The RISKS Digest
Volume 25 Issue 17

Friday, 30th May 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Wrong patient gets appendix removed, software to blame
Rex Sanders
E-Voting Banned by Dutch Government
Udo de Haes
Don't phlash that dwarf—hand me the pliers!
John Leyden
Firmware-based phone vulnerabilities
David Magda
A Low-cost Attack on a Microsoft CAPTCHA
Jeff Yan and Ahmad Salah El Ahmad via Monty Solomon
SYN attack from RIAA contractor
David Lesher
Random and haphazard are not synonyms
Andrew Koenig
An iTunes file database problem Apple will never fix
Max Power
Microsoft's Masters: Whose Rules Does Your Media Center Play By?
Greg Sandoval
Fundraising that is too Excel-lent to report
Mark Brader
On-line registration for College Reunion 2008
F John Reinke
Why not set the pump to half price and post a sign?
Daniel P. B. Smith
Re: Securing The Wrong Spaces: A Lesson
John Sullivan
Bill Hopkins
An account of the Estonian Internet War
Gadi Evron
Info on RISKS (comp.risks)

Wrong patient gets appendix removed, software to blame

Rex Sanders <>
Fri, 23 May 2008 10:26:57 -0700
Software incompatibility was part of a chain of events leading to the wrong
patient getting an appendectomy.

News story:

Original report:

E-Voting Banned by Dutch Government

"Peter G. Neumann" <>
Fri, 23 May 2008 12:36:38 PDT
  [via Natarajan Shankar]

Udo de Haes, Andreas, (21 May 2008)

The Netherlands has banned the use of electronic voting machines in future
elections due to concerns that the technology was too vulnerable to
eavesdropping. "Developing new equipment furthermore requires a large
investment, both financially and in terms of organization," according to the
Ministry of Internal Affairs. "The administration judges that this offers
insufficient added value over voting by paper and pencil." The Dutch
government also banned voting printers, which were criticized by a group of
experts led by Bart Jacobs, a professor at Radboud University in Nijmegen,
over similar security concerns. The Netherlands will make use of electronic
vote counting, and will conduct tests to improve its effectiveness. The
local activist group "Wij vertrouwen stemcomputers niet" (We don't trust
voting computers), led by computer hacker Rop Gonggrijp, declared the
decision a victory for those who want verifiable election results.

Don't phlash that dwarf—hand me the pliers!

David Chessler <>
Sat, 24 May 2008 21:19:01 -0400
  [From johnmacsgroup]

Phlashing attack thrashes embedded systems
John Leyden, *The Register*, 21 May 2008

A security attack that damages embedded systems beyond repair was
demonstrated for the first time in London on Wednesday.  The cyber-assault
thrashes systems by abusing firmware update mechanisms. If successful, the
so-called phlashing attack would force victims to replace systems.

The attack was demonstrated by Rich Smith, head of research for offensive
technologies and threats at HP Systems Security Lab, at the EUSecWest
<> security conference in London on
Wednesday. Smith told Dark Reading that such as "permanent denial of
service" attack could be carried out remotely over the Internet.

Theoretically the attack could be both more effective (as the damage caused
would be harder to recover from) and cheaper than conventional denial of
service attacks, which typically rely on hackers paying to rent control of a
network of compromised PCs.

The PhlashDance approach relies on exploiting frequently unpatched
vulnerabilities in embedded systems, such as flaws in remote management
interfaces, to get access to a system. That alone wouldn't be enough, but
because firmware updates are seldom secured, the possibility exists of
making an update that effectively trashes a system.

Smith is calling on vendors to authenticate the mechanism as one way of
defending against such attacks. He is demonstrating a tool to search for
vulnerabilities in firmware, as well as an attack mechanism to corrupt
vulnerable firmware at EUSecWest.

There's no record of such an attack even occurring and other security
watchers are skeptical over whether crackers could make money - the main
motive for denial of service attacks - from such an approach. Both H D Moore
of Metapolit fame and the Hack a Day blog reckon that exploiting
vulnerabilities to plant malware in firmware is a far more insidious and
dangerous type of attack than simply destroying systems.  Another
presentation at EuSecWest will demonstrate a proof of concept rootkit
capable of covertly monitoring and controlling Cisco routers. The Cisco IOS
rootkit software was developed by Sebastian Muniz, of Core Security.

