The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 37

Thursday 2 October 2008

Contents

NASDAQ's Google surprise
PGN
Computer Failure Hobbles Hubble, Derails Shuttle Mission
Sharon Gaudin
Amazon multiple account weirdness
Graham Bennett
Alarm sounded on second-hand kit
Gabe Goldberg
Seeking tales of IT gone wrong
Andrew Brandt
Re: Risks of financial systems too complex ,,,
Robert P Schaefer
Re: When is a backup not a backup?
Mark F
The folly of retaining default settings
Ken Knowlton
Weak password reset procedures
identity withheld
New castle rules in chess?
Andy Walker
Re: Hacker claims Palin e-mail hacked ...
Rob McCool
Scott Miller
Allen Hainer
Info on RISKS (comp.risks)

NASDAQ's Google surprise

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 1 Oct 2008 8:29:35 PDT

In the last three minutes of NASDAQ trading on 30 Sep 2008, an amazing event
occurred relating to Google stock.  It was not reported in the 1 Oct issue
of *The New York Times* and mentioned only in passing in a very brief
detail-free summary in the *San Francisco Chronicle*.  This is an excerpt
from NASDAQ.com after the market close:

  GOOG: Stock Quote & Summary Data

  Last Sale  $320.50
  Change Net $60.50  -15.89%
  Today's High/Low $483.63 / $39   [NOT A TYPO. PGN]

In a "glitch" that apparently remains to be explained, the stock price took
a horrendous dive in the last few minutes.  Although some people tried to
profit from it, NASDAQ *canceled* all transactions with Google shares above
$425.29 or below $400.52, and the closing value was readjusted to $400.52.

TheAustralian.news.com.au blames "Erroneous trades" routed to Nasdaq that
sent Google shares tumbling.  Shares rebounded in after-hours trading to
$413.06.

NASDAQ is also investigating trades in Rohm & Haas during the same
three-minute window.

Conceivably, the $39 transaction could have resulted from an erroneous entry
such as $390.  [As I edit this, my old home laptop has suddenly developed a
sticking "a" key.]  And recent studies seem to show that the market is
driven more by rumor and innuendo than by external events.  However, some
sort of range checking would seem to have long ago been in place to prevent
such wild outliers.  In any event, hopefully an insider will be able to let
us know what really happened.


Computer Failure Hobbles Hubble, Derails Shuttle Mission

<technews@HQ.ACM.ORG>
Wed, 1 Oct 2008 14:11:21 -0400

NASA scientists announced that a data formatter and control unit on the
Hubble Space Telescope has "totally failed," preventing data from being sent
to Earth and delaying a shuttle mission.  The Science Data Formatter is
designed to collect information from five onboard instruments, format the
data into packets, put headers on the packets, and send the packets to
Earth.  Hubble Space Telescope program executive Michael Moore says the
Hubble's problematic computer, which has been in orbit for more than 18
years, is a simple but vital part of the telescope's communications system.
NASA scientists are now working to switch the Hubble to onboard redundant
systems to resume services until a space shuttle arrives with a replacement
system.  NASA postponed the space shuttle's planned October repair mission
so a replacement computer system can be obtained.  Hubble manager Preston
Burch does not know what caused the failure, but notes that the unit runs at
a relatively high temperature compared to other components, and high
temperatures tend to accelerate the degradation process.  Moore says
switching over to the redundant systems should take about 10 hours, and
technicians and scientists expect to complete the process at the end of the
first week of October.  NASA's Ed Weiler says the switchover and subsequent
installation of new redundant systems should add another five to 10 years to
Hubble's life.  [Source: Sharon Gaudin, *Computerworld*, 30 Sep 2008, via
ACM TechNews, Wednesday, October 1, 2008]
http://www.computerworld.com/action/article.do?command=3DviewArticleBasic&articleId=3D9115903


Amazon multiple account weirdness

<Graham Bennett <graham@simulcra.org>>
Tue, 30 Sep 2008 20:54:49 +0100

The other day, I logged in to Amazon and got as far as checking out, when I
noticed that my address book only had very old addresses in it (from circa
2001/2002) and the order history stopped around the same time.  After
thinking for a bit I realised that I'd accidentally used an old password
that I don't really use for anything important any more to log in, so I
logged out and logged back in with the correct (newer) password and exactly
the same e-mail address.  Lo and behold, I got my up to date account
information and recent order history.

Now, I don't thinking I'm alone in expecting that when I create an account
with a website, the e-mail address or login id will be the primary key, and
not the login and password combined.  So I was a bit surprised by this.

