The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 53

Saturday 31 January 2009

Contents

England's NHS loses patient data: bad news, good news, bad news
Steven J Klein
Michigan man freezes to death after electric company cuts power
Mark E. Smith
Worm Infects Millions of Computers Worldwide
John Markoff via PGN
Trojan virus spreads to as many as 20,000 Macs
Boy Genius via Dave Farber
Fannie Mae insider attack
Kevin Poulsen via Jeremy Epstein
NSW, Australia Govt Jobs website hacked; authorities in denial
Andrew Jones
MP3 player contained US military secrets
Danny Burstein
Digital road sign in Austin, TX was altered to read, "Zombies Ahead."
David Hollman
Friends, Until I Delete You
Douglas Quenqua via Monty Solomon
Political risks of poorly configured email advocacy
Rich Mintz
Canadian do-not-call list becomes valuable telemarketing database
Olivier Dagenais
Staff Finds White House in the Technological Dark Ages
Anne E. Kornblut via Monty Solomon
Amex goes phishing
James J. O'Donnell
American Express Kept a *Very* Watchful Eye on Charges
Ron Lieber via Monty Solomon
Statue of Frauds [sic]
Martyn Thomas
Re: Yet Another Reason Not to use Windows for Medical Devices
Bernard Peek
Re: Tony Hoare: "Null References"
Michael Albaugh
Jurek Kirakowski
Ray Blaak
Martin Torzewski
Richard O'Keefe
Info on RISKS (comp.risks)

England's NHS loses patient data: bad news, good news, bad news

Steven J Klein <steveklein@mac.com>
Sun, 25 Jan 2009 03:33:10 -0500

Bad news: A National Health Service employee lost a flash drive containing
          personal information of up to 6,360 patients.

Good news: The data on the flash drive was encrypted.

Bad news: The password was written on a sticky-note attached to the drive.

Paraphrased from the *Lancashire Evening Post*
http://www.lep.co.uk/news/Apology-after-prisoners39-health-info.4862265.jp

Steven J Klein, Your Mac & PC Expert, Phone: (248) YOUR-MAC or (248) 968-7622


Michigan man freezes to death after electric company cuts power

"Mark E. Smith" <mymark@gmail.com>
Tue, 27 Jan 2009 04:06:40 -0800

In this case the risk appears to be the assumption that anyone who wishes to
pay their electric bill can do so easily. The 93-year-old WWII veteran may
not have had a checking account, a computer, or online bill paying, and the
weather was too severe for him to leave home to pay his electric bill in
person. After his death, a large amount of cash was found clipped to his
utility bill on his kitchen table.


Worm Infects Millions of Computers Worldwide (John Markoff)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 23 Jan 2009 11:26:18 PST

[Source: John Markoff, *The New York Times*, 23 Jan 2009]
http://www.nytimes.com/2009/01/23/technology/internet/23worm.html

A new digital plague has hit the Internet, infecting millions of personal
and business computers in what seems to be the first step of a multistage
attack. The world's leading computer security experts do not yet know who
programmed the infection, or what the next stage will be.

In recent weeks a worm, a malicious software program, has swept through
corporate, educational and public computer networks around the world. Known
as Conficker or Downadup/Downandup, it is spread by a recently discovered
Microsoft Windows vulnerability, by guessing network passwords and by
hand-carried consumer gadgets like USB keys.

Experts say it is the worst infection since the Slammer worm exploded
through the Internet in January 2003, and it may have infected as many as
nine million personal computers around the world.  [...]


Trojan virus spreads to as many as 20,000 Macs: Boy Genius Report

David Farber <dave@farber.net>
Sun, 25 Jan 2009 12:52:32 -0500

via false ilife leak

http://www.boygeniusreport.com/2009/01/23/trojan-virus-spreads-to-as-many-as-20000-macs/


Fannie Mae insider attack

Jeremy Epstein <jeremy.epstein@sri.com>
Fri, 30 Jan 2009 08:42:17 -0500

Threat Level, By Kevin Poulsen, Wired.com, 29 Jan 2009
http://blog.wired.com/27bstroke6/2009/01/fannie.html

A logic bomb allegedly planted by a former engineer at mortgage finance
company Fannie Mae last fall would have decimated all 4,000 servers at the
company, causing millions of dollars in damage and shutting down Fannie Mae
for a least a week, prosecutors say.