Firmware-based phone vulnerabilities

David Magda <>
Wed, 28 May 2008 13:56:03 -0400 (EDT)
There are some phones that have complicated software (iPhone, Nokia S60
line), but even "firmware-based" phones now have security issues:

> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable Motorola RAZR firmware based cell phones. User interaction is
> required to exploit this vulnerability in that the target must accept a
> malicious image sent via MMS.
> The specific flaw exists in the JPEG thumbprint component of the EXIF
> parser. A corrupt JPEG received via MMS can cause a memory corruption
> which can be leveraged to execute arbitrary code on the affected device.

A Low-cost Attack on a Microsoft CAPTCHA

Monty Solomon <>
Mon, 12 May 2008 08:02:37 -0400
Jeff Yan, Ahmad Salah El Ahmad
School of Computing Science, Newcastle University, UK
{Jeff.Yan, Ahmad.Salah-El-Ahmad}

Abstract: CAPTCHA is now almost a standard security technology. The most
widely used CAPTCHAs rely on the sophisticated distortion of text images
rendering them unrecognisable to the state of the art of pattern recognition
techniques, and these text-based schemes have found widespread applications
in commercial websites. The state of the art of CAPTCHA design suggests that
such text-based schemes should rely on segmentation resistance to provide
security guarantee, as individual character recognition after segmentation
can be solved with a high success rate by standard methods such as neural
networks.  In this paper, we analyse the security of a text-based CAPTCHA
designed by Microsoft and deployed for years at many of their online
services including Hotmail, MSN and Windows Live. This scheme was designed
to be segmentation-resistant, and it has been well studied and tuned by its
designers over the years. However, our simple attack has achieved a
segmentation success rate of higher than 90% against this scheme. It took on
average ~80 ms for the attack to completely segment a challenge on a desktop
computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we
estimate that this Microsoft scheme can be broken with an overall
(segmentation and then recognition) success rate of more than 60%. On the
contrary, its design goal was that "automatic scripts should not be more
successful than 1 in 10,000" attempts (i.e. a success rate of 0.01%). For
the first time, we show that a CAPTCHA that is carefully designed to be
segmentation-resistant is vulnerable to novel but simple attacks. Our
results show that it is not a trivial task to design a CAPTCHA scheme that
is both usable and robust. ...

SYN attack from RIAA contractor

David Lesher <>
Thu, 29 May 2008 15:08:24 -0400
MediaDefender is a company that works for the RIAA/MPAA to thwart the
distribution of copyrighted materials over P2P networks.  Apparently, over
the weekend, they SYN flooded servers hosting seeds for Revision3's
BitTorrent-distributed programs.

Revision3's CEO Jim Louderback explains the SYN flood attack and
MediaDefender's role in it in a really well written blog post:

FYI: Revision3 is an ad-supported online TV network that distributes
original programming via podcast, streaming, and BitTorrent, among other
methods.  BitTorrent and SYN flooding are explained in Louderback's post.

Random and haphazard are not synonyms

Andrew Koenig <>
Fri, 23 May 2008 10:54:33 -0400
Jim Horning's note (RISKS-25.16) about uninitialized memory reminds me of
something that happened to me nearly 40 years ago.

At the time I was in college and working as a student consultant at the
computer center.  Another student came in with a problem: A comparison in
his program wasn't working as he thought.

This program was in 360 assembly language, using a single-pass assembler
with the wonderful name of SPASM.  360 machine language includes a bunch of
instructions to work with sequences of characters that can range from 1
through 256 characters.  This particular student was exploiting this feature
in a way that was breathtakingly clever or naive—or both.

He had several Boolean flags in his program.  He used three bytes to
represent each flag, setting those bytes to the EBCDIC values of "SAM" or
"XYZ" to represent true or false.  Moreover, he did not bother to initialize
these flags, figuring that they would start out with random values.  In
other words, if he wanted a flag to start out as false, he would assume it
was true if its value was "SAM", trusting that the probability that it would
be "SAM" by chance would be small enough to be zero for practical purposes.
Similarly, if wanted a flag to start out as true, he would assume that it
was false if its value was "XYZ".