I sent Amazon e-mail asking them how this could have happened, and asking
them a couple of awkward questions like "What if I change the passwords on
both accounts to be the same?" and "If I delete one account does it delete
both?".  They couldn't really provide satisfactory answers to that and said
I must have inadvertently created the second account (which is probably the
case).

Discussing this with some colleagues at work, it became evident that this is
the usual behaviour - you can create as many accounts as you like for the
same e-mail address, as long as the passwords are different.  Moreover,
creating the account does not require the email address to be confirmed!  So
this means anyone can create an account on Amazon with my e-mail address.

Now, I don't think this in itself is a massive security hole since the new
account doesn't have access to any privileged data, but at the very least
someone malicious could try to do some nasty things.  For example, they
could create a lot of accounts against a target e-mail address with common
passwords, and hope that the victim accidentally logs in with the wrong one
and, not realising their mistake, re-enters their details and makes a
purchase.  The user probably wouldn't notice since the confirmation will get
sent to their e-mail address as expected.

I put these points to Amazon in a customer services enquiry, and for the
most part I got the expected fob-off:

  "Please rest assured that Your Account is secure.

  "In the event of Malicious creating accounts with obvious passwords in the
  hope that someone will accidentally type the wrong one and enter their
  credit card details into an account,Our secure server software encrypts
  all your personal information including credit or debit card number, name
  and address. The encryption process takes the characters you enter and
  converts them into bits of code that are then securely transmitted over
  the Internet.

  "Secondly, An attacker registering many passwords against the e-mail
  address of a victim, even if the attacker was to get access to the
  customer's account,Please know that if someone was able to log in to your
  account, they would still not have access to your payment card details, as
  they are not displayed anywhere on the site.

  "None of the customers who have shopped at Amazon.co.uk have reported
  fraudulent use of a payment card as a result of purchases made with us.
  In fact, we are so confident about the transaction security we offer on
  our site that we back every purchase with a security guarantee."

Well, I'm glad that I've got all those 'bits of code' protecting me!
Unfortunately, they'll be protecting the attacker too... They do make the
valid point that you can't extract credit card details even if you can log
into an account, but you can still make purchases and read or change
addresses.

I have seen posts on the Web saying that the reason for this functionality
is so that people sharing the same e-mail address can have their own
accounts.  This might have been an issue in the early days of online
shopping, but now in the days of widely available free e-mail accounts, I
don't think this is necessary.  Even then, why not have an e-mail
verification step when creating a new account?  I don't think this would be
a barrier for people signing up.

It seems strange to me that such a well-known Web presence as Amazon would
operate a confusing system like this, the disadvantages seem to far outweigh
the advantages.  I'm sure security experts would say that the simpler a
system is, the simpler it is to secure it.

http://graham33.wordpress.com/2008/09/14/amazon-multiple-account-weirdness/


Alarm sounded on second-hand kit

<Gabe Goldberg <gabe@gabegold.com>>
Thu, 02 Oct 2008 10:50:03 -0400

For less than a pound (UK), a security expert obtained front-door access to
a council's internal network.  Andrew Mason from security firm Random Storm
bought some network hardware from auction site eBay for 99p.  When he
switched it on and plugged it in, the device automatically connected to the
internal network of Kirklees Council in West Yorkshire.  Kirklees council
called the discovery "concerning", but said its data had not been
compromised.
  http://news.bbc.co.uk/2/hi/technology/7635622.stm


Seeking tales of IT gone wrong

<Andrew Brandt <risks_inquiry@amishrabbit.com>>
Thu, 25 Sep 2008 02:14:46 -0600

As a sporadic reader of your list, I'm familiar with the kinds of stories
that end up gracing each issue of the ACM Risks Digest.  I've come to ask
you, all of you, for some help.

I'm a freelance reporter, currently on assignment to write a story for
*Infoworld*.  The gist of the story is "Greatest IT Mistakes," where I hope
to relate true anecdotes of people who -- perhaps in an ill-advised,
well-intentioned state of mind -- set off a cascade of errors that resulted
in serious computer downtime, lost data, or other notable information
technology failures or problems.

As opposed to the typical story in RISKS, I'm searching for the stories
about problems that, while they may have been aggravated or magnified by
automated systems, were initiated by humans.

