The RISKS Digest
Volume 25 Issue 61

Sunday, 29th March 2009

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

DNA contamination led to serial-killer illusion
Mark Brader
Announcing your crime in a chat room may interfere with it
Mark Brader
You have won $[2^32-1]/100, no wait, we mean nothing
Mark Brader
Student dead 2 months, told to improve attendance
Mark Brader
Phantom Serial Killer
Dave Mulkey
E-voting In Ireland
PGN
Fairfax County Virginia voting glitches
Jeremy Epstein
Arose by any other name: was Diebold
PGN
"Security by obscurity Considered Harmful" — especially for voting
John Sebes
Malware installed at manufacturer on Diebold ATMs
Toby Douglass
Driver Says GPS Unit Led Him to Edge of Cliff
Richard Grady
The Information Security Debt Clock
Gunnar Peterson
Google translations used for phishing attacks against ISPs
Gadi Evron
Economics of Finding and Fixing Vulnerabilities in Distributed Systems
Gunnar Peterson
ZOL downtime and emergency maintenance
Andrew Yeomans
We seem to be going over the top on "risks", forgetting about some realities
Fred Cohen
Info on RISKS (comp.risks)

DNA contamination led to serial-killer illusion

Mark Brader
Fri, 27 Mar 2009 22:25:57 -0400 (EDT)

When police in Germany, Austria, and France were able to DNA-match evidence
from six homicides (including the killing of policewoman Michele Kiesewetter
in the town of Heilbronn) and dozens of other crimes, they naturally
concluded that a multiple murderer was at work — one who acquired the
nickname "The Phantom of Heilbronn".

But then one of the matches, which seemed unlikely, was retested...  and the
second time it came back negative.

Now it seems that in fact the only connection between the crimes is that
when collecting DNA from the evidence, cotton swabs from the same
manufacturer (Greiner Bio-One) were used.  Unused swabs were tested and a
few were found to have the same woman's DNA on them; she worked at the
company that did the packaging.  Greiner says that they were only supposed
to be sterile swabs for medical use, and were not guaranteed to be free of
DNA.

Of course, if this happened in a work of fiction, it'd turn out that the
woman actually had committed one of the early crimes and then taken
advantage of her job to deliberately contaminate the swabs in order to
divert suspicion.  But be that as it may, the consequences for law
enforcement are not going to be pleasant.

See:
http://news.bbc.co.uk/2/hi/europe/7966641.stm
http://www.dw-world.de/dw/article/0,,4129872,00.html
http://www.time.com/time/world/article/0,8599,1888126,00.html
http://www.google.com/hostednews/ap/article/ALeqM5iEPt22F_xcWatGRrX5ludZOsSM5AD976HRM00


Announcing your crime in a chat room may interfere with it

Mark Brader
Sat, 21 Mar 2009 00:56:53 -0400 (EDT)

When J.P. Neufeld, an Internet chat-room moderator in Montreal, saw someone
posting an announcement that he was shortly going to set fire to a school in
Norfolk, England, he took it seriously, first communicating with the poster
and then phoning the Norfolk police.  They acted quickly and in less than an
hour a 16-year-old was arrested near the school while carrying matches and
"what is believed to be a flammable liquid".

http://www.cbc.ca/world/story/2009/03/20/concordia-student-forum-norfolk.html
http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20090320/school_threat_090320/20090320?hub=TopStories
http://www.eveningnews24.co.uk/content/news/story.aspx?itemid=NOED19%20Mar%202009%2008:52:47:223


You have won $[2^32-1]/100, no wait, we mean nothing

Mark Brader
Thu, 19 Mar 2009 19:11:47 -0400 (EDT)

It was reported recently that at an Ontario casino in December, a slot
machine flashed its lights and displayed a message to the effect that "You
have won $42.9 million" (Canadian, about $34 million US).  The gambler, Paul
Kusznirewicz, had 5 minutes to be ecstatic before being told the machine had
malfunctioned and he hadn't won anything.  (They did give him some dinner
coupons.)  In fact, according to the Ontario Lottery and Gaming Corp., its
highest possible payout was $9,025 (Canadian).  This amount was not marked
on the machine, but there was a notice that nothing was payable in case of
malfunction.  Kusznirewicz is suing, so there probably won't be any further
details unless the case makes it to court.

In a followup story today, Ryerson University computer professor Sophie
Quigley suggests that the number -1, as a 32-bit 2's complement signed
integer, was interpreted as an unsigned integer in cents: $42,949,672.95.
"A casting error", as she put it.  (Not necessarily in the strict C sense.)

Incidentally, the Toronto Star ran the followup next to a story about Marie
Douglas-David, who is involved in a divorce case and allegedly claims that
"she cannot live on $43 million" (US).  The paper put the two pieces side by
side under a common headline: "Two very different $43 million questions".

http://www.cbc.ca/consumer/story/2009/03/17/slot.html
http://www.thestar.com/News/Ontario/article/604035

  [2nd URL corrected in archive copy.  Item also noted by David Magda.  PGN]
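The casting error Quigley describes, as an added example in C (not code from the RISKS item or from the casino system): the naive reinterpretation of a signed 32-bit value as unsigned cents, beside a payout check that treats negative values as status codes and caps winnings at the machine's stated maximum. The function names, and the use of -1 as an error sentinel, are assumptions; the $9,025 maximum is the figure quoted above.

```c
/* Added example (not from the RISKS item): the suspected "casting error"
 * behind the $42.9 million message, beside the range check a payout
 * display should apply. The $9,025 maximum comes from the item; the
 * function names and the use of -1 as an error sentinel are assumptions. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Highest payout the machine can legitimately make, in cents. */
#define MAX_PAYOUT_CENTS (9025u * 100u)

/* The suspected bug: a signed 32-bit value (here -1, a typical error
 * sentinel) is reinterpreted as an unsigned count of cents. */
uint32_t naive_display_cents(int32_t raw) {
    return (uint32_t)raw;   /* -1 becomes 4294967295 cents */
}

/* Render a cent count as "$d.cc" for a display message. */
void format_amount(uint32_t cents, char *buf, size_t len) {
    snprintf(buf, len, "$%" PRIu32 ".%02" PRIu32, cents / 100u, cents % 100u);
}

/* Hardened path: a negative value is a status code, not winnings, and a
 * value above the machine's configured maximum is a malfunction. Returns
 * 1 and stores the amount in *out when it is safe to announce a win,
 * 0 when the machine should show its malfunction notice instead. */
int checked_payout_cents(int32_t raw, uint32_t *out) {
    if (raw < 0)
        return 0;                       /* sentinel or error, not money */
    if ((uint32_t)raw > MAX_PAYOUT_CENTS)
        return 0;                       /* exceeds design maximum: malfunction */
    *out = (uint32_t)raw;
    return 1;
}

int main(void) {
    char buf[32];
    uint32_t cents;

    format_amount(naive_display_cents(-1), buf, sizeof buf);
    printf("naive:   You have won %s\n", buf);     /* $42949672.95 */

    if (!checked_payout_cents(-1, &cents))
        printf("checked: malfunction, nothing payable\n");

    if (checked_payout_cents(250000, &cents)) {    /* a legitimate $2,500 win */
        format_amount(cents, buf, sizeof buf);
        printf("checked: You have won %s\n", buf);
    }
    return 0;
}
```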


Student dead 2 months, told to improve attendance

Mark Brader
Wed, 25 Mar 2009 21:15:51 -0400 (EDT)

Macclesfield High School (near Manchester, England), threatened to ban Megan
Gillan from their prom if her attendance did not improve.  This was unlikely
to happen, as Megan had died two months before.  The girl's parents, still
very much grieving, were "floored".

Megan had been removed from the school's "main database", but was still
listed "in a different part of the computer system" that allows letters to
be sent to parents of former students.

See: http://news.bbc.co.uk/1/hi/england/manchester/7963081.stm

Or if that URL isn't long enough, try:
http://www.telegraph.co.uk/education/educationnews/5049001/School-apologises-after-letter-warns-parents-over-dead-schoolgirls-attendance.html


Phantom Serial Killer

"Mulkey, Dave" <Dave_Mulkey@fis.edu>
Sun, 29 Mar 2009 14:24:16 +0200

Amusingly, German police have been searching in vain for a phantom serial
killer, apparently responsible for 40 murders.  Unfortunately, they were led
astray by DNA "evidence" that resulted from using contaminated cotton swabs
to collect DNA evidence.  They had all been packed by an employee who
refused to wear rubber gloves, so her DNA appeared to be scattered all over
the country at various crime scenes.  Police used the swabs against written
advice in the accompanying product instructions that said the swabs were
unsuitable for forensic use.  Fortunately nobody was injured or arrested as
a result.  Here is an article from *Time* with the details:

http://www.time.com/time/world/article/0,8599,1888126,00.html

If your German is good, you can read this:

http://www.focus.de/politik/weitere-meldungen/phantom-von-heilbronn-des-raetsels-loesung-war-das-wattestaebchen-_aid_384841.html


E-voting In Ireland

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 17 Mar 2009 13:14:23 PDT

The [Irish] government finds itself in a deep hole because of the purchase
and storage of thousands of electronic voting machines. It should stop
digging. What had seemed like a good idea, way back in 1999, has turned out
to be an unmitigated disaster. The initial waste of public money on the
purchase of this dangerously insecure system has been compounded by the
establishment of long-term leases of up to 30 years for the storage of
machines in controlled environments.

John Gormley is the fourth minister for the environment to have
responsibility for the mess. And because there is no question of the
machines being used in the forthcoming local and European elections, or
thereafter, he should call a halt to the madness. An estimated 52 million
euros was spent on voting machines by Noel Dempsey and by his successor,
Martin Cullen, in spite of the objections and concerns of the opposition
parties. And when a special Commission on Electronic Voting found it was
easy to bypass the proposed security system in 2004, the machines were put
into storage at an annual cost of about 700,000 euros.

This public waste must end at a time when everybody is being asked to
tighten their belts. The cost of storing these machines will amount to 3.5
million euros by the end of this year. And because contracts ranging from 20
to 30 years were entered into on behalf of the State, penalties are likely
to be imposed for an early buy-out. The Government should not continue to
engage in what is a face-saving exercise.

Ireland is the only country in Europe that holds out a vague prospect of
using this technology. Last year, the Dutch government decided to abandon
the system because of its inherent vulnerability. Last week, the supreme
court in Germany ruled that the Nedap system — which we also purchased —
breached its electoral laws. It found that the control measures required
would not be achieved by a print-out of votes. The ability to recheck votes
was more important than early election results.  It was not saying a final
No to electronic voting, just that the current generation of voting machines
was unsatisfactory.

Ten years ago, the replacement of pencils and ballot papers by machines was
seen as a badge of modernity. But technology was not sufficiently advanced
to guarantee security of the new system. In spite of that, Fianna Fáil
ministers ignored the views of computer experts and ploughed ahead. Now that
the Netherlands and Germany have abandoned the project on security grounds,
the Government should bow to the inevitable.  [*The Irish Times*, 29 Mar 2009]
http://www.irishtimes.com/newspaper/opinion/2009/0317/1224242944297.html


Fairfax County Virginia voting glitches

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Thu, 12 Mar 2009 13:59:54 -0400

A special election in Fairfax County Virginia had some voting machine
problems.  A very close race had one DRE (out of about 50 in use) that
printed suspicious results.  Coverage at
http://www.washingtonpost.com/wp-dyn/content/article/2009/03/11/AR2009031101675.html
and
http://www.washingtonpost.com/wp-dyn/content/article/2009/03/10/AR2009031002068.html

I spent the day after the election observing the canvass process at the
invitation of the Democratic candidate (but the campaign did not supply me
with any information, nor did they pay me).  Details of my findings are at
http://abqordia.blogspot.com.  While a winner was eventually declared, there
are two unexplained problems: in one, the "zero tape" printed before the
polls opened (which is supposed to show that there are no votes recorded)
showed that the total votes was 0, of which 3 were for the Republican, 2 for
the Democrat, 1 for the independent, and 1 write-in.  Or mathematically,
3+2+1+1 = 0.  No one (other than me!) seemed all that concerned that this
shows something was *clearly* wrong, because they were able to get the
machine to print the (purported) ballots, and count those by hand....

The risks?  When the machine can print something that looks reasonable, the
people making the decisions are willing to overlook clear problems (as in
the math error).  Instead of treating the math error as an indication that
there's a deeper problem, they wrote it off as an unexplained glitch - "my
car didn't start the first time I turned the key, but it started fine the
second time, so I guess there's no problem".  That may be true, or it may be
the starter getting ready to fail.
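The arithmetic check that nobody applied to the zero tape, as an added example in C (not code from Jeremy Epstein's post or from any voting-system vendor): it parses a tape, verifies that the per-candidate counts sum to the reported total, and verifies that every counter is zero before the polls open. The tape text is constructed to mirror the figures in the post; the "<LABEL> <count>" line format and the function names are assumptions.

```c
/* Added example (not from Jeremy Epstein's post or any vendor's code): a
 * consistency check for a DRE "zero tape". The tape text is constructed
 * to mirror the figures in the post; the "<LABEL> <count>" line format and
 * the function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum zt_result {
    ZT_OK = 0,        /* every counter is zero and the totals add up */
    ZT_SUM_MISMATCH,  /* per-candidate counts do not sum to the reported total */
    ZT_NONZERO,       /* arithmetic is consistent but a counter is not zero */
    ZT_NO_TOTAL,      /* no TOTAL line on the tape */
    ZT_BAD_LINE       /* a line could not be parsed */
};

/* Constructed tape reproducing the post's figures: 3+2+1+1 reported as 0. */
static const char SUSPECT_TAPE[] =
    "TOTAL VOTES CAST 0\n"
    "REPUBLICAN 3\n"
    "DEMOCRAT 2\n"
    "INDEPENDENT 1\n"
    "WRITE-IN 1\n";

/* Constructed tape as it should look before the polls open. */
static const char CLEAN_TAPE[] =
    "TOTAL VOTES CAST 0\n"
    "REPUBLICAN 0\n"
    "DEMOCRAT 0\n"
    "INDEPENDENT 0\n"
    "WRITE-IN 0\n";

/* Check one tape. Each line is "<LABEL ...> <count>"; the line whose label
 * starts with "TOTAL" is the machine's own total. The arithmetic check is
 * reported ahead of the non-zero check because a tape that cannot add up
 * says something is wrong with the machine, not just with its counters. */
enum zt_result check_zero_tape(const char *tape) {
    long total = 0, sum = 0;
    int have_total = 0, saw_nonzero = 0;
    const char *p = tape;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0) {
            char line[128];
            if (len >= sizeof line)
                return ZT_BAD_LINE;
            memcpy(line, p, len);
            line[len] = '\0';

            char *sp = strrchr(line, ' ');   /* the count is the last token */
            if (!sp)
                return ZT_BAD_LINE;
            char *end;
            long n = strtol(sp + 1, &end, 10);
            if (end == sp + 1 || *end != '\0')
                return ZT_BAD_LINE;

            if (strncmp(line, "TOTAL", 5) == 0) {
                total = n;
                have_total = 1;
            } else {
                sum += n;
            }
            if (n != 0)
                saw_nonzero = 1;
        }
        p = nl ? nl + 1 : p + len;
    }

    if (!have_total)
        return ZT_NO_TOTAL;
    if (sum != total)
        return ZT_SUM_MISMATCH;
    if (saw_nonzero)
        return ZT_NONZERO;
    return ZT_OK;
}

int main(void) {
    printf("suspect tape: %s\n", check_zero_tape(SUSPECT_TAPE) == ZT_SUM_MISMATCH
           ? "counts do not add up; do not open polls on this machine"
           : "consistent");
    printf("clean tape:   %s\n", check_zero_tape(CLEAN_TAPE) == ZT_OK ? "ok" : "problem");
    return 0;
}
```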


Arose by any other name: was Diebold

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 18 Mar 2009 9:10:09 PDT

Premier Election Solutions (formerly Diebold Election Systems) admitted in a
California hearing on 17 Mar 2009 that the audit logs in its tabulation
software do not record significant events that occur on the system during an
election, such as the deletion of votes.  The company acknowledged that the
problem exists with every version of its tabulation software.  [Source: Kim
Zetter, Wired.com]
  http://blog.wired.com/27bstroke6/2009/03/diebold-admits.html

  [See also Shannon McElyea in Dave Farber's IP, citing Diebold Admits Audit
  Logs in ALL Versions of Their Software Fail to Record Ballot Deletions,
    http://www.bradblog.com/?p=6995]


"Security by obscurity Considered Harmful" — especially for voting

"E. John Sebes" <jsebes@osdv.org>
Wed, 25 Mar 2009 21:17:04 -0700

    No "Security By Obscurity" for Voting, Please
    John Sebes' blog, 25 Mar 2009, http://osdv.org/blog

I have to confess to being appalled by the number of times recently that I
have heard people talk about potential benefits of "security by obscurity"
for voting systems. It's one of those bad old ideas that just won't die: if
you hide the inner workings (source code) of a complex device (a voting
system), that makes it harder for an adversary to break (hack, steal
elections). With regard to voting systems, of course, the issue gets all
muddled up with vendors' fears of compelled source code disclosure, but
setting that aside, the proposition is simply this: a voting system is "more
secure" (whatever that means) if the source code is not public. Or as one
election official said to me recently, "We've been schooled to think that
making the code public would give up the keys to the system" (my paraphrase)
and ensure that a voting system could be hacked to steal elections (my
inference).

Wow. It's quite the fallacy, but staying power of the "Security by
Obscurity" idea is impressive; despite being completely discredited among
digital security professionals, the idea just won't stay dead. But please,
don't take my word for it. Despite a couple decades in the security biz, I'm
also an open source advocate. Instead, take a look at what security experts
(the real ones, not the folks that call themselves "security experts") have
to say about it. You can find several good thought pieces on the blog
<http://www.schneier.com/blog> of applied cryptographer and author Bruce
Schneier. You can find a range of pieces on the topic in the Risks Forum
<http://www.risks.org> and <http://www.csl.sri.com/users/neumann/#3.>. For
brief and general summary of the topic (including open source), PGN's IEEE
<http://www.ieee.org> Science and Policy piece "Robust Nonproprietary
Software" <http://www.csl.sri.com/neumann/ieee00.pdf> provides a pithy and
balanced viewpoint. For an entertaining bit of myth-debunking, try "Security
by Insecurity" <http://www.csl.sri.com/users/neumann/insiderisks.html#161>.
And for specificity to voting, try Peter's testimony
<http://www.csl.sri.com/neumann/calsen06.pdf> to the State of California
invited by CA's Secretary of State, Debra Bowen
<http://www.sos.ca.gov/admin/bio.htm>.   [TNX!  PGN]

But I can't resist a couple closing thoughts. First is my little theory that
closed systems are actually easier to crack. Consider the Windows OS,
unsurpassed for widespread adoption, proprietary software, and history of
security vulnerabilities. I am not MS-bashing here! My point is that where
there is an attractive target (and Windows is #1), the bad guys have all the
needed grist for the mill, without the source code!  They have the running
software itself; they have some information about the software's interfaces;
and they have many years of experience to guide efforts to find weak
points. They have a cookbook! They don't need an electron microscope to
examine the atoms and reverse engineer the target. In fact, if the source
code were available, then it might actually be more work to wade through it
to find security vulnerabilities.

Lastly, I want to get back to election technology generally, and voting
systems in specific. I do not believe that current voting systems benefit
from security by obscurity. I also do not believe that disclosure of the
source code would be beneficial. Independent reviewers have found many
reasons for security concerns, and the vendors underline those concerns by
fear-mongering around the issue of security vs.  openness. Where vendors
admit security problems, and yet do not display willingness to fix known
problems, disclosure doesn't help because new knowledge about problems and
fixes is irrelevant if the fixes don't get done. But just as disclosure
wouldn't help, it also would not hurt - despite the fear mongering. Plenty
enough is already known about vulnerabilities of these systems, and the bad
guys have plenty of info - including the ability to buy voting machines on
E-bay and reverse engineer to heart's content.

So basically, disclosure of current systems is a matter of indifference to
me in terms of security benefit or detriment - there is neither. But it
really bothers me when people are misled into thinking that secret computing
equals secure computing. It's not so, and especially not for election
technology, which should be open and transparent, not for security, but for
trust and public confidence in the results — that is, the selection of
those public servants who govern our public life.

The recent New York Times editorial "Still Broken" is well worth the
read, especially for its significant focus on dysfunction.


Malware installed at manufacturer on Diebold ATMs

"Toby Douglass" <trd@45mercystreet.com>
Wed, 18 Mar 2009 22:56:36 +0100 (CET)

http://www.goodgearguide.com.au/article/295924/criminals_sneak_card-sniffing_software_diebold_atms

Diebold has some of its ATMs fabricated in Russia.

A break-in occurred.  These ATMs run Windows.  Malware, which captures card
details, was installed.  Pretty sophisticated stuff, too.

Sophos report they believe the code has been in circulation (whatever that
means) since November 2008.

The fix was apparently released Jan 2009.

I'm starting to think cash-from-a-bank may make a comeback.

  [Here's an excerpt from another report on this subject: "Security firm
  Sophos reported this week that it received three samples of a trojan that
  was customized to run on Diebold-manufactured cash machines in Russia,
  said Graham Cluley, Sophos' senior security consultant. The malware was
  able to read card numbers and PINs — then when the attacker returned to
  the ATM, he inserted a specially crafted card that told the machine to
  issue him a receipt containing the stolen information."  PGN]
  http://www.scmagazineus.com/ATM-malware-appears-Diebold-issues-security-update/article/129059/


Driver Says GPS Unit Led Him to Edge of Cliff

Richard Grady <richard@richbonnie.com>
Thu, 26 Mar 2009 00:28:27 -0700

A British driver blamed his GPS navigation unit for leaving his car
teetering on the edge of a 100-foot cliff in Doncaster, South Yorkshire,
after following its instructions.  (He was stopped by running into a wire fence.)
  http://www.foxnews.com/story/0,2933,510495,00.html


The Information Security Debt Clock

"Gunnar Peterson" <gunnar@visi.com>
Tue, 24 Mar 2009 19:24:19 +0000

If you want to architect Web security like it's 1995, then the Information
Security Debt Clock is for you. The Information Security Debt Clock tracks
the time since the Web security architecture based on Network Firewalls and
SSL was first deployed:

http://1raindrop.typepad.com/1_raindrop/2009/03/information-security-debt-clock.html

According to c2.com, Technical Debt occurs when "During the planning or
execution of a software project, decisions are made to defer necessary
work...The list can grow quite long, with some items surviving across
multiple development cycles."

As of right now it's been approximately 4,863 days since SSL 1.0 was added
into Netscape in Dec. 1995.


Google translations used for phishing attacks against ISPs

Gadi Evron <ge@linuxbox.org>
Wed, 25 Mar 2009 13:46:01 +0100

In this e-mail message I'd like to discuss two subjects:
a. Phishing against ISPs.
b. Phishing in different languages against ISPs as soon as Google adds a
   new translation module.

In the past few weeks there has been an increasing number of phishing
attacks against clients of Israeli ISPs. I've only seen a few of these, but
the local ISPs confirm it's happening across the board.

In all these cases, the phishing e-mail is in Hebrew.

While we have seen ISP phishing and Hebrew phishing before, these attacks
started when Google added translation into Hebrew.

Is this a trend? Have other countries (or populations) been targeted
when Google added a translation module for more languages?

Notes:
a. Some Israeli ISPs e-mailed their clients warning against such attacks.
Saying they'd never ask for their password, etc.

b. While I was certainly heavily involved with phishing originally and
even started the first coordination group to deal with the issue, I am
somewhat removed from it now, dealing more with phishing/banking Trojan
horses.
Can anyone educate me as to how often ISPs get phished, if at all?

c. If you get phished, what strategies if any have you taken to prevent
the attacks/respond to them/educate your clients? What worked?

d. I wonder if these translation misuses could eventually translate into
some intelligence we will see in Google security reports, such as on
malware.


Economics of Finding and Fixing Vulnerabilities in Distributed Systems

"Gunnar Peterson" <gunnar@visi.com>
Tue, 24 Mar 2009 19:26:29 +0000

The Economics of Finding and Fixing Vulnerabilities in Distributed Systems
Quality of Protection Keynote, Alexandria, VA, October 27. 2008
By Gunnar Peterson

Like many people in this industry, my focus on security was fundamentally
altered by Dan Geer's speech "Risk Management is Where the Money Is" [1].
There are not many people who can call a ten year shot in the technology
business, but Dan Geer did. The talk revolutionized the security
industry. Since that speech, the security market, the vendors, consultants,
and everyone else has realized that security is really about risk
management.

Of course, saying that you are managing risk and actually managing risk are
two different things. Warren Buffett started off his 2007 shareholder letter
[2] talking about financial institutions' ability to deal with the subprime
mess in the housing market saying, "You don't know who is swimming naked
until the tide goes out." In our world, we don't know whose systems are
running naked, with no controls, until they are attacked. Of course, by then
it is too late.

Full talk: http://1raindrop.typepad.com/1_raindrop/2008/11/the-economics-of-finding-and-fixing-vulnerabilities-in-distributed-systems-.html

  [This item apparently fell through the RISKS crack last year.  Don't
  forget to include "notsp" in your would-be postings.  I'm filtering over a
  thousand spams a day, and still having to cull through 95% spam after
  that.  The subject line is very important.  PGN]


ZOL downtime and emergency maintenance

Andrew Yeomans <ajv@yeomans.org.uk>
Wed, 25 Mar 2009 21:37:26 +0000

Zimbabwe Internet has been having downtime problems recently, and sent their
customers the attached disarming honest e-mail.

(I saw this through a friend of a friend; Mark Taylor has also posted it
on http://marktaylor.blogspot.com/2009/03/only-in-zimbabwe.html)

  *Subject: ZOL downtime and emergency maintenance*

  Dear (name removed)

This is a brief update of our considerable downtime today (Monday 16 March)
from about 2pm to 5:30pm. We are also announcing emergency maintenance that
will take us offline from approximately 8pm to 10pm tomorrow (Tuesday 17th
March).

Unfortunately every backup system including generators, UPS and routers were
totally flummoxed by 2 painters painting the building where our satellite
dish is housed. Being diligent men, they decided to remove a junction box to
paint behind it. Unluckily that box belongs to Telecontract and houses a
fiber optic cable joint connecting to ZOL.  This took down not only ZOL, but
many ISP connections on the same fiber.

We are operating on a temporary solution now, but to fully repair this
damage Telecontract have advised us that they will have to redo the entire
joint. This will take approximately 2 hours, and will be done at 8pm on
Tuesday 17th March.

We apologize for any inconvenience caused. Sometimes human brilliance just
shines through regardless of the best laid plans!

Best Regards, *The ZOL Crew*


We seem to be going over the top on "risks", forgetting about some realities (RISKS-25.60)

Fred Cohen <fc@all.net>
Sun, 8 Mar 2009 09:04:42 -0700

In the latest RISKS digest, I detected several problems with the comments. I
thought I would bring them in as a risk of people who talk about risks not
being thorough in their exploration of the issues.

> Subject: Health-care: The Computer Will See You Now (Anne Armstrong-Cohen)
>  ... So before we embrace the inevitable, there should be more discussion
> and study of electronic records, or at a minimum acknowledgment of the
> down side.

This is no different from paper records - except that the stored and
displayed answers can be definitive. The problem comes when the computer
records are altered without the informed consent of the doctor who made
them.

> A hybrid may be the answer — perhaps electronic records should be kept
> only on tablet computers, allowing the provider to write or draw, and face
> the patient.

With current technologies, this would be worse than either of the current
approaches. Tablets today miss lots of the entries put into them and store
dotted lines, misinterpret characters, and so forth - so they will produce
more errors with less definitive information on what really happened.

> The personal relationships we build in primary care must remain a
> priority, because they are integral to improved health outcomes.  Let us
> not forget this as we put keyboards and screens within the intimate walls
> of our medical homes."

The notion that the computer is somehow less personal than the piece of
paper or that the doctor cannot still be a human being because they use a
computer seems to me to be flawed.

> Subject: Turkish Airline disaster and the Altimeter
> I fail to see how the software would not spot a problem and carry
> out the landing:
>
> 1) If the two altimeters are reading very different readings,
> 2) If one of the altimeters switches from reading 2000 feet to -8
>    feet instantly,
> 3) If one of the altimeters reads a negative number?

Great! So what is the list of ALL of the checks that should be done, how do
we generate that list, how long is it, and how do we implement ALL of the
possible check processes with adequate reliability and proper failsafes when
we can't figure out how to do it for the simple things? Then apply this
recursively and tell me all the ways in which just these 3 checks could
possibly go wrong, and all the checks we need to check them...

By the way, negative altitude is possible - fly into Death Valley some day.

We seem to have forgotten the "simplicity principle" in security - perhaps
because it was removed from the GASSP when the GAISP was put in its place?
Perhaps not. But as a rule of thumb, the more checks we put in, the more
potential failure modes there are.

> Subject: Normal Accidents and Black Swans

Indeed - Risks readers may also be interested in:
	http://all.net/Analyst/2009-04.pdf

"Risk management: There are no black swans"

Fred Cohen & Associates tel/fax: 925-454-0171 http://all.net/
572 Leona Drive Livermore, CA 94550