What he did not count on was that this single-pass assembler assembled his
program in the same memory that it subsequently used to run it--so that one
of his variables would always start out with "SAM" as its initial value.

I never did figure out why he didn't use the assembly language's
initialization feature.

An iTunes file database problem Apple will never fix

Max Power <>
Mon, 26 May 2008 00:39:19 -0700
An iTunes file database problem Apple will never fix: podcast files that are
not deleted do not moved out of their original directory ... and iTunes has
other poor podcast directory disk capacity tracking issues.

In one case iTunes showed I had no "National Nine News" files, but the
directory had about 1gb worth of video files.  This memory and file tracking
problem is more severe with video files, but audio files may have the same
problem if they are not MP3 files.  At its worse iTunes could tell users it
has no files, but your hard disk could be full of podcasts.  This is not an
iTunes library issue.  I am fairly certain that iTunes counts only podcasts
you have not deleted in its disk capacity tracking text below the podcast
list.  More people need to provide more detail about this long-standing
iTunes bug.

My system Vista: podcasts stored on a FAT32 drive OSX systems probably have
this same flaw, as it is a User Interface problem (high-level code vs
low-level edge code that interfaces with the OS).

Max Power, CEO, Power Broadcasting, SA

Microsoft's Masters: Whose Rules Does Your Media Center Play By?

Monty Solomon <>
Fri, 23 May 2008 07:47:20 -0400
Posted by Danny O'Brien, 19 May 2008

While its customers are still puzzling over why Vista Media Center is
suddenly refusing to record over-the-air NBC digital TV, Microsoft has come
out with an astounding admission, courtesy of Greg Sandoval at CNet News:

"Microsoft included technologies in Windows based on rules set forth by the
(Federal Communications Commission)," a Microsoft spokeswoman wrote in an
e-mail to CNET "As part of these regulations, Windows Media Center
fully adheres to the flags used by broadcasters and content owners to
determine how their content is distributed and consumed."

Microsoft's statement shines light on how Microsoft expects Media Center to
behave. If this is the company's explanation for what users are seeing when
attempting to record digital NBC broadcasts over-the-air, then Microsoft is
saying Vista obeys the broadcast flag: a requirement rejected by courts and
Congress. ...

Fundraising that is too Excel-lent to report

Mark Brader
Mon, 26 May 2008 18:01:29 -0400 (EDT)
* From: Greg Goss <>
* Newsgroups:
* Subject: Democratic fundraising overwhelms FEC computers
* Date: Mon, 26 May 2008 12:07:09 -0600

What is the difference when you have a quarter million people signing
checks for $200 instead of 200 people signing checks for a quarter

Your fundraising report to the government becomes unwieldy.

  [The FEC is at the same time both Overwhelmed and Underwhelming.  PGN]

For other reports, browse on
   Obama fundraising report spreadsheet excel

On-line registration for College Reunion 2008

"r@rcc" <>
Tue, 27 May 2008 07:53:46 -0400
Here's an attempt to bootstrap an authentication process. Argh! Everyone is
an InfoSec expert.

Wonder if I can sign up everyone I know?  Maybe I can order a Ferrari? If
they are this lame, I can NOT imagine what the site security is like!

This is a real email from one of 'my' schools.


You can't make this stuff up!


*** begin quote ***

From: The Alumni Relations Team []
Sent: Friday, May 16, 2008 5:19 PM
To: yyyyy
Subject: NEW: On-line registration for zzzzz College Reunion

Dear yyyyy

zzzzz College is launching a new payment gateway that will further
ensure that using your credit card on our Web site is both secure and
protected. On-line safety is our main concern, whether you register for a
class or event, make a gift or purchase an item. Please use our Web site
knowing that you will always be provided with the best possible means of
using your credit card in a safe and secure on-line environment.

In order take advantage of the feature to register for Alumni Reunion
Weekend (, you are being sent your Campus
Wide Identification Number. This will serve as your "User ID". Your initial
pin number will be your birth date, entered as six digit number (ex.021458).
After you have entered this information on the link provided below to the
registration page, you may change your log on information to a more familiar


(your 6 digit birth date in the form of MMDDYY - i.e. Feb 14 1958 would be
021458 )

To Register for Reunion Weekend 2008:

1. Access the new Self Service Payment Gateway:
(If you experience a "website security certificate" notification, select
"allow" as prompted)
2. Enter your User ID and pin (provided above)
3. Select the Alumni Services tab
4. Select Reunion 2008
5. Follow prompts to complete your registration with credit card

These measures ensure all of us that your personal information remains
private. Thank you for your continued support of the College. We look
forward to seeing you on Reunion Weekend!