Many such historical events (e.g., the Morris Worm) are well known.  Many
more end up in the Snopes urban legend archive. I'm looking for examples
that fall outside the parameters of the well-known events of this type, and
I won't print anything the veracity of which I cannot authenticate. Please
send me true stories, preferably where you have direct, personal knowledge
of the details and parties involved.

The goal of the story is not to humiliate a person, or call attention to a
company with poor IT policies. This isn't a name-and-shame piece. I'd like
the story to serve as a cautionary tale to others, with a humorous angle, if
that's possible. And I think it is. To that end, I'm willing to anonymize
what anyone cares to share with me to whatever extent is necessary to avoid
such humiliation. Of course, if the person or people responsible for, by way
of entirely hypothetical example, deleting a company's entire e-mail archive
in the process of performing a backup are willing to have their identities
disclosed, I'd be more than happy to oblige.

I'll be searching the archives for stories dating back no further than about
18 months that suit the needs of my article; If you know of a particularly
juicy tidbit, please contact me directly with anecdotes. You can use the
risks_inquiry@amishrabbit.com e-mail address, with the word "risks"
somewhere in the subject line.

Thanks very much in advance for your assistance.

  [I suggested to Andrew that he cull through the RISKS archives and my
  annotated index (http://www.csl.sri.com/neumann/illustrative.html),
  especially those with the descriptor "h" (for human) and "i" (for
  interface).  PGN]


Re: Risks of financial systems too complex ,,, (Schaefer, R-25.36)

<"Schaefer, Robert P \(US SSA\)" <robert.p.schaefer@baesystems.com>>
Tue, 30 Sep 2008 15:55:58 -0400

PGN missed my follow-up correction.  Ouroboros was written in 1926, before
the crash.  A good read though.  The book I meant to cite was:

  Garet Garrett, The Bubble that Broke the World, 1932
  http://www.mises.org/books/bubbleworld.pdf


Re: When is a backup not a backup? (Ward, RISKS-25.36)

<Mark F <mark49607@gmail.com>>
Wed, 01 Oct 2008 20:13:38 -0400

> We have had systems fail because the backup system was not able to handle
> the peak load on the main system: in other words, the "backup" turned out to
> be unable to take over when most needed. So it wasn't a "backup" at all.

I've been on commercial flights that weren't permitted to take off because
they had only 2 of 3 navigational devices functioning.

The irony is that only 2 were required, but the airline had decided that it
wanted the extra reliability of having 3, not realizing that the FAA rules
said that ALL of the installed units had to be working.

(This was in about 1965, so the rules may have changed.)


The folly of retaining default settings (Re: Haynes, RISKS-25.36)

<Ken Knowlton <KCKnowlton@aol.com>>
Wed, 1 Oct 2008 10:16:03 EDT

[Re: Jim Haynes RISKS 25.36: Default passwords and gasoline thefts,
and George Santayana's "Those who cannot remember the past..."]

Sixty five years ago Richard Feynman created a minor ruckus by opening
several filing cabinets containing super-secret info at Los Alamos simply by
dialing the standard factory setting of their combination locks.


Weak password reset procedures

<[Identity withheld by request]>
Wed, 1 Oct 2008 11:52:58

There's always a tradeoff in making password resets easy vs. secure.  I ran
into what (to me) was a new low point today.

At Starwood.com, if you forget your account info, you can type in your
e-mail address.  It then gives you a choice of e-mailing you a temporary
password (the normal approach), or recovering it using your "secret"
question - which I did.  So the answer to my "secret" question is as good as
my password....  but most people's secret question is probably *less* secure
than a password, since it's more likely to be something that can be
recovered from a credit report, or at least brute force guessed.  (I don't
know if there are limits as to how many failures you can have before they
lock you out.)

OK, that's pretty weak.  But then the big surprise - once I logged in
(again, having only provided the answer to my secret question), I changed
passwords - and the profile screen displays all 16 digits of my credit card
number, plus the expiration date.  Not the usual twelve stars and the last
four digits, but the full 16 digits.

The risk?  Making recovery easy for customers (and hence increasing revenue
and reducing help desk costs) can increase the risk to customers, even those
who don't lose their passwords!