Unix engineer Rajendrasinh Babubha Makwana, 35, was indicted on 27 Jan 2009
in federal court in Maryland on a single count of computer sabotage for
allegedly writing and planting the malicious code on Oct.  24, the day he
was fired from his job. The malware had been set to detonate at 9:00 a.m. on
Jan. 31, but was instead discovered by another engineer five days after it
was planted, according to court records.

Makwana, an Indian national, was an employee of technology consulting firm
OmniTech, but he worked full time on-site at Fannie Mae's massive data
center in Urbana, Maryland, for three years.

On the afternoon of 24 Oct 2008, he was told he was being fired because of a
scripting error he'd made earlier in the month, but he was allowed to work
through the end of the day, according to an FBI affidavit (.pdf) in the
case.  "Despite Makwana's termination, Makwana's computer access was not
immediately terminated," wrote FBI agent Jessica Nye.

Five days later, another Unix engineer at the data center discovered the
malicious code hidden inside a legitimate script that ran automatically
every morning at 9:00 a.m. Had it not been found, the FBI says the code
would have executed a series of other scripts designed to block the
company's monitoring system, disable access to the server on which it was
running, then systematically wipe out all 4,000 Fannie Mae servers,
overwriting all their data with zeroes. [...]


NSW, Australia Govt Jobs website hacked; authorities in denial

Andrew Jones <andrew2004sydney@yahoo.com>
Mon, 26 Jan 2009 16:28:14 -0800 (PST)

Spammers hack into Government jobs website

http://www.smh.com.au/news/technology/security/id-theft-alert-as-job-site-h
acked/2009/01/26/1232818299147.html

"The NSW Government website used to advertise public service jobs has been
hacked into and the perpetrators have spammed the Government's database of
job seekers with phony vacancies in an effort to steal personal data and
possibly to spread viruses."  [...]

"However, Turner said the blame did not lie solely with the Government as
'any computer system can be hacked ... even American defence force
computers'." [...]

" 'The Department of Commerce is currently looking into the matter and has
alerted the relevant authorities,' the spokeswoman said."


MP3 player contained US military secrets

danny burstein <dannyb@panix.com>
Fri, 30 Jan 2009 00:18:08 -0500 (EST)

Kerri Ritchie, 28 Jan 2009

When a New Zealand man spotted a portable MP3 player for $US9 in an American
op-shop, he thought he'd landed a real bargain.  But Chris Ogle got far more
than he bargained for.

Instead of storing songs, the MP3 player contained secrets; 60 highly
sensitive US military files. ...  When he got back to New Zealand, he tried
to download some songs onto his computer and says he got the shock of his
life - 60 US military files labeled top secret popped up on his screen. ...

Kerri Ritchie: The files contained the social security numbers, home
addresses, even mobile phone numbers of American soldiers based in
Afghanistan and Iraq.

rest:
http://www.abc.net.au/pm/content/2008/s2476665.htm

  [Also noted by Gene Wirchenko,
http://arstechnica.com/security/news/2009/01/man-buys-used-ipod-gets-60-pages-of-sensitive-military-data.ars
  PGN]


Digital road sign in Austin, TX was altered to read, "Zombies Ahead."

David Hollman <dah8@cornell.edu>
Thu, 29 Jan 2009 15:23:13 +0000

Excerpts from http://www.foxnews.com/story/0,2933,484326,00.html :

Transportation officials in Texas are scrambling to prevent hackers from
changing messages on digital road signs after one sign in Austin was altered
to read, "Zombies Ahead."*

...The sign was reverted back to its original message within hours... the
signs are tamper-resistant and equipped with external locks.

According to the blog i-hacked.com, some commercial road signs, including
those manufactured by IMAGO's ADDCO division, can be easily altered because
their instrument panels are frequently left unlocked and their default
passwords are not changed.