Warmest regards,
xyz, Director of Alumni Relations

   [Literals PGN-ed to hinder filtering.]

Why not set the pump to half price and post a sign?

"Daniel P. B. Smith" <>
Sun, 25 May 2008 11:32:34 -0400
Monty Solomon quoted a Washington Post article about a gas-station operator
who fears going out of business because her mechanical pumps can't be set to
more than $3.99 a gallon.

The reporter doesn't explain why she couldn't do what was done on a
widespread basis the last time something like this happened.

On 23 May 1979, *The New York Times* reported that "New York State gave
dealers emergency permission to meter by the half-gallon. The change is
designed to allow more of them to charge more than $1 a gallon and thus
encourage them to stay open.... By allowing machines to charge by
half-gallons, the technical limit would be doubled, to $1.99 8/10 a gallon."

My recollection is that at the time, in other cases, operators simply set
the pumps to register half the actual price, and posted conspicuous signage
stating the actual prices and noting the customer would be charged twice the
total registered by the pump registered.

I'm no lawyer, and certainly can't speak to weights and measures law in
every state, but I find it hard to believe that an station owner taking such
an action in good faith would get in serious trouble.

  [Big surprise.  This is what is happening.  Lots of items submitted on
  this "problem".  PGN]

Re: Securing The Wrong Spaces: A Lesson (Damiani, RISKS-25.10)

John Sullivan <>
Sun, 25 May 2008 17:34:14 +0100
(The original piece was in RISKS-25.06.)

Assuming your transmitter emits a specific strength RF pulse, and your
receiver can detect anything more powerful than some (lower) strength
pulse, the inverse square law will help determine the maximum path
length between transmitter and receiver that still allows detection.

Having determined this length, but assuming perfect reflectors where
necessary, whether the path is looped back on itself to reach the
position of the original transmitter (enemy at distance X, path length
2X), or layed straight to reach the enemy receiver (enemy at distance
2X, path length 2X) shouldn't make a difference.

Re: Securing The Wrong Spaces: A Lesson (Price, RISKS 25.16)

"Bill Hopkins" <>
Tue, 27 May 2008 14:33:48 -0400
Picking nits off nits, re: target detection vs. radar source detection:

It's actually much more than four times the distance.  Only a tiny fraction
of the incident signal is reflected by the target, so we are talking about
orders of magnitude, not small integer ratios.

Given that, the limit on detecting someone else's threat detection radar is
limited more by the geometry of surface-to-surface signals on a sphere than
distance effects on signal strength.

The lesson of the original post holds, that systems to detect military
threats may not (indeed, may be designed not to) detect civilian bystanders.

An account of the Estonian Internet War

Gadi Evron <>
Tue, 20 May 2008 09:30:40 -0500 (CDT)
About a year ago after coming back from Estonia I promised I'd send in an
account of the Estonian "war". The postmortem analysis and recommendations I
later wrote for the Estonian CERT are not yet public.

A few months ago I wrote an article for the Georgetown Journal of
International Affairs, covering the story of what happened there, in
depth. The journal owns the copyright so I had no way of sending that along
either. I wasn't about to email saying "go buy a copy".

Mostly silly articles kept popping up with misguided to wrong information
about what happened in Estonia, and when an Estonian student was arrested
for participating, some in our community even jumped up to say "it was just
some student". Ridiculous.

This is the "war" that made politicians aware of cyber security and entire
countries scared, NATO to "respond" and the US to send in "help". It
deserved a better understanding for that alone, whatever actually happened

I was there to help, but I just deliver the account. The heroes of the story
are the Estonian ISP and banking security professionals and the CERT (Hillar
Aarelaid and Aivar Jaakson).

Apparently the Journal made my article available in PDF form by a third

Battling Botnets and Online Mobs
Estonia's Defense Efforts during the Internet War

It is not technical, I hope you find it useful.

Please report problems with the web pages to the maintainer