New castle rules in chess? (Re: RISKS-25.36)

<anw@cuboid.uk (Andy Walker)>
Thu, 2 Oct 2008 00:13:40 +0000 (UTC)

We've become used to confusions between assorted Sydneys, Gibraltars and
so on.  "Right Move", an organ of the English Chess Federation, reports
on one between Newcastles.  To cut quite a long story short, lady wants
to find a chess club in Newcastle for her son, and quite sensibly googles
for "junior chess Newcastle".  The organiser in Newcastle-under-Lyme, a
modest town, is quite used to this confusion, and passes her on to his
counterpart in Newcastle-upon-Tyne, a large city whose university is
well-known to readers of these articles.  Said organiser finds her some
nearby schools with chess clubs.  Slightly puzzled mother says those
schools are across the city, and aren't there any in nearby suburbs?
Turns out [of course] that she is in Newcastle NSW, Oz -- yet another
of the 33 Newcastles (and more variants) listed by Wiki.

I suppose it shouldn't be a surprise that emigrants to new countries name
not only their towns and cities but also some of their suburbs, streets and
schools after those in their old countries.  The problem is, of course, that
Google and other computerised tools are international in scope, and locals
don't always recognise the need for disambiguation.

[I've just run the same google, and the Lyme one is not only now fifth
(behind two Tynes and two NSWs) but is also clearly a Lyme rather than a
random Newcastle, so either the web pages have changed or else the lady was
somewhat careless.]

[I have a personal interest in this confusion, as my house was once owned by
the Duke of Newcastle, the "most hated man in England" at the time of the
Reform Act riots (when his home, Nottingham Castle, was burned down).  As
Lyme is much too small to have a proper Duke, I always assumed he was a
Tyne.  But I found out fairly recently that the Tynes had died out, the
title had had to be re-created, and they had used the Lyme version as a
figleaf to give a different name but allow the same abbreviation.]


Re: Hacker claims Palin e-mail hacked ... (Miller, R-25.36)

<Rob McCool <robm@robm.com>>
Tue, 30 Sep 2008 20:23:12 -0700 (PDT)

I think Scott Miller raises an interesting question, which is how did the
hacker know to look for her e-mail at Yahoo to begin with.

I agree that it's unlikely that he knew her alternate e-mail address.  I
would think only an insider would know that.

Yahoo IDs can be public, although I can't remember if it's opt-in or
opt-out, at http://members.yahoo.com/

Since the Yahoo ID was deleted after the incident, we don't know if her ID
was listed or not. But that's one way her Yahoo ID could have been found.
For fun, try looking for Arnold Schwarzenegger or Gray Davis in that
directory.  But then again, some of those accounts may have been created by
mischief makers as a result of this incident.

It's also possible that the Yahoo ID recovery process was changed
after this incident and that the mechanism we're looking at isn't
the one that was in place at the time. This may have only been the most
high-profile of cases where the prior mechanism was abused and the Yahoo
security team may have enhanced it since then.

All these possibilities are there, and while I agree that they're slim chances,
I'm not willing to conclude that it's BS yet. But the question remains,
how did this person know that the real Sarah Palin was using Yahoo e-mail?


Re: Hacker claims Palin e-mail hacked ... (McCool, RISKS-25.37)

<SMiller@unimin.com>
Wed, 1 Oct 2008 09:10:25 -0400

Rob, Well, regardless of the accuracy of these reports, there's your risk:
Using a "something you know" factor as part of the recovery authentication
that could in fact be "something that you and everyone else in the Internet
universe knows or can trivially discover".  It is indeed possible that
Yahoo! changed recovery methods after (and as a result of) the incident, but
my observation after over a year of using Yahoo! mail is that they seem to
have a _lot_ of trouble replicating any behavior changes across their server
farm, so I am somewhat skeptical that such a revision was successfully
completed within 48 hours of the initial published reports.  I created the
new account to see if there was some option to allow additional recovery
questions (e.g., the "high school" data mining allegation) that was only
available at set-up time - there was not.  I doubt that the reports are
without a germ of truth, but I think that two things are obvious: The
reports as they stand are at best incomplete; The media (unfortunately
including many IT specialty sites and bloggers) embarrassed itself (again
unfortunately, as usual) with its complete inability to do even rudimentary
fact checking.  Although perhaps I need to check my assumption that anyone
working in the media remains capable of embarrassment...


Re: Hacker claims Palin e-mail hacked ... (RISKS-25.36)

<Allen Hainer <risks@hain-veilchen.de>>
Wed, 01 Oct 2008 15:55:36 +0200

Scott Miller raises the question of whether a yahoo account can be reset
without knowing the yahoo ID.  The yahoo ID in question can easily be found
using yahoo advanced search:
  http://members.yahoo.com/interests?.oc=a

Enter the first and last name.  The picture was last updated in 2006, so I
don't think it is a recent spoof.

Please report problems with the web pages to the maintainer