"Programming is as simple as scrolling down the menu selection,"
i-hacked.com reports. "Type whatever you want to display -- In all
likelihood, the crew will not have changed [the password]."

  [Also noted by Geoffrey Brent:
http://www.woostercollective.com/2009/01/hacking_the_grid_in_austin_zombies_ahead.html
  PGN]


Monty Solomon <monty@roscom.com>
Fri, 30 Jan 2009 23:59:50 -0500
Subject: Friends, Until I Delete You

Douglas Quenqua, *The New York Times*, 29 Jan 2009

A person could go mad trying to pinpoint the moment he lost a friend.  So
seldom does that friend make his feelings clear by sending out an e-mail
alert.

It's not just a fact of life, but also a policy on Facebook. While many
trivial actions do prompt Facebook to post an alert to all your friends -
adding a photo, changing your relationship status, using Fandango to buy
tickets to "Paul Blart: Mall Cop" - striking someone off your list simply is
not one of them.

It is this policy that Burger King ran afoul of this month with its "Whopper
Sacrifice" campaign, which offered a free hamburger to anyone who severed
the sacred bonds with 10 of the friends they had accumulated on
Facebook. Facebook suspended the program because Burger King was sending
notifications to the castoffs letting them know they'd been dropped for a
sandwich (or, more accurately, a tenth of a sandwich).

The campaign, which boasted of ending 234,000 friendships, is history now -
Burger King chose to end it rather than tweak it to fit Facebook's policy -
but the same can hardly be said of the emerging anxiety it tapped. As social
networking becomes ubiquitous, people with an otherwise steady grip on
social etiquette find themselves flummoxed by questions about "unfriending"
people: how to do it, when to do it and how to get away with it quietly. ...
  http://www.nytimes.com/2009/01/29/fashion/29facebook.html


Political risks of poorly configured email advocacy

Rich Mintz <richmintz@richmintz.com>
Sat, 31 Jan 2009 10:59:04 -0500

In the UK last week, Greenpeace asked its supporters to email their MP on
the issue of runway expansion at Heathrow.  Apparently, the email system in
question was set up to send the supporter's email to their own MP -- and to
copy the email to all the other targeted MPs on the system.  As a result, 57
MPs each got thousands of emails in three or four hours.  Hilarity ensued.

What makes this interesting: the 57 targeted MPs are all *supporters* of
Greenpeace's position, who were being asked in the emails to hold firm in
their support.

http://business.timesonline.co.uk/tol/business/columnists/article5600838.ece
http://www.mattwardman.com/blog/2009/01/27/david-taylor-mp-raises-greenpeace-heathrow-automated-mass-email-campaign-in-parliament/


Canadian do-not-call list becomes valuable telemarketing database

Olivier Dagenais <olivier.dagenais@gmail.com>
Sat, 24 Jan 2009 10:22:15 -0500

The Consumers' Association of Canada says it has been inundated with
complaints from people who have been called by scam artists after placing
their telephone numbers on the registry, which went into effect last
September.

The do-not-call list was created to prevent telemarketers from contacting
people who do not want to be pestered with uninvited sales pitches. For
companies to find out who they are not permitted to call, the Canadian
Radio-television and Telecommunications Commission sells the list online for
a fee.

"You can buy any list you want of people who subscribe to the do-not-call
registry online. The whole of Toronto costs you 50 bucks for 600,000 names,"
Bruce Cran, president of the CAC, said in a telephone interview yesterday.

"That's just perfect for any telemarketer, because these are good names
which they would otherwise have to pay money for to verify. In addition to
that, there's no index list of cell phone numbers that you can get. However,
people were encouraged to put their cell phone numbers on there as well."

