@paypal.com:]

Your account has been temporarily inactivated due to our general
security policy. In order for us to activate your account, please send
the following documents:

1) Send us a copy of all Credit Cards, both front and back
2) Send us a copy of a valid identification document (passport, driver's
   license)
3) Send us a copy of any utility bill (bank statement, electricity,
   insurance) with your name and address on it.

Please fax your documents to (888) xxx-xxxx.

We assure you that your personal data and documents will not be transferred
to third parties.

Please note that all information which is sent by fax has to be clearly
readable, otherwise we will need to re-request the verification documents.

If you should require further assistance, please contact us again as we are
at your service 24 hours a day, 7 days a week.

Thank you for using PayPal
The PayPal Team

  [Do people really fall for this? ARK]  [Yes.  PGN]


Re: Computer Glitch Leads To Brawl At Wauwatosa Kmart (RISKS-24.92)

<"Howard Israel" <Howard.Israel@fidessa.com>>
Tue, 27 Nov 2007 09:30:23 -0500

Interesting secondary consequences:

"One witness told police someone went to another Kmart, got some
applications there and was selling them in the Wauwatosa Kmart parking lot
for $20 apiece."

Who could predict such things?

Computer Glitch Leads To Brawl At Wauwatosa Kmart; 2 People Arrested
26 Nov 2007, excerpted  http://www.wisn.com/news/14697601/detail.html

A melee at a Kmart store in Wauwatosa Saturday morning was started by a
computer glitch.  The store was running a promotion in which it would give
away $10 to anyone applying for its credit card, but the computer glitch led
to everyone's application being granted -- bestowing up to $4,000 in instant
credit to anyone who applied even if they shouldn't have qualified.  Once
word started to spread about the so-called "free money" Saturday, witnesses
said things got pretty nuts inside the Wauwatosa store.  "They were having a
big fight. Two ladies was jumping a lady over credit cards," witness
Sylvester Wilson said.

Nearly a dozen Wauwatosa squad cars responded to the call just before 11
a.m. Saturday for what was called a large fight in progress.  "It was a nice
brawl. It came from inside to outside. If you go up there, you'll see hair,
earrings, all pulled out on the ground," Wilson said.

What started as a fight between two women in the crowded store evolved when
several men intervened.  A store employee got punched in the nose and
crashed through a glass display case. He was treated for a broken nose and
various cuts.  Two suspects, a 22-year-old man and a 16-year-old boy, were
arrested, accused of battery.

Meantime, Kmart is still trying to clear up the credit card mess.

Two employees confirmed for police that anyone who applied was being given
instant credit -- from $850 up to $4,000. They also told police that people
started calling other people to the store for so-called free money. The
store ran out of credit applications.  One witness told police someone went
to another Kmart, got some applications there and was selling them in the
Wauwatosa Kmart parking lot for $20 apiece.  Kmart would not comment on how
many people got the credit cards who shouldn't have or how much merchandise
they were able to buy with them.

Previous Story: November 24, 2007: Brawl Breaks Out At Kmart
<http://www.wisn.com/news/14682561/detail.html>

Howard Israel, Corporate Security Officer, Fidessa Corporation
Howard.Israel@fidessa.com <mailto:Howard.Israel@fidessa.com> (212) 320-3315


Re: Whole of UK Child Benefit records on CD lost in the post (Mellor, RISKS-24.92)

<Tony Wright <adw@saska.co.uk>>
Tue, 18 Dec 2007 23:12:22 +0000

The danger here is in misunderstanding what service you are buying.  In
Royal Mail (I've no idea what the 'In house' TNT service does) what actually
happens is this:

Recorded Delivery means that the package or letter goes totally untraced
with regular mail until such time as it is Delivered or returned by the
postman to the sorting office as Undelivered. If it is delivered it should
be signed for by the recipient -- upon return to office the postman hands in
the delivery sheet and the item is only then entered into the system as
Delivered. If undelivered, then a notice should be left and the item is only
then logged into the system when the item is returned to the office. AKA
*Nothing* is traced until a delivery is attempted. If the item doesn't shake
out of the bottom of a bag in a sorting office somewhere, there is no more
way to trace where it is during its journey than any piece of regular mail.

Special Delivery, AKA what was referred to as Registered Mail (which no
longer exists) is signed for, barcode traced and receives special handling
throughout its entire journey from when it is posted at a Post Office to
when it is delivered.

The thing about Recorded Delivery is that if uncollected it must be returned
to sender after 7 days and is therefore used as a legal instrument of
notification in the UK.


Re: Private details/UK Government disks (Houppermans, RISKS-24.92)

<Rob Slade <rMslade@shaw.ca>>
Mon, 17 Dec 2007 20:38:05 -0800

"The department had a detailed manual covering procedures for handling the
benefits database and other sensitive information. However, the manual
itself was considered too sensitive to be widely distributed, so it was
restricted to civil servants only, The Guardian reports."
http://www.theregister.co.uk/2007/12/17/hmrc_manual/.

  ("Civil servants" are senior staff.)

rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm


HMRC Lost Discs & Encryption

<Brian Gladman <brg@gladman.plus.com>>
Tue, 18 Dec 2007 09:26:38 +0000

The discs lost by HM Revenue & Customs were password protected with WinZip
version 8, which means that encryption was used but it was relatively weak
and subject to both password search and known plaintext attacks.  It is very
unlikely to hold up against a determined attacker.

WinZip version 9 introduced an AES based approach with a conservative
design that had good protection against password searches and known
plaintext attacks. With a good non-dictionary password I believe this
would hold up against even the most determined attack had this been used
in the HMRC scenario.
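As an added illustration of the design principle Gladman describes (this is not WinZip's own code or format, and nothing here is taken from the HMRC discs), the following Python compares an unsalted single-hash key derivation with a salted, iterated one built on the standard library's PBKDF2-HMAC-SHA1, plus a password verifier derived from the stretched key. The sample password, salt, iteration count and the 48-byte key layout are constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed example values for illustration only; none of these come from
# the HMRC discs or from WinZip's specification.
EXAMPLE_PASSWORD = b"correct horse battery staple"
EXAMPLE_SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")  # 16 bytes
ITERATIONS = 1000  # assumed work factor; real formats pick their own


def weak_key(password: bytes) -> bytes:
    """Unsalted, single-pass derivation: one hash per guess, and the same
    password yields the same key for every archive, so a table of
    password -> key can be built once and reused against any file."""
    return hashlib.sha1(password).digest()[:16]


def stretched_key_material(password: bytes, salt: bytes,
                           iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA1). Returns 48 bytes:
    32 for the content-encryption key and 16 for a password verifier.
    Every guess must repeat all `iterations` HMAC steps, and the per-file
    salt makes precomputed tables useless."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=48)


def split_key_material(material: bytes):
    """Separate the cipher key from the verifier."""
    return material[:32], material[32:]


def make_verifier(password: bytes, salt: bytes,
                  iterations: int = ITERATIONS) -> bytes:
    """Value stored with the archive so a wrong password can be rejected
    without revealing the cipher key."""
    _, verifier = split_key_material(
        stretched_key_material(password, salt, iterations))
    return verifier


def check_password(candidate: bytes, salt: bytes, verifier: bytes,
                   iterations: int = ITERATIONS) -> bool:
    """Each check costs the full stretched derivation; the comparison is
    constant-time so the verifier leaks nothing through timing."""
    _, cand = split_key_material(
        stretched_key_material(candidate, salt, iterations))
    return hmac.compare_digest(cand, verifier)


def search_cost(num_candidates: int, iterations: int) -> int:
    """Hash invocations needed to test every candidate password.
    With iterations == 1 (the weak scheme) this is just num_candidates;
    the stretched scheme multiplies it by the iteration count."""
    return num_candidates * iterations


if __name__ == "__main__":
    verifier = make_verifier(EXAMPLE_PASSWORD, EXAMPLE_SALT)
    print("correct password accepted:",
          check_password(EXAMPLE_PASSWORD, EXAMPLE_SALT, verifier))
    print("wrong password accepted:",
          check_password(b"password1", EXAMPLE_SALT, verifier))
    print("work for a 10-million-word dictionary, weak scheme:",
          search_cost(10_000_000, 1))
    print("same dictionary against the stretched scheme:",
          search_cost(10_000_000, ITERATIONS))
```

The point the two schemes make concrete: the salt removes any benefit from precomputation, the iteration count multiplies the cost of every guess by a factor the defender chooses, and a verifier carved from the stretched output lets the archive reject a wrong password without ever exposing the content key. None of this rescues a dictionary password, which is why Gladman's caveat about a good non-dictionary password still applies.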


Drunk a better guide than sat nav (Jacobson, RISKS-24.92)

<"Jay R. Ashworth" <jra@baylink.com>>
Tue, 18 Dec 2007 10:56:07 -0500

It's a little troubling to me that none of the articles that seem very
popular lately on "how dangerous it can be to depend entirely on your
satellite navigator" make clear the point -- obvious to technical people,
but not always to civilians -- that the problem is *actually* failures in
the *mapping and routing data*, and nothing directly to do with the
satellites themselves.

The RISK?  Well, it's a slightly obscure one; the opposite of what we
usually deal with around here: it's a bad idea to *reduce* the confidence of
the general public in something which really *is* pretty stable; GPS in
itself is pretty accurate and doesn't break much.

In case you've never noticed, almost no one ever says "run on a bank", even
when that's what's actually happening.  Same reason.  Mass psychology.

Doesn't pay to ignore it.

Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA +1 727 647 1274
http://photo.imageinc.us http://baylink.pitas.com jra@baylink.com


Risk of poor capacity planning, etc.: online auction

<"Steven Hoober" <shoobe01@gmail.com>>
Fri, 21 Dec 2007 16:50:18 -0600

The .mobi TLD is a relatively new one, specifically to address websites for
mobile browsers. The organization that runs it, promotes it and sort of
makes money helping get folks' sites working has periodic auctions of some
of the more in-demand names. The latest group of these ended 5 December
2007.

As detailed here:
http://dotmobi.typepad.com/dotmobi/2007/12/open-letter-to.html
There were some problems with it. Quoting the salient part:

> We have noticed that some people seem to believe that the auction
> participants who received notifications and invoices before the extension of
> the auction were the highest bidders at the close of the original auction
> period.
>
> Sedo, however, tells us that:
>
> a) this is clearly not true in some cases,
> b) this is unlikely to be true for the names generating the most activity,
>    and
> c) this is possibly not true for any of the auctions.
>
> To those points, Sedo has told us the following:
>
> - As the scheduled auction end approached, bidding activity
> increased dramatically, creating significantly higher-than-expected traffic.
> - Although the web interface slowed down for some participants, the
> auction interface and bid page remained available for many or all users, and
> the web servers continued to log incoming bids.
> - Once the bid processing server stopped functioning properly,
> however, many of those bids -- both standard and proxy -- did not get posted
> to the bid history page.
> - As a result of the server crash, another system automatically
> generated email notices at 5 p.m. GMT to the highest bidder listed
> on the bid history page, despite Sedo's attempts to stop that process.
> - Because the bid history page did not reflect all of the valid
> bids, notices were sent to some participants who were not, in fact, the
> highest bidders.

Some interesting information is revealed. Aside from the failure of Sedo
(or, it seems /anyone/) to accurately predict and provide for capacity, is
the poor capacity planning. In the broader sense, there should have been a
provision for failure of this sort.

My core issue here is of this phrase, "...another system automatically
generated email notices at 5 p.m. GMT to the highest bidder listed on the
bid history page..." This strikes me as particularly poor planning. Sending
notices should probably not simply be at a time, but upon a sending of "win"
status. That alone would have

Even worse is the end of the same sentence, "...despite Sedo's attempts to
stop that process." If true (and not simply spin in the aftermath), having
no good way to stop cron jobs, or sending of data seems like a serious
failure on the part of a system with a notable public presence, and an often
non-trivial financial commitment on the part of the end users.

Entirely aside from designing the system to post, check, and confirm data,
simply planning for component outages should have revealed this failure.
Capacity testing, likewise, should have been performed to failure on
individual components, and likewise should have revealed this failure
condition.

Note that although I work in the mobile industry, I did not have a bid in on
any of these domains, winning or otherwise, so have no specific stake in the
outcome of this event.
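The two design points Hoober raises (notify on confirmed "win" status rather than on a clock, and keep a way to stop the sender) can be shown side by side in a small model. The following Python is an added example, not Sedo's or dotMobi's code; the domain names, bidders, amounts and the "processor crashed after posting bid 3" scenario are all constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


@dataclass(frozen=True)
class Bid:
    name: str    # domain name under auction (constructed example names)
    bidder: str
    amount: int
    seq: int     # order in which the web servers logged the bid


class Status(Enum):
    RECONCILING = "reconciling"  # complete log and posted history disagree
    FINALIZED = "finalized"      # winner confirmed from the complete log


def highest_bids(bids):
    """Winner per name: highest amount; on a tie the earlier logged bid wins."""
    best = {}
    for bid in sorted(bids, key=lambda b: b.seq):
        current = best.get(bid.name)
        if current is None or bid.amount > current.amount:
            best[bid.name] = bid
    return best


def naive_notices(posted_history):
    """The failure mode in the open letter: a timer fires and mails whoever
    is top of the posted history page, whether or not that page is complete."""
    winners = highest_bids(posted_history)
    return [(name, w.bidder, w.amount) for name, w in sorted(winners.items())]


@dataclass
class Auction:
    log: list           # complete bid record kept by the web servers
    posted: list        # subset the bid-processing server managed to post
    status: dict = field(default_factory=dict)
    halt: bool = False  # operator kill switch: nothing is sent while set

    def close(self):
        """Derive each name's status from the complete log and hold any name
        whose posted history does not match it."""
        from_log = highest_bids(self.log)
        from_posted = highest_bids(self.posted)
        for name, winner in from_log.items():
            if from_posted.get(name) == winner:
                self.status[name] = Status.FINALIZED
            else:
                self.status[name] = Status.RECONCILING
        return self.status

    def notices(self):
        """Send a win notice only on FINALIZED status, never on a clock."""
        if self.halt:
            return []
        winners = highest_bids(self.log)
        return [(name, winners[name].bidder, winners[name].amount)
                for name, status in sorted(self.status.items())
                if status is Status.FINALIZED]


# Constructed sample data: three names, a late surge of bids, and a bid
# processor that crashed after posting seq 3.
FULL_LOG = [
    Bid("gamma.mobi", "eve", 300, 0),
    Bid("alpha.mobi", "ann", 500, 1),
    Bid("beta.mobi", "bob", 900, 2),
    Bid("alpha.mobi", "cid", 650, 3),
    Bid("beta.mobi", "dee", 1400, 4),  # logged but never posted
    Bid("alpha.mobi", "ann", 700, 5),  # logged but never posted
]
POSTED_HISTORY = [b for b in FULL_LOG if b.seq <= 3]


def run_example():
    """Returns (what the timer-driven sender would mail, what the gated design mails)."""
    auction = Auction(log=FULL_LOG, posted=POSTED_HISTORY)
    auction.close()
    return naive_notices(POSTED_HISTORY), auction.notices()


if __name__ == "__main__":
    naive, gated = run_example()
    print("timer-driven notices from the posted page:", naive)
    print("status-gated notices from the complete log:", gated)
```

With the constructed data the timer-driven sender mails "cid" and "bob" as winners of alpha.mobi and beta.mobi although higher bids sit unposted in the log, while the gated design finalizes only gamma.mobi, holds the other two for reconciliation, and sends nothing at all once the operator sets `halt`. The model also shows why capacity testing to failure matters: the discrepancy only appears because one component (the bid processor) stopped while another (the web log) kept going.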
