Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 25: Issue 61
Sunday 29 March 2009
Contents
DNA contamination led to serial-killer illusion- Mark Brader
Announcing your crime in a chat room may interfere with it- Mark Brader
You have won $[2^32-1]/100, no wait, we mean nothing- Mark Brader
Student dead 2 months, told to improve attendance- Mark Brader
Phantom Serial Killer- Dave Mulkey
E-voting In Ireland- PGN
Fairfax County Virginia voting glitches- Jeremy Epstein
Arose by any other name: was Diebold- PGN
"Security by obscurity Considered Harmful" -- especially for voting- John Sebes
Malware installed at manufacturer on Diebold ATMs- Toby Douglass
Driver Says GPS Unit Led Him to Edge of Cliff- Richard Grady
The Information Security Debt Clock- Gunnar Peterson
Google translations used for phishing attacks against ISPs- Gadi Evron
Economics of Finding and Fixing Vulnerabilities in Distributed Systems- Gunnar Peterson
ZOL downtime and emergency maintenance- Andrew Yeomans
We seem to be going over the top on "risks", forgetting about some realities- Fred Cohen
Info on RISKS (comp.risks)
DNA contamination led to serial-killer illusion
Mark Brader
Fri, 27 Mar 2009 22:25:57 -0400 (EDT)

When police in Germany, Austria, and France were able to DNA-match evidence from six homicides (including the killing of policewoman Michele Kiesewetter in the town of Heilbronn) and dozens of other crimes, they naturally concluded that a multiple murderer was at work -- one who acquired the nickname "The Phantom of Heilbronn". But then one of the matches, which seemed unlikely, was retested... and the second time it came back negative. Now it seems that in fact the only connection between the crimes is that when collecting DNA from the evidence, cotton swabs from the same manufacturer (Greiner Bio-One) were used. Unused swabs were tested and a few were found to have the same woman's DNA on them; she worked at the company that did the packaging. Greiner says that they were only supposed to be sterile swabs for medical use, and were not guaranteed to be free of DNA.

Of course, if this happened in a work of fiction, it'd turn out that the woman actually had committed one of the early crimes and then taken advantage of her job to deliberately contaminate the swabs in order to divert suspicion. But be that as it may, the consequences for law enforcement are not going to be pleasant.

See:
http://news.bbc.co.uk/2/hi/europe/7966641.stm
http://www.dw-world.de/dw/article/0,,4129872,00.html
http://www.time.com/time/world/article/0,8599,1888126,00.html
http://www.google.com/hostednews/ap/article/ALeqM5iEPt22F_xcWatGRrX5ludZOsSM5AD976HRM00
Announcing your crime in a chat room may interfere with it
Mark Brader
Sat, 21 Mar 2009 00:56:53 -0400 (EDT)

When J.P. Neufeld, an Internet chat-room moderator in Montreal, saw someone posting an announcement that he was shortly going to set fire to a school in Norfolk, England, he took it seriously, first communicating with the poster and then phoning the Norfolk police. They acted quickly and in less than an hour a 16-year-old was arrested near the school while carrying matches and "what is believed to be a flammable liquid".

http://www.cbc.ca/world/story/2009/03/20/concordia-student-forum-norfolk.html
http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20090320/school_threat_090320/20090320?hub=TopStories
http://www.eveningnews24.co.uk/content/news/story.aspx?itemid=NOED19%20Mar%202009%2008:52:47:223
You have won $[2^32-1]/100, no wait, we mean nothing
Mark Brader
Thu, 19 Mar 2009 19:11:47 -0400 (EDT)

It was reported recently that at an Ontario casino in December, a slot machine flashed its lights and displayed a message to the effect that "You have won $42.9 million" (Canadian, about $34 million US). The gambler, Paul Kusznirewicz, had 5 minutes to be ecstatic before being told the machine had malfunctioned and he hadn't won anything. (They did give him some dinner coupons.) In fact, according to the Ontario Lottery and Gaming Corp., its highest possible payout was $9,025 (Canadian). This amount was not marked on the machine, but there was a notice that nothing was payable in case of malfunction. Kusznirewicz is suing, so there probably won't be any further details unless the case makes it to court.

In a followup story today, Ryerson University computer professor Sophie Quigley suggests that the number -1, as a 32-bit 2's complement signed integer, was interpreted as an unsigned integer in cents: $42,949,672.95. "A casting error", as she put it. (Not necessarily in the strict C sense.)

Incidentally, the Toronto Star ran the followup next to a story about Marie Douglas-David, who is involved in a divorce case and allegedly claims that "she cannot live on $43 million" (US). The paper put the two pieces side by side under a common headline: "Two very different $43 million questions".

http://www.cbc.ca/consumer/story/2009/03/17/slot.html
http://www.thestar.com/News/Ontario/article/604035

[2nd URL corrected in archive copy. Item also noted by David Magda. PGN]
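The "casting error" Quigley describes, shown as an added example (this is not the slot machine's code; the -1 "no win / fault" sentinel and the configured maximum payout are assumptions made for the illustration). The naive display path reads a signed 32-bit field through an unsigned type and happily prints the result as cents; the checked path treats any negative value, or anything above the game's ceiling, as a malfunction rather than as winnings:

```python
import struct

CENTS_PER_DOLLAR = 100
ERROR_SENTINEL = -1   # assumed: the firmware signals "no win / fault" with -1 in a signed int32 field


def reinterpret_i32_as_u32(value: int) -> int:
    """Reinterpret the two's-complement bit pattern of a signed 32-bit value as unsigned.

    struct packs the value as a little-endian signed int32 ('<i') and unpacks the
    same four bytes as unsigned ('<I'), which is exactly what happens when code
    reads a signed field through an unsigned type: -1 becomes 4294967295.
    """
    return struct.unpack("<I", struct.pack("<i", value))[0]


def _dollars(cents: int) -> str:
    return f"${cents // CENTS_PER_DOLLAR:,}.{cents % CENTS_PER_DOLLAR:02d}"


def naive_payout_message(win_cents: int) -> str:
    """Display path with the bug: trusts the field as an unsigned count of cents."""
    cents = reinterpret_i32_as_u32(win_cents)
    return f"You have won {_dollars(cents)}"


def checked_payout_message(win_cents: int, max_payout_cents: int) -> str:
    """Hardened display path: reject sentinels and anything above the machine's maximum.

    max_payout_cents is an assumed configuration value; the article gives the real
    machine's maximum as $9,025, i.e. 902500 cents.
    """
    if win_cents < 0:
        # Negative values are not winnings; they are an error code or a fault.
        return "Machine malfunction -- no payout"
    if win_cents > max_payout_cents:
        # The ceiling is a property of the game; exceeding it can only be a bug.
        return "Machine malfunction -- no payout"
    return f"You have won {_dollars(win_cents)}"
```

The second check matters as much as the first: a payout ceiling is known at design time, so any displayed amount above it is evidence of a fault somewhere upstream, whatever the sign of the raw value.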
Student dead 2 months, told to improve attendance
Mark Brader
Wed, 25 Mar 2009 21:15:51 -0400 (EDT)

Macclesfield High School (near Manchester, England), threatened to ban Megan Gillan from their prom if her attendance did not improve. This was unlikely to happen, as Megan had died two months before. The girl's parents, still very much grieving, were "floored". Megan had been removed from the school's "main database", but was still listed "in a different part of the computer system" that allows letters to be sent to parents of former students.

See:
http://news.bbc.co.uk/1/hi/england/manchester/7963081.stm

Or if that URL isn't long enough, try:
http://www.telegraph.co.uk/education/educationnews/5049001/School-apologises-after-letter-warns-parents-over-dead-schoolgirls-attendance.html
Phantom Serial Killer
"Mulkey, Dave"
<Dave_Mulkey@fis.edu>
Sun, 29 Mar 2009 14:24:16 +0200

Amusingly, German police have been searching in vain for a phantom serial killer, apparently responsible for 40 murders. Unfortunately, they were led astray by DNA "evidence" that resulted from using contaminated cotton swabs to collect DNA evidence. They had all been packed by an employee who refused to wear rubber gloves, so her DNA appeared to be scattered all over the country at various crime scenes. Police used the swabs against written advice in the accompanying product instructions that said the swabs were unsuitable for forensic use. Fortunately nobody was injured or arrested as a result.

Here is an article from *Time* with the details:
http://www.time.com/time/world/article/0,8599,1888126,00.html

If your German is good, you can read this:
http://www.focus.de/politik/weitere-meldungen/phantom-von-heilbronn-des-raetsels-loesung-war-das-wattestaebchen-_aid_384841.html
E-voting In Ireland
"Peter G. Neumann"
<neumann@csl.sri.com>
Tue, 17 Mar 2009 13:14:23 PDT

The [Irish] government finds itself in a deep hole because of the purchase and storage of thousands of electronic voting machines. It should stop digging. What had seemed like a good idea, way back in 1999, has turned out to be an unmitigated disaster. The initial waste of public money on the purchase of this dangerously insecure system has been compounded by the establishment of long-term leases of up to 30 years for the storage of machines in controlled environments. John Gormley is the fourth minister for the environment to have responsibility for the mess. And because there is no question of the machines being used in the forthcoming local and European elections, or thereafter, he should call a halt to the madness.

An estimated 52 million euros was spent on voting machines by Noel Dempsey and by his successor, Martin Cullen, in spite of the objections and concerns of the opposition parties. And when a special Commission on Electronic Voting found it was easy to bypass the proposed security system in 2004, the machines were put into storage at an annual cost of about 700,000 euros. This public waste must end at a time when everybody is being asked to tighten their belts. The cost of storing these machines will amount to 3.5 million euros by the end of this year. And because contracts ranging from 20 to 30 years were entered into on behalf of the State, penalties are likely to be imposed for an early buy-out.

The Government should not continue to engage in what is a face-saving exercise. Ireland is the only country in Europe that holds out a vague prospect of using this technology. Last year, the Dutch government decided to abandon the system because of its inherent vulnerability. Last week, the supreme court in Germany ruled that the Nedap system -- which we also purchased -- breached its electoral laws. It found that the control measures required would not be achieved by a print-out of votes. The ability to recheck votes was more important than early election results. It was not saying a final No to electronic voting, just that the current generation of voting machines was unsatisfactory.

Ten years ago, the replacement of pencils and ballot papers by machines was seen as a badge of modernity. But technology was not sufficiently advanced to guarantee security of the new system. In spite of that, Fianna Fáil ministers ignored the views of computer experts and ploughed ahead. Now that the Netherlands and Germany have abandoned the project on security grounds, the Government should bow to the inevitable.

[*The Irish Times*, 29 Mar 2009]
http://www.irishtimes.com/newspaper/opinion/2009/0317/1224242944297.html
Fairfax County Virginia voting glitches
Jeremy Epstein
<jeremy.j.epstein@gmail.com>
Thu, 12 Mar 2009 13:59:54 -0400

A special election in Fairfax County Virginia had some voting machine problems. A very close race had one DRE (out of about 50 in use) that printed suspicious results. Coverage at
http://www.washingtonpost.com/wp-dyn/content/article/2009/03/11/AR2009031101675.html and
http://www.washingtonpost.com/wp-dyn/content/article/2009/03/10/AR2009031002068.html

I spent the day after the election observing the canvass process at the invitation of the Democratic candidate (but the campaign did not supply me with any information, nor did they pay me). Details of my findings are at http://abqordia.blogspot.com.

While a winner was eventually declared, there are two unexplained problems: in one, the "zero tape" printed before the polls opened (which is supposed to show that there are no votes recorded) showed that the total votes was 0, of which 3 were for the Republican, 2 for the Democrat, 1 for the independent, and 1 write-in. Or mathematically, 3+2+1+1 = 0. No one (other than me!) seemed all that concerned that this shows something was *clearly* wrong, because they were able to get the machine to print the (purported) ballots, and count those by hand....

The risks? When the machine can print something that looks reasonable, the people making the decisions are willing to overlook clear problems (as in the math error). Instead of treating the math error as an indication that there's a deeper problem, they wrote it off as an unexplained glitch - "my car didn't start the first time I turned the key, but it started fine the second time, so I guess there's no problem". That may be true, or it may be the starter getting ready to fail.
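The zero-tape arithmetic Epstein describes is exactly the kind of thing a canvass procedure should check mechanically rather than eyeball. The following is an added example, not code from the post or from any voting system: it parses a constructed tape whose figures mirror the ones above (the line layout is invented) and returns every hard-stop condition, so that a tape whose candidate counts do not sum to the printed total, or whose pre-poll counts are not all zero, is treated as a fault rather than a "glitch":

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample tape reproducing the figures in the post above; the layout is invented.
SAMPLE_ZERO_TAPE = """\
ZERO TAPE -- POLLS NOT YET OPEN
TOTAL VOTES CAST          0
Republican                3
Democrat                  2
Independent               1
Write-in                  1
"""

# A tape line is a label followed by whitespace and a trailing integer.
_LINE = re.compile(r"^(?P<name>.+?)\s+(?P<count>\d+)\s*$")


def parse_tape(tape: str) -> Tuple[Optional[int], Dict[str, int]]:
    """Return (printed total, {candidate: count}); lines without a trailing number are ignored."""
    total: Optional[int] = None
    counts: Dict[str, int] = {}
    for raw in tape.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        name, count = m.group("name").strip(), int(m.group("count"))
        if name.upper().startswith("TOTAL"):
            total = count
        else:
            counts[name] = count
    return total, counts


def check_zero_tape(tape: str) -> List[str]:
    """Return every hard-stop problem found; an empty list means the machine may be opened."""
    problems: List[str] = []
    total, counts = parse_tape(tape)
    if total is None:
        return ["no total line printed"]
    if not counts:
        return ["no candidate lines printed"]
    summed = sum(counts.values())
    # Internal consistency: the parts must add up to the printed whole, on any tape.
    if summed != total:
        problems.append(f"candidate counts sum to {summed} but printed total is {total}")
    # Zero-tape semantics: nothing may have been recorded before the polls open.
    if total != 0:
        problems.append(f"printed total is {total}, expected 0 before polls open")
    nonzero = {name: c for name, c in counts.items() if c != 0}
    if nonzero:
        problems.append(f"nonzero pre-poll counts: {sorted(nonzero)}")
    return problems
```

Run against the sample, the first problem reported is the 3+2+1+1 = 0 contradiction; the point of returning a list rather than a boolean is that the canvass record can show which invariant failed, not merely that something did.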
Arose by any other name: was Diebold
"Peter G. Neumann"
<neumann@csl.sri.com>
Wed, 18 Mar 2009 9:10:09 PDT

Premier Election Solutions (formerly Diebold Election Systems) admitted in a California hearing on 17 Mar 2009 that the audit logs in its tabulation software do not record significant events that occur on the system during an election, such as the deletion of votes. The company acknowledged that the problem exists with every version of its tabulation software. [Source: Kim Zetter, Wired.com]
http://blog.wired.com/27bstroke6/2009/03/diebold-admits.html

[See also Shannon McElyea in Dave Farber's IP, citing "Diebold Admits Audit Logs in ALL Versions of Their Software Fail to Record Ballot Deletions", http://www.bradblog.com/?p=6995]
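An audit log that omits deletions is not an audit log. As an added example (this is an illustration, not Premier's software, and the ballot store is a toy), the following shows the two properties a tabulation audit trail needs: every mutation, ADD and DELETE alike, is appended as an entry, and the entries are hash-chained so that removing or altering one is detectable. Note the second property has a caveat that the code makes explicit: silently dropping entries from the *end* of a chain is only detectable against a head hash recorded out-of-band (for instance, on the results tape at close of polls).

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # chain anchor for the first entry


def _digest(prev_hash: str, action: str, detail: str) -> str:
    """Hash an entry together with its predecessor's hash (the chain link)."""
    payload = json.dumps({"prev": prev_hash, "action": action, "detail": detail},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def verify_entries(entries: List[Dict[str, str]], expected_head: Optional[str] = None) -> bool:
    """Walk the chain from GENESIS; optionally require the final hash to match an anchored head.

    Without the anchored head, dropping the *last* entries is undetectable, which is
    why the head must be written down (or signed) when the log is closed.
    """
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev or _digest(e["prev"], e["action"], e["detail"]) != e["hash"]:
            return False
        prev = e["hash"]
    return expected_head is None or prev == expected_head


class Tabulator:
    """Toy vote store: every mutation, ADD and DELETE alike, is appended to the chained log."""

    def __init__(self) -> None:
        self.ballots: Dict[str, str] = {}
        self.log: List[Dict[str, str]] = []

    def _record(self, action: str, detail: str) -> str:
        prev = self.log[-1]["hash"] if self.log else GENESIS
        h = _digest(prev, action, detail)
        self.log.append({"prev": prev, "action": action, "detail": detail, "hash": h})
        return h

    def add_ballot(self, ballot_id: str, choice: str) -> str:
        self.ballots[ballot_id] = choice
        return self._record("ADD", f"{ballot_id}:{choice}")

    def delete_ballot(self, ballot_id: str) -> str:
        # The deletion itself is the event that must never be missing from the trail.
        choice = self.ballots.pop(ballot_id)
        return self._record("DELETE", f"{ballot_id}:{choice}")

    def head(self) -> str:
        return self.log[-1]["hash"] if self.log else GENESIS

    def count_actions(self, action: str) -> int:
        return sum(1 for e in self.log if e["action"] == action)


def demo() -> Tuple[int, bool, bool, bool]:
    """Return (DELETE entries logged, chain intact?, tail-drop detected?, middle-drop detected?)."""
    t = Tabulator()
    t.add_ballot("b1", "A")
    t.add_ballot("b2", "B")
    t.delete_ballot("b1")
    head = t.head()                                   # recorded out-of-band at close
    intact = verify_entries(t.log, head)
    tail_dropped = verify_entries(t.log[:-1], head)              # DELETE removed from the end
    middle_dropped = verify_entries([t.log[0], t.log[2]], head)  # an ADD removed from the middle
    return t.count_actions("DELETE"), intact, not tail_dropped, not middle_dropped
```

The middle-drop case fails chain verification on its own, because the surviving entry's `prev` no longer matches its predecessor; the tail-drop case passes chain verification and is caught only by the head comparison. Both kinds of omission are what an independent canvass would want to be able to rule out.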
"Security by obscurity Considered Harmful" -- especially for voting
"E. John Sebes"
<jsebes@osdv.org>
Wed, 25 Mar 2009 21:17:04 -0700
No "Security By Obscurity" for Voting, Please
John Sebes' blog, 25 Mar 2009, http://osdv.org/blog
I have to confess to being appalled by the number of times recently that I
have heard people talk about potential benefits of "security by obscurity"
for voting systems. It's one of those bad old ideas that just won't die: if
you hide the inner workings (source code) of a complex device (a voting
system), that makes it harder for an adversary to break (hack, steal
elections). With regard to voting systems, of course, the issue gets all
muddled up with vendors' fears of compelled source code disclosure, but
setting that aside, the proposition is simply this: a voting system is "more
secure" (whatever that means) if the source code is not public. Or as one
election official said to me recently, "We've been schooled to think that
making the code public would give up the keys to the system" (my paraphrase)
and ensure that a voting system could be hacked to steal elections (my
inference).
Wow. It's quite the fallacy, but the staying power of the "Security by
Obscurity" idea is impressive; despite being completely discredited among
digital security professionals, the idea just won't stay dead. But please,
don't take my word for it. Despite a couple decades in the security biz, I'm
also an open source advocate. Instead, take a look at what security experts
(the real ones, not the folks that call themselves "security experts") have
to say about it. You can find several good thought pieces on the blog
<http://www.schneier.com/blog> of applied cryptographer and author Bruce
Schneier. You can find a range of pieces on the topic in the Risks Forum
<http://www.risks.org> and <http://www.csl.sri.com/users/neumann/#3.>. For
a brief and general summary of the topic (including open source), PGN's IEEE
<http://www.ieee.org> Science and Policy piece "Robust Nonproprietary
Software" <http://www.csl.sri.com/neumann/ieee00.pdf> provides a pithy and
balanced viewpoint. For an entertaining bit of myth-debunking, try "Security
by Insecurity" <http://www.csl.sri.com/users/neumann/insiderisks.html#161>.
And for specificity to voting, try Peter's testimony
<http://www.csl.sri.com/neumann/calsen06.pdf> to the State of California
invited by CA's Secretary of State, Debra Bowen
<http://www.sos.ca.gov/admin/bio.htm>. [TNX! PGN]
But I can't resist a couple closing thoughts. First is my little theory that
closed systems are actually easier to crack. Consider the Windows OS,
unsurpassed for widespread adoption, proprietary software, and history of
security vulnerabilities. I am not MS-bashing here! My point is that where
there is an attractive target (and Windows is #1), the bad guys have all the
needed grist for the mill, without the source code! They have the running
software itself; they have some information about the software's interfaces;
and they have many years of experience to guide efforts to find weak
points. They have a cookbook! They don't need an electron microscope to
examine the atoms and reverse engineer the target. In fact, if the source
code were available, then it might actually be more work to wade through it
to find security vulnerabilities.
Lastly, I want to get back to election technology generally, and voting
systems in specific. I do not believe that current voting systems benefit
from security by obscurity. I also do not believe that disclosure of the
source code would be beneficial. Independent reviewers have found many
reasons for security concerns, and the vendors underline those concerns by
fear-mongering around the issue of security vs. openness. Where vendors
admit security problems, and yet do not display willingness to fix known
problems, disclosure doesn't help because new knowledge about problems and
fixes is irrelevant if the fixes don't get done. But just as disclosure
wouldn't help, it also would not hurt - despite the fear mongering. Plenty
enough is already known about vulnerabilities of these systems, and the bad
guys have plenty of info - including the ability to buy voting machines on
eBay and reverse engineer to their heart's content.
So basically, disclosure of current systems is a matter of indifference to
me in terms of security benefit or detriment - there is neither. But it
really bothers me when people are misled into thinking that secret computing
equals secure computing. It's not so, and especially not for election
technology, which should be open and transparent, not for security, but for
trust and public confidence in the results -- that is, the selection of
those public servants who govern our public life.
The recent New York Times editorial "Still Broken" is well worth the
read, especially for its significant focus on dysfunction.
Malware installed at manufacturer on Diebold ATMs
"Toby Douglass"
<trd@45mercystreet.com>
Wed, 18 Mar 2009 22:56:36 +0100 (CET)

http://www.goodgearguide.com.au/article/295924/criminals_sneak_card-sniffing_software_diebold_atms

Diebold has some of its ATMs fabricated in Russia. A break-in occurred. These ATMs run Windows. Malware, which captures card details, was installed. Pretty sophisticated stuff, too. Sophos report they believe the code has been in circulation (whatever that means) since November 2008. The fix was apparently released Jan 2009. I'm starting to think cash-from-a-bank may make a comeback.

[Here's an excerpt from another report on this subject: "Security firm Sophos reported this week that it received three samples of a trojan that was customized to run on Diebold-manufactured cash machines in Russia, said Graham Cluley, Sophos' senior security consultant. The malware was able to read card numbers and PINs -- then when the attacker returned to the ATM, he inserted a specially crafted card that told the machine to issue him a receipt containing the stolen information." PGN]
http://www.scmagazineus.com/ATM-malware-appears-Diebold-issues-security-update/article/129059/
Driver Says GPS Unit Led Him to Edge of Cliff
Richard Grady
<richard@richbonnie.com>
Thu, 26 Mar 2009 00:28:27 -0700

A British driver blamed his GPS navigation unit for leaving his car teetering on the edge of a 100-foot cliff in Doncaster, South Yorkshire, after following its instructions. (He was stopped by running into a wire fence.)
http://www.foxnews.com/story/0,2933,510495,00.html
The Information Security Debt Clock
"Gunnar Peterson"
<gunnar@visi.com>
Tue, 24 Mar 2009 19:24:19 +0000

If you want to architect Web security like it's 1995, then the Information Security Debt Clock is for you. The Information Security Debt Clock tracks the time since the Web security architecture based on Network Firewalls and SSL was first deployed:
http://1raindrop.typepad.com/1_raindrop/2009/03/information-security-debt-clock.html

According to c2.com, Technical Debt occurs when "During the planning or execution of a software project, decisions are made to defer necessary work...The list can grow quite long, with some items surviving across multiple development cycles." As of right now it's been approximately 4,863 days since SSL 1.0 was added into Netscape in Dec. 1995.
Google translations used for phishing attacks against ISPs
Gadi Evron
<ge@linuxbox.org>
Wed, 25 Mar 2009 13:46:01 +0100

In this e-mail message I'd like to discuss two subjects:
a. Phishing against ISPs.
b. Phishing in different languages against ISPs as soon as Google adds a new translation module.

In the past few weeks there has been an increasing number of phishing attacks against clients of Israeli ISPs. I've only seen a few of these, but the local ISPs confirm it's happening across the board. In all these cases, the phishing e-mail is in Hebrew.

While we have seen ISP phishing and Hebrew phishing before, these attacks started when Google added translation into Hebrew. Is this a trend? Have other countries (or populations) been targeted when Google added a translation module for more languages?

Notes:
a. Some Israeli ISPs e-mailed their clients warning against such attacks, saying they'd never ask for their password, etc.
b. While I was certainly heavily involved with phishing originally and even started the first coordination group to deal with the issue, I am somewhat removed from it now, dealing more with phishing/banking Trojan horses. Can anyone educate me as to how often ISPs get phished, if at all?
c. If you get phished, what strategies if any have you taken to prevent the attacks/respond to them/educate your clients? What worked?
d. I wonder if these translation misuses could eventually translate into some intelligence we will see in Google security reports, such as on malware.
Economics of Finding and Fixing Vulnerabilities in Distributed Systems
"Gunnar Peterson"
<gunnar@visi.com>
Tue, 24 Mar 2009 19:26:29 +0000

The Economics of Finding and Fixing Vulnerabilities in Distributed Systems
Quality of Protection Keynote, Alexandria, VA, October 27, 2008
By Gunnar Peterson

Like many people in this industry, my focus on security was fundamentally altered by Dan Geer's speech "Risk Management is Where the Money Is" [1]; there are not many people who can call a ten-year shot in the technology business, but Dan Geer did. The talk revolutionized the security industry. Since that speech, the security market, the vendors, consultants, and everyone else has realized that security is really about risk management. Of course, saying that you are managing risk and actually managing risk are two different things. Warren Buffett started off his 2007 shareholder letter [2] talking about financial institutions' ability to deal with the subprime mess in the housing market saying, "You don't know who is swimming naked until the tide goes out." In our world, we don't know whose systems are running naked, with no controls, until they are attacked. Of course, by then it is too late.

Full talk:
http://1raindrop.typepad.com/1_raindrop/2008/11/the-economics-of-finding-and-fixing-vulnerabilities-in-distributed-systems-.html

[This item apparently fell through the RISKS crack last year. Don't forget to include "notsp" in your would-be postings. I'm filtering over a thousand spams a day, and still having to cull through 95% spam after that. The subject line is very important. PGN]
ZOL downtime and emergency maintenance
Andrew Yeomans
<ajv@yeomans.org.uk>
Wed, 25 Mar 2009 21:37:26 +0000

Zimbabwe Internet has been having downtime problems recently, and sent their customers the attached disarmingly honest e-mail. (I saw this through a friend of a friend; Mark Taylor has also posted it on http://marktaylor.blogspot.com/2009/03/only-in-zimbabwe.html)

  Subject: ZOL downtime and emergency maintenance

  Dear (name removed)

  This is a brief update of our considerable downtime today (Monday 16 March) from about 2pm to 5:30pm. We are also announcing emergency maintenance that will take us offline from approximately 8pm to 10pm tomorrow (Tuesday 17th March).

  Unfortunately every backup system including generators, UPS and routers were totally flummoxed by 2 painters painting the building where our satellite dish is housed. Being diligent men, they decided to remove a junction box to paint behind it. Unluckily that box belongs to Telecontract and houses a fiber optic cable joint connecting to ZOL. This took down not only ZOL, but many ISP connections on the same fiber.

  We are operating on a temporary solution now, but to fully repair this damage Telecontract have advised us that they will have to redo the entire joint. This will take approximately 2 hours, and will be done at 8pm on Tuesday 17th March.

  We apologize for any inconvenience caused. Sometimes human brilliance just shines through regardless of the best laid plans!

  Best Regards,
  The ZOL Crew
We seem to be going over the top on "risks", forgetting about some realities (RISKS-25.60)
Fred Cohen
<fc@all.net>
Sun, 8 Mar 2009 09:04:42 -0700

In the latest RISKS digest, I detected several problems with the comments. I
thought I would bring them in as a risk of people who talk about risks not
being thorough in their exploration of the issues.
> Subject: Health-care: The Computer Will See You Now (Anne Armstrong-Cohen)
> ... So before we embrace the inevitable, there should be more discussion
> and study of electronic records, or at a minimum acknowledgment of the
> down side.
This is no different from paper records - except that the stored and
displayed answers can be definitive. The problem comes when the computer
records are altered without the informed consent of the doctor who made
them.
> A hybrid may be the answer -- perhaps electronic records should be kept
> only on tablet computers, allowing the provider to write or draw, and face
> the patient.
With current technologies, this would be worse than either of the current
approaches. Tablets today miss lots of the entries put into them and store
dotted lines, misinterpret characters, and so forth - so they will produce
more errors with less definitive information on what really happened.
> The personal relationships we build in primary care must remain a
> priority, because they are integral to improved health outcomes. Let us
> not forget this as we put keyboards and screens within the intimate walls
> of our medical homes."
The notion that the computer is somehow less personal than the piece of
paper or that the doctor cannot still be a human being because they use a
computer seems to me to be flawed.
> Subject: Turkish Airline disaster and the Altimeter
> I fail to see how the software would not spot a problem and carry
> out the landing:
>
> 1) If the two altimeters are reading very different readings,
> 2) If one of the altimeters switches from reading 2000 feet to -8
> feet instantly,
> 3) If one of the altimeters reads a negative number?
Great! So what is the list of ALL of the checks that should be done, how do
we generate that list, how long is it, and how do we implement ALL of the
possible check processes with adequate reliability and proper failsafes when
we can't figure out how to do it for the simple things? Then apply this
recursively and tell me all the ways in which just these 3 checks could
possibly go wrong, and all the checks we need to check them...
By the way, negative altitude is possible - fly into Death Valley some day.
We seem to have forgotten the "simplicity principle" in security - perhaps
because it was removed from the GASSP when the GAISP was put in its place?
Perhaps not. But as a rule of thumb, the more checks we put in, the more
potential failure modes there are.
> Subject: Normal Accidents and Black Swans
Indeed - Risks readers may also be interested in:
http://all.net/Analyst/2009-04.pdf
"Risk management: There are no black swans"
Fred Cohen & Associates tel/fax: 925-454-0171 http://all.net/
572 Leona Drive Livermore, CA 94550