Source: Fraudsters abusing do-not-call list, *The Globe and Mail*, 23 Jan 2
009
  http://www.theglobeandmail.com/servlet/story/RTGAM.20090123.wdonotcall23/BNStory/National/home

The article makes it sound like names are also included in the lists, but
the DNCL website seems to indicate otherwise (unless, of course,
reverse-lookup is used with other public listings):
  http://www.crtc.gc.ca/ENG/INFO_SHT/t1028.htm


Staff Finds White House in the Technological Dark Ages

Monty Solomon <monty@roscom.com>
Thu, 22 Jan 2009 22:24:40 -0500

[Source: Anne E. Kornblut, *The Washington Post*, 22 Jan 2009, A01]

If the Obama campaign represented a sleek, new iPhone kind of future, the
first day of the Obama administration looked more like the rotary-dial past.
Two years after launching the most technologically savvy presidential
campaign in history, Obama officials ran smack into the constraints of the
federal bureaucracy yesterday, encountering a jumble of disconnected phone
lines, old computer software, and security regulations forbidding outside
e-mail accounts.

What does that mean in 21st-century terms? No Facebook to communicate with
supporters. No outside e-mail log-ins. No instant messaging.  Hard
adjustments for a staff that helped sweep Obama to power through, among
other things, relentless online social networking.  "It is kind of like
going from an Xbox to an Atari," Obama spokesman Bill Burton said of his new
digs.

In many ways, the move into the White House resembled a first day at school
[...].  There were plenty of first-day glitches, too, as calls to many lines
in the West Wing were met with a busy signal all morning and those to the
main White House switchboard were greeted by a recording, redirecting
callers to the presidential Web site. A number of reporters were also shut
out of the White House because of lost security clearance lists.  [...]

http://www.washingtonpost.com/wp-dyn/content/article/2009/01/21/AR2009012104249.html


Amex goes phishing

"James J. O'Donnell" <provost@georgetown.edu>
January 22, 2009 5:36:54 PM EST

  [From Dave Farber's IP]

Got messages on various accounts over the weekend from American Express to
tell cardholders that their 2008 year-end statement is online.  Just click
on this address, it said, giving an address.  If you mouse-overed the
address, a different address appeared in the status bar, and if you clicked
on the address, you went to a third uniquely different address.  I did so,
on a machine that could be cleaned if it were compromised, twice.  What I
found when I got there is that after you clicked on the nonconforming link,
you went to a page that asked you to input credit card information: either
your existing login/password for the amex site *or*, if you didn't have
login/pwd yet, to input your actual credit card information including card
number, expiry date, and 4-digit "security code".

Now I believe that the message was in fact legit: came from Amex and led you
to a site that was what it said it was.  What gobsmacked me was that Amex
was using classic phishing technique to get you to their site, and asked you
once there to engage in *exactly* the behavior that we tell everybody not to
behave in.

So what happened?  Today we got two messages that obviously responded to the
incomplete logins yesterday -- alerts to tell us that there was a problem
with that account due to multiple attempted logins and asking us to login to
the site to check and confirm information there.  The "security messages"
took exactly the same form: please click on this inconsistent URL and when
you get to the page referenced, go ahead and input confidential information.

I phoned Amex and nobody on their standard phone lines understood the issue,
but they got me eventually to corporate in NYC and I spoke to someone in
"investigations" who got what I was saying instantly and I could hear him
shaking his head.  He said he'd get on it.

Archives: https://www.listbox.com/member/archive/247/=now


American Express Kept a *Very* Watchful Eye on Charges (Ron Lieber)

Monty Solomon <monty@roscom.com>
Sat, 31 Jan 2009 00:11:59 -0500

YOUR MONEY
Ron Lieber, American Express Kept a (Very) Watchful Eye on Charges,
*The New York Times*, 31 Jan 2009

You probably know that credit card companies have been scrutinizing every
charge on your account in recent years, searching for purchases that thieves
may have made. Turns out, though, that some of the companies have been
suspicious of your own spending, too.

In recent months, American Express has gone far beyond simply checking your
credit score and making sure you pay on time. The company has been looking
at home prices in your area, the type of mortgage lender you're using and
whether small-business card customers work in an industry under siege. It
has also been looking at how you spend your money, searching for patterns or
similarities to other customers who have trouble paying their bills.

In some instances, if it didn't like what it was seeing, the company has cut
customer credit lines. It laid out this logic in letters that infuriated
many of the cardholders who received them. "Other customers who have used
their card at establishments where you recently shopped," one of those
letters said, "have a poor repayment history with American Express."

It sure sounded as if American Express had developed a blacklist of
merchants patronized by troubled cardholders. But late this week, American
Express told me that wasn't the case. The company said it had also decided
to stop using what it has called "spending patterns" as a criteria in its
credit line reductions. ...

http://www.nytimes.com/2009/01/31/your-money/credit-and-debit-cards/31money.html


Statue of Frauds [sic] (Re: Leichter, RISKS-25.52)

Martyn Thomas <drmartynthomas@googlemail.com>
Sat, 24 Jan 2009 13:46:04 +0000

  "The common law has traditionally accepted oral contracts - special cases,
  going back the the oddly-named Statue of Frauds, ..."

What an excellent idea! Where is it? What does it look like?

There has been a long-running debate on what should occupy the vacant
fourth plinth in London's Trafalgar Square.

  [Woops!  Your immoderate moderator's spelling checker had no trouble
  with that one, cast in concrete or frozen in stone.  PGN]


Re: Yet Another Reason Not to use Windows for Medical Devices

Bernard Peek <bap@shrdlu.com>
Fri, 23 Jan 2009 13:28:58 +0000
  (Epstein, RISKS-25.52)

It seems that a reality check is required here. In simple terms we have to
realise that there is no perfect solution to the problem of installing
software patches, there are only choices between different risks.

If we choose to install every patch immediately it is released we face the
risk that a patch may conflict with existing software or hardware and bring
systems to a halt.

If we choose to delay installation, even by a day, we risk attacks from
people who have reverse-engineered malware from the patches.

Given that there is no win/win solution it appears to me that we either have
to accept that our systems will occasionally fail or decide that using MS
Windows for critical systems is tantamount to professional negligence.

Bernard Peek, London, UK. DBA, Manager, Trainer & Author

  [This is an old issue for RISKS readers.  However, it continues to
  be a serious issue.  PGN]


Re: Tony Hoare: "Null References" (Baker, RISKS-25.52)

Michael Albaugh <m.e.albaugh@gmail.com>
Thu, 22 Jan 2009 13:43:51 -0800

... or Gresham's law?

While it is a widely held belief, it is not a fact that C is "unable" to
police array bounds. I cannot speak for Fortran or C++, but the C89
standard, at least, sufficiently circumscribes the definitions of pointers
and the operations that may be reliably performed on them to _allow_
bounds-checking. A decent optimizing compiler could even "hoist" much of the
checking out of loops etc.

The issue is that much (most) software "written in C" is in fact "written in
a language corresponding to the mental model formed by firing random
snippets from Byte through the compiler one happened to have handy". A big
part of that mental model is "A pointer is nothing more than a machine
address, which is nothing more than an index into an undifferentiated sea of
octets". Wrong in so many ways!

There have been a few attempts at promoting C compilers that correctly
compile correct programs, and diagnose issues with incorrect ones. These
have been doomed by the overwhelming mass of incorrect programs.

When the (time effective) solution to to the problem of error messages is to
buy instead a compiler which does not emit them, the situation snowballs.

"We have met the enemy, and he is us" (Walt Kelly)

> To a first approximation, the lack of array bounds checking created the
> virus/worm industry, and we are still paying handsomely for this.

Actually, I disagree. A lack of clear separation of code and data, and a
cavalier attitude toward "least privilege" has more to do with this, IMHO.


Re: Tony Hoare: "Null References" (Baker, RISKS-25.52)

"Kirakowski, Jurek" <jzk@ucc.ie>
Fri, 23 Jan 2009 10:20:53 -0000

> "I haven't yet heard an apology from Fortran/C/C++/etc. creators over
  their inability to police array bounds."

I suppose it would be going a bit too far to request a similar apology from
writers of macro assemblers and autocoders? I'm presuming Henry has his
tongue as firmly in his cheek as I do. The real risk has been that the art
of computer programming is badly taught, and that the cherished ideal for
many programmers is to not have to write a line of code ever again after
some point in their lives.

There IS a market for idiot-proof programming environments. But there is
also a market for precision tools like C.


Re: Tony Hoare: "Null References" (Baker, RISKS-25.52)

Ray Blaak <rblaa@telus.net>
Sun, 25 Jan 2009 13:14:43 -0800

I don't think Tony Hoare should be apologizing for inventing null pointers.
For any language with reference semantics, trying to program without being
able to express a "reference to nothing" would be quite difficult.

I am sure Tony Hoare could do it, but most programmers are not comfortable
with the more formal languages that this would require. They think better in
terms of simple assignments to state, pointer references, etc.

For array bounds checking on the other hand, there is no excuse.

Henry Baker <hbaker1@pipeline.com> writes:
 > Madoff was a rank amateur by comparison.  Computer "scientists" have been
 > producing insecure code like this since before NASDAQ was started.

Well, at least with the compsci folks, they were unintentional early
mistakes, compounded by generations of programmers enthusiastically
repeating them. You use C yourself?  Then you are just as culpable.

Madoff on the other hand, was intentionally stealing from people for years.


Re: Tony Hoare: "Null References" (Baker, RISKS-25.52)

<Martin.Torzewski@blueyonder.co.uk>
Mon, 26 Jan 2009 12:38:53 -0000 (GMT)

Fortran (at least until 77) WAS amenable to the hardware policed, and
hardware speed, storage area bound checking implemented by e.g. ICL's VME
architecture.  (As were, to my knowledge, all extant languages of the time.)
Less efficient bound checking was also implementable in software.

C was not, and had to have that mandatory checking suppressed (by allocating
a vast uniform area of store for the entire "C supporting" environment) in
order to run.

It's possible (and if so, unfortunate) that subsequent Fortrans have
jettisoned their sound industrial-strength approach to storage management,
reducing their engineering quality to that of C.


Re: Tony Hoare: "Null References" (Baker, RISKS-25.52)

"Richard O'Keefe" <ok@cs.otago.ac.nz>
Fri, 30 Jan 2009 19:12:17 +1300

Fortran's creators, at least, have nothing to apologise for: Fortran DOES
allow array bounds to be checked and the Burroughs Fortran compiler DID
check them.  IBM's xlf compiler has a -C (-qcheck) option which makes the
compiler check bounds.  Sun's f95 compiler also has a -C option doing the
same thing.  Both GNU Fortran compilers (g77 and gfortran) have a
-fbounds-check option.

I agree that the compiler writers who do not make this the default have much
to answer for, but the Fortran standardisers are under no obligation to
apologise for a non-existent inability.

It's interesting that Dijkstra waxed enthusiastic about Hoare's records,
uses null extensively.  If Dijkstra didn't see a problem, I don't think
Hoare need blame himself overmuch.
  http://www.cs.utexas.edu/users/EWD/transcriptions/EWD01xx/EWD132.html

Indeed, he may be claiming too much credit/blame for the idea.  PL/I
(designed in 1964) had null pointers (and null offsets).  I don't know when
it got them.  Lisp had NIL well before that, so null pointers were an
obvious invention.  AED-0 started in 1961, and 'Its compact syntax was the
first language to directly support "n-component elements" of Plex
programming (now called "pointers", "records", and "fields".'  Douglas
Ross's classic "The AED-1 Free Storage Package" (CACM, Aug 1967) starts 'The
use of multiword "n-component elements" for the representation and
manipulation of complex problem models in programming systems was first
proposed by the author in 1960'.  I can't tell from that paper whether AED
had null data pointers, but the paper certainly uses null function pointers,
represented as 0.  The earlier paper he mentioned was "A generalized
technique for symbol manipulation and numerical calculation", CACM March
1961, which is the earliest reference I know to general linked webs of
records.  The idea was so new at the time that holding a machine address in
a register was called "reversed use of index registers"!  (For which 0 would
have been possible.)

Perhaps some Risks reader knows something about the history of AED and
whether AED typed pointers allowed null references or not.

Please report problems with the web pages to the maintainer